© 2013 IBM Corporation
IBM Mobile Security & Management: Delivering Confidence to Put Mobile First
Enterprises Need Confidence to Put Mobile First…
Uniqueness of Mobile

Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with co-workers
• Social norms of mobile apps vs. file systems

Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organiser
• Security profile per persona?

Mobile devices are diverse
• OS immaturity for enterprise mgmt
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions
• Diverse app development/delivery model

Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise WiFi
• Devices more likely to be lost/stolen

Mobile devices prioritise the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists
• Security policies have less of a chance of dictating experience
A Frame of Reference to Structure Your Strategy

IBM Mobile Security and Management Framework
• Device Management: security for endpoint device and data
• Network, Data, and Access Security: achieve visibility and adaptive security policies
• Application Layer Security: develop and test applications
Defense in Depth

Context Influences Risk: the context of an interaction needs to be analyzed so that appropriate security measures can be employed to counter plausible threats.

Interaction Interface is Critical: mobile apps are the primary interaction interface, whose integrity needs to be safeguarded and validated.

Vigilance is a Necessity: monitoring security events makes it possible to assess the completeness of the security posture and to detect intentional and unintentional actions that may compromise it.

Oversee Devices in an Enterprise Context: for certain segments of employees or business partners, having visibility and control over the device will mitigate risk exposure.
Context Influences Risk

• Derive uniqueness of interaction
• Compute risk
• Adapt authentication processes
• Dynamically control authorization of specific transactions

Mobile affords many attributes that pertain to the user's context, allowing a specific interaction to be uniquely identified (e.g. location, network, time, device properties).
The risk of that unique interaction can be computed based on established policies.
The risk score can be used to select the authentication processes best suited to that interaction.
The risk score can also be employed to control authorization for specific transactions during that interaction, and to deliver education to the user on security best practices in context.
What if context determined capabilities automatically & securely?

• Context: on-site inside emergency room; on the hospital network; authorized doctor on shift
  Function: all app features
  Data: full data access and storage
  Security: single-factor authentication

• Context: at coffee shop; on an unsecured network; authorized doctor on call
  Function: designated features only
  Data: specific encrypted data
  Security: multi-factor authentication

Both outcomes are driven by a governed policy.
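The two scenarios above follow the four steps of the previous slide (derive the interaction's context, compute a risk score against policy, adapt authentication, control authorization per transaction). The following is an added illustration of that flow in Python, not code from the deck or from ISAM for Mobile; the context attributes, the risk weights, the authentication thresholds and the per-transaction risk limits are all constructed assumptions chosen so that the emergency-room and coffee-shop cases come out as the slide describes.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed context model: the attributes the slides name (location, network,
# time, device properties) plus the clinical scenario's "on shift / on call".
@dataclass(frozen=True)
class Context:
    location: str          # "on_site" or "off_site"
    network: str           # "corporate", "cellular" or "public"
    hour: int              # local hour of day, 0-23
    device_managed: bool   # enrolled in and compliant with device policy
    device_jailbroken: bool
    on_shift: bool         # True for on shift or on call

# Constructed policy: each risk factor present adds a weight; the total is capped at 100.
RISK_WEIGHTS = {
    "off_site": 20,
    "public_network": 30,
    "cellular_network": 10,
    "outside_hours": 10,
    "unmanaged_device": 20,
    "jailbroken_device": 40,
    "off_shift": 15,
}

# Constructed transaction policy: the maximum risk score tolerated per transaction.
TRANSACTION_MAX_RISK = {
    "view_schedule": 100,
    "view_patient_record": 60,
    "export_records": 25,
}

@dataclass
class Decision:
    risk_score: int
    authentication: str           # "single-factor", "multi-factor" or "deny"
    data_access: str              # "full", "encrypted-subset" or "none"
    allowed_transactions: List[str] = field(default_factory=list)
    user_guidance: List[str] = field(default_factory=list)

def risk_factors(ctx: Context) -> List[str]:
    """Return the names of the policy factors present in this interaction."""
    factors = []
    if ctx.location != "on_site":
        factors.append("off_site")
    if ctx.network == "public":
        factors.append("public_network")
    elif ctx.network == "cellular":
        factors.append("cellular_network")
    if not 8 <= ctx.hour < 20:
        factors.append("outside_hours")
    if not ctx.device_managed:
        factors.append("unmanaged_device")
    if ctx.device_jailbroken:
        factors.append("jailbroken_device")
    if not ctx.on_shift:
        factors.append("off_shift")
    return factors

def risk_score(ctx: Context) -> int:
    """Compute the interaction's risk score from the established policy weights."""
    return min(100, sum(RISK_WEIGHTS[f] for f in risk_factors(ctx)))

def select_authentication(score: int) -> str:
    """Step authentication up as risk grows; refuse clearly compromised contexts."""
    if score < 30:
        return "single-factor"
    if score < 70:
        return "multi-factor"
    return "deny"

def decide(ctx: Context) -> Decision:
    """Turn context into function, data and security decisions, plus in-context guidance."""
    factors = risk_factors(ctx)
    score = risk_score(ctx)
    auth = select_authentication(score)
    guidance = []
    if "public_network" in factors:
        guidance.append("You are on an unsecured network; only designated features are available.")
    if "jailbroken_device" in factors:
        guidance.append("This device fails integrity checks and cannot access clinical data.")
    if auth == "deny":
        return Decision(score, auth, "none", [], guidance)
    allowed = [t for t, limit in TRANSACTION_MAX_RISK.items() if score <= limit]
    data = "full" if score < 30 else "encrypted-subset"
    return Decision(score, auth, data, allowed, guidance)

if __name__ == "__main__":
    emergency_room = Context("on_site", "corporate", 10, True, False, True)
    coffee_shop = Context("off_site", "public", 10, True, False, True)
    print(decide(emergency_room))
    print(decide(coffee_shop))
```

The on-site case scores 0 and gets single-factor authentication with every transaction allowed; the coffee-shop case scores 50, is stepped up to multi-factor, loses the high-value export transaction and is told why. A real deployment would take the attributes from the access-management layer and the weights from administered policy rather than from constants.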
Integrated Context-Aware Risk-Based Access Control

[Architecture diagram: access management infrastructure integration with the mobile application platform. Components shown: client app (i.e. mobile application) with the Worklight Runtime; ISAM Proxy (Proxy - WAM: session management, self balancing, authn/authz, threat protection via the xForce threat protection service, credentials); ISAM for Mobile with the Risk / Context Decision Engine (auth, authz) and the ISAM Policy Server; Worklight Server (web SSO, context based access & federation, identity propagation); external authn/authz provider (i.e. biometrics, Q&A challenge etc.); external metadata (user directory, business data, apps metadata); applications (portal / apps, process server / ESB, PEPs). Flows: user interaction over http(s); identity propagation & context based access.]

• Mobile affords customers the ability to compute risk for an interaction based on the context of the user and to configure authentication processes accordingly.
• Infrastructure to customize the authentication and authorization of both the user and the device (i.e. certificate-based, biometrics etc).
• Mobile apps can employ the risk score generated by ISAM for Mobile to control authorization to various transactions during that interaction, and ISAM also delivers enhanced session management support to mitigate the risk of man-in-the-middle attack.
Interaction Interface is Critical

• Facilitate inclusion of core security features in apps: mobile developers need to be assisted with standardized, proven techniques to quickly incorporate core security features in their apps (i.e. encryption of locally stored data).
• Perform vulnerability analysis on the app: vulnerability analysis on the app can significantly mitigate the exploitation of the app and its chances of going rogue.
• Validate the authenticity of the app: during each interaction, validate that the app has not been modified in any way, to improve confidence in the integrity of the interaction.
• Push updates dynamically: dynamically update the app in the event the app has been compromised or new vulnerabilities were identified.
Mobile Apps: New Security Challenges

• In addition to IT, Line of Business teams (i.e. Marketing) are building mobile apps ad hoc to seize market opportunities or serve growing demand. Lack of security understanding and structured development processes may introduce significant risks.
• An enterprise cannot reproduce all the apps demanded by employees, so it will need to support third-party apps. App creators may have different security standards or may not have performed security testing.
• New technologies for building native, hybrid and web apps for mobile. New vulnerabilities, different types of exploits and susceptibility to old attacks are being discovered.
• Mobile apps often employ multiple collaborative techniques and channels. Multiple interaction points are exposed to threat vectors.
Addressing the OWASP Top Ten Mobile Security Risks with Vulnerability Analysis of Mobile Apps

OWASP Top 10 risk: full-trace vulnerability analysis
1. Insecure Data Storage: trace routes of sensitive data
2. Weak Server Side Controls: security scanning of server side code
3. Insufficient Transport Layer Protection: check for use of SSL/TLS
4. Client Side Injection: checks for common injection flaws including SQLi, HTMLi, and XSS
5. Poor Authentication and Authorization: track where IDs and passwords enter/exit the system
6. Improper Session Handling: verify UUID is not used for session management
7. Security Decisions via Untrusted Inputs: track where data originates and how it is used
8. Side Channel Data Leakage: test for data leakage to log files, pasteboard, property lists, etc.
9. Broken Cryptography: identify proper usage of cryptography
10. Sensitive Information Disclosure: test for data leakage to peripherals, network, sockets, etc.
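Several rows of the table (1, 3, 6, 8 and 10) come down to the same mechanism: follow sensitive values from where they enter the app to the places they leave it, and report the ones that reach a sink which should not receive them. The following is an added, deliberately small taint-propagation example in Python that shows that mechanism on a constructed straight-line program; it is not the deck's code and does not reproduce how AppScan's full-trace analysis works. The statement mini-language, the sink rules, the sensitivity labels and the sample program are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sink rules: sink kind -> (OWASP Mobile Top 10 risk it maps to,
# labels that trigger it; None means any sensitive label triggers the sink).
SINK_RULES: Dict[str, Tuple[Optional[str], Optional[Set[str]]]] = {
    "log":           ("8. Side Channel Data Leakage", None),
    "pasteboard":    ("8. Side Channel Data Leakage", None),
    "plist":         ("1. Insecure Data Storage", None),
    "network_plain": ("3. Insufficient Transport Layer Protection", None),
    "network_tls":   (None, None),   # TLS-protected channel: not a finding for these checks
    "session_id":    ("6. Improper Session Handling", {"device-id"}),
}

@dataclass
class Taint:
    labels: Set[str]     # sensitivity labels carried by the value
    route: List[str]     # variables the data flowed through, in order

@dataclass
class Finding:
    risk: str
    sink: str
    labels: Set[str]
    route: List[str]

def analyze(program: List[tuple]) -> List[Finding]:
    """Propagate taint through a straight-line program and report sensitive data reaching sinks.

    Statement forms (constructed mini-language, not a real IR):
      ("source", var, label)        value enters from a sensitive source
      ("assign", dst, src)          plain copy
      ("concat", dst, [srcs...])    combine values, e.g. string formatting
      ("sanitize", dst, src)        hashing/masking: the output is no longer sensitive
      ("sink", kind, var)           value leaves via a sink of the given kind
    """
    taint: Dict[str, Taint] = {}
    findings: List[Finding] = []
    for stmt in program:
        op = stmt[0]
        if op == "source":
            _, var, label = stmt
            taint[var] = Taint({label}, [var])
        elif op == "assign":
            _, dst, src = stmt
            if src in taint:
                taint[dst] = Taint(set(taint[src].labels), taint[src].route + [dst])
            else:
                taint.pop(dst, None)
        elif op == "concat":
            _, dst, srcs = stmt
            labels: Set[str] = set()
            route: List[str] = []
            for s in srcs:
                if s in taint:
                    labels |= taint[s].labels
                    route += taint[s].route
            if labels:
                taint[dst] = Taint(labels, route + [dst])
            else:
                taint.pop(dst, None)
        elif op == "sanitize":
            _, dst, _src = stmt
            taint.pop(dst, None)      # assumption: the sanitizer really removes the secret
        elif op == "sink":
            _, kind, var = stmt
            risk, trigger = SINK_RULES[kind]
            t = taint.get(var)
            if t is None or risk is None:
                continue
            if trigger is not None and not (t.labels & trigger):
                continue
            findings.append(Finding(risk, kind, set(t.labels), list(t.route)))
    return findings

# Constructed sample program modelling the login flow of a hypothetical app.
SAMPLE_PROGRAM = [
    ("source", "password", "credential"),
    ("source", "account_no", "pii"),
    ("source", "udid", "device-id"),
    ("concat", "debug_msg", ["prefix", "password"]),
    ("sink", "log", "debug_msg"),             # credential written to the device log
    ("assign", "saved_account", "account_no"),
    ("sink", "plist", "saved_account"),       # PII stored unencrypted in a property list
    ("sanitize", "password_hash", "password"),
    ("sink", "network_tls", "password_hash"), # hashed and sent over TLS: no finding
    ("sink", "network_tls", "account_no"),    # TLS channel: not flagged by these checks
    ("sink", "session_id", "udid"),           # device identifier reused as the session token
    ("concat", "body", ["account_no", "udid"]),
    ("sink", "network_plain", "body"),        # sensitive data over plaintext HTTP
]

def report(program: List[tuple]) -> List[str]:
    """One human-readable line per finding, showing the route the data took to the sink."""
    return [f"{f.risk}: {' -> '.join(f.route)} reaches {f.sink}" for f in analyze(program)]

if __name__ == "__main__":
    for line in report(SAMPLE_PROGRAM):
        print(line)
```

On the sample program the analysis reports four findings and stays silent on the two TLS sends, which is the behaviour a reviewer wants: the value of a trace is the route it records (here `password -> debug_msg` into the log), because that is what tells a developer where to fix the flow rather than just that something leaked.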
Vigilance is a Necessity

• Track security events emanating from user access: mobile user access needs to be monitored to potentially identify abnormal behavior.
• Track security events emanating from application behavior: end-to-end visibility of mobile app behavior is needed to identify malicious or rogue apps.
• Track security events from network traffic: constant awareness of network traffic allows an organization to identify threats and take an appropriate response.
• Report on security posture or alert to emerging threat: reporting for compliance, as well as proactive action to improve response time to an emerging threat, will reduce exposure.
Need for Intelligence…

• Targeted attacks at individuals, organizations or specific regions are growing in sophistication and frequency. The development of counter measures is inhibited by a lack of awareness of the attack, since it may require monitoring across various security solutions.
• The dynamic mobile ecosystem is inherently social and consumer oriented, with each new capability introducing new interaction mechanisms. User behavior deemed risky from an enterprise security perspective might be practiced without awareness.
• Increased governmental regulation and competitive pressures. The penalties for security breaches are not only monetarily expensive but could result in the loss of trust relationships with customers, partners and employees.
• Emerging threats are evolving, and new sets of vulnerabilities are being uncovered.
Mobile Security Intelligence
Oversee Devices in an Enterprise Context

• Catalog and develop an inventory of all enterprise mobile devices: an organization needs visibility of all mobile devices connecting to the corporate network.
• Define and enforce security policies for the device: a way to define security policies on the device and its interactions, and to enforce them, is required.
• Deliver and manage enterprise apps and inform about malicious apps: a secure channel to deliver enterprise apps and restrict users from installing malicious or compromising apps is necessary.
• Monitor compliance and report: on-going monitoring and compliance for audit reporting will be important.
Mobile Security Strategy and Lifecycle Management
Steps to consider when securing the mobile enterprise (IBM Security Framework domains)

At the Device
• Enroll: register owner and services
• Configure: set appropriate security policies
• Monitor: ensure device compliance
• Reconfigure: add new policies over-the-air
• De-provision: remove services and wipe

Over the Network & Enterprise (corporate intranet / Internet)
• Authenticate: properly identify mobile users
• Encrypt: secure network connectivity
• Monitor: log network access and events
• Control: allow or deny access to apps
• Block: identify and stop mobile threats

For the Mobile App
• Develop: utilize secure coding practices
• Test: identify application vulnerabilities
• Monitor: correlate unauthorized activity
• Protect: defend against application attacks
• Update: patch old or vulnerable apps
Mobile Security Maturity Model
(Buying occasion columns: BYOD, Data Separation, Mobile Collaboration, Mobile App. Security)

Optimized
• Mobile security intelligence: risk assessments, new threat detection, active monitoring
• Integrated management of multiple devices
• Device security policy management
• Prevent loss or leakage of sensitive information
• Risk / context based access
• Threat detection on inbound network traffic
• Context / risk based document collaboration / creating / viewing
• Enforce restrictions on copy/paste
• Multi-factor context aware access and offline access
• Granular security policy definition and enforcement
• Enable data sharing based on policy

Proficient
• Endpoint protection with anti-malware
• White/black list apps
• Detection of jailbroken/rooted devices
• Prevent copy and paste of email, calendar, contacts and intranet data
• Application level VPN
• Secure document creation and viewing
• Document collaboration with secure file sync / collaboration
• App management: provisioning/updates/disabling
• Separation of corporate apps from personal apps
• Application validation

Basic
• Update management
• Device lock / device wipe
• Device registration
• Segregated secure access to corporate email, calendar, contacts and browser
• User / device authentication and single sign-on
• Connectivity to social networks
• Secure instant messaging
• Enforcing encryption of data within an app
• App vulnerability testing and certification
IBM Solutions
IBM MobileFirst Offering Portfolio

[Portfolio diagram. Layers: Industry Solutions (Banking, Insurance, Transport, Telecom, Government, Healthcare, Retail, Automotive); IBM and Partner Applications; Application Platform and Data Services (Application Platform, Analytics, Security, Management); Devices and Servers; Cloud & Managed Services. Side bars: Consulting & Design Services; Integration Services.]
IBM MobileFirst offerings to secure the enterprise
(Mobile Security Strategy and Lifecycle Management; IBM Security Framework domains)

At the Device
• Manage device & data: IBM Endpoint Manager for Mobile
• Malware protection: IBM Mobile Device Security (hosted)
• Application security: IBM Worklight

Over the Network & Enterprise (corporate intranet / Internet)
• Secure access: IBM Security Access Manager, IBM WebSphere DataPower
• Monitor & protect: IBM QRadar
• Secure connectivity: IBM Mobile Lotus Connect

For the Mobile App
• Secure applications: IBM Security AppScan
• Integrate securely: IBM WebSphere DataPower
• Manage applications: IBM Worklight
A Mobile First organization needs… prioritized security and privacy throughout the mobile app lifecycle to protect sensitive business systems

IBM Security AppScan 8.next (Mobile Security): planned availability 1Q 2013

What's New
• Accelerates the use of iOS in an enterprise setting
• Native security scanning of iOS applications built in Objective C, Java or JavaScript
• Facilitates a "secure by design" process in the software development lifecycle for mobile applications
• Addresses requirements for usage in the US Federal Government
A Mobile First organization needs… real-time visibility and control over all mobile devices

IBM Endpoint Manager for Mobile Devices: unified device management (desktops & laptops, smartphones & tablets, servers) with one console and one infrastructure, spanning endpoint management, systems management, security management and mobile management.

What's New
• FIPS 140-2 Certified Encryption Module*: meet US Government standards for data protection
• Automated compliance-based email access: automatically grant or deny email access based on device compliance
• IBM Lotus Notes Traveler security policy integration: ease security administration by setting and reporting Lotus Traveler security policies through the Endpoint Manager console
• Expanded BYOD platform support: BlackBerry 10, Microsoft Windows Phone 8, Windows RT, Apple iOS 6.1

*Planned availability 1Q 2013
A Mobile First organization needs… to increase accuracy of identifying mobile access security risks

IBM Security Access Manager for Cloud and Mobile

[Scenario diagram: employee Jane wants to access confidential data on a mobile device, from either the corporate network or from outside the corporation. A mobile application (developed using Worklight Studio) presents user credentials to the IBM WorkLight Server (application transformation); IBM Security Access Manager for Cloud and Mobile provides access management (risk based access) and mobile threat protection; DataPower provides application security & optimization (XML security and protocol transformation) in front of enterprise applications & connectivity.]

Key Capabilities
• Increase accuracy of identifying mobile access security risks
• Dynamically assess the security risk of an access request
• Quickly enforce risk-based access
• Ensure users and devices are authenticated and authorized
• Flexibility and strength in authentication: user id/password, OTP, biometrics, certificate, custom
• Protect applications from known security threats by analyzing HTTP traffic
Customer Case Studies
European Bank delivers secure mobile Internet banking

Background: a major European bank needed to reduce operational complexity and cost with a single, scalable infrastructure to secure access to various back-end services from multiple mobile apps. A customized authentication mechanism empowered the bank to guarantee the security of its customers while safeguarding the trust relationship with a safe app platform that encrypts local data and delivers app updates immediately.

Customer Needs
• Extend secure access to banking apps to mobile customers
• Enhance productivity of employees to perform secure banking transactions via mobile devices
• Support for iOS, Android, and Windows Mobile

Benefits
• Authenticates requests made via HTTPS from hybrid mobile apps running on the WorkLight platform to back-end services
• A custom certificate-based authentication mechanism implemented to secure the back-end banking application
A health insurance provider offers secure mobile access

Challenges
• Differentiate from competitors by offering customers greater access by supporting mobility
• Reduce overhead of paper-based claims processing and call-center volume

Solution
• Requests made via HTTPS to multiple back-end services from native device applications, protected by IBM Security Access Manager
• Authentication enforced with both Basic Authentication and a custom implementation through Access Manager's External Authentication Interface

Benefits
• Simultaneously build trust and improve user experience with secure membership management and claims processing
• Improve customer satisfaction and responsiveness through secure mobile solutions
Public utility adds mobile devices without adding infrastructure

Company Overview: serving 4.5 million customers in the southwestern region of the United States, this electric company of 25,000 employees is a leader in clean energy while exceeding reliability standards and keeping consumer costs below average. They are experiencing a migration from traditional endpoints to mobile devices.

Customer Needs
• Support 20,000+ mobile devices
• Corporate and employee-owned, many platforms and OS versions
• High availability for certain devices used in the field
• Adherence to internal security policies, external regulations

Benefits
• Scalability to 250,000 endpoints provides room to grow without adding infrastructure
• Added mobile devices to existing IEM deployment in days
• Ability to integrate with Maximo, Remedy
• Responsiveness and agility of product and product team
Global automotive company secures mobile access

Challenges
• Automobile customers require secure, personalized access to vehicle information services on their mobile devices
• Required secure access to radio, internet and social network services from the automobile

Solution
• IBM Security Access Manager and IBM Federated Identity Manager along with IBM DataPower
• Seamless authentication and authorization to back-end automotive business services

Benefits
• Simplified single sign-on for trusted third party service providers
• Scale to hundreds of thousands of devices and users
• Improved customer satisfaction
Get started with IBM
• Learn more at: www.ibm.com/mobilefirst
• Access white papers and webcasts
• Get product and services information
• Talk with your IBM representative or visit the MobileFirst roadmap page
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Learn more at: www.ibm.com/mobilefirst