Oracle OpenWorld | CON9707 Enterprise Mobile Security Architecture Beyond the Corporate Perimeter

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 1 OpenWorld 2015 Mobile Security beyond the corporate perimeter Indus Khaitan Product Management, Oracle Mobile Ali Ahmed Mobile Security Architect, Oracle October 28, 2015 Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Upload: indus-khaitan

Post on 21-Jan-2018


TRANSCRIPT


OpenWorld 2015
Mobile Security beyond the corporate perimeter

Indus Khaitan
Product Management, Oracle Mobile

Ali Ahmed
Mobile Security Architect, Oracle

October 28, 2015


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Agenda

1. The Classic Perimeter and Mobile + Cloud

2. Architecture of a Perimeter-less organization

3. Short & Long term solutions and challenges

4. Q&A


The Classic Perimeter
Firewalls, NAC appliances, Gateways, Moats, Snake pits, Fire pits

• Physical Security using network separation

• Bad guys outside, good guys inside

• Implicit privileged access to good guys

• VPNs bring you inside and grant implicit authorization


Mobile & Cloud in a perimeter world

• Devices need unfettered access

– VPNs were designed for a wired world

• Cloud Security has limited IT control

• Data is rapidly moving to mobile & cloud

• BYOD compounds problems


Problems with Classic Perimeter in the new world

• Few tightly controlled gates

• Mobile devices are the weak link

• Inside attacks

• Application access based on IP and/or ports

– Legacy applications use “remote host” to elevate user privilege



Architecture requirements of a Perimeter-less organization

• Security is a key driver

• Access based on risk profile

– End point trust

– Geo information

• Identity based on risk profile

– Adaptive risk based multi factor auth

– Step-up auth

• Federated Identity

– SSO to cloud and intranet apps


Architecture requirements of a Perimeter-less organization

• Data security

– Data encryption at rest

– Transport security for data in motion

• Device level trust for managed devices

– Integrity / compliance

• App level trust for unmanaged devices

– Integrity / compliance


Architecture Components of a Perimeter-less Organization

[Diagram: components shown]

• Proxy and Security Policy Enforcement

• Intranet applications

• Device / App Management

• Federated Identity

• Identity / Policy Management

• Cloud Applications


Risk Aware Access and Apps
Enterprise use-case for access based on risk profile

Control | Address Book (Low Risk) | CRM (Medium Risk) | BI - Sales Booking Data (High Risk)
Managed / Unmanaged | Access allowed on Both | Access allowed on Both | Managed
User Authentication | Yes | Step-up on Unmanaged | Yes
Policy based (e.g: location) | Not required | Geo fence | Yes
Lock/Wipe | Yes | Yes | Yes
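
The table above expressed as an access decision made at the proxy / policy enforcement point. This is an added example, not code from the original slides or from any Oracle product. The app keys, field names and the reading of the BI column's "Yes" as "location policy enforced" are assumptions; the Lock/Wipe row is a device-management capability and is not modelled.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # ask for a second factor, then re-evaluate
    DENY = "deny"

@dataclass(frozen=True)
class AppPolicy:
    managed_only: bool        # row "Managed / Unmanaged"
    step_up_unmanaged: bool   # row "User Authentication"
    geo_fenced: bool          # row "Policy based (e.g: location)"

# One entry per column of the slide's table (hypothetical app keys).
# Treating the BI column's "Yes" as a location policy is an assumption.
POLICIES = {
    "address_book": AppPolicy(False, False, False),  # low risk
    "crm":          AppPolicy(False, True,  True),   # medium risk
    "bi_sales":     AppPolicy(True,  False, True),   # high risk
}

@dataclass(frozen=True)
class Request:
    app: str
    authenticated: bool    # primary sign-in (e.g. SSO) succeeded
    mfa_done: bool         # second factor already presented this session
    device_managed: bool   # endpoint trust reported by device/app management
    inside_geofence: bool  # resolved by the proxy, not asserted by the client

def decide(req: Request) -> Decision:
    policy = POLICIES.get(req.app)
    # Fail closed: unknown apps and unauthenticated users never pass.
    if policy is None or not req.authenticated:
        return Decision.DENY
    # Hard denials first, so a step-up prompt is never offered for a
    # request that would be refused anyway.
    if policy.managed_only and not req.device_managed:
        return Decision.DENY
    if policy.geo_fenced and not req.inside_geofence:
        return Decision.DENY
    if policy.step_up_unmanaged and not req.device_managed and not req.mfa_done:
        return Decision.STEP_UP
    return Decision.ALLOW
```
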



Short-term and Long-term Solutions

Area | Short-term | Long-term
Device Management | EMM, App Container. | Device control, app control and data control.
Policy Management | App level policies exist today in IDM as well as EMM products. | App and data level policies.
Authentication | SSO. Single switch to revoke access. Multiple Identities across application vendor boundaries. | Federation. Single ID. Federation across channels and app boundaries.
Authorization | Light weight authorization policies. Part of the proxy business logic. | Data level policies.
Cloud Security | SSO is primary control point. Application specific policies. | Cloud-access broker. Traffic goes through a forward proxy in the middle.


Adoption and Implementation Challenges

• Fragmented Devices (esp. Android, hard to inventory)

• Certificate-based authentication is brittle

• User-credentials are a starting point

• Network latency issues in weak connectivity areas

• Legacy applications rely on desktop-based controls and trusted remote IP

• Not easy to put a proxy in front of cloud applications

• IT rethinking needed to remove VPN


Oracle Mobile Security for 24x7 unfettered access to corporate data

[Diagram: Oracle Mobile Platform]

• Platform functions: DEVELOP, INTEGRATE, MANAGE, ANALYSE, SECURE

• App types: Custom Mobile Apps, Packaged Mobile Apps, Partner Built Mobile Apps


Questions?