Endpoint Evolution


Kawika Takayama, Symantec

Published in: Technology
  • [Introduction and welcome]
  • According to research firm Strategy Analytics, 66.9 million tablets shipped worldwide in 2011, up a staggering 260 percent from the previous year. In 2010, Apple’s famous iPad controlled nearly 70 percent of the tablet market, but just one year later, Android-based tablets secured just under 40 percent of the market. NFC (Near Field Communications) to generate $74B in transactions by 2015 (source: Juniper Networks, http://www.mobilemarketingwatch.com/juniper-says-nfc-will-drive-74-billion-in-transactions-by-2015-21588/)
  • Odyssey’s Athena mobile management product shares considerable code with Symantec Mobile Management, but is integrated with Microsoft System Center Configuration Manager. While there are some differences due to use of SCCM instead of the Symantec Management Platform, most features are similar or the same (e.g. Mobile Library, configuration editing, legacy Windows Mobile software delivery, etc.). The Odyssey product will be renamed “Symantec Mobile Management for SCCM” mid-year.
  • Console Agnostic, Cloud & Mobile Platform: This shows how Symantec’s platform approach to mobility can greatly simplify an enterprise’s ability to integrate with and leverage existing and future consoles and devices, in a seamless and agnostic way.
  • Extended iOS5 MDM features. Enhanced Email Configuration: Enable S/MIME encryption; Prevent sending email via third party applications and moving messages across different email accounts; Prevent apps from sending email so that corporate email addresses don't inadvertently leak; Turn off e-mail forwarding so that corporate email cannot be forwarded through a personal account. Enhanced Wi-Fi Configuration: Configure Wi-Fi proxy settings; Enable automatic joins to Wi-Fi networks. Manage Roaming Configuration: Enable/disable voice roaming features; Enable/disable data roaming features. iCloud Configuration: Enable/disable iCloud back-up, document sync and Photo Stream. Utilize iOS5 layer to report additional device details: Battery life status; Wireless carrier information. Manage iTunes password entry: Require an iTunes password to make iTunes access more secure. Manage certificates from non-trusted sources: Set whether or not an end-user can accept a certificate from a non-trusted source; Prevent certificates from being accepted from a non-trusted source.
  • Monitor, block, remove content from outbound iPad traffic. Protects HTTP/HTTPS, including: General Web traffic (including Webmail); Active Sync; Most-common iPad applications (Dropbox, Facebook, & Twitter); FTP. Supports: iPad 1 & 2 (iOS 4.2.1 and higher); 3G and WiFi, on and off network; Standard DLP detection methods (DCM, EDM, IDM, VML); General and specialized response rules (including block & remove content). Provides: Flexibility to create Tablet-specific policies; Separate Tablet incident type.
  • As of February 28th Symantec made generally available the first release of Symantec O3. The molecular symbol O3 stands for ozone. Ozone provides a layer of protection for living things on earth by filtering out dangerous ultraviolet radiation. Symantec O3 similarly protects IT and users “above the cloud” when they access cloud applications and services, even from mobile devices.
  • Let’s take a look now at how Symantec O3 works – first from the perspective of the user, then from the perspective of IT, and particularly operations and security. 1. The user experience for Symantec O3 is exceedingly easy to grasp. First the user, on any device he or she might be using, accesses the Symantec O3 gateway through a URL – it is just like going to Google Maps. Next the user is prompted for one userid/password credential, just as if he or she were logging onto your corporate network. Symantec O3 federates the passwords and, based on access policy, creates a simple portal of icons showing the Cloud apps and services the user has access to – after that the user never needs to enter another credential – he/she has single sign-on to the Cloud, except in the cases where 3b. policy dictates the need for a second password. The user runs an app, typically on a mobile device, that generates the OTP (one-time password), and the user enters that second factor, enabling access to the app. Note that with Symantec O3 we bypass the need for the app to support two-factor authentication – the strong authentication is handled entirely by Symantec O3. That is it. The simple portal the user receives listing the apps they have access to remains open if they want, and they can click and launch without entering further credentials. The portal works on mobile devices, PCs, and any client device that supports HTTP through a browser interface of some type.
  • Endpoint Evolution

    1. Endpoint Evolution: Mobile Device Management – Protecting Sensitive Data. Kawika Takayama, Public Sector – Endpoint Management and Mobility. Mobility, Virtualization and the Emerging Workspace
    2. Consumerization is Changing the Face of IT. 1 Billion consumer-owned smartphones or tablets by 2016. 365M will own smartphone or tablet in the workplace.* Chart, 2014: 246M Corp PCs, 293M Personal PCs, 819M Smartphones, 116M Tablets, 70M Virtual Desktops. Chart, 2011: 177M Corp PCs, 300M Smartphones, 15M Tablets, 13M Virtual Desktops. Chart labels: Evolving User Focused Management (Apps/Info/Access); Traditional Device Focus; Managed; Unmanaged; Corporate-Owned; Personally-Owned; Relevant Devices Today; Future Devices; Device. *Forrester Research
    3. Mobility, Cloud and I.T. Mega-Pains. Mobile: Must support to enhance employees' productivity. Frustration: I do not have the means to control security, risk, and compliance across all of these new I.T. platforms. Cloud / Private Cloud: Must embrace to drive business agility and lower costs.
    4. Operating System Diversity Skyrocketing. First quarter PC forecast: 2009 to 2011 Windows down 2%, Mac+iPad up 250% - asymco, April, 2011. Android devices outsold the iPhone 2-to-1 in the past three months - PCWorld, September, 2011. [Chart: Corporate Desktops (Windows, Mac, Linux); values shown: 87.3%, 11%, 1.7%, 8%, 1.3%]
    5. Stimulating an Evolution in Systems Management. [Diagram: Device Centric vs. User Centric; labels: Device, Software, Cloud, User, Services, Location, Mobile, Data, Devices, Patches, Virtual Desktops, Apps]
    6. Symantec’s HoneyNet Project – March 8, 2012. The Set Up: Before the 50 smartphones were “lost,” a collection of simulated corporate and personal data was placed on them to simulate a real phone. While these apps had no actual functionality, they were able to transmit data back to us which logged what apps were activated and when – and the phone finder was presented with an error message or other plausible reason for the app not working. The phones were then dropped in high-traffic areas such as elevators, malls, and office food courts, in New York, Washington D.C., Los Angeles, the Bay Area, and Ottawa, Canada. As people found the smartphones and attempted to access apps and data, details were anonymously logged to track the “human threat” of a lost phone. What to Expect When You Lose Your Phone: • 96% of lost smartphones were accessed by their finders • 89% of devices were accessed for personal-related apps and information • 83% of devices were accessed for corporate-related apps and information • 50% of smartphone finders notified the owner and gave contact information to return the device – however almost all of these people (86 percent) attempted to access information on the devices. How safe is your smartphone’s data? http://www.msnbc.msn.com/id/46665467
    7. The Importance of Patching 3rd Party Applications. More than ⅔ of all endpoint vulnerabilities are found in 3rd party desktop applications. • 30% increase in the overall number of vulnerabilities in 2010 (6,253) • 161% increase in new vendors affected by vulnerabilities in 2010 • Chrome and Safari vulnerabilities on the rise • 346 vulnerabilities affecting browser plug-ins. Top 5 Vulnerable Applications: Apple Safari | Mozilla Firefox | Google Chrome | Microsoft Internet Explorer | Adobe Flash Player. Sources shown on slide: Internet Security Threat Report (April 2011); National Vulnerability Database.
    8. Mobile Marketplace: Of the 1 Billion consumer Smartphone and Tablets, Apple, Google, and Microsoft control 90% of the marketplace*
    9. Endpoint Management Building Blocks. Mobile: • Enterprise enablement • Greater need for data security • Central enterprise app store. (3) Unified Application Management: • More application types to manage • Faster delivery of service • Greater need to enforce compliance. (2) Cross Platform Patch Management: • Greater threats to other platforms • Third party applications. (1) Consistent Tool Sets: • Reduce errors and training costs • Fewer steps for routine tasks • Reduce IT silos
    10. Use Symantec Mobile Management to enforce policy and compliance controls. Secure: Protect enterprise data and infrastructure from attack and theft. Enable: Activate enterprise access, apps and data easily and automatically. Manage: Control inventory and configuration with massive scalability. Redefining Mobile Protection
    11. Now Selling! Odyssey Athena/Mobile Management for SCCM • Managed through the Microsoft SCCM platform • Provides a similar feature set to Symantec Mobile Management
    12. 3 Mobile Platform Enhancements. Enables “Powered by Symantec”. [Diagram labels: Multiple Consoles; Global Policy Editor; Symantec Services: Configuration Profile Service, Tenant Administration Service, Device Notification Service, Device Enrollment Service, Notification Feedback Service, Device Provisioning Service, Console Integrator, Device Inventory Service, Certificate Management; Multiple OSs] Core products: Symantec Mobile Management (existing product); Symantec Mobile Management for SCCM (new product). Add-ons: Symantec DLP for Tablets (existing product); Symantec Managed PKI (existing product). Symantec Advances Enterprise Mobility Strategy
    13. Symantec Mobile Superiority • Symantec IS Security – Secure architecture satisfies DOD requirements – More than just MDM: DLP, SEP Mobile • Scalability/Robustness – Most clients per server (40,000+) – Proven platform (can’t be built overnight) • Unified Management – Any MDM will solve today’s tactical issues (executive iPads) – As mobile becomes mainstream, a silo solution is the wrong answer • Future Proofing – MDM is commoditizing, converging with security and PCLCM solutions. Where will “pure play” vendors be a year from now? We are already there.
    14. Symantec Mobile Management: Robust mobile policy and compliance • Enterprise Enablement: Activation of devices across platforms; Software Delivery via Mobile App Store & Mobile Library; Configuration & policy management • Mobile Security: Security configuration, alerts, jailbreak protection; Corporate / personal separation / remote wipe; Identity and certificate management • Enterprise Management: Asset reporting; Single infrastructure console; Scalable architecture
    15. Actual Customers Challenges. Banking & Finance, VP of Desktop Operations: “Streaming is a stepping stone to any device anywhere”. Key Challenges: • Cost containment for over 4,000 applications • Support Brick and Mortar reduction initiative • Pressure to support personal devices. Healthcare & Pharmaceuticals, VP of Client Architecture: “Any app, any device, anytime in a secure fashion”. Key Challenges: • 75% of current workforce is mobile • Self Service permeates all IT projects. Entertainment & Gaming, VP of Desktop Operations: “Self Service across devices is key to our IT business model”. Key Challenges: • Creative atmosphere driven towards Mac • Enable end user choice in hardware & devices • Consistent software management across platforms
    16. Symantec Mobile Device Solutions Today. Mobile Device Security: Threat Protection (SEP Mobile Ed); Network Access Control (SNAC Mobile Ed). Mobile Device Management: Inventory (Symantec MMS); Configuration (Symantec MMS); Intelligent Software Management (Symantec MMS); Remote Assistance (Symantec MMS)
    17. Symantec Mobile Management 7.1: Advanced iPhone/iPad/iOS Management • Key Requirements/Features – Native iOS integration • Native agent for iPads and iPhones – Removal of dependency on MS Exchange • Easy device enrollment – User authentication – Automatic download of a device certificate – Automatic initial download of all security and management policies, including the Apple Configuration Utility settings – Identify and block jailbroken phone and other non-compliant devices (min OS, hardware type, etc.) • Collection of detailed asset inventory, e.g. device is jailbroken, what apps are installed, etc. • Confirms security and management policies have been applied to the device – Apple Configuration in Mobile Management 7.1 Console • Support for all of the native MDM features in iOS 4.0 and 5.0 • Define and deploy settings from the Mobile Management 7.1/SMP console – VPN/Wireless settings, Proxy settings, Control iTunes, Safari and other features, etc. – Automatic download and application of new policies • Enterprise app store (“library”) – Enables delivery of in-house apps and content to device – Supports links to Third party apps in Apple App Store
    18. Apple Configuration Profiles (Policies) • Passcode Profile – Require passcode – Allow simple value – Require alphanumeric value – Passcode length – Number of complex characters – Maximum passcode age – Time before auto-lock – Number of unique passcodes before reuse – Grace period for device lock – Number of failed attempts before wipe – Control Configuration Profile removal by user • Certificates and identities – Credentials – SCEP • Exchange ActiveSync • Email (IMAP/POP) • VPN (L2TP, PPTP, IPSec, Cisco, Juniper, F5, custom) • Wi-Fi (Open, WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise, etc.) • Advanced – APN, Proxy settings • Restrictions – App installation – Camera – Screen capture – Automatic sync of mail accounts while roaming – Voice dialing when locked – In-application purchasing – Require encrypted backups to iTunes – Explicit music & podcasts in iTunes – Allowed content ratings for movies, TV shows, apps – Safari security preferences – YouTube – iTunes Store – App Store – Safari • LDAP • CalDAV • CardDAV • Subscribed calendars • Web Clips
    19. Apple iOS 4 and 5 MDM Actions and Asset Info • Mgmt Console Actions – Remote wipe – Remote lock – Reset passcode – Update Policies: Updates configuration and Provisioning Profiles over the air; Performs selective wipe of specific settings/email when selected policies are removed – Send Inventory – Remove MDM and reset agent: Provides full selective wipe by removal of all profiles and content – Configuration profile targeting: Based on standard policy targeting; Admin defined list of policies • Inventory Data – Device information: Unique Device Identifier (UDID); Device name; iOS and build version; Model name and number; Serial number; Capacity and space available; IMEI; Modem firmware; Location (Lat./Long.) – Network information: ICCID; Bluetooth® and Wi-Fi MAC addresses; Current carrier network; SIM carrier network; Carrier settings version; Phone number; Data roaming setting (on/off) – Compliance and security information: Configuration Profiles installed; Certificates installed with expiry dates; List of all restrictions enforced; Hardware encryption capability; Passcode present – Applications: Applications installed (app ID, name, version, size, and app data size); Provisioning Profiles installed with expiry dates
    20. Athena MDM Agent for Android • Policies – Wipe data [1] – Lock now – Reset password – Password enabled – Set maximum failed passwords for wipe – Set maximum inactivity time to lock – Set password minimum length – Alphanumeric password required – Minimum letters required in password [2] – Minimum lowercase letters required in password [2] – Minimum non-letter characters required in password [2] – Minimum symbols required in password [2] – Minimum numerical digits required in password [2] – Minimum uppercase letters required in password [2] – Password expiration (number of days) [2] – Password history (max number of past passwords stored) [2] – Password complex characters required [2] – Data Encryption [2] – Camera Disable [3]. Notes: [1] Wipes user data on device; does not wipe memory (SD) card. [2] Android 3.x+ required. [3] Android 4.x+ required.
    21. Athena MDM Agent for BlackBerry® • Premium support for BlackBerry smartphones – Simplified enrollment with AD authentication – Extended hardware and software inventory – Zero-touch management – Live remote assistance: remote control, etc.
    22. Enterprise Mobility Roadmap: Advancing our mobility strategy. [Roadmap graphic; milestones shown: Sept 2011, March 2012, Summer/Fall 2012*; labels shown across these milestones: DLP; Comprehensive iOS Support; Public and Enterprise Apps; Single Sign-On for Cloud/Web Services (O3); Advancing MDM Support (iOS, Android, WP7/8); Symantec Mobile Management for SCCM (Odyssey Athena); IT Analytics for Mobile; iOS Document Library; Enterprise Appstore; Secure Sync & Share; Collaboration] Q1 2012: DLP for Tablets & SMM DLP enhancements (Jan); VeriSign MPKI Integration (Feb). June 2012: SMM - Advanced Android Management; Mobile Security - Android Agent. *Disclaimer - Roadmap contents and timing subject to change without notice. Symantec Confidential and Proprietary
    23. Introducing DLP for Tablets. New Technology = New Challenges. Introduced Nov 2011. Challenges: Execs pushing adoption; Access to corporate email and network; No control off-network; All the access, few of the controls. Questions: How do you say “Yes”? How do you demonstrate compliance? How do you secure IP?
    24. Why use Symantec DLP for Tablets? Comprehensive Coverage: Corporate Email, Personal Email, Social Media, Cloud Apps. Works over Wi-Fi and 3G. Most User Friendly: Enables full use and productivity of the device. Our approach does NOT • Require a restrictive “sandbox” approach, or • Break business processes by restricting what data can go to the iPad. Lowest TCO: Symantec DLP for Tablets™ is tightly integrated w/ Symantec DLP Suite: • Common, advanced technologies for detecting confidential information • Consistent application of DLP policy • Seamless, integrated reporting & analytics
    25. Symantec™ Data Loss Prevention for Tablets • Extends DLP to the newest endpoint – Bridges the BYOD gap • Prevents IP and PII data loss – Corporate and Web email – Web uploads and postings – Popular Apps • Demonstrate compliance to auditors • Educate your users • Standalone or as part of the Symantec™ Data Loss Prevention Suite
    26. Data Loss Prevention for Tablets – Sample Use Case. Similar to Data Loss Prevention for Endpoint capability. Problem: • Users send sensitive data via email. DLP Policy: • DLP inspects all outbound email. DLP Actions: • Monitor only, notify, block or remove sensitive data. Results: • User behavioral change • Automated compliance • Risk reduced
    27. Cross Platform Asset Lifecycle Management. New Applications (Purchased Software); Update Applications (Version Control); Retire Applications (Recover Licenses). [Diagram labels: Policy Management; Issues; Visibility; Control; Effort]
    28. Altiris Client Management Suite for Mac: Discovery and Inventory; Intelligent Software & Patch Management; Remote Assistance; Imaging and Deployment
    29. Application Streaming and Virtualization: Separating the things that matter. [Diagram labels: Streaming Server; Operating System; Operating System; Traditionally Installed; Streamed and Virtualized]
    30. Securely Deliver and Manage Any Service to Any User in Any Location. Support any device regardless of ownership; Manage applications regardless of type; Enable services regardless of location. [Diagram labels: Laptops Desktops & Tablets SaaS Social & Physical Thin Clients Delivery Cloud Apps Services App Store Delivery Models Virtual Apps & Desktops]
    31. Introducing Symantec O3: A New Cloud Information Protection Platform. [Diagram labels: Symantec O3™; Access Information Cloud; Control Security Compliance; Control Protection Visibility; Private Cloud]
    32. How Symantec O3 Works – User View. [Diagram labels: End-User; Any Device; Symantec O3™: Gateway, Intelligence Center, Identity and Access Broker, Context-based Policies, Information Gateway, Status Monitoring, Layered Protection, Log and Audit Services; 2F Authentication; DLP; Encryption; Cloud, SaaS and Web Applications; Public Cloud Services; Datacenter / Private Cloud]
    33. Symantec Service Offering. Accelerated Adoption Program: A free 2 day workshop that supports customer migrations from 6.x to 7.1. Distance Learning Assessment: A free service offering to Education Accounts to provide insight on how to establish a world class distance learning program. Mobile Security Assessment: 5 week evaluation to identify risk inherent in the enterprise from the use of iPhones, iPads, and Android devices. Malicious Activity Assessment: Free non-intrusive evaluation of network traffic on a customer’s entire network or a specific network segment.
    34. EMM Partner Solution Integrators. ITS Partners; Privilege Management and Lockdown; Mobile Management-as-a-Service; Device Lockdown; Network Resource Management; Intuitive Network Mgmt; Endpoint Management-as-a-Service; Cloud Services ITMS; eiPower Green Energy Power Management and Control; Service Catalog: Request Fulfillment and Service Catalog; Mobile Deployment App Package; Mobile Solutions & Support for SCCM (Now a Part of Symantec); DeployExpert and HiiS: Install, License Entitlement, App Delivery. Public Sector SE Management Team
    35. Thank you!