The share of companies managing employee devices has been cut in half, down from 40% to 21%.
If you authenticate users based on location, device and the application being requested, where does the organization need to touch the device?
• How do organizations apply common fraud controls to these new devices without angering the employees who own them?
• And what if the employer needs to locate devices, or wipe sensitive access and data off devices that are infected, lost or stolen?
Internet/Social Integration – desktop browser or mobile – an easy add-on to existing OAM
• Local username and password, or social logon (can be the user's choice)
• Step-up authentication and OTP can be applied:
 – first time with this device (device registration)
 – sensitive application
 – high risk score
 – user with a high level of access to the application
• Single sign-on between native applications, and also with mobile browser-based applications
Mobile Security – web and mobile app
• Device registration and fingerprint
• Lost and stolen device security
• GPS/WIFI based location awareness
Once secure access is set up, you can enforce mobile access policy:
• Risk analysis to determine whether to allow, flag, challenge or block
• Enforce unjailbroken status, check VPN status
• Detailed reporting on device attributes like OS version, GPS/WIFI geolocation, MAC/IP address
Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Bring Your Own Device (BYOD) Policy
Benjamin Wright, Attorney & SANS Institute Instructor, benjaminwright.us
This is education, not legal advice.
Bring Your Own Device (BYOD)
• Rules for employees using their own laptop, tablet, smartphone or webmail services for business
• Controversial topic; no perfect policy exists
• See discussions: http://goo.gl/txlCU, http://goo.gl/7bEAQ, http://goo.gl/QX6Uz, http://goo.gl/edSFF
Subpoena for Employee's Home Hard Drive
• Local government employment dispute
• Plaintiff was able to subpoena the hard drive of the manager's home computer
• Wood v. Town of Warsaw, N.C., No. 7:10-CV-00219-D, 2011 WL 6748797 (E.D.N.C. Dec. 22, 2011)
Employer Liability for Security
• Massachusetts 201 CMR 17.00: PII on mobile devices must be encrypted
• Cal SB 1386 – many breach notices because of stolen, unencrypted laptops (e.g. Guin v. Brazos Higher Education)
Employer Incentives
• Device and service monitoring
• Data wiping (selective or whole device)
• Encryption
• Confiscation if monitoring identifies the device or service as a risk or threat
Policy/Agreement Challenges
• Warning employees
• Getting employee consent
• Employee privacy
• Liability for damage to employee data, device or service
BYOD Policy – Sample Language
• http://goo.gl/19idt
• A workable policy will come from negotiations among stakeholders
• This language tilts toward the needs of the employer
BYOD Policy
"Employees are informed that when they create electronic records or work product in the course of their work for the Company, the records and work product belong to the Company."
BYOD Policy Continued
"When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to connect to Company information resources, then the Company reserves the right to take security measures relative to the device, including but not limited to inspect the device and . . ."
BYOD Continued
"Employees are informed, and employees agree, as follows: If the Company takes control or possession of a Device or Service, or takes security measures relative to it, then: (a) the Company might not return the Device or Service; (b) the employee is entitled to no compensation for loss of use, control or possession of the Device or Service; (c) the Device or Service could be damaged, the employee could lose data and the employee's data could be disclosed to others. The Company will not be liable or responsible for such damage, loss or disclosure."
BYOD Policy Continued
"As a matter of honor and reputation -- but not as a matter of legal liability or obligation -- the Company aspires to be forthcoming with employees as a whole about the practical impact of this Policy on employees over time."
Blogs: benjaminwright.us
This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises your organization.
Any person may reuse this material freely.
Enforcing your BYOD Mobile Access Policies with Oracle Access Management
Lee Howarth, Senior Principal Product Manager, Oracle
Mobile Access Roadmap
• Establish Mobile Access Policies
 – Monitor and enforce usage
• Extend Enterprise Access to Mobile Devices
 – Integrates native mobile apps and mobile web with corporate systems and information
 – Access management, authorizations, API security and fraud detection
 – Device-context-based fine-grained authorization
• Enable Mobile Device Security Elements
 – Support for native security
 – Device security – jailbreak detection at login
 – Device lifecycle – whitelist/blacklist/lost device management
 – Device fingerprinting
Extend Enterprise Access: Mobile Requirements
• Mobile Security Platform
 – Authentication and SSO
 – Strong authentication, device fingerprinting and risk-based access
 – Mobile SDK
• Internet/Social Integration
• REST/Cloud interfaces
Mobile Authentication: flexible options for devices, applications and users
Mobile Single Sign-on: many applications, one sign-on, global logout
Mobile Security Architecture (diagram; the four columns are listed here)
• Mobile Device: Oracle Native App, Mobile SDK, Web App
• Mobile Interfaces: OAM Service, OAAM Service, OPSS Service, User Profile Services, REST Service API
• IDM Infrastructure: Access Management, Platform Security Services (OPSS), Directory Services, Security applications
• Features: Device Fingerprinting & Tracking, Authorization, Device Registration API, Lost & Stolen Devices, GPS/WIFI Location Awareness, Risk-based KBA & OTP Authentication, Transactional risk analysis API, White & Black Lists, User Self Registration/Self Service, User Profile Services, White Pages
Context Aware Access Management (diagram)
Scenario: an Account Detail Request ("Get Account Information" for John Doe, Irvine, CA 92602) arrives with valid credentials from outside the network, but the same user is already logged in from inside the network. Which session is really who we think it is?
Behavioral patterns checked:
• Has he accessed between 00:00 and 03:00 in the last two months?
• Has he used this device more than 20% of the time in the last three months?
• Does the subject live in the same geography as the requestor?
• Does he usually perform account lookups?
Oracle Mobile Access Management Summary (diagram labels: REST-ful Interfaces, Device Registration, Device Context, Location, Single Sign-on, Data Management)
• Bridges the gap between mobile devices and enterprise IDM systems
• Provides context-driven, risk-aware access management
• Simplifies developer access to IDM
• Supports BYOD
• Provides visibility and control
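The context-aware decision sketched above, as an added Python example (not Oracle's code and not how OAAM actually scores): it turns the slides' questions (registered device, device share of recent logins, geography, unusual hours, usual operations, an outside request while an inside session is active, jailbreak status) into an allow / flag / challenge / block outcome; the weights, thresholds, class names and the John Doe sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass
class History:                      # what the IDM already knows about the user
    home_region: str
    known_devices: set              # registered device fingerprints
    device_share: dict              # device -> share of logins, last 3 months
    night_logins: int               # logins between 00:00 and 03:00, last 2 months
    usual_ops: set                  # operations the user normally performs
    active_internal_session: bool   # already logged in from inside the network

@dataclass
class Request:                      # context of the incoming mobile request
    device: str
    region: str
    hour: int
    op: str
    sensitive_app: bool
    jailbroken: bool
    from_outside: bool

def risk_score(req, hist):
    """Sum the behavioural signals that fire (weights are assumed); return (score, reasons)."""
    signals = [
        (req.device not in hist.known_devices, 30, "unregistered device"),
        (req.device in hist.known_devices
         and hist.device_share.get(req.device, 0.0) < 0.20, 10, "rarely used device"),
        (req.region != hist.home_region, 20, "geography mismatch"),
        (0 <= req.hour < 3 and hist.night_logins == 0, 15, "unusual hour"),
        (req.op not in hist.usual_ops, 10, "unusual operation"),
        (req.from_outside and hist.active_internal_session, 40, "inside session already active"),
    ]
    hits = [(w, why) for cond, w, why in signals if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(req, hist, flag_at=20, challenge_at=40, block_at=70):
    """Return (allow | flag | challenge | block, reasons); thresholds are assumptions."""
    if req.jailbroken:                       # policy: enforce unjailbroken status
        return "block", ["jailbroken device"]
    score, reasons = risk_score(req, hist)
    if score >= block_at:
        return "block", reasons
    # Step-up (OTP / KBA) on first use of a device, a sensitive app or a high score.
    if req.device not in hist.known_devices or req.sensitive_app or score >= challenge_at:
        return "challenge", reasons
    return ("flag" if score >= flag_at else "allow"), reasons

# Constructed sample user: John Doe in Irvine, CA with two registered devices.
JOHN = History("Irvine, CA", {"iphone-a1", "ipad-b2"}, {"iphone-a1": 0.85, "ipad-b2": 0.15},
               night_logins=0, usual_ops={"view_statement"}, active_internal_session=True)
```

The "challenge" outcome is where the slides' step-up OTP/KBA would be invoked; the reasons list is what a detailed report would carry alongside the device attributes.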
Q&A
If we don't answer your question during the webcast, we will post a follow-up on: http://blogs.oracle.com/oracleidm