Securing Mobile Apps: New Approaches for the BYOD World

In this webinar we discussed the future of mobile application security in the enterprise.

Smart phones, tablets and even e-readers are now seen as security problems for an enterprise by some IT organizations. Applying MDM — aka mobile device management — has been the response of IT to handle devices, but this approach is lacking, especially as BYOD (bring your own device) has become the primary source of devices in companies. And, as “apps” have proliferated, the apps and data are becoming the engine of user empowerment and ROI — and risk.

Users are not accepting the restrictions MDM places on their use of the phone, especially when the user actually owns the device. And if the user leaves, IT may wipe the device, personal data and all. Mobile Application Management (MAM) promises a solution that keeps enterprise apps and data separate and secure. Other approaches are coming in the future as well. Virtualization promises that one phone can run two VMs, one personal and one business. There are containers and sandboxed apps. Ultimately, different approaches to application development and management could solve the puzzle of protecting confidential data while keeping individuals productive. What approach will win out?

  1. Securing Mobile Apps: New Approaches for the BYOD World. Presented by Cimarron Buser, Apperian, Inc.
     The information and images contained in this document are of a proprietary and confidential nature. The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than client evaluation without the written permission of Apperian, Inc. is strictly prohibited. © Apperian, Inc. 2012. All Rights Reserved.
  2. Today’s Webinar. Twitter: #AppSecurity. Direct messages: “Chat Box” in the webinar session. Q&A at the end of the presentation.
  3. About Apperian: top tier investors, award winning product (2012 Product Finalist, Company to Watch), experienced team, strong customer base. Copyright © 2012, Apperian, Inc.
  4. Agenda: Mobile Device & App Security
     • Challenges for Mobile Apps and Security
     • Security in Context: Mobile Enterprise Strategy
     • Many Options: MDM, MEAP, MAM, MSSS …
     • Specific Approaches: Virtualization, Sandboxes, Wrappers, and SDKs
     • Moving Forward: Balancing and Managing Mobile Risk
  5. Challenges for Mobile Security (three perspectives)
     • Users: “I want quick and easy access to business apps and data!” BYOD; single personal/work device; increased mobility.
     • IT: “How do I securely deploy and manage devices and apps?” Consumerization of IT; need a solution now; security is still #1; have to mobilize the workforce.
     • Dev: “How do I make an enterprise-grade app?” Need app examples; lack of IT Apple or Android experience; smartphone SDKs not built for the enterprise.
  6. Challenge: Where do users get the apps?
     • iTunes App Store or Google Market: consumer app focus; apps and updates are “optional”; based on a personal iTunes or Gmail account.
     • Private “App Catalog” approach: enterprise “in-house” app focus; apps and updates are “mandatory”; authenticated against the corporate directory.
  7. Security in Context: Mobile Enterprise Strategy (diagram). Source: The Enterprise Mobility Foundation.
  8. Security in Context: How Big is the Threat?
     • Mobile is an “attack surface” that can be exploited: unmanaged devices, networks, OSs, apps, data flows and storage.
     • Mobile risk exists and past “events” sound scary: since 2001, $25B+ in losses (PC/Windows based).
     • Mobile anti-virus and anti-malware are emerging, but so far there have been no “major” similar events in mobile.
     • However, SMS fraud is still a problem. Example message shown on the slide: “Congratulations!!! You won R1,000,000.00 in the on-going Chevron UK bonanza. Claim code: CHVUKB/SA/10. Call Elizabeth on 0835161978 from 9am to 4pm for claim.”
  9. Enterprise Mobile Apps: R U Ready?
  10. Many Options: But it’s Alphabet Soup! Mobile device & app security options.
     • The acronyms: MDM (Mobile Device Management), MEAP (Mobile Enterprise Application Platform), MAM (Mobile Application Management), MSSS (Mobile Security Software Suite).
     • The approaches: virtualization, wrappers, SDKs, sandboxes …
  11. Many Security Touch Points (diagram). Cross-cutting: visibility, policy, monitoring, GRC. By layer:
     • User: auth-n/z, education, policies
     • App: SDK, wrapper, middleware, partition/VM/container
     • Device: agent, AV, firewall, blacklist, VPN, location, encryption
     • OS: sandbox, profiles, APIs
     • Network: carrier, Wi-Fi, Bluetooth
  12. Anatomy of an iOS Device Security Posture (layered diagram):
     • Remediation: remotely wipe devices, track lost or stolen devices, ensure deletion of data.
     • Auth-n/z: manage access and authorize users based on enterprise credentials.
     • App Container: secure container with app content based on user role; an SDK extends it to apps.
     • MDM: manage settings, ensure compliance policies, remotely wipe and delete.
     • Device Profiles: control security settings for VPN, Wi-Fi, email and authentication (same capabilities available to all).
     • Device Encryption: apps and data at rest and in use protected via hardware encryption.
     • App Sandbox: limited access to files, preferences, network, hardware and other apps.
  13. MDM - Mobile Device Management. MDM focuses on device-based security, provisioning and control of mobile devices. Additional features may provide TEMS, device inventory, and app lists (part of MAM).
     • MDM is useful for organizations requiring a high level of control over Corporate Liable devices due to regulatory requirements, or where the risk of users accessing “non approved” information is high.
     • Microsoft Exchange Server provides security with device management features via ActiveSync, including a security profile (e.g., the user must have a PIN code of a specific type and length), and device “wipe” and “lock”.
     • Apple iOS supports a protocol called “MDM” that allows iOS devices to register with a central server and thereafter receive specific commands to perform tasks, e.g., “device wipe”, install security profiles, or send back device status without user intervention.
  14. MDM – Device Management Examples (screenshots): Microsoft Exchange 2007 Server device management feature; Google Apps Device Management console.
  15. MEAP - Mobile Enterprise Application Platform. MEAPs provide “tools and client/server middleware for mobile (targeting any sort of mobile application) and multichannel (highly device/OS- and network-adaptive) thick (offline) enterprise application development”*.
     • MEAPs are used by some organizations that require an integrated development environment.
     • MEAPs are attractive to companies that want to deploy an enterprise-wide solution across many different device types, using central logic for large, complex apps.
     • MEAP sandboxes enable multiple applications within a single “native app” sandbox, thereby providing control over the application from a single dashboard.
     * Source: Gartner Group
  16. MEAP - Example (screenshot). Source: Antenna Software: AMP Platform.
  17. MAM - Mobile Application Management. MAM focuses on the role-based security, provisioning and control of mobile apps in an organization, with capabilities that may include device inventory, reporting/tracking, and user compliance.
     • MAMs are useful for organizations providing “in-house” apps to users on either CL or IL devices. For example, if a user leaves an organization or group, apps and data belonging to the organization can be de-provisioned without resorting to a full “device wipe”.
     • MAM solutions are typically used in mixed (CL/IL) environments or where BYOD policies are implemented.
     • Apple and Android support over-the-air delivery of apps, which enables apps and profiles to be delivered from a server.
  18. MAM - Example (screenshot). Source: Apperian, Inc. – EASE App Catalog.
  19. MSSS - Mobile Security Software Suite. MSSS focuses on providing a complete “suite” of solutions that may include antivirus, personal firewall, VPN, encryption, anti-spam, and remote monitoring and control services.
     • MSSS solutions extend traditional “enterprise” protections for the PC environment to mobility. Services can include remote back up and restore, lost and stolen device location, as well as data wipe.
     • MSSS can also send an alert when “security” events occur, e.g., when a SIM card has been removed or replaced.
     • MSSS capabilities are beginning to overlap with or be subsumed by MDM or built-in OS solutions (e.g. iCloud), and certain features, such as anti-virus, are not necessarily viewed as critical … yet.
  20. Approaches to Data/App Security
     • Virtualization allows a device to have a different “partition” or “persona” that provides two or more virtual device modes; apps built for these modes may require an SDK or wrapper.
     • SDKs provide direct support to native app developers for authentication, authorization, reporting/tracking and other services to provide for app and data security enforcement.
     • Wrappers offer the promise of “wrapping” an existing mobile app without the need to re-compile or change code; the resulting app can then be managed centrally.
     • Sandboxes allow a single app or multiple apps to live within a “sandbox” and be logically separated from other apps but managed centrally …
     Application developers may use one or more of these approaches to address security issues, or use “do it yourself” methods. * Source: ISO
  21. Mobile Security Solutions (vendor map, plotted between “Device Management” and “App and Data Management”, with the “Holy Grail Solution” covering both):
     • MDM: MobileIron, AirWatch, BoxTone
     • Virtualization (OS): VMware Horizon, AT&T Toggle
     • MAM: Apperian, AppCentral, Partnerpedia
     • Device management: MS Exchange, Google DM, Apple Profile Manager
     • MEAP, MPSS (sandboxes) and wrappers: Antenna, Sybase, Symantec, McAfee, RSA, Pyxis, GOOD, Mocana, Arxan
  22. Moving Forward: Balancing Risk and Objectives. Potential impact of a failure of each security objective, by risk level (adapted from “Standards for Security Categorization of Federal Information and Information Systems”, FIPS PUB 199):
     • Confidentiality (preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information). Risk: unauthorized disclosure of information. Low: limited adverse effect; Medium: serious adverse effect; High: severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
     • Integrity (guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity). Risk: unauthorized modification or destruction of information. Low: limited adverse effect; Medium: serious adverse effect; High: severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
     • Availability (ensuring timely and reliable access to and use of information). Risk: disruption of access to or use of information or an information system. Low: limited adverse effect; Medium: serious adverse effect; High: severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  23. Moving Forward: Making a Plan
     • Make security part of the overall strategy
     • Focus on “high impact” areas
     • Establish basic policies: user agreement; “best practices” including encryption for data in transit and data at rest; basic security policy for PINs, registration (“Find Me”) and enabling wipe for company and user
     • Have a plan in place for a data breach: event reporting protocol; specific steps and actions
     • Measure and monitor
  24. Q&A. www.apperian.com. Additional questions? Contact Cimarron Buser, cbuser@apperian.com.
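Slide 13 describes the iOS MDM protocol only in outline: the device registers, then receives commands and reports status back. The following is an added example (not Apperian's code and not Apple's reference implementation) of the server/device exchange that outline implies: the server queues plist commands such as DeviceInformation and DeviceLock and keeps each one queued until the device acknowledges or fails it, re-sending it when the device answers NotNow. The RequestType and Status strings are the protocol's own; the CommandQueue class, the device_reply simulator and the constructed UDID are assumptions made for this example.

```python
import plistlib
import uuid

# Server side: build one command in the plist shape an MDM server hands to an
# enrolled device at check-in. RequestType values and the Queries/Message keys
# are the standard Apple MDM ones; everything else here is illustrative.
def build_command(request_type, **payload):
    command = {"RequestType": request_type, **payload}
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": command})

# Device side (simulated, for the exchange below): answer the command just
# received with one of the protocol's Status values.
def device_reply(command_plist, status, udid="CONSTRUCTED-UDID-0001", **extra):
    cmd = plistlib.loads(command_plist)
    reply = {"UDID": udid, "CommandUUID": cmd["CommandUUID"], "Status": status}
    reply.update(extra)
    return plistlib.dumps(reply)

class CommandQueue:
    """Outbound queue for one device, with the retry semantics the protocol
    needs: a command stays queued until the device acknowledges or fails it."""

    def __init__(self):
        self.pending = []   # plist bytes, oldest first; head is in flight
        self.results = {}   # CommandUUID -> final device response dict

    def enqueue(self, command_plist):
        self.pending.append(command_plist)

    def next_for_device(self):
        """What to send on the next check-in (None means nothing queued)."""
        return self.pending[0] if self.pending else None

    def handle_response(self, response_plist):
        """Consume a device reply and return its Status string."""
        resp = plistlib.loads(response_plist)
        status = resp["Status"]
        if status == "Idle":            # plain check-in, nothing to reconcile
            return status
        head = plistlib.loads(self.pending[0]) if self.pending else None
        if head is None or head["CommandUUID"] != resp.get("CommandUUID"):
            raise ValueError("reply does not match the command in flight")
        if status == "NotNow":          # device busy/locked: keep it queued,
            return status               # it is re-sent on the next check-in
        self.pending.pop(0)             # Acknowledged, Error, CommandFormatError
        self.results[resp["CommandUUID"]] = resp
        return status
```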
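Slides 22 and 23 give the FIPS 199 impact levels and then advise focusing on “high impact” areas. The added example below (mine, not from the deck) goes one step beyond the slide: it applies the FIPS 199 high-water mark to combine the information types an app handles into one security category per objective, then ranks a constructed app portfolio so the high-impact apps come first. The sample information types and app names are constructed; MEDIUM is the deck's label for what FIPS 199 calls MODERATE.

```python
from enum import IntEnum

class Impact(IntEnum):
    """Potential impact if the objective fails, ordered so max() gives the
    'high-water mark' FIPS 199 applies when information types are combined."""
    LOW = 1      # limited adverse effect
    MEDIUM = 2   # serious adverse effect (FIPS 199 calls this level MODERATE)
    HIGH = 3     # severe or catastrophic adverse effect

OBJECTIVES = ("confidentiality", "integrity", "availability")

def security_category(*info_types):
    """Combine every information type an app handles: each objective takes the
    highest impact any of the types assigns to it (FIPS 199 section 3)."""
    category = {obj: Impact.LOW for obj in OBJECTIVES}
    for info in info_types:
        for obj in OBJECTIVES:
            category[obj] = max(category[obj], info[obj])
    return category

def overall_impact(category):
    """Single level for ranking an app: the highest of its three objectives."""
    return max(category.values())

def prioritize(apps):
    """Rank an app portfolio so the plan's 'high impact' areas come first.
    apps: {name: [info_type, ...]} -> [(name, overall, category), ...]."""
    ranked = []
    for name, types in apps.items():
        cat = security_category(*types)
        ranked.append((name, overall_impact(cat), cat))
    ranked.sort(key=lambda row: row[1], reverse=True)   # stable: ties keep order
    return ranked

# Constructed sample information types (hypothetical ratings, not from the deck).
SALES_CONTACTS = {"confidentiality": Impact.MEDIUM, "integrity": Impact.MEDIUM,
                  "availability": Impact.LOW}
PAYROLL = {"confidentiality": Impact.HIGH, "integrity": Impact.HIGH,
           "availability": Impact.MEDIUM}
CAFETERIA_MENU = {"confidentiality": Impact.LOW, "integrity": Impact.LOW,
                  "availability": Impact.LOW}

SAMPLE_APPS = {
    "lunch-menu": [CAFETERIA_MENU],
    "crm-mobile": [SALES_CONTACTS],
    "expense-report": [SALES_CONTACTS, PAYROLL],   # mixes two data types
}
```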