White Paper on Enterprise Mobility

Enterprise mobility promises to make employees more productive, empowering them to address business issues in a timely, untethered manner.

But for security-minded organizations—those using strong security methods to authenticate users trying to access confidential information and data (smart cards or Kerberos with PKI certificates)—numerous security concerns emerge when enterprise access is extended to and from smartphones and tablets.

Authentication Challenges in a Mobile World
A new option for securing intranet access from mobile devices using Kerberos/PKI

Enterprise mobility promises to make employees more productive, empowering them to address business issues in a timely, untethered manner. But for security-minded organizations—those using strong security methods to authenticate users trying to access confidential information and data (smart cards or Kerberos with PKI certificates)—numerous security concerns emerge when enterprise access is extended to and from smartphones and tablets.

The primary issue is this: how to replicate the “trust” that exists inside a corporate network and extend it to a “foreign device” (i.e., a device that is employee-owned and runs one of the many available mobile operating systems).

CONTENTS:
• Existing Solutions Fall Short
• Why Should Enterprises Care About Strong Authentication & Secure Remote Access
• Security in a BYOD World Has New Rules

Existing Solutions Fall Short

Historically, companies would have used a device-level mobile VPN to extend remote access to mobile devices. While some mobile VPNs support X.509 certificates, traditional mobile VPN solutions are problematic:

• Open Tunnel: Device-level VPN exposes the corporate network to nefarious apps, malware, and viruses that may have been downloaded by the user;
• Man-in-the-Middle: use of constrained delegation in the demilitarized zone (DMZ) creates a proverbial “Man-in-the-Middle” between the mobile device and the trusted Active Directory in the enterprise;
• No PIN Protection: PKI certificates stored in the device keychain are accessible to any device user; without a proper PIN there is no “two-factor” authentication.

Moreover, mobile devices do not natively support Kerberos, and each mobile OS has its own peculiarity about security and authentication, making the consistent deployment of security standards nearly impossible. It’s no surprise, then, that these issues give CIOs cause for concern about allowing Bring Your Own Device (BYOD) solutions inside a security-minded enterprise.

There has to be a better way...
Why Should Enterprises Care About Strong Authentication & Secure Remote Access

Bringing personal devices to work is an unstoppable trend. As workers embrace the benefits of BYOD and consumerization of the enterprise becomes a generally acceptable practice, enterprises must address security issues such as remote control of corporate data and enterprise data-leakage prevention (DLP). Security vigilance is all the more important given the fact that users can offload or transfer data from a mobile device to removable media like Micro SD cards placed in the device, a USB-connected PC or hard drive, or a remote storage solution such as iCloud, Dropbox, or SkyDrive.

Many enterprises address DLP by prohibiting attachments in email as a best practice and providing links to internal SharePoint- or Documentum-hosted documents instead of attachments. This document-access schema requires that the mobile client (e.g., a smartphone or tablet) be properly authenticated before the link in the secure email can actually access and serve the secure document to the specific validated mobile device.

Bitzer Mobile’s BMAX-SA Addresses the Problem

Bitzer’s Mobile Access Xcelerator with Strong Authentication (BMAX-SA) solution provides a secure container on your employee’s mobile device. The Bitzer Mobile secure container acts as a virtual smart card for authentication purposes. BMAX-SA enables three major differentiators that set its functionality and flexibility far beyond current mobile VPN solutions:

1. Device trust vs. gateway; device trust is more secure and easier to maintain;
2. PIN protected certificates vs. device password; PIN protection preserves the consumer user experience;
3. AppTunnel™ vs. device-level VPN, preventing rogue apps on devices from gaining direct access to your enterprise.

Figure 1: Complicated and insecure solution with mobile VPN and MDM. 1. Gateway trust, 2. Device password, 3. Device-level VPN
Figure 2: BMAX security through simplicity. 1. Device trust, 2. PIN protection, 3. AppTunnel™

© 2012 Bitzer Mobile
1. Device Trust vs. Gateway Trust

BMAX extends your network’s Kerberos authentication trust directly to the user’s device instead of stopping at a gateway server sitting in the DMZ.* Bitzer’s patent-pending technology is significantly more efficient and secure than implementing constrained delegation offered by VPN providers. This differentiation is critical: a constrained delegation solution is not only less secure but also more cumbersome to set up and maintain.

If the insecurity of a constrained delegation solution doesn’t offer reason enough to pause and consider alternatives, keep in mind that, to enable gateway trust, your enterprise must configure and maintain long lists of all the internal servers that accept this trust. In a large organization, the list could contain hundreds of continually and dynamically changing servers. Configuration and maintenance can represent an administrative nightmare of significant proportions. Bitzer’s device-trust approach eliminates the need to maintain additional lists of internal servers; administrators continue to authorize users and servers only in Active Directory, as they do today.

2. PIN Protected Certificate vs. Device Password

The continual battle between IT and end users regarding the tradeoff between usability and security is magnified when dealing with consumer devices and BYOD** programs. Corporate IT requires strong PINs to protect the certificate and corporate data on BYOD devices; conversely, users want simple PINs—or preferably no PIN at all—so they can easily access Facebook® and other consumer apps.

Requiring a device password is frustrating for users, as they are constantly using the device for non-enterprise purposes that don’t require enterprise authentication. As a matter of compromise for executive BYOD users (the people who access the organization’s most confidential IP and data), IT loosens password requirements for mobile devices, resulting in a lowest-common-denominator security solution.

Unfortunately, mobile devices are the most vulnerable devices; they are more subject to loss and theft and are susceptible to CDMA/GSM/LTE/WiMAX scanning technology. These devices should, therefore, utilize your strongest authentication solution, not your weakest. Bitzer’s solution provides the necessary balance between security and usability when dealing with BYOD programs.

Bitzer’s Solution Solves the Certificate-Security Problem

By holding the certificate inside a secure container app, Bitzer enforces PIN protection only when the user is trying to access corporate resources. The Bitzer secure container eliminates the battle between usability and security. Users can still access their consumer apps without any device password, and enterprises can enforce password policies to PIN protect only when enterprise authentication is required.

* Demilitarized Zone — DMZ
** Bring Your Own Device — BYOD
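An added illustration, not code from Bitzer or from this paper (which gives no implementation detail of BMAX-SA), of the design the section above describes: the certificate's private key exists only AES-GCM-wrapped under a PIN-derived key, so an app or device user reading the store without the PIN gets nothing usable, and a run of wrong PINs wipes the container, the local counterpart of the remote container wipe the paper mentions. The key-stretching routine, iteration count and lockout threshold are this example's own assumptions.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/ecdsa"; "crypto/elliptic"; "crypto/hmac"
	"crypto/rand"; "crypto/sha256"; "crypto/x509"; "errors"
)

// stretch derives the 32-byte wrapping key from the PIN: PBKDF2-HMAC-SHA256, first block only (enough for AES-256).
func stretch(pin, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pin)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	out := append([]byte{}, u...)
	for i := 1; i < iters; i++ {
		mac.Reset(); mac.Write(u); u = mac.Sum(nil)
		for j := range out { out[j] ^= u[j] }
	}
	return out
}

// Container holds the certificate's private key only AES-GCM-wrapped under the PIN key,
// so another app or a casual device user cannot use it without the PIN.
type Container struct {
	salt, nonce, wrapped  []byte
	failures, maxFailures int // lockout counter; assumed threshold stands in for an MCM wipe policy
}

func GenerateUserKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func NewContainer(key *ecdsa.PrivateKey, pin string, maxFailures int) (*Container, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil { return nil, err }
	salt, nonce := make([]byte, 16), make([]byte, 12) // 12 bytes is GCM's standard nonce size
	rand.Read(salt); rand.Read(nonce)
	block, _ := aes.NewCipher(stretch([]byte(pin), salt, 20000)) // iteration count is an assumption
	gcm, _ := cipher.NewGCM(block)
	return &Container{salt, nonce, gcm.Seal(nil, nonce, der, nil), 0, maxFailures}, nil
}

// Unlock releases the key only for the correct PIN; maxFailures wrong PINs wipe the container.
func (c *Container) Unlock(pin string) (*ecdsa.PrivateKey, error) {
	if c.wrapped == nil { return nil, errors.New("container wiped") }
	block, _ := aes.NewCipher(stretch([]byte(pin), c.salt, 20000))
	gcm, _ := cipher.NewGCM(block)
	der, err := gcm.Open(nil, c.nonce, c.wrapped, nil)
	if err != nil { // wrong PIN: the GCM tag check fails and nothing about the key leaks
		if c.failures++; c.failures >= c.maxFailures { c.Wipe() }
		return nil, errors.New("wrong PIN")
	}
	c.failures = 0
	return x509.ParseECPrivateKey(der)
}
func (c *Container) Wipe() { c.salt, c.nonce, c.wrapped = nil, nil, nil } // what a remote MCM wipe would do
```

Note that the container never stores the PIN or a hash of it: a wrong PIN simply fails the GCM tag check, so there is nothing for an offline attacker to compare against except the wrapped blob itself.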
Bitzer’s solution also includes a remote Mobile Container Management (MCM) component that can enforce policy and remotely lock or wipe the secure container on the employee’s mobile device instantaneously. Policies can include authentication and access to certain resources. Access can be restricted to certain locations or time windows, affording the enterprise control over intranet access by whom, with what, from when, and from where.

3. AppTunnel™ vs. Device VPN

Device-level VPNs provide a trusted, secure tunnel between a user’s device and a corporation’s network. Yet device-level VPN solutions are problematic: they are more appropriate for corporate-owned and secured endpoint devices such as laptops than for consumer mobile devices. The stark reality is that once a mobile-device VPN tunnel is open to your network, any app on that device has access to this secure tunnel. This is a huge security hole and a pathway to danger.

With the near-exponential rise in mobile application malware, spyware, viruses, and general nefarious code, can any enterprise ensure that consumer-focused BYOD users have not unintentionally or intentionally downloaded a rogue app onto their devices? Does your organization really need the additional overwhelming, if not impossible, task of monitoring and managing all the content on all your employees’ mobile devices?

Secure AppTunnel™ Talks Only to the Secure Container

With Bitzer’s secure AppTunnel™, the connection from the mobile device to the enterprise intranet exists only between the secure container and enterprise servers. The solution redefines enterprise mobility.

Security in a BYOD World Has New Rules

Your organization has invested significantly in implementing secure Kerberos/X.509 authentication, both inside your enterprise and for laptop remote access; however, the complexity of authentication challenges is exacerbated with mobility, consumer devices, and especially BYOD programs. Security-conscious IT professionals must look beyond current solutions to ones designed for the new challenges that accompany changing realities. Create a far more secure solution while simplifying deployment and preserving the user experience. Bitzer can make the difference for your organization.

BITZER MOBILE
440 N. Wolfe Road
Sunnyvale, CA 94085, USA
1-(866) 603-8392
Follow us on @bitzermobile