Securing the Mobile Enterprise with IBM Security Solutions
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Securing the Mobile Enterprise with IBM Security Solutions

on

  • 1,295 views

Gain visibility and control with proven security for mobile initiatives in the enterprise ...

Gain visibility and control with proven security for mobile initiatives in the enterprise

Highlights:
- Address the full spectrum of mobile risks with enterprise-class security
- Secure the device, protect access to enterprise resources and enable safe mobile applications
- Empower mobile employees, partners and customers with responsiveness and productivity
- Deliver confidence that the mobile environment is secure and data is safe with visibility and an adaptive approach to mobile security

Technology adoption traditionally has begun in the enterprise and then diffused into the consumer segment. But with mobile technologies, the pattern has been reversed. Enterprises of all types and sizes have adopted mobile computing for its potential not only to provide the communications that consumers enjoy, but also to improve productivity, responsiveness and innovation. By 2015, some 40 percent of enterprise devices are expected to be mobile.

Statistics

Views

Total Views
1,295
Views on SlideShare
1,096
Embed Views
199

Actions

Likes
0
Downloads
20
Comments
0

2 Embeds 199

http://securityintelligence.com 128
https://twitter.com 71

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Securing the Mobile Enterprise with IBM Security Solutions Document Transcript

  • 1. IBM Software Solution BriefSecuring the mobileenterprise withIBM Security solutionsGain visibility and control with proven securityfor mobile initiatives in the enterpriseHighlights●● ● ●Address the full spectrum of mobilerisks with enterprise-class security●● ● ●Secure the device, protect access toenterprise resources and enable safemobile applications●● ● ●Empower mobile employees, partnersand customers with responsivenessand productivity●● ● ●Deliver confidence that the mobileenvironment is secure and data is safewith visibility and an adaptive approachto mobile securityTechnology adoption traditionally has begun in the enterprise andthen diffused into the consumer segment. But with mobile technologies,the pattern has been reversed. Enterprises of all types and sizes haveadopted mobile computing for its potential not only to provide thecommunications that consumers enjoy, but also to improve productivity,responsiveness and innovation. By 2015, some 40 percent of enterprisedevices are expected to be mobile.1Mobile adoption, however, is not without its pitfalls, and a major concernfor organizations today is how to manage and mitigate the risks associatedwith mobile interactions. Providing security for mobile devices, it turnsout, is significantly different from providing security elsewhere in theenterprise. That’s because mobile devices themselves are different—theyare shared more often, used in more locations, fulfill more roles and aremore technically diverse. Half of mobile applications transmit personaldetails or device information.2 Threats from rogue applications and socialengineering, as a result, are expected to double by 2013.2To meet this challenge, IBM has developed a portfolio of mobile securitysolutions spanning IT domains—people, data, applications and infrastruc-ture. IBM capabilities emphasize an adaptive approach to security thatcan drive down costs, is secure and is just as dynamic as today’s businessclimate. For organizations designing mobile services, deploying data andworkloads to mobile devices, or consuming information
  • 2. 2Solution BriefIBM Softwarefrom mobile-based services, IBM solutions can meet criticalrequirements for managing operational risk and adhering tosecurity priorities.As mobile adoption grows, so do threatsto mobile securityThe projections tell a compelling tale: one billion enterprisesmartphones and 1.2 billion mobile workers expected by2014—with large enterprises tripling their smartphone userbase by 2015.2 The adoption of consumer-owned rather thanenterprise-dedicated devices in 85 percent of large companiesby 2014.2 Half of organizations planning to deploy their ownmobile applications within 12 months.2 But with rapid adoptioncome mounting threats. The need to maintain business agilityand to support changing employee behaviors not only will feedcontinued growth in the use of mobile devices, it will requireorganizations to find ways to mitigate the operational risksassociated with mobility.Growth in enterprise devices by type¹Mobile devicesPCsWhile enterprises have learned security lessons from the PCand Internet era, mobility brings both new challenges and theevolution of previous ones. At the top of the threat list are lostand stolen devices, but rogue applications, social engineering,malware, identity theft, stolen data, malicious websites anddenial of service are becoming more sophisticated and areconstantly on the increase.At the same time, the diversity of platforms and applications,general lack of enterprise visibility and control, and increasedcomplexity in demonstrating regulatory compliance make itmore difficult for IT to support mobile initiatives. Most mobileplatforms are not natively designed to provide comprehensivesecurity, and with the explosive growth in numbers of mobiledevices, hackers have a strong incentive to develop new tech-niques or create attacks aimed specifically at these devices.20181614121086420Mobile operating system exploits³2006 - 20112006 2007 2008 2009 2010 2011
  • 3. 3Solution BriefIBM SoftwareOrganizations must therefore put into place tools and processesthat enable them to meet threats designed to exploit mobility-related vulnerabilities, including:●● ●Credentials that enable access to business or personalaccounts●● ●Sensitive data such as confidential business or personalinformation●● ●Device communication services●● ●The mobile device itself, which can be a jumping-off pointto accessing other corporate resourcesFollow the flow of dataUnprotected endpoint devices are like open doors into sensitiveinformation. Organizations need to guard the data on thosedevices—whether the data is at rest or in motion over unse-cured networks and infrastructure. Data protection must bethe primary objective when developing an enterprise mobilestrategy. Effective security for mobile environments shouldtherefore be designed to follow the flow of data and to defendthat data from unauthorized access. The design of an adaptivesecurity posture should include policy management and securityintelligence to guide the overall initiative as well as capabilitiesfor protecting data throughout the mobile lifecycle.Deliver an adaptive security postureSmartphones andtabletsPublic WiFiInternetMobile applicationsWebsitesSecurity gateway Corporate networkTelecom providerData flowAttain visibility into enterprise security events to stay ahead of the threatEfficiently acquire,deploy, secure,manage andde-provision devicesSecure the mobiledevice from malwareand data theftProtect access toenterprise resources,including applicationsand dataDeliver safe mobileapplications with testingand management
  • 4. 4Solution BriefIBM SoftwareWith diverse devices in use throughout the enterprise—especially when the organization has adopted a “bring yourown device” (BYOD) policy—it is first necessary to put intoplace comprehensive, cross-platform capabilities for managingand securing devices and applications. Secure access to enter-prise assets should include secure connectivity with capabilitiesfor managing identities, access and authorization. Conductvulnerability testing of mobile applications to support theorganization’s trust relationships with customers, employeesand business partners. Visibility into the full data flow isimportant for keeping the mobile security program aheadof constantly growing threats.In the world of mobility, more so than in traditional IT envi-ronments, it is important that the security model adapt to theuser rather than requiring the user to comply with mandates.Another reason for security to adapt to the user is that attackstend to be more targeted at individuals, departments or organi-zations rather than being general, mass attacks. It is importantto remember that user behavior is different when the issues aremobile devices and mobile access—more emphasis is placed onavoiding disruption of the user experience. The security modelthat adapts to a user’s mobile context—for example, location,type of content accessed, time of day or risk profile—andthat has minimal impact on user experience will help ensurecompliance with security policies and ultimately assist insecuring enterprise data.The IBM portfolio ensures business-drivenmobile securityIBM takes a holistic approach to mobile security requirements,using the well-established IBM Security Framework as a refer-ence. IBM Mobile Security solutions help customers addresschallenges in mobile device management, access management,application security and security intelligence. Each not onlydelivers mobility-focused capabilities, but is designed to extendand complement existing IT security infrastructures, policiesand procedures. Designed to help organizations transition frombeing reactive to taking the initiative in a constantly changingmobile security landscape, IBM solutions emphasize anintegrated, end-to-end security model with visibility acrossthe enterprise, as well as facilitate proactive responses.IBM Security FrameworkGovernance, Risk and ComplianceSecurity Intelligenceand AnalyticsProfessionalServicesCloudandManagedServicesPeopleDataApplicationsInfrastructureAdvanced Securityand Threat ResearchSoftware and Appliances
  • 5. 5Solution BriefIBM SoftwarePeople: Simplifying identity and access managementAs mobile becomes the preferred screen for many users,preventing unauthorized access by mobile users becomes atop requirement for all organizations. But controlling mobileaccess, while sharing many of the same objectives with control-ling traditional access infrastructures, presents very specificchallenges.IBM Security Access Manager for Mobile protects accessto enterprise resources by authenticating and authorizingmobile users and their devices. This single infrastructure can beemployed for all types of users, while also addressing some ofthe unique requirements of mobile access control. IBM SecurityAccess Manager for Mobile provides solid session managementcapabilities to prevent man-in-the-middle attacks and affordsthe flexibility to employ multiple authentication and authoriza-tion schemes to validate both the user and the device. It alsointegrates with IBM Worklight to deliver seamless user andapplication security.Ongoing development in IBM Security Access Managerfor Mobile will deliver context-aware authentication andauthorization. Organizations will be able to leverage thecontextual information a mobile device provides to computea risk profile and employ appropriate controls.Data: Securing sensitive informationSafeguarding sensitive data and reducing the risk ofunauthorized access is core to any mobile security initiative.IBM Endpoint Manager for Mobile delivers data securityon the mobile device. It enforces the compliance of deviceconfigurations with enterprise security policies and employsplatform facilities to enforce data encryption. This solutionprovides remote device lock and both full and selective data-wipe capabilities while providing the infrastructure to deliveranti-malware solutions. It can also require that virtual privatenetworks be used to protect sensitive data communications.IBM Worklight offers developers application-level data securityby providing facilities with the tools needed to encrypt theirapplications’ data.In addition, subscription-based IBM Hosted Mobile DeviceSecurity Management is a turnkey software-as-a service (SaaS)solution that provides assurance of data security and policycompliance with anti-malware, anti-theft, lock and wipefeatures—all delivered from the cloud.Applications: Fortifying mobile-deployed webapplicationsPoor coding practices and human error, combined withthe relative ease with which hackers find and exploit thesevulnerabilities, can make application security the Achilles’heel of enterprise security initiatives. With the projecteddramatic increase of enterprise mobile applications, securitymust keep pace.The security features of IBM Worklight enable organizations toefficiently develop, deliver and run safe HTML5, hybrid andnative mobile applications with direct updates and applicationvalidation. IBM Security AppScan® detects vulnerabilities inmobile web applications, in the web elements of hybrid mobileapplications and in Android applications through static analysisduring development. The IBM WebSphere® DataPower®message protection and XML firewall capabilities guaranteethe integrity of message content and protect applicationprogramming interface calls.Infrastructure: Protecting mobile endpoints andconnectionsMobile endpoints go everywhere, making them moresusceptible than traditional, stationary devices to attack, loss,infection or compromise. Mobile device management, as aresult, should range from the acquisition and registrationof devices to providing secure communications via virtualprivate networks, to password and configuration compliance.
  • 6. 6Solution BriefIBM SoftwareIBM Lotus® Mobile Connect enables secure connectivityfrom mobile devices to backend systems, while IBM EndpointManager for Mobile Devices gathers and delivers detaileddevice information to assess compliance. IBM EndpointManager can also be used to identify compromised mobiledevices—including “jailbroken” or “rooted” ones—and restricttheir connections to the enterprise network.Security intelligence: Visibility into activity and threatsWith attacks on devices, applications and access growing morenumerous and more sophisticated daily, it is more importantthan ever for organizations to have visibility into events andthe environment. Comprehensive visibility can identify vulnera-bilities before they can be exploited or attacks before they cantake effect.IBM QRadar offers a unified collection, aggregation andanalysis architecture facilitating the consumption of securitylogs from IBM Worklight; security events from IBM EndpointManager for Mobile Devices and IBM Access Managerfor Mobile; vulnerability data from IBM Security AppScanfor Mobile; as well as configuration files and network flowtelemetry. IBM QRadar also includes forensic capabilitiesto support security investigations and audits.Mobile enterprise security roadmapNo matter how capable a mobile security solution is, its value isgreatly diminished if it cannot be efficiently deployed or easilymanaged. The organization needs to carefully assess the overallrisks to the enterprise and the effort required for initial roll-outand ongoing management of a solution. To help build an effec-tive mobile enterprise strategy and roadmap, IBM can deliver arange of comprehensive professional security services, eitherdirectly or through local business partners.Building on technology leadership and worldwide engagementswith organizations across industries and of all sizes, IBM takes arisk-based approach to securing the mobile enterprise with thefollowing steps:●● ●Securing the mobile device:– Capture detailed device information and identify non-compliant devices; detect “jailbroken” or “rooted” devices– Enforce security best practices and take corrective actionincluding updates, denying or removing access, virtual pri-vate network configuration and delivery of anti-malwaresolutions– Remotely locate, lock and perform selective wipes whendevices are lost, stolen or decommissioned– Leverage a single infrastructure to deliver controls for abroad set of enterprise endpoints including smartphones,tablets, desktops, laptops and servers●● ●Protecting access to enterprise resources:– Deploy context-aware authentication and authorizationof mobile users and their devices– Support mobile-friendly open standards such as OAuth– Implement strong session management and protection– Extend the infrastructure employed for protecting accessfrom any endpoint with the ability to address requirementsunique to mobile computing●● ●Delivering safe mobile applications:– Support developers with security features including dataencryption, direct updates and application validation– Perform vulnerability assessments during development,testing and runtime to mitigate the risk of deploying unsafeapplications– Employ a secure channel through which to deliver mobileapplications to enterprise mobile users– Offer a secure runtime environment for mobileapplications that enables centralized managementwith application locking●● ●Attaining visibility and delivering an adaptive securityposture:– Generate reports on compliance– Assess consistency of security policy enforcement– Be proactive in responding to emerging threats andadapt to changing user behaviors
  • 7. 7Solution BriefIBM SoftwareIBM case study: European bank delivers secure mobileInternet bankingWith dual goals of extending secure access to banking applicationsto mobile customers and enhancing the ability of employeesto perform secure transactions via mobile devices, the bank istargeting popular Google Android and Apple iOS platforms, withfuture support for Microsoft Windows Mobile-based devices. UsingIBM Security Access Manager for Mobile to authenticate requestsand the IBM Worklight platform to support backend services, thebank safeguards its trust relationship with customers with dataencryption and timely application updates.Why IBM?With IBM solutions, organizations can support mobileemployees, enable mobile collaboration with partners andnurture customer relationships. They can realize new revenuechannels as they reduce risk. They can ensure effective securityfor their mobile environments with capabilities for mobiledevice management, mobile identity and access management,network and data protection, and mobile application security.The industry-leading IBM X-FORCE® research anddevelopment team provides the expertise for a solid, preemptivesecurity approach. The team provides reports documentingall aspects of threats that affect Internet security, as well asmaintaining a comprehensive threats and vulnerabilitiesdatabase that powers the preemptive protection deliveredby IBM products. In addition, the team distributes alerts andadvisories that provide information about how IBM productsand services can protect against the latest threats.Security intelligence,analytics andgovernance, riskand compliance At the deviceManage device and dataPeopleDataApplicationsIBMSecurityFrameworkdomainsInfrastructureMalware protectionApplication securitySecure accessOver the network and enterpriseMonitor and protectSecure connectivitySecure applicationsFor the mobile applicationIntegrate securelyManage applicationsMobile security strategy and lifecycle managementIBM Endpoint Manager for MobileIBM Mobile Device Security(hosted)IBM WorklightIBM Security Access Managerfor MobileIBM WebSphere DataPowerIBM QRadarIBM Lotus Mobile ConnectInternetCorporate intranetIBM Security AppScanIBM WebSphere DataPowerIBM WorklightMeet mobility needs with IBM solutions
  • 8. Please Recycle For more informationTo learn more about IBM Mobile Security solutions, pleasecontact your IBM representative or IBM Business Partner,or visit: ibm.com/mobile-securityAdditionally, IBM Global Financing can help you acquirethe software capabilities that your business needs in the mostcost-effective and strategic way possible. We’ll partner withcredit-qualified clients to customize a financing solution to suityour business and development goals, enable effective cashmanagement, and improve your total cost of ownership. Fundyour critical IT investment and propel your business forwardwith IBM Global Financing. For more information, visit:ibm.com/financing© Copyright IBM Corporation 2012IBM CorporationSoftware GroupRoute 100Somers, NY 10589Produced in the United States of AmericaJuly 2012IBM, the IBM logo, ibm.com, Lotus, WebSphere, AppScan, DataPower,and X-FORCE are trademarks of International Business Machines Corp.,registered in many jurisdictions worldwide. Other product and servicenames might be trademarks of IBM or other companies. A current list ofIBM trademarks is available on the web at “Copyright and trademarkinformation” at ibm.com/legal/copytrade.shtmlMicrosoft and Windows are trademarks of Microsoft Corporation inthe United States, other countries, or both.This document is current as of the initial date of publication and maybe changed by IBM at any time. Not all offerings are available in everycountry in which IBM operates.THE INFORMATION IN THIS DOCUMENT IS PROVIDED“AS IS” WITHOUT ANY WARRANTY, EXPRESS ORIMPLIED, INCLUDING WITHOUT ANY WARRANTIESOF MERCHANTABILITY, FITNESS FOR A PARTICULARPURPOSE AND ANY WARRANTY OR CONDITION OFNON-INFRINGEMENT. IBM products are warranted according to theterms and conditions of the agreements under which they are provided.The client is responsible for ensuring compliance with laws and regulationsapplicable to it. IBM does not provide legal advice or represent or warrantthat its services or products will ensure that the client is in compliance withany law or regulation. Statements regarding IBM’s future direction andintent are subject to change or withdrawal without notice, and representgoals and objectives only.IT system security involves protecting systems and information throughprevention, detection and response to improper access from withinand outside your enterprise. Improper access can result in informationbeing altered, destroyed or misappropriated or can result in damage toor misuse of your systems, including to attack others. No IT system orproduct should be considered completely secure and no single product orsecurity measure can be completely effective in preventing improper access.IBM systems and products are designed to be part of a comprehensivesecurity approach, which will necessarily involve additional operationalprocedures, and may require other systems, products or services to be mosteffective. IBM does not warrant that systems and products are immunefrom the malicious or illegal conduct of any party.1 IBM projection.2 Blackstone, “IBM Enterprise Mobility,” September 12, 2011.3 IBM X-FORCE, “IBM X-FORCE 2011 Trend and Risk Report,”March 2012. WGS03003-USEN-00