At ConnectED in January, Bill Wimer (Senior Technical Staff, IBM) and Paul Miller (Mobile Development Manager, IBM) presented on mobile security. Their presentation looked at how IBM mobile apps integrate with Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions. The tip below from their session covers security requirements for mobile apps, including the 3 areas to focus on: connectivity, device management, and application management. The tip also provides in-depth information on security options for Traveler, Connections Mobile, and Sametime Mobile.
These slides are available for free in our ConnectED 2015 community (http://bit.ly/16MCP3q), you just have to be logged in to your free account (sign up: https://reg.socialbizug.org/).
2. Please Note
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
3. Landscape: Unique Management and Security challenges
Mobile devices are shared more often:
– Personal phones and tablets shared with family
– Enterprise tablet shared with co-workers
– Social norms of mobile apps vs. file systems
Mobile devices have multiple personas:
– Work tool
– Entertainment device
– Personal organization
– Security profile per persona?
Mobile devices are diverse:
– OS immaturity for enterprise management
– BYOD dictates multiple OSs
– Vendor / carrier control dictates multiple OS versions
Mobile devices are used in more locations:
– A single location could offer public, private, and cell connections
– Anywhere, anytime
– Increasing reliance on enterprise WiFi
Mobile devices prioritize the user:
– Conflicts with user experience not tolerated
– OS architecture puts the user in control
– Difficult to enforce policy, app lists
4. Landscape: 3 focus areas
Connectivity (options: direct connect to enterprise servers, security gateway/proxy in DMZ):
– Securing enterprise application connectivity
– Restricting access to authorized users and devices
– Protecting the data in transit over enterprise and public networks
Device management (options: provided by enterprise apps, advanced MDM solutions):
– Enforce passwords and password strength for whole device
– Full device wipe
– Block unencrypted devices and prohibit camera
– Ability to dynamically update and push device security profiles that can control all of the device capabilities, not limited by security policies specified in sync protocols (OS granted security privileges for MDM solutions)
Application management (options: provided by enterprise apps, advanced MAM solutions):
– Application provisioning (server, username)
– Protecting data at rest (local encryption)
– Selective application data wipe
– Single security admin for all enterprise apps
– Data containerization: Application specific authorization and security policies (OS granted security privileges for MAM solutions)
5. Out of the box capabilities
Security features available without external security integration
6. IBM Mobile Connect (IMC)
General capabilities:
– Removes application servers from DMZ
– Previous password recognition
– User based load balancing, ensures 'stickiness' to a consistent Traveler server for users with multiple devices
– Security rich connection, multiple authentication factors, encrypts data in transit
– Clientless solution well suited for mobile, per app, rather than full VPN access
Connections Chat & Meetings:
– Identifies Sametime Mobile traffic, special performance stream handler
– 'prefix' capability in HTTP Access definition provides ability to support 'where to get photos' option for mobile clients
Connections Social:
– Identifies Connections mobile traffic
– URL rewriting for access to multiple Connections services, easily configured rules file (path logging assists with rule enablement/restrictions)
Traveler:
– Recognition of Traveler URLs, applies data flow optimizers and HTTP header tags
– Single URL for multiple Traveler servers/pools
– Traveler Pool Awareness
(Diagram: Internet (Untrusted) | DMZ: IMC | Intranet (Trusted))
7. IBM Traveler – Security, Restricting User and Device Access
Data in motion encrypted: all supported device clients support TLS connections
All locally stored data encrypted
Admin Console: Web & Notes based (web for new features)
Restricting user and device access:
– Require SSL/TLS connection
– Require connection via specific IP address(es)
– Require device pre-approval
– Restrict to only authorized users
– Deny access to specific device
(on premises screens shown)
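The access restrictions listed above combine into one admission decision per sync request. The following is an added example written for this tip, not IBM Traveler code: a small policy evaluator with hypothetical names (AccessPolicy, SyncRequest, evaluate) and constructed sample data that shows the order in which a defender would want the checks applied (deny rules before allow rules, transport check first).

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessPolicy:
    """Hypothetical model of the Traveler restrictions: TLS, source IPs, users, pre-approval, denied devices."""
    require_tls: bool = True
    allowed_networks: list = field(default_factory=list)   # CIDR strings; empty list = any source
    authorized_users: set = field(default_factory=set)     # empty set = all users permitted
    require_preapproval: bool = False
    approved_devices: set = field(default_factory=set)
    denied_devices: set = field(default_factory=set)

@dataclass
class SyncRequest:
    user: str
    device_id: str
    source_ip: str
    tls: bool

def evaluate(policy: AccessPolicy, req: SyncRequest):
    """Return (allowed, reason). Explicit denies are checked before any allow list."""
    if policy.require_tls and not req.tls:
        return False, "plaintext connection refused"
    if req.device_id in policy.denied_devices:
        return False, "device explicitly denied"
    if policy.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
            return False, "source address not permitted"
    if policy.authorized_users and req.user not in policy.authorized_users:
        return False, "user not authorized"
    if policy.require_preapproval and req.device_id not in policy.approved_devices:
        return False, "device awaiting approval"
    return True, "allowed"

# Constructed sample policy: TLS only, two permitted networks, two users, pre-approval on.
POLICY = AccessPolicy(
    require_tls=True,
    allowed_networks=["10.0.0.0/8", "203.0.113.0/24"],
    authorized_users={"alice", "bob"},
    require_preapproval=True,
    approved_devices={"DEV-A1"},
    denied_devices={"DEV-X9"},
)

if __name__ == "__main__":
    for r in (SyncRequest("alice", "DEV-A1", "203.0.113.5", True),
              SyncRequest("bob", "DEV-B2", "10.1.2.3", True),
              SyncRequest("alice", "DEV-X9", "10.1.2.3", True)):
        print(r.user, r.device_id, evaluate(POLICY, r))
```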
8. IBM Traveler – Security Policies (vary by device type)
Apple, Windows Phone/RT/Pro:
– Most settings enforced via EAS account
– Apply to entire device (not just PIM account)
BB10:
– Most settings enforced via EAS account (only apply if not managed by BES)
– Use BES 10 policies to separate work and personal data
Android:
– IBM Traveler app installs an Android Device Administrator Account
– Supports both device wide and client app only policies
9. IBM Traveler – Attachment Security Policies
Traveler administrator enables a policy to allow only built-in viewers or approved applications to access attachments.
(Screens shown: Apple iOS, Android)
* Requires use of Traveler Companion app
10. Connections Social – Security, Admin Console
Data in motion encrypted: all supported device clients support TLS connections
Connections Mobile Admin Console*:
– Control user access, track audit history
– View devices using the service
– Deny device access
– Wipe Connections data from device application
– Define Device Security Policies (Android)
All locally stored data encrypted
Client certificate based authentication using PKCS#12 (p12) certificates*
*on premises capabilities only at this time
11. Connections Social – Security, Properties File
Other Connections Mobile security related properties – modify properties file mobile-config.xml
General properties: (screen shown)
Mobile Files properties: (screen shown)
Documentation: https://ibm.biz/connectionsmobileadmin
*on premises capabilities only at this time
12. Connections Chat and Meetings – Security
Data in motion encrypted: all supported device clients support TLS connections
Chat history (if enabled) is stored encrypted
Connections Meetings Admin Console* (additional settings)
*on premises capabilities only at this time