
Best practices for mobile enterprise security and the importance of endpoint management


With the rapid growth of smartphones and tablets in the enterprise, CIOs are struggling to secure mobile devices and data across a wide range of mobile platforms. Attend this session to learn best practices around defining a mobile security policy, educating employees about safe computing practices, and deploying a secure technology framework. We'll discuss the benefits of endpoint management solutions like IBM Endpoint Manager in the context of a comprehensive enterprise deployment encompassing smartphones, tablets, PCs and servers.

Published in: Technology

  1. © 2013 IBM Corporation. Best Practices for Mobile Enterprise Security and the Importance of Endpoint Management. Chris Pepin, Mobile Enterprise Executive, IBM Mobile Enterprise Services. Session
  2. Mobile enterprise is a business imperative
     • Turn mobile into a profit-generating platform and attract new customers
     • Improve employee productivity, attract and retain top talent
     • Enterprises that don't embrace mobile risk being left behind
     • Social, cloud and analytics complement mobile
  3. Mobile security risks are significant…
     [Chart: risks plotted by frequency (never, rare, often, frequently) against impact (limited to massive), in quadrants I to IV: loss/theft/seizure; Bluetooth slurping; man-in-the-middle attack; roving bug/illegal; malware/spyware/grayware; location logging and tracking.]
     Based on Gartner, Mobile Security Risks, interviews with members of ISS X-Force, and Corporate Executive Board; industry (not IBM-only) view.
  4. …and involve more than just the device
     Device
     • Manage device: set appropriate security policies, register, compliance, wipe, lock
     • Secure data: data separation, leakage, encryption
     • Application security: offline authentication, application-level controls
     Network
     • Secure access: properly identify mobile users and devices, allow or deny access, connectivity
     • Monitor and protect: identify and stop mobile threats; log network access, events and anomalies
     • Secure connectivity: secure connectivity from devices
     Mobile applications
     • Secure application: use secure coding practices, identify application vulnerabilities, update applications
     • Integrate securely: secure connectivity to enterprise applications and services
     • Manage applications: manage applications and the enterprise app store
  5. Video: IBM Mobile Security, confidently enable productivity, business agility and a rich user experience
  6. IBM prediction: "Mobile computing devices should be more secure than traditional user computing devices by 2014"
     • Application sandboxing
     • Signed code controls
     • Remote device or data wipe
  7. A four-pronged approach to mobile security: Strategy, Policy, Education, Technology
  8. Strategy: a mobile enterprise starts with a strategy
     • Defining the business problem and success criteria
     • Personas and use cases
     • Mobile infrastructure readiness
     • Processes and governance model
     Enterprises need at least two strategies: B2E and B2C
  9. Policy: a written mobile policy is essential
     • Terms and conditions
       ‒ What devices, OSes and versions are allowed
       ‒ Passcode, device wipe, allowed applications
     • Corporate-owned devices as well as BYOD; data privacy
     • Human resources, legal, procurement and reimbursement
     A comprehensive policy covering PCs, smartphones and tablets is recommended
  10. Education: employees are the weakest security link
     • Identifying cybersecurity threats
     • Protecting corporate and client data
     • Safeguarding devices
     • Data and security incident reporting
     • Build a "culture of security"
     Published guidelines, online education and social interaction are recommended
  11. Technology monitors and enforces security policy
     • Mobile Device Management (MDM)
     • Data Loss Prevention (DLP)
     • Containerization, virtualization, encryption
     • Anti-malware
     • Network access control
     One size doesn't fit all
  12. Network access policy is the first line of defense
     [Access matrix: user type (Manager, Regular Employee, I.T. Staff, Contractor, Guest) against device type (Corporate Laptop, Personal Laptop, iPad/iPhone, Android Device); each combination is granted one of three levels: Internet + Email + Intranet, Internet + Email, or Internet only.]
     In addition to restricting access based on user and device type, additional conditions may also be leveraged, such as:
     • Access method (wired, wireless, or VPN)
     • Access location (company premises, home office, or remote location)
     • Application type (data, voice, video)
  13. Network access control workflow
     (1) Onboard device: a simple and intuitive method of on-boarding the device; automatically provision the device's settings and check that the device hasn't been compromised in any way and doesn't present any risk.
     (2) Invoke a policy: automatic policy decisions and enablement; take in all of the information about the context of the user and device and enable the appropriate policy.
     (3) Enforce policy: unified policy enforcement; apply the policy across the global organization, over wired, wireless and remote access, and across all of the major mobile device operating systems.
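The three-step workflow and the access matrix from the previous slide, as an added example in Python (not IBM Endpoint Manager code or any product's policy language). The minimum OS versions, the posture fields, the VLAN names and the access levels assigned to each user/device combination are assumptions made for the example; the deck gives the structure of the matrix but not its cell values.

```python
# Added example (not IBM Endpoint Manager code): a deny-by-default network
# access decision following the three-step workflow (onboard, invoke policy,
# enforce). Minimum OS versions, posture fields and VLAN names are assumptions.
from dataclasses import dataclass

# Assumed policy table: platform -> minimum (major, minor) OS version permitted.
MINIMUM_OS = {"ios": (6, 0), "android": (4, 1), "windows": (6, 1), "macos": (10, 7)}


@dataclass
class Posture:
    device_type: str    # "corporate_laptop", "personal_laptop", "ios", "android"
    os_name: str
    os_version: tuple
    passcode_set: bool
    encrypted: bool
    rooted: bool        # jailbroken or rooted
    mdm_enrolled: bool


@dataclass
class Context:
    user_type: str      # "manager", "employee", "it_staff", "contractor", "guest"
    posture: Posture
    access_method: str  # "wired", "wireless", "vpn"
    location: str       # "premises", "home", "remote"


INTERNET, EMAIL, INTRANET = "internet", "internet+email", "internet+email+intranet"
VLAN_FOR_LEVEL = {"none": "quarantine", INTERNET: "guest", EMAIL: "byod", INTRANET: "corporate"}


def onboard_check(p: Posture) -> list:
    """Step 1: posture checks at onboarding; returns the list of failures found."""
    failures = []
    minimum = MINIMUM_OS.get(p.os_name)
    if minimum is None:
        failures.append("os not allowed")
    elif p.os_version < minimum:
        failures.append("os version too old")
    if not p.passcode_set:
        failures.append("no passcode")
    if not p.encrypted:
        failures.append("storage not encrypted")
    if p.rooted:
        failures.append("device compromised")
    if not p.mdm_enrolled:
        failures.append("not enrolled")
    return failures


def decide(ctx: Context) -> str:
    """Step 2: pick an access level from user type, device type, posture,
    access method and location. Unknown combinations get internet only;
    compromised or disallowed devices get nothing."""
    failures = onboard_check(ctx.posture)
    if "device compromised" in failures or "os not allowed" in failures:
        return "none"
    corporate_device = ctx.posture.device_type == "corporate_laptop"
    if ctx.user_type in ("manager", "employee", "it_staff"):
        level = INTRANET if corporate_device else EMAIL
    elif ctx.user_type == "contractor":
        level = EMAIL if corporate_device else INTERNET
    else:                                   # guests and anything unrecognised
        level = INTERNET
    if failures:                            # non-compliant: remediation access only
        level = INTERNET
    # Intranet from outside the premises is only reachable over VPN.
    if level == INTRANET and ctx.location != "premises" and ctx.access_method != "vpn":
        level = EMAIL
    return level


def enforce(ctx: Context) -> dict:
    """Step 3: turn the decision into an enforcement action for the network edge."""
    level = decide(ctx)
    return {"level": level, "vlan": VLAN_FOR_LEVEL[level],
            "failures": onboard_check(ctx.posture)}


if __name__ == "__main__":
    laptop = Posture("corporate_laptop", "windows", (6, 1), True, True, False, True)
    print(enforce(Context("manager", laptop, "wireless", "home")))   # internet+email, vlan byod
    print(enforce(Context("manager", laptop, "vpn", "home")))        # intranet, vlan corporate
```

The decision is deliberately structured so that the posture result can only lower the level, never raise it, and so that a device that fails the "compromised" or "OS not allowed" checks is quarantined before the user/device matrix is consulted at all.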
  14. Network impact of mobile devices
     Do I have enough IP addresses? IP Address Management (IPAM)
     • Many enterprises are still managing the IP address space on their networks manually via spreadsheets (approximately 75%), via homegrown applications, or a combination of the two [1]
     • Existing subnets and IP address pools may not be sufficiently large to handle the increased number of connected devices
     • Audit and tracking capabilities need to be enhanced for mobile devices
     Will my DHCP services scale? Dynamic Host Configuration Protocol (DHCP)
     • Increased scale and robustness are required to handle the influx of IP address requests
     • New mechanisms for dynamically managing lease times and IP address re-use may be required
     Is my DNS ready to support the cloud? Domain Name System (DNS)
     • Mobile applications and cloud-based services will impose a massive increase in the use of DNS services
  15. Separating personal and work data
     Enterprise needs:
     • Protect corporate applications and data, not just the device
     • Prevent data leakage from enterprise apps to personal apps and public cloud-based services
     • Enforce advanced security features such as file-level encryption
     • Centrally administer and enforce permissions and policies
     • Ability to remotely wipe all work-related applications and data
     Personal needs:
     • Maintain full control over personal apps and data
     • Enterprise policies do not apply when the device is not connected to the enterprise network and corporate applications are not in use
     • Selective wipe ensures that personal data remains untouched
     • Simple to switch between personal and work functions
  16. Multiple approaches to achieving data separation
     Mobile Device Management (MDM)
     • Manage device security policies (password, encryption, etc.)
     • MDM controls enterprise access (Wi-Fi / VPN / email)
     • Wipe and "selective wipe" enterprise data and apps
     Secure container (enterprise container management server)
     • Create a "secure container"
     • Replace the default mail / calendar / contacts
     • Allow organizations to write apps that run in the container; encryption
     Virtualized devices and Virtual Desktop Infrastructure (VDI)
     • Virtualize the device OS
     • Create a virtualized "enterprise device" and "personal device"
     • Virtual enterprise desktop
     • Virtual application delivery
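The container approach above combines file-level encryption with a selective wipe that leaves personal data untouched. The following added example (not IBM code and not the Enterproid Divide container named later in the deck) shows why those two properties go together: if every work file is encrypted under a container key, a selective wipe is just destruction of that key plus deletion of the container's files, and the personal store next to it is never touched. To stay within the standard library it uses HMAC-SHA256 in counter mode as the keystream and a separate HMAC tag for integrity; that construction, the file layout and the sample data are assumptions for the example, and a product container would use a vetted AEAD such as AES-GCM with the key in hardware-backed storage.

```python
# Added example (not IBM or Enterproid Divide code): a per-file-encrypted work
# container beside an unencrypted personal store. Selective wipe destroys the
# container key and its files; personal data is untouched. Encryption uses
# HMAC-SHA256 as a counter-mode keystream plus an encrypt-then-MAC tag, an
# assumption chosen only to keep the example standard-library-only.
import hashlib
import hmac
import os


class WorkContainer:
    """Encrypted store for work files. Every file gets its own nonce and tag."""

    def __init__(self):
        self._master = bytearray(os.urandom(32))   # container key; bytearray so it can be zeroed
        self._files = {}                           # name -> (nonce, ciphertext, tag)

    def _subkey(self, label: bytes) -> bytes:
        if self._master is None:
            raise PermissionError("container has been wiped")
        return hmac.new(bytes(self._master), label, hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def write(self, name: str, data: bytes) -> None:
        enc_key, mac_key = self._subkey(b"enc"), self._subkey(b"mac")
        nonce = os.urandom(16)
        stream = self._keystream(enc_key, nonce, len(data))
        ciphertext = bytes(p ^ k for p, k in zip(data, stream))
        tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        self._files[name] = (nonce, ciphertext, tag)

    def read(self, name: str) -> bytes:
        enc_key, mac_key = self._subkey(b"enc"), self._subkey(b"mac")
        nonce, ciphertext, tag = self._files[name]
        expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed for " + name)
        stream = self._keystream(enc_key, nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, stream))

    def stored_bytes(self, name: str) -> bytes:
        """What someone with a copy of the flash sees: ciphertext only."""
        return self._files[name][1]

    def tamper(self, name: str) -> None:
        """Flip one ciphertext bit (demonstrates that the tag catches modification)."""
        nonce, ciphertext, tag = self._files[name]
        flipped = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
        self._files[name] = (nonce, flipped, tag)

    def selective_wipe(self) -> None:
        """Remote selective wipe: zero the key and drop the files; nothing else on
        the device is touched."""
        for i in range(len(self._master)):
            self._master[i] = 0
        self._master = None
        self._files.clear()


class Device:
    def __init__(self):
        self.personal = {}          # personal apps' data, outside the container
        self.work = WorkContainer()


def demo() -> dict:
    """Constructed sample: one personal photo, one work document, then a wipe."""
    dev = Device()
    dev.personal["photo.jpg"] = b"holiday snapshot"
    dev.work.write("q3-forecast.txt", b"revenue forecast: confidential")
    before = dev.work.read("q3-forecast.txt")
    dev.work.selective_wipe()
    try:
        dev.work.read("q3-forecast.txt")
        work_after = "readable"
    except (PermissionError, KeyError):
        work_after = "gone"
    return {"work_before": before, "work_after": work_after,
            "personal_after": dev.personal["photo.jpg"]}
```

Two details carry the security argument: each file has its own random nonce, so two copies of the same document do not produce the same ciphertext, and the integrity tag is checked before decryption, so a modified file is rejected rather than silently decrypted to garbage.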
  17. Virtual application streaming approach
     [Diagram: virtualized applications streamed from VDI infrastructure (servers and storage) to the device.]
     Pros: no on-device storage of confidential data; access to legacy applications
     Cons: no offline access; end-user experience
  18. Mobile Enterprise Management solutions
     • Moving beyond Mobile Device Management (MDM)
     • Microsoft Exchange ActiveSync is NOT the answer
     • Connected cloud and on-premise solutions
     • What devices do I need to manage?
     • What features do I need?
  19. IBM is a mobile enterprise
     • 435,000 employees worldwide; 50% mobile
     • BYOD isn't new at IBM and includes smartphones and tablets as well as laptops
     • 120,000 employees leveraging smartphones and tablets; 80,000 BYOD
     • 600,000 managed laptops/desktops; 30,000 BYOD
     IBM's BYOD program "really is about supporting employees in the way they want to work. They will find the most appropriate tool to get their job done. I want to make sure I can enable them to do that, but in a way that safeguards the integrity of our business." (IBM CIO Jeanette Horan)
  20. Video: IBM Mobile Technology, A Personal Journey
  21. Mobile @ IBM
     Policy
     • Legal: personally owned device terms and conditions
     • Policy: same overriding security policy for all endpoints (laptop, mobile, other)
     • Technical controls: detailed security settings per platform ("techspecs")
     Education
     • Formal: mandatory Digital IBMer Security Training
     • Casual: IBM Secure Computing Guidelines; targeted w3 articles
     • Social: Secure Computing Forum; Secure Computing blog posts
     • Developer: Secure Engineering guidelines; mobile app security guidelines
     Technology
     • Endpoint management (overall control)
     • Anti-malware (malicious app protection)
     • Network access control and application-level security (data protection)
     • Containerization / virtualization (data protection, data privacy, end-user acceptance)
     Strategy
     • Mobile as primary
     • Personas (13 inside IBM)
     • BYOD policy (Windows, Linux, Mac, smartphones, tablets)
  22. Technology: key mobile technology in use inside IBM
     • IBM Endpoint Manager
     • IBM Lotus Notes Traveler
     • BlackBerry Enterprise Server
     • IBM Sametime Mobile
     • IBM Connections Mobile
     • IBM Worklight
     • IBM Mobile Connect
  23. IBM Endpoint Manager
     [Diagram: one agent across desktop/laptop/server, mobile and purpose-specific endpoints, covering systems management (patch management, lifecycle management, software use analysis, power management, server automation, mobile devices) and security management (security and compliance, core protection).]
     Continuously monitor the health and security of all enterprise computers in real time via a single, policy-driven agent
  24. IBM Endpoint Manager components
     Single intelligent agent
     • Continuous self-assessment
     • Continuous policy enforcement
     • Minimal system impact (<2% CPU, <10 MB RAM)
     Single server and console
     • Highly secure, highly available
     • Aggregates data, analyzes and reports
     • Manages up to 250K endpoints per server
     Flexible policy language (Fixlets)
     • Thousands of out-of-the-box policies
     • Best practices for operations and security
     • Simple custom policy authoring
     • Highly extensible/applicable across all platforms
     Virtual infrastructure
     • Designate an IBM Endpoint Manager agent as a relay or discovery point in minutes
     • Provides built-in redundancy
     • Leverages existing systems/shared infrastructure
  25. IBM Endpoint Manager addresses key business needs
     [Diagram: endpoint management with a common agent, unified console and single management server spanning systems management and security management across desktops, laptops and servers; smartphones and tablets; and purpose-specific endpoints. "Managed = Secure".]
     • Implement BYOD with confidence
     • Secure sensitive data, regardless of device
     • Handle multi-platform complexities with ease
     • Minimize administration costs
  26. Benefits of IBM Endpoint Manager
     "Organizations…would prefer to use the same tools across PCs, tablets and smartphones, because it's increasingly the same people who support those device types" (Gartner, PCCLM Magic Quadrant, January 2011)
     "Although at some level mobile is unique, the devices are just another form of endpoints in your infrastructure. This means whichever technologies you procure should have a road map for integration into your broader endpoint protection strategy." (Forrester, Market Overview: Mobile Security, Q4 2011)
     Reduces hardware and administration costs
     • "Single pane" for mobile devices, laptops, desktops and servers
     • Single Endpoint Manager server scales to 250,000+ devices
     • Unified infrastructure/administration model reduces FTE requirements
     Fast time-to-value
     • Enterprise-grade APIs enable integration with service desks, CMDBs, etc. (Integrated Service Management)
     • Cloud-based content delivery model allows for rapid updates with no software upgrade or installation required
  27. What's new in IBM Endpoint Manager?
     • Integration with Enterproid's Divide container technologies for iOS and Android
     • Web-based administration console for performing basic device management tasks with role-based access control
     • Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 to v7 devices
     • Enhanced security with support for FIPS 140-2 validated encryption and bi-directional encryption of communications with the Android agent
     IBM Endpoint Manager's cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades
  28. IBM Worklight security: application security objectives
     Application security design
     • Develop secure mobile apps using corporate best practices
     • Encrypted local storage for data
     • Offline user access
     • Challenge response on startup
     • App authenticity validation
     • Direct Update of application
     • Remote disable (of applications per device and version)
     • Enforcement of organizational security policies
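Three of the bullets above (challenge response on startup, app authenticity validation, remote disable per version) describe one exchange between the app and its back end. The following is an added example of that exchange in Python; it is a generic HMAC challenge-response, not Worklight's protocol or code. The message layout, the 30-second challenge lifetime and the idea of a per-build shared secret are assumptions. A secret embedded in a shipped app can be extracted, so in practice it must be protected (platform keystore, obfuscation, server-side checks on the binary); the example shows the server-side logic that a stronger secret would plug into.

```python
# Added example (not IBM Worklight code): startup challenge-response covering
# app authenticity (proof of a per-build secret), single-use short-lived nonces
# (no replay), and remote disable of an application per version. Message
# layout, TTL and the per-build shared secret are assumptions.
import hashlib
import hmac
import os
import time


def compute_response(secret: bytes, app_id: str, version: str, nonce: bytes) -> bytes:
    """HMAC over app identity, version and the server's nonce (assumed layout)."""
    message = app_id.encode() + b"|" + version.encode() + b"|" + nonce
    return hmac.new(secret, message, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, now=time.time, ttl_seconds: int = 30):
        self._now = now
        self._ttl = ttl_seconds
        self._secrets = {}      # (app_id, version) -> secret provisioned at build time
        self._disabled = set()  # (app_id, version) pairs switched off by the administrator
        self._pending = {}      # nonce -> (app_id, version, issued_at); each nonce valid once

    def register_build(self, app_id: str, version: str, secret: bytes) -> None:
        self._secrets[(app_id, version)] = secret

    def disable(self, app_id: str, version: str) -> None:
        """Remote disable: from now on this version is refused at startup."""
        self._disabled.add((app_id, version))

    def challenge(self, app_id: str, version: str) -> bytes:
        key = (app_id, version)
        if key in self._disabled:
            raise PermissionError("application version disabled, please update")
        if key not in self._secrets:
            raise PermissionError("unknown application build")
        # Drop stale challenges so the pending table cannot grow without bound.
        cutoff = self._now() - self._ttl
        self._pending = {n: e for n, e in self._pending.items() if e[2] >= cutoff}
        nonce = os.urandom(16)
        self._pending[nonce] = (app_id, version, self._now())
        return nonce

    def verify(self, app_id: str, version: str, nonce: bytes, response: bytes) -> bool:
        entry = self._pending.pop(nonce, None)   # pop: a nonce answers exactly once
        if entry is None or entry[:2] != (app_id, version):
            return False
        if self._now() - entry[2] > self._ttl:
            return False
        expected = compute_response(self._secrets[(app_id, version)], app_id, version, nonce)
        return hmac.compare_digest(expected, response)


class MobileApp:
    def __init__(self, app_id: str, version: str, secret: bytes):
        self.app_id, self.version, self.secret = app_id, version, secret

    def start(self, server: AuthServer) -> bool:
        """Startup handshake: fetch a nonce, answer it, proceed only if accepted."""
        nonce = server.challenge(self.app_id, self.version)
        answer = compute_response(self.secret, self.app_id, self.version, nonce)
        return server.verify(self.app_id, self.version, nonce, answer)


if __name__ == "__main__":
    server = AuthServer()
    server.register_build("com.example.sales", "1.2", b"constructed-per-build-secret")
    print(MobileApp("com.example.sales", "1.2", b"constructed-per-build-secret").start(server))  # True
    server.disable("com.example.sales", "1.2")
    try:
        MobileApp("com.example.sales", "1.2", b"constructed-per-build-secret").start(server)
    except PermissionError as exc:
        print(exc)   # application version disabled, please update
```

The verification order matters: the nonce is consumed before anything else is checked, so a captured response cannot be replayed even if the first attempt failed, and the comparison uses a constant-time compare so the server does not leak how many bytes of a forged response were correct.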
  29. Key messages
     • There are mobile security challenges, but there are also solutions
     • Endpoint management is a required component but not the only solution you will need
     • There are no one-size-fits-all mobile solutions
     • The mobile landscape continues to evolve; be flexible and embrace change
  30. Ways to get started with MobileFirst
     1. Sign up for the IBM Mobile workshop: email us at -- (#IBMMobile)
  31. Questions? Chris Pepin, Mobile Enterprise Executive, IBM Global Technology
  33. Legal disclaimer
     • © IBM Corporation 2013. All Rights Reserved.
     • The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
     • References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.