SlideShare a Scribd company logo
Security and Mobile Application
Management with Worklight
Miku Jha, Senior Solutions Architect
Worklight, an IBM Company
IBM Mobile Foundation



     Development
                                   Firewall or Security Gateway
       Lifecycle
         Tools
                                                            IBM End Point
                            IBM Worklight                 Manager for Mobile
                                                               Devices
                                      CastIron Hypervisor Edition                       Elastic Caching
       Mobile
     threats and               IBM Mobile Foundation
       security


                                        SOA & Connectivity
                             (Messaging, ESBs, Cloud Integration, Governance)

                                                                            Business
                       Decision                                                             Social
          Analytics                                                          Process
                      Management                                           Management      Software
                                        Enterprise Apps



2
Components of the IBM Worklight Mobile
Platform
                    Worklight Studio

                    The most complete, extensible environment with maximum
                    code reuse and per-device optimization

                    Worklight Server

                    Unified notifications, runtime skins, version management,
                    security, integration and delivery


    1001010101011
                    Worklight Runtime Components
    1010010100100
    1010111010010
    0110101010101
    0010010010111
    1001001100101
                    Extensive libraries and client APIs that expose and interface
    0101001010100   with native device functionality

                    Worklight Console

                    A web-based console for real-time analytics and control of your
                    mobile apps and infrastructure


3
Worklight Security Focus: Support Creation
       and Delivery of Secure Mobile Apps
                                            Take advantage of
                                           platform architecture
                                          and mobile capabilities



                      Address
               mobile-specific security
                       issues


       Security is a platform-wide
       consideration, relating to all components:
       •   Server
       •   Device run-time
       •   Studio
       •   Console

4
Taking Advantage of Platform Architecture and
                Mobile Capabilities

     Platform architecture benefits:
       – Combining server-side and client-side functionality to provide a
         comprehensive set of security features
       – Opportunity to simplify security approval process


     Mobile capabilities:
       – The device itself can be used as a second factor for user
         authentication (i.e., “what you have”)
       – Use built-in support for secure communications
       – Leverage security APIs when available (e.g., keychain services
         API, app signatures)
       – Some app stores provide high confidence in app legitimacy

5
Worklight Runtime Architecture




      Worklight Server                                        Device Runtime




                                                                                         Application Code
      Server-side
                                             Client-side
    Application Code
                                           App Resources
                       Stats Aggregation




                                                           Cross Platform Technology
    JSON Translation                       Direct Update

                                             Mobile
     Authentication                         Web Apps       Security and Authentication
                                                           Back-end Data Integration
                                                           Post-deployment control
                                           Unified Push
     Adapter Library                                       Diagnostics
                                           Notifications




6
Mobile Application Security Objectives


                     Protect data on                       Enforce security
                     the device                            updates
                     •   Malware, Jailbreaking             • Be proactive: can’t rely
                     •   Offline access                      on users getting the
                     •   Device theft                        latest software update
                                                             on their own
                     •   Phishing, repackaging




       Streamline                         Provide robust                        Protect from the
       Corporate                          authentication                        “classic” threats
       security approval                  and authorization                     to the application
       processes                          • Existing authentication             security
       • Complex                            infrastructure                      • Hacking
       • Time-consuming                   • Passwords are more                  • Eavesdropping
                                            vulnerable                          • Man-in-the-middle




7
Security Features Mapping

                               Protecting data on the                              Enforcing security
                                       device                                           updates




                                        Secure
                                                       App        Compatibility
     Encrypted          Offline       challenge-                                    Remote         Direct
                                                   authenticity   with jailbreak
    offline cache   authentication   response on                                    disable        update
                                                     testing      detection libs
                                        startup


                                                                                    SSL with
        Mobile          Auth            Data                         Proven
                                                      Device                          server        Code
    platform as a    integration     protection                      platform
                                                   provisioning                      identity     protection
     trust factor    framework         realms                        security
                                                                                   verification




        Streamlining                       Providing robust
                                                                                         Application
      Corporate security                  authentication and
                                                                                          Security
         processes                          authorization



8
Protecting data on the device
                                                           Malware, Jailbreaking
                   Protecting data
                    on the device                          Device theft
                                                           Offline access
                                                           Phishing, repackaging
                                        Secure
       Encrypted                                       App        Compatibility
                        Offline       challenge-
        offline                                    authenticity   with jailbreak
                    authentication   response on
         cache                                       testing      detection libs
                                        startup


     Encrypted offline cache
     Offline authentication using password
     Extended authentication with server using secure challenge response
     App authenticity testing: server-side verification mechanism to mitigate
     risk of Phishing through repackaging or app forgery
     Compatibility with various jailbreak and malware detection libraries



9
Enforcing security updates

      Can’t rely on users   Remote Disable: shut down
       getting the latest
      software update on    specific versions of a
           their own        downloadable app, providing
                            users with link to update

          Enforcing
           security
           updates
                            Direct Update: automatically
                            send new versions of the
        Remote     Direct   locally-cached HTML/JS
        disable    update
                            resources to installed apps



10
Middleware Security

       Proven        SSL with
                                       Code
      platform     server identity
                                     protection
      security      verification


                                          Proven platform security: tested by the most
            Protecting from               demanding customers (e.g., top tier banks)
             the “Classic”
            security threats              Client<->Middleware communications over
                                          HTTPS to prevent data leakage
                                          Fail on server certificate verification error
                                          Packaged JS code can be encrypted on desktop
                                          to make static analysis more difficult
           Hacking                        JS code integrity verification on startup
        Eavesdropping                     SQL adapter designed to mitigate SQL-injection
         Man-in-the-
                                          Built-in audit trail
           middle



11
Authentication and Authorization

      Authentication        Data
                                          Device
       integration
       framework
                         protection
                           realms
                                       Provisioning   Very flexible framework for simplifying
                                                      integration of apps with enterprise
                                                      identity & access management solutions
                   Providing robust
                  authentication and                  Manages authenticated sessions with
                    authorization
                                                      configurable expiration
                                                      Open: e.g., custom OTP as
                                                      anti-keylogger mechanism
     Need to integrate with existing                  Server-side services grouped into
      authentication infrastructure                   separate protection realms for different
                                                      authentication levels
     Authenticate users when offline                  Secure device ID generated as part of
                                                      extensible provisioning process
      Mobile passwords are more
      vulnerable (keyboard more
      difficult to use, typed text is
                   visible)
12
Simplifying corporate security processes


           Mobile          Objective: apps developed on the platform
       platform as a       will be easier for the security group to
        trust factor
                           approve

                           Mechanisms: pre-approve platform with
        Streamlining
      corporate security   security group. Identify corporate-specific
          processes        concerns and provide solutions within the
                           platform framework.

                           Result: release cycle for apps made by
        Mandatory          independent development groups within
         approval          the organization significantly shortened.
      processes that
     are complex and
     time-consuming
13
Centralized Build System Provides Control
       Over Coupling of Shell and Inner App
                      “Official” Android code-signing
                      certificate, iOS bundle seed id




                Source Code              Worklight
                 Repository              Build System




14
Worklight Studio simplifies the reuse of
       custom containers across the organization




     One team creates a custom
     container (“Shell Component”) for
     extensive security certification


            Other teams create
         HTML-only “inner apps”
         wrapped in that container
15
Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the
mobile security needs of customers across multiple industries



                                    •Application security
                                         •Worklight
                                         •IBM Rational AppScan

                                    •Mobile device management
                                         •IBM Endpoint Manager for Mobile devices
                                         •IBM Hosted Mobile Device Security Management

                                    •Secure enterprise access
                                         •IBM Security Access Manager

                                    •Security Intelligence
                                        •IBM QRadar




16
Questions?
The Difference Between Secure Apps and
                Device Management

              Mobile Device                   Application-Level
              Management                      Security

     Device-level control:          App takes care of itself:
         • Password protection          • Authentication
         • File-system encryption       • File encryption
         • Managed apps                 • Remote administration
         • Jailbreak detection          • Adaptive functionality


     Requires consent of user to    Applicable in all scenarios,
     have enterprise manage         including BYOD and
     entire device                  consumer-facing contexts

18
Copyright and Trademarks

       © IBM Corporation 2012. All Rights Reserved.

        IBM, the IBM logo, ibm.com are trademarks or registered
          trademarks of International Business Machines Corp.,
      registered in many jurisdictions worldwide. Other product and
     service names might be trademarks of IBM or other companies.
        A current list of IBM trademarks is available on the Web at
                “Copyright and trademark information” at
                    www.ibm.com/legal/copytrade.shtml.




19
Session Authentication Management
     Step 1 – Unauthenticated Session



                1. Call protected Procedure
                                                 Worklight Server
                                              Access denied because
                                              session is unauthenticated or
                                              expired
                2. Request Authentication




     Session:

     • Created on first access from client
     • Identified using session cookie
     • Associated data is stored on the server




20
Session Authentication Management
     Step 2 – Authentication



            1. Obtain credentials from
               user and device
                                           Worklight Server

             2. Forward credentials      Process authentication data




                                                      3. If necessary:
                                                      • Consult with authentication servers
                                                      • Perform device provisioning
                                                      • Receive authentication token
                                                      • Associate token with session

21
Session Authentication Management
     Step 3 – Authenticated Session



            1. Procedure call on
               authenticated session
                                        Worklight Server
                                       Authenticated token
                                       associated with session
            3. Procedure result

                                         Session ID        Auth
                                                        Tokens/State

                                       2bd4296a3f29    Realm 1:
                                                       25487
                                                       Realm 2: ------   2. Access back-end service
                                                       --
                                                                            using authentication
                                       25617ff82a90    Realm 1: ------
                                                       ---
                                                                            token
                                                       Realm 2:
                                                       a6c9a
                                       89a77921b02     Realm 1:
                                                       7b8df
                                                       Realm 2:
                                                       6a8a0


22
Deployment for SSO and Security Intelligence


                                                                                        Security Intelligence Platform

      Hybrid Mobile Apps                                                                                                                 IBM Endpoint
      Based on WorkLight                                                                                                                   Manager
                                                  Risk Based Access

             Hybrid App.            SSL            Security Proxy            SSO         WorkLight Server                       Enterprise
            Hybrid App.
                                                    (IBM Security                                                              Applications,
       Worklight Runtime                           Access Manager)                         (WAS w/ security)                 Connectivity & Data

         Mobile Device




            Security Proxy
                    Risk based access decisions and authentication - Context awareness
                    Single SignOn and Federation – standards based support OAuth, SAML, OpenID
                    Added value through integration of Security proxy with Mobile application platform (Worklight) – offline authentication,
                     secure cache, app authenticity,..
            Security intelligence with mobile context
                    Intelligence around malware and advanced threats in mobile enabled enterprise
                    User identity and device identity correlation, leading to behavior analysis
                    Geo-fencing, anomaly detection based on device, user, location, and application characteristics

23

More Related Content

What's hot

Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
Andrew Ferrier
 
Hybrid Applications with WebSphere commerce and Worklight
Hybrid Applications with WebSphere commerce and WorklightHybrid Applications with WebSphere commerce and Worklight
Hybrid Applications with WebSphere commerce and Worklight
Mohammad Omer Raza
 
IBM Worklight
IBM WorklightIBM Worklight
IBM Worklight
Raj Balasubramanian
 
Pulse 2013 Mobile Build and Connect presentation
Pulse 2013 Mobile Build and Connect presentationPulse 2013 Mobile Build and Connect presentation
Pulse 2013 Mobile Build and Connect presentation
Leigh Williamson
 
Mobile World Congress 2013 IBM-ATT Session
Mobile World Congress 2013 IBM-ATT SessionMobile World Congress 2013 IBM-ATT Session
Mobile World Congress 2013 IBM-ATT Session
Leigh Williamson
 
Engaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
Engaging Mobile Apps with IBM® Social Business Solutions and IBM WorklightEngaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
Engaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
Dirk Nicol
 
IBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem PartnersIBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem Partners
Jeremy Siewert
 
DevBeat 2013 IBM Master Class presentation
DevBeat 2013 IBM Master Class presentationDevBeat 2013 IBM Master Class presentation
DevBeat 2013 IBM Master Class presentation
Leigh Williamson
 
Building Effective and Rapid Applications with IBM MobileFirst Platform
Building Effective and Rapid Applications with IBM MobileFirst PlatformBuilding Effective and Rapid Applications with IBM MobileFirst Platform
Building Effective and Rapid Applications with IBM MobileFirst Platform
Andrew Ferrier
 
Build and Connect Enterprise Mobile Applications from developerWorks Live!
Build and Connect Enterprise Mobile Applications from developerWorks Live! Build and Connect Enterprise Mobile Applications from developerWorks Live!
Build and Connect Enterprise Mobile Applications from developerWorks Live!
Leigh Williamson
 
Jerry Romanek series mobile development 2012 year end review
Jerry Romanek series   mobile development 2012 year end reviewJerry Romanek series   mobile development 2012 year end review
Jerry Romanek series mobile development 2012 year end review
Leigh Williamson
 
Presentation build and connect apps, devices and data ibm worklight overview
Presentation   build and connect apps, devices and data ibm worklight overviewPresentation   build and connect apps, devices and data ibm worklight overview
Presentation build and connect apps, devices and data ibm worklight overview
xKinAnx
 
Ibm worklight
Ibm worklightIbm worklight
Ibm worklight
Django unchained
 
Worklight nitin nm
Worklight nitin nmWorklight nitin nm
Worklight nitin nm
Nitin Gaur
 
IBM Mobile foundation overview
IBM Mobile foundation overviewIBM Mobile foundation overview
IBM Mobile foundation overview
Ajay Chebbi
 
Kony Mobile Management
Kony Mobile ManagementKony Mobile Management
Kony Mobile Management
Dipesh Mukerji
 
Ibm mobile first briefing
Ibm mobile first briefingIbm mobile first briefing
Ibm mobile first briefing
Nitin Gaur
 
IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013
IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013
IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013
IBM Switzerland
 
IBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essentialIBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essential
IBM (Middle East and Africa)
 
Soa architect summit mobile 2013_mar [compatibility mode]
Soa architect summit mobile 2013_mar [compatibility mode]Soa architect summit mobile 2013_mar [compatibility mode]
Soa architect summit mobile 2013_mar [compatibility mode]
Sreeni Pamidala
 

What's hot (20)

Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
 
Hybrid Applications with WebSphere commerce and Worklight
Hybrid Applications with WebSphere commerce and WorklightHybrid Applications with WebSphere commerce and Worklight
Hybrid Applications with WebSphere commerce and Worklight
 
IBM Worklight
IBM WorklightIBM Worklight
IBM Worklight
 
Pulse 2013 Mobile Build and Connect presentation
Pulse 2013 Mobile Build and Connect presentationPulse 2013 Mobile Build and Connect presentation
Pulse 2013 Mobile Build and Connect presentation
 
Mobile World Congress 2013 IBM-ATT Session
Mobile World Congress 2013 IBM-ATT SessionMobile World Congress 2013 IBM-ATT Session
Mobile World Congress 2013 IBM-ATT Session
 
Engaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
Engaging Mobile Apps with IBM® Social Business Solutions and IBM WorklightEngaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
Engaging Mobile Apps with IBM® Social Business Solutions and IBM Worklight
 
IBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem PartnersIBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem Partners
 
DevBeat 2013 IBM Master Class presentation
DevBeat 2013 IBM Master Class presentationDevBeat 2013 IBM Master Class presentation
DevBeat 2013 IBM Master Class presentation
 
Building Effective and Rapid Applications with IBM MobileFirst Platform
Building Effective and Rapid Applications with IBM MobileFirst PlatformBuilding Effective and Rapid Applications with IBM MobileFirst Platform
Building Effective and Rapid Applications with IBM MobileFirst Platform
 
Build and Connect Enterprise Mobile Applications from developerWorks Live!
Build and Connect Enterprise Mobile Applications from developerWorks Live! Build and Connect Enterprise Mobile Applications from developerWorks Live!
Build and Connect Enterprise Mobile Applications from developerWorks Live!
 
Jerry Romanek series mobile development 2012 year end review
Jerry Romanek series   mobile development 2012 year end reviewJerry Romanek series   mobile development 2012 year end review
Jerry Romanek series mobile development 2012 year end review
 
Presentation build and connect apps, devices and data ibm worklight overview
Presentation   build and connect apps, devices and data ibm worklight overviewPresentation   build and connect apps, devices and data ibm worklight overview
Presentation build and connect apps, devices and data ibm worklight overview
 
Ibm worklight
Ibm worklightIbm worklight
Ibm worklight
 
Worklight nitin nm
Worklight nitin nmWorklight nitin nm
Worklight nitin nm
 
IBM Mobile foundation overview
IBM Mobile foundation overviewIBM Mobile foundation overview
IBM Mobile foundation overview
 
Kony Mobile Management
Kony Mobile ManagementKony Mobile Management
Kony Mobile Management
 
Ibm mobile first briefing
Ibm mobile first briefingIbm mobile first briefing
Ibm mobile first briefing
 
IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013
IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013
IBM MobileFirst and Case Studies_Frank Müller_IBM Symposium 2013
 
IBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essentialIBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essential
 
Soa architect summit mobile 2013_mar [compatibility mode]
Soa architect summit mobile 2013_mar [compatibility mode]Soa architect summit mobile 2013_mar [compatibility mode]
Soa architect summit mobile 2013_mar [compatibility mode]
 

Similar to Security and Mobile Application Management with Worklight

IBM Presentation for Mobile Developer Summit India
IBM Presentation for Mobile Developer Summit IndiaIBM Presentation for Mobile Developer Summit India
IBM Presentation for Mobile Developer Summit India
Leigh Williamson
 
Microsoft System Center 2012 Delivering better IT Management
Microsoft System Center 2012 Delivering better IT ManagementMicrosoft System Center 2012 Delivering better IT Management
Microsoft System Center 2012 Delivering better IT Management
Intergen
 
Presentatie mc afee emm 2011
Presentatie mc afee emm 2011Presentatie mc afee emm 2011
Presentatie mc afee emm 2011
SecutecGroup Baudewijns
 
Sccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estoninaSccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estonina
Microsoft Singapore
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
CA API Management
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USUdløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
IBM Danmark
 
Intel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfeeIntel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfee
IntelAPAC
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
Andris Soroka
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Dirk Nicol
 
Single Sign-On for Mobile
Single Sign-On for MobileSingle Sign-On for Mobile
Single Sign-On for Mobile
CA API Management
 
RSA 2012 Virtualization Security February 2012
RSA 2012 Virtualization Security February 2012RSA 2012 Virtualization Security February 2012
RSA 2012 Virtualization Security February 2012
Symantec
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...
IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...
IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...
AIP Foundation
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1
Anindya Ghosh,
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
Endeavour Software Technologies
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
Nugroho Gito
 
BIG-IP ADCs and ADF
BIG-IP ADCs and ADFBIG-IP ADCs and ADF
BIG-IP ADCs and ADF
F5 Networks
 
ASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devices
Cyber Security Alliance
 

Similar to Security and Mobile Application Management with Worklight (20)

IBM Presentation for Mobile Developer Summit India
IBM Presentation for Mobile Developer Summit IndiaIBM Presentation for Mobile Developer Summit India
IBM Presentation for Mobile Developer Summit India
 
Microsoft System Center 2012 Delivering better IT Management
Microsoft System Center 2012 Delivering better IT ManagementMicrosoft System Center 2012 Delivering better IT Management
Microsoft System Center 2012 Delivering better IT Management
 
Presentatie mc afee emm 2011
Presentatie mc afee emm 2011Presentatie mc afee emm 2011
Presentatie mc afee emm 2011
 
Sccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estoninaSccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estonina
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USUdløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
 
Intel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfeeIntel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfee
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Single Sign-On for Mobile
Single Sign-On for MobileSingle Sign-On for Mobile
Single Sign-On for Mobile
 
RSA 2012 Virtualization Security February 2012
RSA 2012 Virtualization Security February 2012RSA 2012 Virtualization Security February 2012
RSA 2012 Virtualization Security February 2012
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
 
IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...
IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...
IBM Mobile Foundation POT - Part 3 securing and managing mobile appilcations ...
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
BIG-IP ADCs and ADF
BIG-IP ADCs and ADFBIG-IP ADCs and ADF
BIG-IP ADCs and ADF
 
ASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devices
 

More from IBM WebSphereIndia

Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software
IBM WebSphereIndia
 
IBM Mobile Strategy
IBM Mobile StrategyIBM Mobile Strategy
IBM Mobile Strategy
IBM WebSphereIndia
 
Extending IT Investment with Connectivity & Integration
Extending IT Investment with Connectivity & IntegrationExtending IT Investment with Connectivity & Integration
Extending IT Investment with Connectivity & Integration
IBM WebSphereIndia
 
Websphere Application Server V8.5
Websphere Application Server V8.5Websphere Application Server V8.5
Websphere Application Server V8.5
IBM WebSphereIndia
 
Process Innovation for 2012
Process Innovation for 2012Process Innovation for 2012
Process Innovation for 2012
IBM WebSphereIndia
 
Websphere Application Server: Much more than Open Source
Websphere Application Server: Much more than Open SourceWebsphere Application Server: Much more than Open Source
Websphere Application Server: Much more than Open Source
IBM WebSphereIndia
 
Smarter lending leads to Business Agility
Smarter lending leads to Business AgilitySmarter lending leads to Business Agility
Smarter lending leads to Business Agility
IBM WebSphereIndia
 
Enable process visbility: The Value Proposition for SAP customers
Enable process visbility: The Value Proposition for SAP customers Enable process visbility: The Value Proposition for SAP customers
Enable process visbility: The Value Proposition for SAP customers
IBM WebSphereIndia
 
Transform your Insurance Processes with BPM and Decision Management
Transform your Insurance Processes with BPM and Decision ManagementTransform your Insurance Processes with BPM and Decision Management
Transform your Insurance Processes with BPM and Decision Management
IBM WebSphereIndia
 
IBM PureSystems
IBM PureSystemsIBM PureSystems
IBM PureSystems
IBM WebSphereIndia
 

More from IBM WebSphereIndia (11)

Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software Collaborative lifecycle development for Mobile Software
Collaborative lifecycle development for Mobile Software
 
IBM Mobile Strategy
IBM Mobile StrategyIBM Mobile Strategy
IBM Mobile Strategy
 
Extending IT Investment with Connectivity & Integration
Extending IT Investment with Connectivity & IntegrationExtending IT Investment with Connectivity & Integration
Extending IT Investment with Connectivity & Integration
 
Websphere Application Server V8.5
Websphere Application Server V8.5Websphere Application Server V8.5
Websphere Application Server V8.5
 
Process Innovation for 2012
Process Innovation for 2012Process Innovation for 2012
Process Innovation for 2012
 
Websphere Application Server: Much more than Open Source
Websphere Application Server: Much more than Open SourceWebsphere Application Server: Much more than Open Source
Websphere Application Server: Much more than Open Source
 
Smarter lending leads to Business Agility
Smarter lending leads to Business AgilitySmarter lending leads to Business Agility
Smarter lending leads to Business Agility
 
Enable process visbility: The Value Proposition for SAP customers
Enable process visbility: The Value Proposition for SAP customers Enable process visbility: The Value Proposition for SAP customers
Enable process visbility: The Value Proposition for SAP customers
 
Transform your Insurance Processes with BPM and Decision Management
Transform your Insurance Processes with BPM and Decision ManagementTransform your Insurance Processes with BPM and Decision Management
Transform your Insurance Processes with BPM and Decision Management
 
IBM PureSystems
IBM PureSystemsIBM PureSystems
IBM PureSystems
 
Impact 2010 Pictures
Impact 2010 PicturesImpact 2010 Pictures
Impact 2010 Pictures
 

Recently uploaded

Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
LINUS PROJECTS (INDIA)
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
chetankumar9855
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 

Recently uploaded (20)

Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 

Security and Mobile Application Management with Worklight

  • 1. Security and Mobile Application Management with Worklight Miku Jha, Senior Solutions Architect Worklight, an IBM Company
  • 2. IBM Mobile Foundation Development Firewall or Security Gateway Lifecycle Tools IBM End Point IBM Worklight Manager for Mobile Devices CastIron Hypervisor Edition Elastic Caching Mobile threats and IBM Mobile Foundation security SOA & Connectivity (Messaging, ESBs, Cloud Integration, Governance) Business Decision Social Analytics Process Management Management Software Enterprise Apps 2
  • 3. Components of the IBM Worklight Mobile Platform Worklight Studio The most complete, extensible environment with maximum code reuse and per-device optimization Worklight Server Unified notifications, runtime skins, version management, security, integration and delivery 1001010101011 Worklight Runtime Components 1010010100100 1010111010010 0110101010101 0010010010111 1001001100101 Extensive libraries and client APIs that expose and interface 0101001010100 with native device functionality Worklight Console A web-based console for real-time analytics and control of your mobile apps and infrastructure 3
  • 4. Worklight Security Focus: Support Creation and Delivery of Secure Mobile Apps Take advantage of platform architecture and mobile capabilities Address mobile-specific security issues Security is a platform-wide consideration, relating to all components: • Server • Device run-time • Studio • Console 4
  • 5. Taking Advantage of Platform Architecture and Mobile Capabilities  Platform architecture benefits: – Combining server-side and client-side functionality to provide a comprehensive set of security features – Opportunity to simplify security approval process  Mobile capabilities: – The device itself can be used as a second factor for user authentication (i.e., “what you have”) – Use built-in support for secure communications – Leverage security APIs when available (e.g., keychain services API, app signatures) – Some app stores provide high confidence in app legitimacy 5
  • 6. Worklight Runtime Architecture Worklight Server Device Runtime Application Code Server-side Client-side Application Code App Resources Stats Aggregation Cross Platform Technology JSON Translation Direct Update Mobile Authentication Web Apps Security and Authentication Back-end Data Integration Post-deployment control Unified Push Adapter Library Diagnostics Notifications 6
  • 7. Mobile Application Security Objectives Protect data on Enforce security the device updates • Malware, Jailbreaking • Be proactive: can’t rely • Offline access on users getting the • Device theft latest software update on their own • Phishing, repackaging Streamline Provide robust Protect from the Corporate authentication “classic” threats security approval and authorization to the application processes • Existing authentication security • Complex infrastructure • Hacking • Time-consuming • Passwords are more • Eavesdropping vulnerable • Man-in-the-middle 7
  • 8. Security Features Mapping Protecting data on the Enforcing security device updates Secure App Compatibility Encrypted Offline challenge- Remote Direct authenticity with jailbreak offline cache authentication response on disable update testing detection libs startup SSL with Mobile Auth Data Proven Device server Code platform as a integration protection platform provisioning identity protection trust factor framework realms security verification Streamlining Providing robust Application Corporate security authentication and Security processes authorization 8
  • 9. Protecting data on the device Malware, Jailbreaking Protecting data on the device Device theft Offline access Phishing, repackaging Secure Encrypted App Compatibility Offline challenge- offline authenticity with jailbreak authentication response on cache testing detection libs startup Encrypted offline cache Offline authentication using password Extended authentication with server using secure challenge response App authenticity testing: server-side verification mechanism to mitigate risk of Phishing through repackaging or app forgery Compatibility with various jailbreak and malware detection libraries 9
  • 10. Enforcing security updates Can’t rely on users Remote Disable: shut down getting the latest software update on specific versions of a their own downloadable app, providing users with link to update Enforcing security updates Direct Update: automatically send new versions of the Remote Direct locally-cached HTML/JS disable update resources to installed apps 10
  • 11. Middleware Security Proven SSL with Code platform server identity protection security verification Proven platform security: tested by the most Protecting from demanding customers (e.g., top tier banks) the “Classic” security threats Client<->Middleware communications over HTTPS to prevent data leakage Fail on server certificate verification error Packaged JS code can be encrypted on desktop to make static analysis more difficult Hacking JS code integrity verification on startup Eavesdropping SQL adapter designed to mitigate SQL-injection Man-in-the- Built-in audit trail middle 11
  • 12. Authentication and Authorization Authentication Data Device integration framework protection realms Provisioning Very flexible framework for simplifying integration of apps with enterprise identity & access management solutions Providing robust authentication and Manages authenticated sessions with authorization configurable expiration Open: e.g., custom OTP as anti-keylogger mechanism Need to integrate with existing Server-side services grouped into authentication infrastructure separate protection realms for different authentication levels Authenticate users when offline Secure device ID generated as part of extensible provisioning process Mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible) 12
  • 13. Simplifying corporate security processes Mobile Objective: apps developed on the platform platform as a will be easier for the security group to trust factor approve Mechanisms: pre-approve platform with Streamlining corporate security security group. Identify corporate-specific processes concerns and provide solutions within the platform framework. Result: release cycle for apps made by Mandatory independent development groups within approval the organization significantly shortened. processes that are complex and time-consuming 13
  • 14. Centralized Build System Provides Control Over Coupling of Shell and Inner App “Official” Android code-signing certificate, iOS bundle seed id Source Code Worklight Repository Build System 14
  • 15. Worklight Studio simplifies the reuse of custom containers across the organization One team creates a custom container (“Shell Component”) for extensive security certification Other teams create HTML-only “inner apps” wrapped in that container 15
  • 16. Mobile Security Enabled with IBM Solutions IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries •Application security •Worklight •IBM Rational AppScan •Mobile device management •IBM Endpoint Manager for Mobile devices •IBM Hosted Mobile Device Security Management •Secure enterprise access •IBM Security Access Manager •Security Intelligence •IBM QRadar 16
  • 18. The Difference Between Secure Apps and Device Management Mobile Device Application-Level Management Security Device-level control: App takes care of itself: • Password protection • Authentication • File-system encryption • File encryption • Managed apps • Remote administration • Jailbreak detection • Adaptive functionality Requires consent of user to Applicable in all scenarios, have enterprise manage including BYOD and entire device consumer-facing contexts 18
  • 19. Copyright and Trademarks © IBM Corporation 2012. All Rights Reserved. IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. 19
  • 20. Session Authentication Management Step 1 – Unauthenticated Session 1. Call protected Procedure Worklight Server Access denied because session is unauthenticated or expired 2. Request Authentication Session: • Created on first access from client • Identified using session cookie • Associated data is stored on the server 20
  • 21. Session Authentication Management Step 2 – Authentication 1. Obtain credentials from user and device Worklight Server 2. Forward credentials Process authentication data 3. If necessary: • Consult with authentication servers • Perform device provisioning • Receive authentication token • Associate token with session 21
  • 22. Session Authentication Management Step 3 – Authenticated Session 1. Procedure call on authenticated session Worklight Server Authenticated token associated with session 3. Procedure result Session ID Auth Tokens/State 2bd4296a3f29 Realm 1: 25487 Realm 2: ------ 2. Access back-end service -- using authentication 25617ff82a90 Realm 1: ------ --- token Realm 2: a6c9a 89a77921b02 Realm 1: 7b8df Realm 2: 6a8a0 22
  • 23. Deployment for SSO and Security Intelligence Security Intelligence Platform Hybrid Mobile Apps IBM Endpoint Based on WorkLight Manager Risk Based Access Hybrid App. SSL Security Proxy SSO WorkLight Server Enterprise Hybrid App. (IBM Security Applications, Worklight Runtime Access Manager) (WAS w/ security) Connectivity & Data Mobile Device  Security Proxy  Risk based access decisions and authentication - Context awareness  Single SignOn and Federation – standards based support OAuth, SAML, OpenID  Added value through integration of Security proxy with Mobile application platform (Worklight) – offline authentication, secure cache, app authenticity,..  Security intelligence with mobile context  Intelligence around malware and advanced threats in mobile enabled enterprise  User identity and device identity correlation, leading to behavior analysis  Geo-fencing, anomaly detection based on device, user, location, and application characteristics 23

Editor's Notes

  1. A quick note on IBM Worklight.IBM Worklight is a core component of IBM Mobile Foundation enabling enterprises to build mobile, connect and manage mobile applications.The key essence of the platform is to remove the overhead of building powerful mobile apps across different environments and to meet high end enterprise needs. One of the top concerns of enterprises is security.What you see here are four primary components of the platform and each component plays a role n the overall security.When it comes to security,IBM has a comprehensive end-to-end solution solution on mobile Security spanning across Mobile Apps, Devices and network but in this session we will focus on theWL platform and its approach to mobile security.
  2. Lets dive into the security aspect of the platform.They way that we address security is by creating and delivering secure mobile apps.There are 2 primary aspects to doing that:One is addressing mobile specific security issues. And you will find there are mobile specific security issues out there.The counterpart of that is taking advantage of the architecture of the mobile platform to deliver secure mobile apps.
  3. Let’s look at WL runtime This is a typical deployment: Having WL server installed behind the firewall and mobile applications deployed on devices outside the firewallIn this case it doesn’t matter whether the devices are employee owned, enterprise owned or consumer owned. There is a separation between the devices and the server component connected to the backend.There might be variations to this but it is a typical deployment with WL server protected.Let’s look at what security in a mobile context means…
  4. Here is a categorization of different security issues faced by enterprises when they run mobile apps.Large number of security challenges are categorized into 5 different categories.Protecting data on deviceEnforcing security updatesHow do you streamline corporate governanceHow do you authenticateAnd finally classic security threats that are applicable to mobile devices as well such as Man in the middle attach, SQL injection etc.
  5. Here we see a catalog of security features that WL platform provides and how it maps to the categories that we outlinedIn the previous slide.Lets go through these in details.
  6. Lets review these and try to understand these challenges.Protecting data on device: mobile apps provide users access to sensitive data: pass code, banking account detail, transaction history, account details. The corporate data that keeps CIOs up at night.Mobile devices are a portal to this data and are subject to loss. Devices can be stolen. They are not immune to malware especially for jail broken or rooted devicesAlso mobile applications have to function offline so apps have to cache this data which makes things even worse. So measures have to be taken to secure this on device data.Jailbroken devices present a significant risk on terms of data security.Mobile users as still not at the point where they install malware detection software on their devices. One of primary features is encrypted offline cache. This creates a secured storage area where an application can store the dataTo access it online or offline and prevent access to the data unless the user is authorized.We use AES 256 bit encryption to encrypt the data.The key is derived from the user provided passcode and is not stored in plain text any where in memoryServer is responsible for generating the encryption key.The encrypted cache mechanism can also be used to validate the users in the offline mode.Other features include:Integrity verification of hybrid code makes sure that application was not compromised after it was installed on the device.When app starts it does a checksum of JS resources of itself and will refuse to run if it finds a checksum mismatch.App authenticity testing to provide security measures against forged apps so you validate the originality of the app.Include custom code that tries to identify if a device is rooted and we integrate with such libraries.
  7. The second category is enforcing security updates.It is not uncommon to find security issues/bugs after the apps are released and installed on devices.Unlike web pages where if you want to fix or change something, all you need to do is put a new copy on the web server and the applications get it automatically, for theDownloadable apps, users have to be proactive to look for notification and manually download the fix from the app store or market place.Relying on users to do this is a challenge. For example, about a year ago, a leading bank found a security issue in its mobile app but couldn’t get its users to download the fix. They ended up sending letters in the mail for users to get the fix.We cant rely on users to get security updates.Wl provides 2 features to help with this challenge: remote disable and direct update.remote disable.Direct update:
  8. Classic security threats apply to mobile devices such as man in the middle attacks.Wl platform is deployed with several top tier banks and has been tested by them.The client has been tested, the server has been tested.Overall we have validation from customers that platform is secure.Communication from the app to the server is done over https so data is encrypted to prevent tapping into data stream between client and serverWhen a WL hybrid application initiates a procedure on server that procedure call will fail if server doesn’t present a valid certificate that matches the host name of the server.Code obfuscation to prevent reverse engineering of the code.We have a built in audit trail in the server. Every adapter procedure can be marked audited and server will keep a log of requestsMade to that procedure
  9. We are used to web applications connecting to single sign on and things like that.Mobile apps do not come with such built in infrastructure to make that happenEnterprises have to build that on their own.Applications are difficult to protect because passwords as more vulnerable in mobile context.Unlike PC context where you can type your pwd easily mobile is different. You have a hard time typing the long password.[which Ibmers in this room can identify with ]Wl server provides a flexible framework to integrate with existing authentication infrastructure.WL server manages a state for each open session from the mobile app running on the deviceAn advanced feature of authentication is to maintain multiple authentication realm. For example once client application can make calls to multiple backend system where WL server can maintain different authentication policy/tokenFor each backend system. The openness: each customer can introduce custom authentication mechanism.One of our customers created a custom key pad to prevent key logging attack.An image of a randomly ordered key pad is generated on the server and is sent to the client. The user is presented with a pin code entry pad.The client application has no information about the order of the keys.The client application passes the coordinates of the pin code to the server and server validates it by comparing the pin code with the image.2 factor authentication is possible to do as well and has been done using device ID as a second factor by one of our customers.
  10. Approving mobile apps in terms of security is not easy.Every time you release a new version you have to go through a set of tests and policies to ensure it complies with enterprise.This can become a bottleneck. The core idea here is that security org within the enterprise will go through the rigorous process of approving the app, verify the policies as followed and so on.For each application developed on the platform now has to check fewer things. Beyond that security org can enforce use of a custom/tested hybrid container tested by the org.This ties into the next slide.
  11. Explain custom shell.Release cycles can be shortened.One of our customers chose WL because of our ability to do this.