We are here because we understand mobile computing is important and valuable.
How do we deliver the confidence needed to realize the full business potential that mobile computing provides?
Questions to consider asking the audience:
How many people have smartphones?
How many people are using a corporate mobile application?
How many people have non-corporate applications on their smartphone?
Of course these are all facts we inherently know about our smartphones and tablets, but let's consider what they mean in the context of enterprise security and management. Here are some of the characteristics of mobile computing that increase security risk.
Mobile devices are shared more often…
- Did you ever hand your smartphone to one of your kids?
- Do you have a family tablet?
- IBM has mandatory “Digital Training” that highlights the prohibition of sharing company devices that have corporate data on them.
Mobile devices prioritize the user…
- User experience and consumability is paramount
- I recently updated my iPhone to iOS 6.
- I hit “yes” to the update prompt as I was leaving for work.
- My first thought was boy – this is going to take forever and it will be complex.
- A few minutes and a few questions later I was done.
Security has to be designed in an unobtrusive way. Where security requirements are evident, there has to be enough value there to warrant impacting the user.
Did you ever forget a hotel key?
When you ask the front desk for another key, are you asked to provide identification?
Does it bother you that your identity is being authenticated?
No. Because the value of the security is evident.
Application security and data protection have to address everything that is unique about mobile computing.
And the solutions to these challenges will vary depending on who owns the device and what it's being used for.
The mobile threat landscape includes three primary risk vectors:
Vulnerable and compromised customer mobile devices: The mobile device itself is also a target. Users often jailbreak/root their device, which breaks the platform security model and allows mobile malware and rogue apps to infect the device and control critical functions such as SMS, which is used for transaction authentication. Other risk factors include outdated operating system versions, unsecured Wi-Fi and pharming attacks that direct users to fake sites.
Account takeover from the criminal's mobile device: Criminals use mobile devices to access victims' accounts through the mobile browser. One of the key challenges is creating a unique device ID for each mobile device, as most mobile devices look alike when accessing online banking web sites via the native mobile browser. Legacy device ID solutions that sit on the web site have a difficult time uniquely identifying criminal devices. Furthermore, proxies used by criminals skew detection of the device's geographic location based on IP address.
Cross-channel credential theft: A big enabler of account takeover is credentials stolen through phishing or malware on the online channel. To identify account takeover (ATO) from a mobile device it is essential to see the full fraud life cycle and not have a siloed view of the mobile channel only.
IBM focuses on three component areas for enforcing security within the mobile enterprise: 1) Device Management, 2) Network, Data and Access Security, and 3) Application Layer Security.
Device Management – often the first area an organization will start with, covering everything from enrollment and configuration of new mobile devices for business use, to monitoring for compliance, to de-provisioning them by remotely wiping corporate information. This allows policy to be deployed and provides some element of control.
Network, Data and Access Security – Once organizations delve deeper into their mobile projects they recognize the prerequisite for mobile security at the network. Blocking mobile threats, controlling network traffic, authenticating and authorizing users, encrypting the channel of communication, as well as monitoring all mobile-related security events, typically requires multiple solutions deployed across the infrastructure.
Application Layer Security – Mobile app security entails enforcing security standards and best practices during development, testing for vulnerabilities, identifying threats to the app and delivering updates.
Bullet 1 Proof Points
Cast Iron enables organizations to hook mobile apps to existing enterprise and even public cloud-based systems in just weeks. Integration between IBM Endpoint Manager and Worklight by the end of the year (2012) will ensure a smooth, automated transition of apps from the dev environment to production for faster deployment and greater confidence that the correct build is delivered. Additional integration work will provide performance data from devices back to app dev teams for troubleshooting and performance enhancements.
Bullet 2 Proof Points
Improved management and security of devices, as well as employee self-service portal reduces overall calls to the help desk for locating and wiping lost devices or enrolling new devices. In addition, location mapping services will enable organizations to recover some devices that would have otherwise been lost. As an example, IBM reduced security-related help desk calls by nearly 80% by significantly improving patch management practices on desktops and laptops with IBM Endpoint Manager, saving $10M annually. While mobile devices may be a much lower call volume now, they will only continue to increase their share of the help desk team’s workload.
Bullet 3 Proof Points
With IBM Endpoint Manager, a single infrastructure requiring just one dedicated management server per 250,000 endpoints can be used to manage and secure smartphones, tablets, laptops, desktops, servers, ATMs, and kiosks. This solution is also designed to easily provide endpoint data, including detailed hardware and software inventory information on mobile devices, to service desk, asset management, CMDB, network management, and security event management systems.
Bullet 4 Proof Points
An integrated security approach ensures that not just the device is configured securely, but that security-rich apps are tested and delivered, sensitive data is protected while on that device, secure and authenticated connections are made to enterprise systems from mobile devices, and that security-related event information is correlated with security information from all other aspects of the IT environment.
Bullet 5 Proof Points
Data about access points, signal strength, device location, and other network access relevant properties can be fed from IBM Endpoint Manager to the Netcool / OMNIbus suite for alerting, troubleshooting, and outage prediction analysis. In many organizations, WiFi availability with sufficient signal strength for reasonable data transfer rates is relied on for mission-critical activities – knowing exactly which router is having problems before it fails, and before employees flood IT with complaints, is vital.
What if you could leverage geo-location features in mobile devices to establish context and therefore determine what capabilities are allowed and what security is needed?
For instance let’s look at a scenario where an ER Doctor is in the hospital on her shift accessing patient records and then the next day, she is off shift but on call in a coffee shop checking on her patients by accessing their records while having a coffee.
When doing rounds, the ER doctor carries her tablet with her and she is able to quickly and easily get access to patient records. She simply logs into patient-side workstations, her tablet or various forms of electronic medical equipment with a simple password or swipe. But much more is going on in the background, as there is a secure token on the mobile phone she is carrying in her pocket. Her authentication is actually her password (something she knows) as well as her mobile device (something she has with her). So let's say she logs into a workstation in an exam room and is then distracted and pulled away. As soon as she leaves the Bluetooth range of that exam room she is automatically logged off. When she returns, she can quickly restore that session as if she never left.
This is accomplished leveraging context information from the IBM Worklight application using Geofencing data – GPS, Network-fencing and Time-fencing.
But let’s take it a bit further. What if you could dynamically change security policy without changing the application itself?
And what if you could easily predetermine which explicit app features and data users could use and access based on where they were? These are the kinds of things IBM Research is exploring.
For instance, while the doctor is in the ER she has full capability to access all patient records and medical data to most effectively do her job.
Now let's imagine it is the weekend and the same ER doctor is on call... getting a coffee at Starbucks. Her security profile has now changed and she is in a higher-risk location. Maybe we present her with an additional authentication challenge based on the location, such as a password and a challenge question. We might also limit her access to one patient record at a time, as there is no legitimate reason she would need to run a query on 5000 patient records. If we see that type of activity occurring outside the hospital, we know it's a problem.
Let's also say the record has sensitive non-medical information such as credit card numbers. In the hospital this information is important for billing purposes, but there is no reason the doctor needs access to this data when she is on call. Although this is not filtered out by the application, the security service redacts this information. So without any changes to the application we have dramatically reduced the security risk and allowed our doctor to get a cup of coffee while still remaining connected to the office and her patients.
This context-based security can be done today with the same tablet: the mobile application delivered through Worklight passes context to IBM Security Access Manager for Mobile and Cloud, where a risk assessment is performed based on that context and authentication decisions are managed through policies set by the security team.
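The on-shift versus on-call policy described above, as an added example (not IBM's code and not the policy language of IBM Security Access Manager): a small Python policy engine that turns context (geofence zone, network-fence, time-fence, device token) into a risk decision, then enforces the step-up requirement, the one-record limit and the credit card redaction on a query result without the application changing. The zone and network labels, role name, field names and sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SENSITIVE_NONMEDICAL = {"credit_card", "billing_address"}  # assumed field names

@dataclass
class Context:
    role: str                   # e.g. "er_doctor" (assumed role label)
    zone: str                   # GPS geofence: "hospital" or "offsite" (assumed labels)
    network: str                # network-fence: "hospital_wifi", "public_wifi", "cellular"
    on_shift: bool              # time-fence
    device_token_present: bool  # "something she has": token on the enrolled phone

@dataclass
class Decision:
    allow: bool
    risk: str                                          # "low" or "high"
    step_up: List[str] = field(default_factory=list)   # extra challenges to present
    max_records: Optional[int] = None                  # None = no per-query limit
    redact_fields: Set[str] = field(default_factory=set)

def assess(ctx: Context) -> Decision:
    """Risk assessment from context; decided before any record is read."""
    if not ctx.device_token_present or ctx.role != "er_doctor":
        return Decision(allow=False, risk="high")  # second factor or role missing
    in_hospital = ctx.zone == "hospital" and ctx.network == "hospital_wifi" and ctx.on_shift
    if in_hospital:
        # On shift, inside the geofence, on the hospital network: full access.
        return Decision(allow=True, risk="low")
    # Off-site (on call at a coffee shop): higher risk, so step-up authentication,
    # one record at a time, and sensitive non-medical fields redacted.
    return Decision(allow=True, risk="high",
                    step_up=["password", "challenge_question"],
                    max_records=1,
                    redact_fields=set(SENSITIVE_NONMEDICAL))

def enforce(decision: Decision, records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Apply the decision to a query result; returns (records released, alerts raised)."""
    alerts: List[str] = []
    if not decision.allow:
        return [], ["access denied by policy"]
    if decision.max_records is not None and len(records) > decision.max_records:
        # A bulk query from outside the hospital is the signal the scenario calls a problem.
        alerts.append(f"bulk query of {len(records)} records outside permitted context")
        return [], alerts
    released = [{k: ("[REDACTED]" if k in decision.redact_fields else v) for k, v in r.items()}
                for r in records]
    return released, alerts

# Constructed sample data; not real patients or card numbers.
SAMPLE_RECORDS = [
    {"patient_id": "P-001", "diagnosis": "fracture", "credit_card": "4111-xxxx", "billing_address": "1 Main St"},
    {"patient_id": "P-002", "diagnosis": "asthma", "credit_card": "5500-xxxx", "billing_address": "2 Oak Ave"},
]
ON_SHIFT = Context("er_doctor", "hospital", "hospital_wifi", True, True)
ON_CALL_COFFEE = Context("er_doctor", "offsite", "public_wifi", False, True)

if __name__ == "__main__":
    for ctx in (ON_SHIFT, ON_CALL_COFFEE):
        print(assess(ctx), enforce(assess(ctx), SAMPLE_RECORDS[:1]))
```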
This chart represents all of what IBM is doing in mobility on a single page. When we launched MobileFirst back in February at the Mobile World Congress in Barcelona, we were reacting to the fact that no one in the industry had yet laid out a vision of the key services and capabilities that will be needed in this technology transition.
Now we know that you all work with many vendors and partners, so think of this as a blueprint for what you need (you may not get everything from IBM, but we will work to provide the integration across these areas to make things go smoother).
Today I want to focus on some of the key areas, going around the chart to highlight some of what we do and what’s new in each of the areas. Let’s begin with the application and data platform.
Security is interesting in that with mobility, there are both opportunities and threats. Our IBM MobileFirst Security solutions address both of those issues.
First, the opportunity to make better decisions around whether, or at what level, an individual should have access to an application is improved when the mobile context is taken into consideration. Many retailers and branch banks want tablet solutions, but they don't want them to work when they are outside the footprint of the store. IBM Security Access Manager for Mobile and Cloud integrates with some of our location capabilities in Worklight and addresses that scenario.
Second, getting back to the point about a mature development process, we believe that security vulnerability scanning for mobile apps is critical. That is why we’ve added iOS and Android support to our latest releases of AppScan. This is especially useful when 3rd parties are involved in building mobile applications that represent your brand.
This analysis directly motivates the requirement for a framework for securing the mobile enterprise, taking the three areas of focus from IBM that you saw on the previous page.
No program of work should begin without a clear strategy. It should be built on the basis of 'secure the flow of data', because that is what you're trying to protect across the mobile enterprise. It's also important that this strategy includes lifecycle management of the mobile enterprise, to keep pace with the rapid change we see with this new form factor. And a point on products: don't just purchase for today, make sure you purchase for tomorrow's challenges too; the tools need to integrate to give you enterprise visibility and security intelligence. Intelligence is helpful in detecting, preventing and quickly recovering from an attack; it is also helpful to have some means of looking back at audit-ready evidence to reduce risk in future.
At the device: we need to establish traditional levels of visibility and control over new types of endpoints. Enforce organizational policies – ensure consistent controls across all devices, and monitor compliance. Compromised security posture – should policy be broken, how can you detect this and take action? Proactive maintenance – how can you enforce patching and regular control updates? Mitigate management costs – solutions need to scale to meet the explosion of new devices.
Over the network and enterprise: mobile devices bring unique demands on access to enterprise resources, so access controls need to be sympathetic to the employee's current experience; too strong and the user will find ways around them. Mobile devices are shared more often, so more granular authentication may be required, of the device or of the user. Free Wi-Fi hotspots offer great convenience, but the integrity of the transaction must be maintained, within apps or over networks (VPN).
For the mobile app: building apps for the mobile environment should take the same path as building traditional applications – test for and identify vulnerabilities in applications, and build in security as you go rather than bolting it on afterwards, which can be very expensive and slow your time to market. It is also important to monitor apps; restrictions can be added to prevent the downloading of known mobile apps that contain malicious software, using either black-listing or white-listing.
Mobile security should be tackled in just the same way we currently protect our data in the existing enterprise infrastructure.
IBM mobile security is provided by a wide range of powerful solutions, including MaaS360, Worklight, IBM Security AppScan, IBM Security Access Manager and Trusteer. Robust security intelligence can be achieved by deploying the IBM QRadar Security Intelligence Platform.
On page 8, we go one step deeper into the details of the specific functionality that MaaS360 provides and the various delivery mechanisms that we can provide it.
Four main suites of fully integrated functionality, shown on the left side of page 8.
A great degree of flexibility in how to achieve the desired MDM results. On the right side of page 8: native device, app, or content management and security AND/OR a container approach to provisioning, managing, and securing apps and content, including the PIM suite.
This is a key differentiator for MaaS360. We are good at both native and container, whereas most competitors are good at one or the other. And why this matters is that in organizations of scale there is likely a need for both – best-in-class native device management and best-in-class container strategies.
An example here would be Caesars Entertainment: they are native on iOS and container-centric on Android for BYOD. This is a growing best practice. For devices on the casino floor in service providers' hands, they do just MAM without any MDM functionality. And for VIP host applications, they have strong containerization in place, as those devices can tunnel into all systems and access all content in order to satisfy any demands of their best customers.
Net-net, we can meet a broad set of user and IT needs and we provide future proofing on possible changing needs.
MaaS360 Secure Productivity Suite delivers a Dual Persona approach to separate personal and enterprise data in this BYOD era. It provides a Trusted WorkPlace container for a complete mobile security and productivity solution with strong data leak prevention (DLP) and consistent and seamless workflows.
It is the only comprehensive cloud-based solution for iOS and Android that enables employees to securely access corporate data while preserving the mobile experience on their personal devices.
MaaS360 Secure Productivity Suite keeps everything your users need for work in one secure container. They can manage all their emails, contacts, calendars, apps, documents and Web browsing from one dedicated workspace on their mobile devices, no matter what devices they’re using or who owns them.
With policies to control the movement of data, you can restrict sharing by users, forwarding of attachments, and copying and pasting. Devices that are lost, stolen or compromised can be selectively wiped to remove the secure container and everything in it.
It uses a dual persona approach to separate work from play so you can put controls in place to manage this secure container that won't affect the rest of the device.
MaaS360 provides IT teams a wide range of mobile security options to separate corporate and personal information across different categories of users, devices, content, and apps, all within the context of their business. This gives our customers the flexibility to offer tiered or layered mobile security to address their varied end user needs and IT security requirements, from MDM essentials to stricter lockdown capabilities of corporate data for specific users.
For businesses that need stringent security policy and compliance controls, such as those in the highly regulated healthcare and financial services industries, containerization can be especially helpful in making the BYOD experience more palatable for users.
With MaaS360, organizations can phase in BYOD and “right size” their mobile security investments for different classes of users, departments, geographies, devices and applications, and apply the technology approach that best meets the need of those use cases, all from a unified platform.
Components of the Secure Productivity Suite
MaaS360 Secure Mail
A secure office productivity app with email, calendar and contacts.
MaaS360 Application Security
A mobile application container with full operational and security management.
MaaS360 Secure Document Sharing
A fully secure document container with expanded user support to edit content.
MaaS360 Secure Browser
A fully-functional web browser to enforce compliance and control access to content.
Key benefits
Complete set of productivity tools for viewing, editing and sharing
Safely and securely support Bring Your Own Device (BYOD)
Separate personal and corporate data
Reduce risk of sensitive data leakage
Leverage single sign-on for authentication, and on-line and off-line compliance checks
Wipe suite container, app containers, enterprise profiles or whole device
Experience consistent and seamless workflows for iOS and Android devices
Use granular administrative controls and reporting
Background
AimArs needed to reduce operational complexity and cost with a single, scalable infrastructure to secure access to various back-end services from multiple mobile apps. A customized authentication mechanism empowered the bank to guarantee the security of its customers while safeguarding the trust relationship with a safe app platform that encrypts local data and delivers app updates immediately.
Customer Needs
Extend secure access to banking apps to mobile customers
Enhance productivity of employees to perform secure banking transactions via mobile devices
Support for iOS, Android, and Windows Mobile
Benefits
Authenticates requests made via HTTPS from hybrid mobile apps running on the Worklight platform to back-end services
A custom certificates-based authentication mechanism implemented to secure back-end banking application
Solution components:
IBM Worklight
Finance All Solutions (FAS)
Internal: http://w3.ibm.com/sales/ssi/cgi-bin/ssialias?appname=crmd&subtype=cs&infotype=rf&htmlfid=CPAR-8TNQF4
External: http://www.ibm.com/software/success/cssdb.nsf/cs/CPAR-8TNQF4?OpenDocument&Site=corp&ref=crdb
The following slide is approved for external use but may not be altered in any way.
For additional information, contact Ronald P Favali/White Plains/IBM
MAIN POINT: Next steps include leveraging the IBM mobile enterprise web site to gain access to information and trials of key software. Talk to your IBM representative or business partner to find the right next step for you.
SPEAKER NOTES:
Thank you for your time today. We'd be happy to answer your questions between and after sessions today. To learn more about what you've heard so far in the first two sessions, and to actually begin using trials of the IBM Mobile Foundation software offerings, you can visit the main IBM mobile enterprise website shown on the screen.
Above all, take the time to talk with your IBM representative or business partner to find the right next step for you.