ibm mobile security &...

© 2013 IBM Corporation

IBM Mobile Security & Management: Delivering Confidence to Put Mobile First

© 2013 IBM Corporation 2

Enterprises Need Confidence to Put Mobile First…


Mobile devices are shared more often

Mobile devices are used in more locations

Mobile devices prioritise the user

Mobile devices are diverse

.

Mobile devices have multiple personas

• Personal phones and tablets shared with family

• Enterprise tablet shared with co-workers

• Social norms of mobile apps vs. file systems

• Work tool

• Entertainment device

• Personal organiser

• Security profile per persona?

• OS immaturity for enterprise mgmt

• BYOD dictates multiple OSs

• Vendor / carrier control dictates multiple OS versions

• Diverse app development/delivery model

• A single location could offer public, private, and cell connections

• Anywhere, anytime

• Increasing reliance on enterprise WiFi

• Devices more likely to be lost/stolen

• Conflicts with user experience not tolerated

• OS architecture puts the user in control

• Difficult to enforce policy, app lists

• Security policies have less of a chance of dictating experience

Uniqueness of Mobile


A Frame of Reference to Structure Your Strategy

Device Management Network, Data,

and Access Security

Application Layer

Security

Security for endpoint

device and data

Achieve visibility and adaptive

security policies

Develop and test

applications

IBM Mobile Security and Management Framework


Defense in Depth

Context Influences Risk The context of an interaction needs to be analyzed so appropriate security

measures can be employed to counter plausible threats

Interaction Interface is Critical Mobile apps are the primary interaction interface whose integrity needs to

safeguarded and validated

Vigilance is a Necessity Monitoring security events allows the ability to assess the completeness of the

security posture as well as detect intentional and unintentional actions that may

compromise it

Oversee Devices in an Enterprise Context For certain segments of employees or business partners having visibility and

control over the device will mitigate risk exposure


Context Influences Risk

Derive Uniqueness of

Interaction Compute risk

Adapt Authentication

processes

Dynamically control

authorization of specific

transactions

Mobile affords many attributes that pertain to the user’s context allowing for unique

identification of a specific interaction (i.e. location, network, time, device properties etc)

Risk of the unique interaction can be computed based on established policies

The risk score can be utilized to select the authentication processes best suited for that

interaction

The risk score can also be employed to control authorization for specific transactions

during that interaction and deliver education to the user on security best practices in

context


What if context determined capabilities automatically & securely?

• Context On-site inside emergency room

On the hospital network

Authorized doctor on shift

Function: All app features

Data: Full data access and storage

Security: Single-factor authentication

• Context At coffee shop

On an unsecured network

Authorized doctor on call

Function: Designated features only

Data: Specific encrypted data

Security: Multi-factor authentication

Governed

Policy


Integrated Context-Aware Risk-Based Access Control

Client App. (i.e. Mobile

Application)

Applications

Risk / Context

Decision Engine

Auth. Authz.

ISAM Policy

Server

Portal

/ Apps

Process

Server /

ESB

PEPs

User Interaction

Web SSO Worklight

Server

Context based

Access &

Federation

Identity

Propagation

http(s)

Worklight

Runtime

Identity propagation &

Context based access

External Metadata

User

Dir,

Bus.

Data Bus.

Data

Apps

metadata

ISAM Proxy

Proxy - WAM

Session Mgmt.

Se

lf B

ala

ncin

g Authn, Authz

Threat

Protection

xForce threat

protection service

Credentials

Mobile affords customers with the ability to compute risk for an interaction based on the context of the user

and configure authentication processes o Infrastructure to customize the authentication and authorization of both the user and the device (i.e. certificate-based,

biometrics etc)

Mobile apps can employ the risk score generated by ISAM for Mobile to control authorization to various

transactions during that interaction and ISAM also delivers enhanced session management support to

mitigate the risk of man-in-the-middle attack

Access Mgmt Infrastructure integration with Mobile Application Platform External Authn/Authz

Provider (i.e. biometrics,

Q&A challenge etc)

ISAM for Mobile


Interaction Interface is Critical

Facilitate inclusion of core security features

in apps

Perform Vulnerability

Analysis on the App

Validate the Authenticity of

the App

Push Updates Dynamically

Mobile developers need to be assisted with standardized proven techniques to quickly

incorporate core security features in their apps (i.e. encryption of locally stored data)

Vulnerability analysis on the app can significantly mitigate the exploitation of the app

and its chances of going rogue

During each interaction validate that the app has not been modified in any way to

improve confidence in the integrity of the interaction

Dynamically update the app in the event the app has been compromised or new

vulnerabilities were identified


Mobile Apps: New Security Challenges

In addition to IT, Line of Business

teams (i.e. Marketing) are building

mobile apps ad hoc to seize market

opportunities or serve growing demand

An enterprise cannot reproduce

all the apps demanded by

employees so will need to

support third-party apps

New technologies for building native,

hybrid and web apps for mobile

Mobile apps often employ

multiple collaborative

techniques and channels

Lack of security understanding and

structured development processes

may introduce significant risks

App creators may have different

security standards or have not

performed security testing

New vulnerabilities, different types of

exploits and susceptibility to old

attacks being discovered

Multiple interaction points are exposed

to threat vectors


Addressing the OWASP Top Ten Mobile Security Risks with

Vulnerability Analysis of Mobile Apps

OWASP TOP 10 Full-Trace Vulnerability Analysis

1. Insecure Data Storage Trace routes of sensitive data

2. Weak Server Side Controls Security scanning of server side code

3. Insufficient Transport Layer Protection Check for use of SSL/TLS

4. Client Side Injection Checks for common injection flaws including SQLi,

HTMLi, and XSS

5. Poor Authentication and Authorization Track where IDs and Passwords enter/exit the system

6. Improper Session Handling Verify UUID is not used for session management

7. Security Decisions via Untrusted Inputs Track where data originates and how it is used

8. Side Channel Data Leakage Test for data leakage to log files, pasteboard, property

lists, etc

9. Broken Cryptography Identify proper usage of cryptographic usage

10. Sensitive Information Disclosure Test for data leakage to peripherals, network, sockets,

etc.


Vigilance is a Necessity

Track security events

emanating from user access

Track security events

emanating from application behavior

Track security events from

network traffic

Report on Security Posture

or Alert to Emerging Threat

Mobile user access needs to be monitored to potentially identify abnormal behavior

End-to-end visibility of mobile app behavior is needed to identify malicious or rogue

apps

Constant awareness of network traffic allows an organization to identify threats and

take appropriate response

Reporting for compliance as well as proactive action to improve response time to an

emerging threat will reduce exposure


Need for Intelligence…

Targeted attacks at individuals,

organizations or specific regions are

growing in sophistication and

frequency

The development of counter measures is inhibited by a lack of awareness of the attack since

it may require monitoring across various security solutions

The dynamic mobile ecosystem is

inherently social and consumer

oriented with each new capability

introducing new interaction

mechanisms

User behavior deemed risky from an enterprise

security perspective might be practiced without

awareness

Increased governmental

regulation and competitive

pressures

The penalties for security breaches are not only

monetarily expensive but it could result in the

loss of trust relationships with customers,

partners and employees

Emerging threats are evolving, and

new sets of vulnerabilities being

uncovered


Mobile Security Intelligence


Oversee Devices In an Enterprise Context

Catalog and Develop an Inventory all Enterprise

Mobile Devices

Define and Enforce Security Policies for the

Device

Deliver and Manage

Enterprise Apps and Inform

about Malicious Apps

Monitor Compliance and

Report

An organization needs visibility of all mobile devices connecting to the corporate

network

A way to define security policies on the device and its interaction and enforceability is

required

A secure channel to deliver enterprise apps and restrict users from installing malicious

or compromising apps is necessary

On-going monitoring and compliance for audit reporting will be important


Enroll

Register owner and services

Configure

Set appropriate security

policies

Monitor

Ensure device compliance

Reconfigure

Add new policies over-the-

air

De-provision

Remove services and wipe

Authenticate

Properly identify mobile users

Encrypt

Secure network connectivity

Monitor

Log network access and events

Control

Allow or deny access to apps

Block

Identify and stop mobile

threats

Develop

Utilize secure coding practices

Test

Identify application

vulnerabilities

Monitor

Correlate unauthorized activity

Protect

Defend against application

attacks

Update

Patch old or vulnerable apps

At the Device Over the Network &

Enterprise For the Mobile App

Corporate

Intranet

Internet

Mobile Security Strategy and Lifecycle Management

IBM

Secu

rity

Fra

mew

ork

do

main

s

Steps to consider when securing the mobile enterprise


Mobile Security Maturity Model

Optimized

Mobile Security Intelligence Risk Assessments, New Threat Detection, Active Monitoring

Integrated management of multiple devices

Device Security policy management

Prevent loss or leakage of sensitive information

Risk / Context based Access

Threat Detection on inbound network traffic

Context / Risk based document collaboration /

creating / viewing

Enforce restrictions on copy/paste

Multi-factor context aware access and offline access

Granular security policy definition and enforcement

Enable data sharing based on policy

Proficient

Endpoint Protection with Anti-malware

White/black list apps

Detection of Jailbreak/rooted

devices

Prevent copy and paste of email, calendar, contacts

and intranet data

Application level VPN

Secure document creation and viewing

Document Collaboration with secure file sync /

collaboration

App Management – provisioning/updates/disabling

Separation of corporate apps from personal apps

Application validation

Basic

Update management

Device lock / Device wipe

Device Registration

Segregated secure access corporate email, calendar,

contacts and browser

User /device authentication and single sign-on

Connectivity to social networks

Secure instant messaging

Enforcing encryption of data within an app

App Vulnerability Testing and Certification

Buying Occasion BYOD Data Separation Mobile Collaboration Mobile App. Security


IBM Solutions



Analytics

Security

Management

IBM and Partner Applications

Application Platform and Data Services

Banking Insurance Transport Telecom Government

Industry Solutions

Healthcare Retail Automotive

Devices Servers

Application Platform

Co

ns

ult

ing

& D

es

ign

Se

rvic

es

In

teg

ratio

n S

erv

ice

s

Cloud & Managed Services

IBM MobileFirst Offering Portfolio


Manage Device & Data

IBM Endpoint Manager

for Mobile

Malware Protection

IBM Mobile Device

Security (hosted)

Application Security

IBM Worklight

IBM MobileFirst offerings to secure the enterprise

Secure Access

IBM Security Access

Manager

IBM WebSphere

Datapower

Monitor & Protect

IBM QRadar

Secure Connectivity

IBM Mobile Lotus Connect

Secure Applications

IBM Security AppScan

Integrate Securely

IBM WebSphere DataPower

Manage Applications

IBM Worklight

At the Device Over the Network &

Enterprise For the Mobile App

Corporate

Intranet

Internet

Mobile Security Strategy and Lifecycle Management

IBM

Secu

rity

Fra

mew

ork

do

main

s


Prioritized security and privacy throughout

the mobile app lifecycle to protect sensitive

business systems IBM Security AppScan 8.next

IBM Security

AppScan

Planned availability 1Q 2013

Mobile Security

What’s New

Accelerates the use of iOS in an Enterprise setting

Native security scanning of iOS applications built in Objective C, Java or JavaScript

Facilitates a "secure by design" process in the software development lifecycle for mobile applications

Addresses requirements for usage in the US Federal Government

A Mobile First organization needs…

© 2013 IBM Corporation 22 *Planned availability 1Q 2013

Endpoint Management

Systems

Management

Security

Management

One console,

One

infrastructure

Unified Device Mgmt

Desktops & Laptops Smartphones

& Tablets Servers

Mobile

Management

What’s New

FIPS 140-2 Certified Encryption Module*

– Meet US Government standards for data protection

Automated Compliance-based Email Access

– Automatically grant or deny email access based on

device compliance.

IBM Lotus Notes Traveler Security Policy Integration

– Ease security administration by setting and reporting

Lotus Traveler security policies through the Endpoint

Manager console

Expanded BYOD Platform Support

– BlackBerry 10, Microsoft Windows Phone 8, Windows

RT, Apple iOS 6.1

Real-time visibility and control over all

mobile devices IBM Endpoint Manager for Mobile Devices



Mobile Security


Increase accuracy of identifying mobile

access security risks IBM Security Access Manager for Cloud and Mobile

Enterprise

Applications &

Connectivity

Access Mgmt.:Risk

based access

Employee, Jane wants to access

confidential data on mobile device from

either corporate network or from outside

the corporation

Application Security &

Optimization: DataPower

- XML Security and

Protocol Transformation

IBM Security Access

Manager for Cloud and

Mobile

User Credentials

Mobile Application

(developed using Worklight Studio)

IBM WorkLight Server

– Application

Transformation

Key Capabilities

Increase accuracy of identifying mobile access security risks

Dynamically assess the security risk of an access request

Quickly enforce Risk-Based Access

Ensuring users and devices are authenticated and authorized

Flexibility and strength in authentication: user id/password, OTP, biometrics, certificate, custom

Protect applications from known security threats by analyzing HTTP traffic

Mobile Threat

Protection


Customer Case Studies



European Bank delivers secure mobile Internet banking Background Major European Bank needed to reduce operational

complexity and cost with a single, scalable

infrastructure to secure access to various back-end

services from multiple mobile apps. A customized

authentication mechanism empowered the bank to

guarantee the security of its customers while

safeguarding the trust relationship with a safe app

platform that encrypts local data and delivers app

updates immediately.

Customer Needs

Extend secure access to banking apps to mobile customers

Enhance productivity of employees to perform secure banking transactions via mobile devices

Support for iOS, Android, and Windows Mobile

Benefits

Authenticates requests made via HTTPS from hybrid mobile apps running on WorkLight platform to back-end services

A custom certificates-based authentication mechanism implemented to secure back-end banking application


A health insurance provider offers secure mobile access

Challenges Differentiate from competitors by offering

customers greater access by supporting

mobility

Reduce overhead of paper-based claims

processing and call-center volume

Solution Requests made via HTTPS to multiple back-end

services from native device applications

protected by IBM Security Access Manager

Authentication enforced with both Basic

Authentication and a custom implementation

through Access Manager’s External

Authentication Interface

Benefits • Simultaneously build trust and improve user

experience with secure membership

management and claims processing

• Improve customer satisfaction and

responsiveness through secure mobile

solutions


Public utility adds mobile devices without adding infrastructure

Company Overview Serving 4.5 million customers in the southwestern

region of the United States, this electric company of

25,000 employees is a leader in clean energy while

exceeding reliability standards and keeping

consumer costs below average. They are

experiencing a migration from traditional endpoints

to mobile devices.

Customer Needs

Support 20,000+ mobile devices

Corporate and employee-owned, many platforms and OS versions

High availability for certain devices used in the field

Adherence to internal security policies, external regulations

Benefits

Scalability to 250,000 endpoints provides room to grow without adding infrastructure

Added mobile devices to existing IEM deployment in days

Ability to integrate with Maximo, Remedy

Responsiveness and agility of product and product team


Global automotive company secures mobile access

Challenges • Automobile customers require secure,

personalized access to vehicle information

services on their mobile devices

• Required secure access to radio, internet and

social network services from the automobile

Solution • IBM Security Access Manager and IBM Federated

Identity Manager along with IBM DataPower

• Seamless authentication and authorization to

back-end automotive business services

Benefits • Simplified single sign-on for trusted third party

service providers

• Scale to hundreds of thousands of devices and

users

• Improved customer satisfaction


Get started with IBM

• Learn more at:

www.ibm.com/mobilefirst

• Access white papers and webcasts

• Get product and services information

• Talk with your IBM representative or

visit the MobileFirst roadmap page

http://www.ibm.com/mobilefirst

http://ibm.co/ZPXEAg




© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Learn more at: www.ibm.com/mobilefirst

http://www.ibm.com/mobilefirst

ibm mobile security &...

Documents