IBM Solutions Connect 2013 presentation: Challenges of mobility in corporate environments. IBM security solutions for protecting mobile environments, part of the IBM MobileFirst initiative.
IBM examines the challenges of delivering mobile security for today's always-connected workforce and explains the benefits of a holistic approach to mobile security. Answer emerging threats with innovative IBM tools and technologies that span device management, identity and access management, and mobile application-layer security, enabling enterprises to improve productivity, enhance collaboration and better meet compliance requirements. Preview: http://www.youtube.com/watch?v=jTaLpb96ims Download: http://cattail.boulder.ibm.com/cattail/#view=vdheap@us.ibm.com/files/29DA6FA02F9C3DDC8AA18980093F23B6
Of course these are all facts we inherently know about our smartphones and tablets, but let's consider what they mean in the context of enterprise security and management. Here are some of the characteristics of mobile computing that increase security risk.

Mobile devices are shared more often…
- Did you ever hand your smartphone to one of your kids?
- Do you have a family tablet?
- IBM has mandatory “Digital Training” that highlights the prohibition of sharing company devices that have corporate data on them.

Mobile devices prioritize the user…
- User experience and consumability is paramount.
- I recently updated my iPhone to iOS 6. I hit “yes” to the update prompt as I was leaving for work. My first thought was: boy, this is going to take forever and it will be complex. A few minutes and a few questions later I was done.

Security has to be designed in an unobtrusive way. Where security requirements are evident, there has to be enough value there to warrant impacting the user. Did you ever forget a hotel key? When you ask the front desk for another key, are you asked to provide identification? Does it bother you that your identity is being authenticated? No, because the value of the security is evident.

Application security and data protection have to address everything that is unique about mobile computing, and the solutions to these challenges will vary depending on who owns the device and what it's being used for.
Bullet 1 Proof Points
Cast Iron enables organizations to hook mobile apps to existing enterprise and even public cloud-based systems in just weeks. Integration between IBM Endpoint Manager and Worklight by the end of the year (2012) will ensure a smooth, automated transition of apps from the dev environment to production for faster deployment and greater confidence that the correct build is delivered. Additional integration work will provide performance data from devices back to app dev teams for troubleshooting and performance enhancements.

Bullet 2 Proof Points
Improved management and security of devices, as well as an employee self-service portal, reduce overall calls to the help desk for locating and wiping lost devices or enrolling new devices. In addition, location mapping services will enable organizations to recover some devices that would otherwise have been lost. As an example, IBM reduced security-related help desk calls by nearly 80% by significantly improving patch management practices on desktops and laptops with IBM Endpoint Manager, saving $10M annually. While mobile devices may be a much lower call volume now, they will only continue to increase their share of the help desk team’s workload.

Bullet 3 Proof Points
With IBM Endpoint Manager, a single infrastructure requiring just one dedicated management server per 250,000 endpoints can be used to manage and secure smartphones, tablets, laptops, desktops, servers, ATMs, and kiosks. This solution is also designed to easily provide endpoint data, including detailed hardware and software inventory information on mobile devices, to service desk, asset management, CMDB, network management, and security event management systems.
Bullet 4 Proof Points
An integrated security approach ensures that not just the device is configured securely, but that security-rich apps are tested and delivered, sensitive data is protected while on that device, secure and authenticated connections are made to enterprise systems from mobile devices, and that security-related event information is correlated with security information from all other aspects of the IT environment.

Bullet 5 Proof Points
Data about access points, signal strength, device location, and other network access relevant properties can be fed from IBM Endpoint Manager to the Netcool / OMNIbus suite for alerting, troubleshooting, and outage prediction analysis. In many organizations, WiFi availability with sufficient signal strength for reasonable data transfer rates is relied on in mission-critical activities; knowing exactly which router is having problems before it fails, and before employees flood IT with complaints, is vital.
Security offerings are a key part of the IBM MobileFirst offering portfolio, which provides customers with an end-to-end set of offerings to help them embrace mobile first.

IBM MobileFirst Platform: Increase your enterprise's agility with new mobile apps and multichannel Web experiences connected to back-end systems and applications, with accelerated application delivery and support for native and offline apps.

IBM MobileFirst Management: Enhance your enterprise's productivity as you manage mobile devices, data, applications, expenses, and services throughout their lifecycles. "Bring your own device" (BYOD) policies bring more capabilities into your mobile enterprise, making employees more productive when their smartphones and tablets can immediately connect to networks, apps, and data.

IBM MobileFirst Security: Provide secure transactions from an array of devices, from around the world, while keeping your networks safe and efficient. And with employees working BYOD, with access to corporate resources, your IT team needs to gain close control over those devices.

IBM MobileFirst Analytics: Strengthen your business capabilities by redefining the end-to-end mobile customer experience. Open and expand marketplaces. Reach consumers at the moment of decision by leveraging location services, and create value through mobile capabilities that drive loyalty and satisfaction.
IBM focuses on three component areas for enforcing security within the mobile enterprise: 1) Device Management, 2) Network, Data and Access Security, and 3) Application Layer Security. In this presentation, we’re focusing on a product that helps address “network, data and access security.”

Back-up: The following overview was discussed in the MobileFirst Security presentation, so may not need to be discussed again now.

Device Management – often the first area an organization will start with, covering aspects from enrollment and configuration of new mobile devices for business use, to monitoring for compliance, to de-provisioning them by remotely wiping corporate information. This allows policy to be deployed and provides some element of control.

Network, Data and Access Security – once organizations delve deeper into their mobile projects they recognize the need for mobile security at the network. Blocking mobile threats, controlling network traffic, authenticating and authorizing users, encrypting the channel of communication, as well as monitoring all the mobile-related security events, requires multiple solutions deployed across the infrastructure.

Application Layer Security – mobile app security entails enforcing security standards and best practices during development, testing for vulnerabilities, identifying threats to the app and delivering updates.
With mobile, every transaction is unique: type of interaction, time of day, application accessed. What if you could leverage geo-location features in mobile devices to establish context and therefore determine what capabilities are allowed and what security is needed?

For instance, let’s look at a scenario where an ER doctor is in the hospital on her shift accessing patient records, and then the next day she is off shift but on call in a coffee shop, checking on her patients by accessing their records while having a coffee.

When doing rounds, the ER doctor carries her tablet with her and she is able to quickly and easily get access to patient records. She simply logs into patient-side workstations, her tablet or various forms of electronic medical equipment with a simple password or swipe. But much more is going on in the background, as there is a secure token on the mobile phone she is carrying in her pocket. Her authentication is actually her password (something she knows) as well as her mobile device (something she has with her). So let's say she logs into a workstation in an exam room and is then distracted and pulled away. As soon as she leaves the Bluetooth range of that exam room she is automatically logged off. When she returns, she can quickly restore that session like she never left. This is accomplished by leveraging context information from the IBM Worklight application using geofencing data: GPS, network-fencing and time-fencing.

But let’s take it a bit further. What if you could dynamically change security policy without changing the application itself? And what if you could easily predetermine what explicit app features and data users could use and access based on where they were? These are the kinds of things IBM Research is exploring. For instance, while the doctor is in the ER she has full capability to access all patient records and medical data to most effectively do her job.

Now let's imagine it is the weekend and the same ER doctor is on call, getting a coffee at Starbucks. Her security profile has now changed and she is in a higher-risk location. Maybe we present her with an additional authentication challenge based on the location, such as a password and a challenge question. We might also limit her access to one patient record at a time, as there is no legitimate reason she would need to run a query on 5000 patient records; if we see that type of activity occurring outside the hospital we know it's a problem. Let's also say the record has sensitive non-medical information such as credit card numbers. In the hospital this information is important for billing purposes, but there is no reason the doctor needs access to this data when she is on call. Although this is not filtered out by the application, the security service redacts this information. So without any changes to the application we have dramatically reduced the security risk and allowed our doctor to get a cup of coffee while still remaining connected to the office and her patients.

This context-based security can be done today with the same tablet: the mobile application delivered through Worklight passes context to IBM Security Access Manager for Mobile and Cloud, where a risk assessment is performed based on context and authentication decisions are managed through policies set by the security team.
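As an added illustration (not code from the presentation or from any IBM product), the following Python sketch models the policy decision the scenario describes: the app passes context attributes to a risk engine, which decides whether step-up authentication is required, how many records one query may return, and which billing fields are redacted. The attribute names, scores, thresholds and sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class AccessContext:
    """Context the app passes to the risk engine (attribute names are assumed)."""
    network: str                # "hospital_lan" or "public_wifi" (constructed labels)
    geofence_in_hospital: bool  # GPS geofence result
    on_shift: bool              # time-fencing input from the duty roster
    device_registered: bool     # the "something she has" factor

@dataclass
class Decision:
    risk: str               # "low", "medium" or "high"
    step_up_required: bool  # extra challenge (e.g. challenge question) needed
    max_records: int        # largest result set one query may return
    redact_fields: tuple = ()

# Sensitive non-medical fields with no clinical use off-site (assumed field names)
BILLING_FIELDS = ("credit_card", "billing_address")

def assess_risk(ctx: AccessContext) -> Decision:
    """Score the context and map the score to a policy; thresholds are assumptions."""
    score = 0
    if ctx.network != "hospital_lan":
        score += 2
    if not ctx.geofence_in_hospital:
        score += 1
    if not ctx.on_shift:
        score += 1
    if not ctx.device_registered:
        score += 3  # an unenrolled device alone is enough to be high risk
    if score == 0:
        return Decision("low", step_up_required=False, max_records=5000)
    if score <= 2:
        return Decision("medium", True, 50, BILLING_FIELDS)
    return Decision("high", True, 1, BILLING_FIELDS)

def enforce(ctx: AccessContext, step_up_completed: bool, records: list):
    """Apply the decision to a query result; returns (allowed, records_out, reason).
    Oversized result sets from a risky context are refused rather than truncated,
    so the attempt itself stays visible to monitoring, as the scenario suggests."""
    d = assess_risk(ctx)
    if d.step_up_required and not step_up_completed:
        return False, [], "step-up authentication required"
    if len(records) > d.max_records:
        return False, [], f"query exceeds {d.max_records} records at {d.risk} risk"
    redacted = [{k: v for k, v in r.items() if k not in d.redact_fields}
                for r in records]
    return True, redacted, "allowed"

# Constructed sample data for a stand-alone run
SAMPLE_RECORDS = [
    {"patient_id": "P-001", "diagnosis": "fracture", "credit_card": "4111-xxxx-xxxx-1111"},
    {"patient_id": "P-002", "diagnosis": "asthma", "credit_card": "5500-xxxx-xxxx-2222"},
]
WARD = AccessContext("hospital_lan", True, True, True)    # on shift, in the ER
CAFE = AccessContext("public_wifi", False, False, True)   # on call at the coffee shop
```

Calling `enforce(CAFE, True, SAMPLE_RECORDS)` is refused because two records exceed the one-record limit, while `enforce(CAFE, True, SAMPLE_RECORDS[:1])` succeeds with the credit card field stripped.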
This analysis directly motivates the requirement for a framework for securing the mobile enterprise, taking the three areas of focus you saw on the previous page. No program of work should begin without a clear strategy; it should be built on the basis of ‘secure the flow of data’, because that is what you’re trying to protect across the mobile enterprise. It’s also important that this strategy includes lifecycle management of the mobile enterprise, to keep pace with the rapid change we see with this new form factor. A point on products: don’t just purchase for today, make sure you purchase for tomorrow’s challenges too; the tools need to integrate to give you enterprise visibility and security intelligence. Intelligence can be helpful in detecting, preventing and quickly recovering from an attack; it is also helpful to have some means of looking back at audit-ready evidence to reduce the risks in future.

At the device: we need to establish traditional levels of visibility and control over new types of endpoints.
- Enforce organizational policies: ensure consistent controls across all devices, and monitor compliance.
- Compromised security posture: should policy be broken, how can you detect this and take action?
- Proactive maintenance: how can you enforce patching and regular control updates?
- Mitigate management costs: solutions need to scale to meet the explosion of new devices.

Over the network and enterprise: mobile devices bring unique demands on access to enterprise resources.
- Access controls need to be sympathetic to the employee’s current experience; too strong and the user will find ways around them.
- Mobile devices are shared more often, so more granular authentication may be required, of the device or the user.
- Free WiFi hotspots offer great convenience, but the integrity of the transaction must be maintained, with apps or over networks (VPN).
For the mobile app: building apps for the mobile environment should take the same path as building traditional applications. Test for and identify vulnerabilities in applications, and build in security as you go, rather than bolting it on afterwards, which can be very expensive and slow your time to market. It’s also important to monitor apps; restrictions can be added to prevent the downloading of known mobile apps that contain malicious software, using either black-listing or white-listing.

Mobile security should be tackled in just the same way we currently protect our data in the existing enterprise infrastructure.
IBM secures the mobile enterprise with a framework mapped to a comprehensive, integrated security solution set.

AT THE DEVICE
- IBM Endpoint Manager for Mobile delivers data security on the mobile device. It enforces the compliance of device configurations with enterprise security policies and employs platform facilities to enforce data encryption.
- IBM Hosted Mobile Device Security Management is a turnkey software-as-a-service (SaaS) solution that provides assurance of data security and policy compliance with anti-malware.
- IBM Worklight offers developers application-level data security by providing the tools needed to encrypt their applications’ data.

OVER THE NETWORK & ENTERPRISE
- IBM Security Access Manager for Mobile protects access to enterprise resources by authenticating and authorizing mobile users and their devices. It also integrates with IBM Worklight to deliver seamless user and application security.
- IBM WebSphere DataPower message protection and XML firewall capabilities guarantee the integrity of message content.
- IBM QRadar offers a unified collection, aggregation and analysis architecture facilitating the consumption of security logs from IBM Worklight; security events from IBM Endpoint Manager for Mobile Devices and IBM Access Manager for Mobile; and IBM AppScan app vulnerabilities.
- IBM Lotus® Mobile Connect enables secure encrypted connectivity over non-secure networks and infrastructure from mobile devices to backend systems.

FOR THE MOBILE APP
- IBM Security AppScan detects vulnerabilities in mobile web applications, in the web elements of hybrid mobile applications and in Android applications through static analysis during development.
- IBM WebSphere DataPower protects application programming interface calls.
- IBM Worklight enables organizations to efficiently develop, deliver and run safe HTML5, hybrid and native mobile applications with direct updates and application validation.
Speaker notes: These capabilities make Endpoint Manager more attractive to US Federal agencies and existing Lotus Notes customers. Commercial and non-governmental organizations can also benefit from these security enhancements, especially those organizations subject to data privacy laws (Healthcare, Retail, most companies outside the US) that have, or plan to allow, access to regulated data from mobile devices. The expanded platform support demonstrates IBM’s agility and speed in the mobile marketplace.
Increase precision of identifying risk associated with anytime/anywhere mobile access to enterprise systems.

For audience: Chief Information Security Officer, CIO

Who need: [Manage & Secure]
- Business desires to deliver context-aware mobile user security to improve assurance and enable the definition of custom mobile-specific authentication schemes.
- Organization requires centralized web access management and SSO for mobile users to demonstrate compliance.
- Enterprise wants to employ threat protection for mobile traffic.

IBM can help: deliver user security that adapts to the requirements of the context in which access is made and allows an enhanced user experience.

Enabled by: IBM Security Access Manager (ISAM) for Cloud and Mobile (FIM v6.2.2, SPM v7.1.0.4), which provides mobile user access and single sign-on with context-based access control.
- Risk-Based Access features: mobile device & app attributes for risk calculation and scoring; policy templates for location/network/time fencing; OAuth 2.0 and OpenID for federated SSO.
- Mobile Authentication features: One Time Password.
- Threat Protection: packet analysis module.
IBM Mobile Connect helps protect enterprise data in transit between mobile devices and back-end systems. It does this by providing these key capabilities:
- Clientless app-level Virtual Private Network (VPN) with an SSL-secured tunnel to specific HTTP application servers.
- Application-specific Virtual Private Network (VPN) access, which was added in December 2012. This clientless, reverse-proxy-like access for applications can deploy across multiple backend servers while surfacing only a single URL to the application, which is needed by some mobile applications.
- Strong authentication and encryption of data in transit.
These features help deliver a security-rich connection to enterprise resources from mobile devices.