1. Securing Mobile Apps: New Approaches for the BYOD World
Presented by:
Cimarron Buser
Apperian, Inc.
The information and images contained in this document are of a proprietary and confidential nature.
The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than
client evaluation without the written permission of Apperian, Inc. is strictly prohibited.
© Apperian, Inc. 2012. All Rights Reserved.
3. About Apperian
Top tier investors Award winning product
2012 Product Finalist
Company to Watch
Experienced team Strong customer base
Copyright © 2012, Apperian, Inc. Page 3
4. Agenda
Mobile Device & App Security
Challenges for Mobile Apps and Security
Security in Context: Mobile Enterprise Strategy
Many Options: MDM, MEAP, MAM, MSSS …
Specific Approaches: Virtualization, Sandboxes, Wrappers, and SDKs
Moving Forward: Balancing and Managing Mobile Risk
5. Challenges for Mobile Security
Users: “I want quick and easy access to business apps and data!”
IT: “How do I securely deploy and manage devices and apps?”
Dev: “How do I make an enterprise-grade app?”
Users
“BYOD”
Consumerization of IT
Single personal/work device
Increased mobility
Have to mobilize workforce
IT
Need a solution now!
Security is still #1
Lack of IT Apple or Android experience
Dev
Need App examples
Smartphone SDKs not built for enterprise
6. Challenge: Where do users get the Apps?
iTunes App Store or Google Market
Consumer app focus
Apps and updates are “optional”
Personal iTunes or Gmail account based
Private “App Catalog” approach
Enterprise “in-house” app focus
Apps and updates “mandatory”
Corporate directory authenticated
7. Security in Context: Mobile Enterprise Strategy
Source: The Enterprise Mobility Foundation
8. Security in Context: How Big is the Threat?
Mobile is an “attack surface” that can be exploited: unmanaged devices, networks, OSes, apps, data flows and storage
Mobile Risk exists and past “events” sound scary
Since 2001 $25B+ in loss (PC/Win based)
Mobile anti-virus and anti-malware emerging
But so far, no “major” similar events in mobile
However – SMS fraud is still a problem…
Congratulations!!! You won R1,000,000.00 in the on-going
Chevron UK bonanza. Claim code: CHVUKB/SA/10. Call
Elizabeth on 0835161978 from 9am to 4pm for claim.
10. Many Options: But it’s Alphabet Soup!
Mobile Device & App Security Options
The Acronyms:
MDM: Mobile Device Management
MEAP: Mobile Enterprise Application Platform
MAM: Mobile Application Management
MSSS: Mobile Security Software Suite
The Approaches:
Virtualization, Wrappers, SDKs, Sandboxes…
11. Many Security Touch Points
Layer      Touch points
Visibility Policy, Monitoring, GRC
User       Auth-n/z, Education, Policies
App        SDK, Wrapper, Middleware
Partition  VM, Container, Partition
Agent      AV, Firewall, Blacklist
Device     VPN, Location, Encryption
OS         Sandbox, Profiles, APIs
Network    Carrier, Wi-Fi, Bluetooth
12. Anatomy of an iOS Device Security Posture
Remediation: Remotely wipe devices, track lost or stolen devices, ensure deletion of data.
Auth-n/z: Manage access and authorize users based on enterprise credentials.
App Container: Secure container with App content based on user role; SDK extends to Apps.
MDM: Manage settings, ensure compliance policies, remotely wipe and delete.
Same capabilities available to all:
Device Profiles: Control security settings for VPN, Wi-Fi, email and authentication.
Device Encryption: Apps & Data at rest and in use protected via HW encryption.
App Sandbox: Limited access to files, preferences, network, hardware and other Apps.
13. MDM - Mobile Device Management
MDM focuses on device-based security, provisioning and control of mobile devices. Additional features may provide TEMS, Device Inventory, and app lists (part of MAM).
• MDM is useful for organizations requiring a high level of control over Corporate Liable devices due to regulatory requirements, or where the risk of users accessing “non approved” information is high.
• Microsoft Exchange Server provides security with device management features via ActiveSync, including security profiles (e.g., the user must have a PIN code of a specific type and length), and device “wipe” and “lock”.
• Apple iOS supports a protocol called “MDM” that allows iOS devices to register with a central server and thereafter receive specific commands to perform tasks, e.g., “device wipe”, install security profiles, or send back device status without user intervention.
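The command/status exchange described in the last bullet, as an added example that is not code from the deck or from Apperian: a mock enrolled device applies the plist-encoded commands a server queues (the RequestType names DeviceLock, EraseDevice, InstallProfile and DeviceInformation are Apple's; the device state, UDID, push topic and the topic check are constructed simplifications of the real enrollment binding).

```python
import plistlib
import uuid

class MockDevice:
    """Constructed stand-in for an enrolled iOS device (simplified, not Apple's code)."""
    def __init__(self, udid, server_topic):
        self.udid = udid
        self.server_topic = server_topic  # push topic from the enrollment profile
        self.locked, self.erased, self.profiles = False, False, []
        self.info = {"DeviceName": "demo-iPhone", "OSVersion": "5.1.1"}  # constructed

    def handle(self, command_plist, topic):
        """Apply one command plist and return the status reply the device would send."""
        # Simplification: honour commands only from the server the device enrolled with.
        if topic != self.server_topic:
            return {"UDID": self.udid, "Status": "Error",
                    "ErrorChain": [{"LocalizedDescription": "unexpected topic"}]}
        cmd = plistlib.loads(command_plist)
        body = cmd.get("Command", {})
        reply = {"UDID": self.udid, "CommandUUID": cmd.get("CommandUUID", ""), "Status": "Acknowledged"}
        req = body.get("RequestType")
        if req == "DeviceLock":
            self.locked = True
        elif req == "EraseDevice":
            self.erased, self.profiles = True, []
        elif req == "InstallProfile":
            self.profiles.append(body["Payload"])
        elif req == "DeviceInformation":
            reply["QueryResponses"] = {q: self.info[q] for q in body["Queries"] if q in self.info}
        else:
            reply["Status"] = "CommandFormatError"
        return reply

def make_command(request_type, **fields):
    """Server side: wrap a RequestType in the plist envelope a device expects."""
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": {"RequestType": request_type, **fields}})

def run_demo():
    """Enroll a mock device and push the commands the slide lists; returns (device, replies)."""
    topic = "com.example.mdm"  # constructed push topic
    dev = MockDevice("CONSTRUCTED-UDID-0001", topic)
    replies = [
        dev.handle(make_command("DeviceInformation", Queries=["DeviceName", "OSVersion"]), topic),
        dev.handle(make_command("InstallProfile", Payload=b"<constructed profile>"), topic),
        dev.handle(make_command("DeviceLock"), topic),
        dev.handle(make_command("EraseDevice"), "com.example.other-server"),  # not enrolled: rejected
        dev.handle(make_command("EraseDevice"), topic),
    ]
    return dev, replies
```

Each reply carries the CommandUUID it answers, which is how a server reconciles status without any user interaction on the device.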
14. MDM – Device Management Examples
Microsoft Exchange 2007 Server - Device Management feature
Google Apps Device Management Console
15. MEAP - Mobile Enterprise Application Platform
MEAPs provide “tools and client/server middleware for
mobile (targeting any sort of mobile application) and
multichannel (highly device/OS- and network-adaptive)
thick (offline) enterprise application development”*
• MEAPs are used by some organizations that require an integrated
development environment.
• MEAPs are attractive to companies that want to deploy an
enterprise-wide solution across many different device types, using
central logic for large, complex apps
• MEAP Sandboxes enable multiple applications within a single
“native app” sandbox, thereby providing control over the
application from a single dashboard
* Source: Gartner Group
16. MEAP - Example
Source: Antenna Software: AMP Platform
17. MAM - Mobile Application Management
MAM focuses on the role-based security, provisioning and control of mobile apps in an organization, with capabilities that may include device inventory, reporting/tracking, and user compliance.
• MAMs are useful for organizations providing “in-house” apps to users on either CL (Corporate Liable) or IL (Individual Liable) devices. For example, if a user leaves an organization or group, apps and data belonging to the organization can be de-provisioned without resorting to a full “device wipe”.
• MAM solutions are typically used in mixed (CL/IL) environments or where BYOD policies are implemented.
• Apple and Android support over-the-air delivery of apps, which enables apps and profiles to be delivered from a server.
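The over-the-air delivery in the last bullet, as an added example that is not the deck's or Apperian's code: a catalog builds the manifest plist and itms-services link that iOS uses to fetch an in-house IPA, and checks before publishing that every asset is served over https and that the advertised bundle identifier is the one actually packaged. The hostnames, bundle id and the minimal IPA are constructed; the https rule is a policy this check enforces, not a claim about platform behaviour.

```python
import io
import plistlib
import zipfile
from urllib.parse import urlparse

REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")

def build_manifest(ipa_url, bundle_id, version, title):
    """Manifest plist a catalog publishes for one app (the format iOS expects)."""
    item = {"assets": [{"kind": "software-package", "url": ipa_url}],
            "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                         "kind": "software", "title": title}}
    return plistlib.dumps({"items": [item]})

def install_link(manifest_url):
    """Link the catalog page shows; iOS fetches the manifest, then the IPA."""
    return "itms-services://?action=download-manifest&url=" + manifest_url

def make_fake_ipa(bundle_id):
    """Constructed minimal IPA: a zip holding only Payload/Demo.app/Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
    return buf.getvalue()

def ipa_bundle_id(ipa_bytes):
    """Read CFBundleIdentifier from the app bundle's Info.plist inside the IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        name = next(n for n in z.namelist()
                    if n.startswith("Payload/") and n.count("/") == 2 and n.endswith("/Info.plist"))
        return plistlib.loads(z.read(name))["CFBundleIdentifier"]

def check_manifest(manifest_bytes, ipa_bytes):
    """Catalog-side checks before publishing; returns a list of problems (empty = OK)."""
    problems = []
    packaged_id = ipa_bundle_id(ipa_bytes)
    for item in plistlib.loads(manifest_bytes).get("items", []):
        meta = item.get("metadata", {})
        for key in REQUIRED_METADATA:
            if key not in meta:
                problems.append("missing metadata key: " + key)
        # The IPA must come from the catalog over TLS, not a plain-HTTP mirror.
        for asset in item.get("assets", []):
            if urlparse(asset.get("url", "")).scheme != "https":
                problems.append("asset not served over https: " + str(asset.get("url")))
        # What the catalog advertises must be what is actually packaged.
        if meta.get("bundle-identifier") != packaged_id:
            problems.append("bundle id mismatch: manifest %s vs ipa %s" % (meta.get("bundle-identifier"), packaged_id))
    return problems
```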
18. MAM - Example
Source: Apperian, Inc. – EASE App Catalog
19. MSSS - Mobile Security Software Suite
MSSS focuses on providing a complete “suite” of solutions that may include antivirus, personal firewall, VPN, encryption, anti-spam, and remote monitoring and control services.
• MSSS solutions extend traditional “enterprise” protections for the
PC environment to mobility. Services can include remote back up
and restore, lost and stolen device location, as well as data wipe.
• MSSS can also send an alert when “security” events occur, e.g.,
when a SIM card has been removed or replaced.
• MSSS capabilities are beginning to overlap or be subsumed by MDM
or built-in OS solutions (e.g. iCloud) and certain features, such as
anti-virus, are not necessarily viewed as critical… yet
20. Approaches to Data/App Security
• Virtualization allows a device to have a different “partition” or “persona” that provides two or more virtual device modes; apps built for these modes may require an SDK or Wrapper
• SDKs provide direct support to native app developers for authentication, authorization, reporting/tracking and other services to provide for app and data security enforcement
• Wrappers offer the promise of “wrapping” an existing mobile app without the need to re-compile or change code; the resulting app can then be managed centrally
• Sandboxes allow a single or multiple apps to live within a “sandbox” and be logically separated from other apps but managed centrally
… Application Developers may use one or more of these approaches to address security issues, or use “do it yourself” methods
* Source: ISO
21. Mobile Security Solutions
Diagram labels: “Holy Grail Solution”, Device Management, App and Data Management
MDM: Mobile Iron, Air Watch, BoxTone
Virtualization (OS): VMWare Horizon, ATT Toggle
Device Mgmt: MS Exchange, Google DM, Apple Profile Mgr
MAM: Apperian, AppCentral, Partnerpedia
MEAP (Sandboxes): Antenna, Sybase
MSSS: Symantec, McAfee
Wrappers: RSA, Pyxis, GOOD, Mocana, Arxan
22. Moving Forward: Balancing Risk and Objectives
Security Objective / Risk: Low, Medium, High
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  Low: Unauthorized disclosure of information … limited adverse effect on organizational operations, organizational assets, or individuals
  Medium: Unauthorized disclosure of information … serious adverse effect on organizational operations, organizational assets, or individuals
  High: Unauthorized disclosure of information … severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  Low: Unauthorized modification or destruction of information … limited adverse effect on operations, organizational assets, or individuals.
  Medium: Unauthorized modification or destruction of information … serious adverse effect on operations, organizational assets, or individuals.
  High: Unauthorized modification or destruction of information … severe or catastrophic adverse effect on operations, organizational assets, or individuals.
Availability: Ensuring timely and reliable access to and use of information.
  Low: Disruption of access to or use of information or an information system … limited adverse effect on organizational operations, organizational assets, or individuals
  Medium: Disruption of access to or use of information or an information system … serious adverse effect on organizational operations, organizational assets, or individuals
  High: Disruption of access to or use of information or an information system … severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Source: Adapted from “Standards for Security Categorization of Federal Information and Information Systems” (FIPS PUB 199)
23. Moving Forward: Making a Plan
Make Security part of overall Strategy
  Focus on “high impact” areas
Establish Basic Policies
  User Agreement
  “Best Practices” including encryption for data in transit and data at rest
  Basic security policy for PINs, registration (“Find Me”) and enabling wipe for company and user
Have Plan in Place for Data Breach
  Event reporting protocol
  Specific steps and actions
Measure and Monitor
24. Q&A
www.apperian.com
Additional Questions?
Contact Cimarron Buser
cbuser@apperian.com