Best practices for mobile enterprise security and the importance of endpoint management


Description

With the rapid growth of smartphones and tablets in the enterprise, CIOs are struggling to secure mobile devices and data across a wide range of mobile platforms. Attend this session to learn best practices around defining a mobile security policy, educating employees about safe computing practices, and deploying a secure technology framework. We'll discuss the benefits of endpoint management solutions like IBM Endpoint Manager in the context of a comprehensive enterprise deployment encompassing smartphones, tablets, PCs and servers.

Transcript of Best practices for mobile enterprise security and the importance of endpoint management

Page 1: Best practices for mobile enterprise security and the importance of endpoint management

© 2013 IBM Corporation

Best Practices for Mobile Enterprise Security and the Importance of Endpoint Management

Chris Pepin
Mobile Enterprise Executive
IBM Mobile Enterprise Services
Session 1269
@chrispepin
[email protected]

Page 2

Mobile enterprise is a business imperative

• Turn mobile into a profit-generating platform and attract new customers
• Improve employee productivity, attract and retain top talent
• Enterprises that don’t embrace mobile risk being left behind
• Social, cloud and analytics complement mobile

Page 3

Mobile security risks are significant…

[Risk matrix figure: Frequency (Never, Rare, Often, Frequently) plotted against Impact (Limited to Massive), divided into quadrants I to IV. Risks plotted: Loss/Theft/Seizure; Bluetooth slurping; Man-in-the-middle attack; Roving bug/illegal; Malware/Spyware/Grayware; Location logging & tracking.]

Based on Gartner, Mobile Security Risks, interviews with members of ISS X-Force, and Corporate Executive Board; an industry (not IBM only) view.

Page 4

…and involve more than just the device

Device
• Manage device: Set appropriate security policies • Register • Compliance • Wipe • Lock
• Secure data: Data separation • Leakage • Encryption
• Application security: Offline authentication • Application level controls

Network
• Secure access: Properly identify mobile users and devices • Allow or deny access • Connectivity
• Monitor & protect: Identify and stop mobile threats • Log network access, events, and anomalies
• Secure connectivity: Secure connectivity from devices

Mobile Applications
• Secure application: Utilize secure coding practices • Identify application vulnerabilities • Update applications
• Integrate securely: Secure connectivity to enterprise applications and services
• Manage applications: Manage applications and enterprise app store

Page 5

Video: IBM Mobile Security - Confidently enable productivity, business agility and a rich user experience

http://www.youtube.com/watch?v=jTaLpb96ims

Page 6

• Application sandboxing
• Signed code controls
• Remote device or data wipe

IBM prediction: “Mobile computing devices should be more secure than traditional user computing devices by 2014”

Page 7

A four-pronged approach to mobile security: Strategy, Policy, Education, Technology

Page 8

A mobile enterprise starts with a strategy

• Defining the business problem and success criteria
• Personas and use cases
• Mobile infrastructure readiness
• Processes and governance model

Strategy

Enterprises need at least two strategies: B2E and B2C

Page 9

Written mobile policy is essential

• Terms and conditions
‒ What devices, OSes and versions are allowed
‒ Passcode, device wipe, allowed applications
• Corporate owned devices as well as BYOD; data privacy
• Human resources, legal, procurement and reimbursement

Policy

A comprehensive policy for PCs, smartphones and tablets is recommended

Page 10

Employees are the weakest security link

• Identifying cybersecurity threats
• Protecting corporate and client data
• Safeguarding devices
• Data and security incident reporting
• Build a “culture of security”

Published guidelines, online education and social interaction are recommended

Education

Page 11

Technology monitors and enforces security policy

• Mobile Device Management (MDM)
• Data Loss Prevention (DLP)
• Containerization, virtualization, encryption
• Anti-malware
• Network access control

One size doesn’t fit all

Technology

Page 12

Network access policy is the first line of defense

[Access policy matrix: user type (Manager, Regular Employee, I.T. Staff, Contractor, Guest) by device type (Corporate Laptop, Personal Laptop, iPad/iPhone, Android Device); each cell assigns one of three access levels: Internet + Email + Intranet; Internet + Email; Internet only.]

In addition to restricting access based on user and device type, additional conditions may also be leveraged such as:
• Access method (wired, wireless, or VPN)
• Access location (company premises, home office, or remote location)
• Application type (data, voice, video)

Page 13

Network access control workflow

1. Onboard device: A simple and intuitive method of on-boarding the device. Automatically provisioning the device’s settings and checking to make sure the device hasn’t been compromised in any way and doesn’t present any risk.

2. Invoke a policy: Automatic policy decisions and enablement. Taking in all of the information about the context of the user and device and enabling the appropriate policy.

3. Enforce policy: Unified policy enforcement. Apply the policy across the global organization, over wired, wireless and remote, and across all of the major mobile device operating systems.
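The access matrix on the previous slide and the three-step workflow above can be put together as a small policy engine. The following is an added example, not IBM's code and not part of the deck: it models the user-type by device-type matrix with the three access levels the slide names, layers on the extra conditions the slide lists (access method, location, application type), and walks a device through onboard, decide and enforce. The cell values of the matrix, the capping rules (no intranet off premises without VPN, no corporate mail from a device without passcode and encryption, no video over VPN), and the device attribute names are all assumptions made for illustration; the deck shows the axes, not the cells.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """Access levels named on the slide, ordered so min() can cap a decision."""
    DENY = 0
    INTERNET = 1          # "Internet only"
    INTERNET_EMAIL = 2    # "Internet + Email"
    FULL = 3              # "Internet + Email + Intranet"


# Assumed base matrix (user type -> device type -> level). The deck shows the
# axes and the three levels but not the cell values; these are illustrative.
_MANAGED = {"corporate laptop": Access.FULL, "personal laptop": Access.INTERNET_EMAIL,
            "ipad/iphone": Access.INTERNET_EMAIL, "android device": Access.INTERNET_EMAIL}
_LIMITED = {"corporate laptop": Access.INTERNET_EMAIL, "personal laptop": Access.INTERNET,
            "ipad/iphone": Access.INTERNET, "android device": Access.INTERNET}
_GUEST = dict.fromkeys(_MANAGED, Access.INTERNET)
BASE_MATRIX = {"manager": _MANAGED, "regular employee": _MANAGED, "it staff": _MANAGED,
               "contractor": _LIMITED, "guest": _GUEST}

# What each level lets through once enforced.
ZONES = {
    Access.DENY: frozenset(),
    Access.INTERNET: frozenset({"internet"}),
    Access.INTERNET_EMAIL: frozenset({"internet", "email"}),
    Access.FULL: frozenset({"internet", "email", "intranet"}),
}


@dataclass(frozen=True)
class Posture:
    """Step 1 output: provisioned settings plus the device health checks."""
    compromised: bool   # rooted/jailbroken: never allowed on
    compliant: bool     # passcode set and storage encrypted
    settings: dict


@dataclass(frozen=True)
class Context:
    """Step 2 input: who, on what, how, from where, and for which traffic."""
    user_type: str
    device_type: str
    method: str       # "wired", "wireless" or "vpn"
    location: str     # "premises", "home office" or "remote"
    app_type: str     # "data", "voice" or "video"
    posture: Posture


def onboard(device: dict) -> Posture:
    """Step 1: provision settings and check the device has not been compromised.
    `device` is a constructed attribute dict of the kind an MDM agent reports."""
    settings = {"passcode_required": True, "wipe_after_failed_unlocks": 10,
                "storage_encryption": True}
    compromised = bool(device.get("jailbroken_or_rooted", False))
    compliant = bool(device.get("passcode_set")) and bool(device.get("encrypted"))
    return Posture(compromised, compliant, settings)


def decide(ctx: Context) -> Access:
    """Step 2: automatic policy decision from the whole context (assumed rules)."""
    if ctx.posture.compromised:
        return Access.DENY
    # Default deny: an unknown user or device type gets no permissive fallback.
    level = BASE_MATRIX.get(ctx.user_type, {}).get(ctx.device_type, Access.DENY)
    # The intranet is reachable only from company premises or over the VPN.
    if ctx.location != "premises" and ctx.method != "vpn":
        level = min(level, Access.INTERNET_EMAIL)
    # A device without passcode/encryption is kept away from corporate mail.
    if not ctx.posture.compliant:
        level = min(level, Access.INTERNET)
    # Assumed bandwidth rule: video sessions are not carried over the VPN.
    if ctx.app_type == "video" and ctx.method == "vpn":
        level = Access.DENY
    return level


def enforce(ctx: Context) -> dict:
    """Step 3: one enforcement path for wired, wireless and remote alike."""
    level = decide(ctx)
    return {"level": level.name, "zones": ZONES[level], "settings": ctx.posture.settings}


if __name__ == "__main__":
    # Constructed sample: a manager's corporate laptop on site, from home, and over VPN.
    laptop = onboard({"os": "Windows 7", "passcode_set": True, "encrypted": True})
    for method, location in (("wired", "premises"), ("wireless", "home office"), ("vpn", "remote")):
        ctx = Context("manager", "corporate laptop", method, location, "data", laptop)
        print(method, location, "->", enforce(ctx)["level"])
```

The design point is that every rule only ever lowers the level the matrix granted, and the matrix lookup itself defaults to deny, so a typo in a user or device label, or a new device class nobody has classified yet, fails closed rather than quietly inheriting full access.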

Page 14

Network impact of mobile devices

Do I have enough IP addresses? IP Address Management (IPAM)
• Many enterprises are still managing the IP address space on their networks manually via spreadsheets (approximately 75%), via homegrown applications or a combination of the two [1]
• Existing subnets and IP address pools may not be sufficiently large to handle the increased number of connected devices
• Audit and tracking capabilities need to be enhanced for mobile devices

Will my DHCP services scale? Dynamic Host Configuration Protocol (DHCP)
• Increased scale and robustness is required to handle the influx of IP address requests
• New mechanisms for dynamically managing lease times and IP address re-use may be required

Is my DNS ready to support the cloud? Domain Name System (DNS)
• Mobile applications and cloud-based services will impose a massive increase in the use of DNS services

Page 15

Separating personal and work data

Enterprise Needs:
• Protect corporate applications and data, not just the device
• Prevent data leakage from enterprise apps to personal apps and public cloud-based services
• Enforce advanced security features such as file-level encryption
• Centrally administer and enforce permissions and policies
• Ability to remotely wipe all work-related applications and data

Personal Needs:
• Maintain full control over personal apps and data
• Enterprise policies do not apply when the device is not connected to the enterprise network and corporate applications are not in use
• Selective wipe ensures that personal data remains untouched
• Simple to switch between personal and work functions

Page 16

Multiple approaches to achieving data separation

[Diagram labels: Mobile Device Management (MDM), Secure Container, Virtualized Devices & Virtual Desktop Infrastructure (VDI); Management Server, Enterprise Container, Enterprise Device, Personal Device, Virtual Enterprise Desktop, Enterprise Desktop]

Mobile Device Management
• Manage device security policies (password, encryption, etc.)
• MDM controls enterprise access (WIFI / VPN / email)
• Wipe and “selective wipe” enterprise data and apps

Secure Container
• Create a “secure container”
• Replace the default mail / calendar / contacts
• Allow organizations to write apps that run in the container; encryption

Virtualized Devices & VDI
• Virtualize the device OS
• Create a virtualized “enterprise device” and “personal device”
• Virtual application delivery

Page 17

Virtual application streaming approach

[Diagram: virtualized applications streamed from VDI infrastructure (servers, storage) to the mobile device]

Pros: No on-device storage of confidential data, access to legacy applications
Cons: No offline access, end-user experience

Page 18

Mobile Enterprise Management solutions

• Moving beyond Mobile Device Management (MDM)
• Microsoft Exchange ActiveSync is NOT the answer
• Connected cloud and on-premise solutions
• What devices do I need to manage?
• What features do I need?

Page 19

IBM is a mobile enterprise

• 435,000 employees worldwide; 50% mobile
• BYOD isn’t new at IBM and includes smartphones, tablets as well as laptops
• 120,000 employees leveraging smartphones and tablets; 80,000 BYOD
• 600,000 managed laptops/desktops; 30,000 BYOD

IBM's BYOD program "really is about supporting employees in the way they want to work. They will find the most appropriate tool to get their job done. I want to make sure I can enable them to do that, but in a way that safeguards the integrity of our business."

- IBM CIO Jeanette Horan

Page 20

Video: IBM Mobile Technology – A Personal Journey

http://www.youtube.com/watch?v=0sEaLyLjFag

Page 21

Mobile @ IBM

• Legal: Personally owned device terms and conditions
• Policy: Same overriding security policy for all endpoints (laptop, mobile, other)
• Technical controls: Detailed security settings per platform (“techspecs”)

• Formal: Mandatory Digital IBMer Security Training
• Casual: IBM Secure Computing Guidelines; targeted w3 articles
• Social: Secure Computing Forum; Secure Computing Blog Posts
• Developer: Secure Engineering guidelines; Mobile app security guidelines

• Endpoint Management (overall control)
• Anti-malware (malicious app protection)
• Network access control & Application level security (data protection)
• Containerization / Virtualization (data protection, data privacy, end user acceptance)

• Mobile as primary
• Personas (13 inside IBM)
• BYOD policy (Windows, Linux, Mac, smartphones, tablets)

Page 22

Key mobile technology in use inside IBM

• IBM Endpoint Manager
• IBM Lotus Notes Traveler
• BlackBerry Enterprise Server
• IBM Sametime Mobile
• IBM Connections Mobile
• IBM Worklight
• IBM Mobile Connect

Technology

Page 23

IBM Endpoint Manager

[Diagram: endpoints covered are desktop / laptop / server endpoints, mobile devices and purpose-specific endpoints. Systems Management: Patch Management, Lifecycle Management, Software Use Analysis, Power Management, Server Automation. Security Management: Security and Compliance, Core Protection, Mobile Devices.]

Continuously monitor the health and security of all enterprise computers in real-time via a single, policy-driven agent

Page 24

IBM Endpoint Manager components

Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)

Single server and console
• Highly secure, highly available
• Aggregates data, analyzes and reports
• Manages up to 250K endpoints per server

Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms

Virtual infrastructure
• Designate IBM Endpoint Manager agent as a relay or discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure

Page 25

IBM Endpoint Manager addresses key business needs

[Diagram: Endpoint Management spans Systems Management and Security Management through a common agent, unified console and single management server, covering desktops, laptops & servers, smartphones & tablets, and purpose-specific endpoints. Managed = Secure.]

• Implement BYOD with confidence
• Secure sensitive data, regardless of device
• Handle multi-platform complexities with ease
• Minimize administration costs

Page 26

Benefits of IBM Endpoint Manager

“Organizations…would prefer to use the same tools across PCs, tablets and smartphones, because it's increasingly the same people who support those device types”
– Gartner, PCCLM Magic Quadrant, January 2011

“Although at some level mobile is unique, the devices are just another form of endpoints in your infrastructure. This means whichever technologies you procure should have a road map for integration into your broader endpoint protection strategy.”
– Forrester, Market Overview: Mobile Security, Q4, 2011

Reduces Hardware & Administration Costs
• “Single pane” for mobile devices, laptops, desktops, and servers
• Single Endpoint Manager Server scales to 250,000+ devices
• Unified infrastructure/administration model reduces FTE requirements

Fast Time-to-Value
• Enterprise-grade APIs enable integration with service desks, CMDBs, etc. (Integrated Service Management)
• Cloud-based content delivery model allows for rapid updates with no software upgrade or installation required

Page 27

What’s New in IBM Endpoint Manager?

• Integration with Enterproid’s Divide container technologies for iOS and Android
• Web-based administration console for performing basic device management tasks with role-based access control
• Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 – v7 devices
• Enhanced security with support for FIPS 140-2 encryption and bi-directional encryption of communications with Android agent

IBM Endpoint Manager’s cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades

Page 28

Application Security Objectives

IBM Worklight Security

Application Security Design
• Develop secure mobile apps using corporate best practices
• Encrypted local storage for data
• Offline user access
• Challenge response on startup
• App authenticity validation
• Direct Update of application
• Remote disable (of applications per device and version)
• Enforcement of organizational security policies

Page 29

Key messages

• There are mobile security challenges but there are also solutions
• Endpoint management is a required component but not the only solution you will need
• There are no one-size-fits-all mobile solutions
• The mobile landscape continues to evolve – be flexible and embrace change

Page 30

Three ways to get started with MobileFirst

1. Learn more: ibm.com/mobilefirst
2. Sign up for the IBM Mobile workshop: email us at [email protected]
3. Join the conversation: twitter.com/IBMMobile (#IBMMobile), facebook.com/IBMMobile

Page 31

Questions?

Chris Pepin
Mobile Enterprise Executive
IBM Global Technology Services
[email protected]
@chrispepin


Page 33

Legal Disclaimer

• © IBM Corporation 2013. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.