Big Data Driven Security for BYOD - Workspot, Inc. · 2015-10-01 · Big Data Driven Security for...


Page 1

Photo by Marc_Smith - Creative Commons Attribution License http://www.flickr.com/photos/49503165485@N01 Created with Haiku Deck

Big Data Driven Security for BYOD

Page 2

BYOD Success Kit

Table of Contents

•  Securing Data in Motion

•  Securing Data at Rest

•  Big Data Driven Security

•  Conclusion


Page 3

Securing Data In Motion

Page 4

Workspot leverages your Existing IT Infrastructure

•  Workspot leverages your existing VPN appliance

•  Supports: Cisco, Juniper, F5, and SonicWall

•  Supports the authentication mechanism – AD+RSA

•  Supports all internal SSO providers including CA Siteminder, and Oracle IdP

•  Supports cloud identity integration – Okta, Ping Identity, and SAML 2.0 vendors


Page 5

Workspot is 100% Cloud

•  No Data Center Installation

•  100% Cloud Controlled Architecture


Page 6


§  Workspot Control has been architected to be a control plane. When the user is performing workflows on the device using Workspot, all the data flows back and forth directly between the client and the business applications (e.g., Exchange, SharePoint, Salesforce.com). If the applications are behind the firewall, then they go back to the corporate network. If the applications are external, then the traffic directly goes to the external application.

§  Separation between control and data planes is very critical for a number of reasons:

•  Security: Data flows directly between the client and the applications; it does not flow through our control service

•  Availability: Since Workspot is not in the data path, the availability of applications is independent of the availability of our service

•  Performance: Since we are not in the data path, there is nothing to impede the end user experience

Control vs. Data Plane Separation

Page 7

BYOD Success Kit

Workspot Client Architecture

[Client architecture diagram: Device; Applications; User Experience; Data; Virtual File System; Viewers, Encryption; HTML(5) Engine, Collection Agent; Virtual Network; SSO, VPN]

•  Workspot Client is mobile virtualization technology

•  The client includes a virtual file system and a virtual network stack


Page 8

Workspot protects Data in Motion


•  Full L4-7 Control

•  Custom HTTP stack with OpenSSL

•  VPN termination to any SSL-VPN appliance

•  We support Cisco, Juniper, SonicWall, and F5

•  Workspot-level VPN – only Workspot is on the corporate network

•  Control over blacklist/whitelist URLs


Page 9


We store the following information in Workspot Control:

§  Configuration: We store configuration information about the VPN, e.g., public URL address, whether it uses RSA or not.

§  User Configuration: First Name, Last Name, Email Address, etc.

§  Application Configuration: Application URLs, whether or not it is behind the firewall, etc.

§  Performance Data: For each network access, we store the amount of time it took to fetch a response from the application (e.g. SharePoint), the device used (e.g. iPad3), the network used (e.g., AT&T), and the location (e.g., California).

§  Activity Data: We track different kinds of activity on the device, e.g., Open/Close Workspot, Open/Close Application (e.g., SAP), Open/Close Document, and View/Print Page of Document. All activity data is anonymized.

Our current policy is to retain this data for a period of one year.

Data Retention Policy

Page 10

Workspot Policy Engine

Policies: App/User/Geo/Device

Network & Security Policies

-  Trusted WLAN networks

-  Whitelisted and blacklisted addresses

-  Single sign-on behavior

-  Passcode length and complexity

-  Offline data retention

-  RSA token usage

-  VPN configuration

Workspot Control


Page 11

Securing Data at Rest

Page 12

Workspot protects Data at Rest

Device

•  Secure container on an un-managed device

•  All enterprise assets fully encrypted in memory before touching the file system

•  Multi-level encryption

   •  Each file is encrypted using its own key

   •  Each key is encrypted using a master key

   •  Master key is encrypted using a PIN which is not stored

•  FIPS validated AES-256


Page 13


Device Posture Check

As soon as the Workspot Client is started, it conducts a posture check to determine whether the device has been jail-broken. An evolving set of checks to verify supported versions and platforms is performed, and only when the device is determined to be secure is the Workspot Client launched.

Secure Offline Access with PIN

When a user taps on Workspot Client on their device, they are prompted for a PIN. The PIN is validated against the client master secret (CMS): if the CMS can be decrypted, the PIN is deemed valid; otherwise the PIN is invalid. The Workspot Client will allow up to 5 invalid PIN entries, after which Workspot Client will wipe all the data on the device.

Protection begins before Workspot is launched

Page 14


Remote Wipe

Workspot Control also provides IT the capability to remote wipe any data, including documents, cached objects and cookies, inside the Workspot Client. Data outside the Workspot Client is unaffected by the remote wipe operation.

Whitelist/Blacklist

IT can also control which sites the user can and cannot visit from inside the Workspot Client by configuring the blacklist/whitelist. We also enable dynamic blacklisting of known malicious URLs.

Protect in real-time

Page 15


§  When an end user downloads a document inside the Workspot application, it is encrypted in-flight.

§  The file system remains in an encrypted state even when the end user is within the container.

§  Only when the end user wants to view a document, for example an Adobe Acrobat document, does the Workspot Client decrypt the selected document and present it inside a viewer that is embedded within Workspot.

§  We have tuned the embedded viewers for the best possible rendering experience. Documents are more secure, because the documents stay within the Workspot Client. As soon as the end user finishes viewing the document and closes the viewer, the document is restored to its encrypted state on the device.

§  For large documents, we only decrypt the pages of the document that are currently being viewed.

Embedded Document Viewers

Page 16

Big Data Driven Security

Page 17

BYOD Success Kit

§  Security must be comprehensive to meet IT Requirements

   ☐  Device

   ☐  Network

   ☐  Application

   ☐  Data

   ☑  All of the above

§  Security must be balanced with convenience to make end users productive

§  Big Data Context Driven Risk Management can help achieve balance, e.g., credit cards

Mobile Security Needs Risk Management


Page 18

BYOD Success Kit

Key to Risk Management is Context

What is context? Context is who is doing what, when, and from where. For example, user Adam downloaded a document at 9:00 PM from California. Or Adam took 12 seconds to access the SharePoint application from an iPhone in Chicago. Context can help you better secure your data and understand and improve the real user experience for your employees.

Context enables compliance, discoverability, and auditability. Look for a solution that will help you “prove” you know what end users are doing with corporate data on the device. For example, you should know which files users are downloading, and which apps they are accessing from where.


Page 19

BYOD Success Kit

Cloud Architecture enables Context


•  Container is highly instrumented

•  Collects context – who/what/when/where/how fast – data in real-time

•  Uploads to Workspot Control when network conditions permit


Page 20

BYOD Success Kit

Workspot Collects Granular Context


§  Business Benefits: Discoverability, Compliance, and Auditing

§  Can be integrated with existing SIEM systems, e.g., Splunk

Page 21

BYOD Success Kit

Integration with Splunk


§  Download Splunk Application from Workspot Control

§  Simple Integration between Splunk and Workspot w/ security keys

Page 22

BYOD Success Kit

Why Adaptive Auth?


Today IT and InfoSec teams cannot balance the needs for convenient access from mobile devices with the requirements of information security. Workspot has granular contextual data that can balance convenience with security.

§  All applications are not equally sensitive – the directory application is less sensitive than the financials application.

§  All users are not equally trusted – the CEO is more trusted than a contractor.

§  All locations are not equally trusted – if a user is connected to a corporate WLAN and is sitting in an office, then they are more trusted than somebody trying to access enterprise assets from a remote location.

Workspot can use this data to change the authentication required – making it simple when the access is trusted, and providing more challenges when the access is less trusted.

Page 23

BYOD Success Kit

Context can be used for Adaptive Auth


§  Context also informs us about the typical behavior of an end user – how many applications they access, where they access it from, and other information.

§  Context can be used to detect abnormal access patterns and potentially deny access to end users if we detect abnormal behavior.

§  A good analogy is a credit card swipe. Every transaction is examined for risk, and most of the time the risk threshold is low, so the end user is allowed to transact. Occasionally a higher risk is determined and the end user is then challenged or informed of potentially fraudulent activity.

Page 24

BYOD Success Kit

Adaptive Auth Examples

•  High Trust Context => Aggressive Single Sign-On

–  CFO accessing Intranet from HQ

•  Medium Trust => Require RSA token

–  CFO accessing Financials from new location

•  Low Trust Context => Deny Access

–  CFO downloading lots of documents while in China
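The adaptive-auth decision described on pages 22 to 24, as an added example in Node.js (not Workspot's policy engine): the three context dimensions the deck names (application sensitivity, user trust, location) are combined with a per-user baseline built from prior activity events, and the resulting trust level maps to SSO, an RSA token challenge, or a deny. The sensitivity and trust tables, the scoring weights, the "4x the usual download volume" threshold and all events are constructed for this example.

```javascript
// Constructed lookup tables; unknown apps and roles fail closed (most sensitive, least trusted).
const APP_SENSITIVITY = { intranet: 1, directory: 1, sharepoint: 2, financials: 3 };
const USER_TRUST = { contractor: 1, employee: 2, cfo: 3, ceo: 3 };

// Baseline from past activity events: where a user normally works from and how many
// documents they download per session (the "typical behaviour" page 23 refers to).
function buildBaseline(events) {
  const base = {};
  for (const e of events) {
    let b = base[e.user];
    if (!b) b = base[e.user] = { locations: new Set(), sessions: 0, downloads: 0 };
    b.locations.add(e.location);
    b.sessions += 1;
    b.downloads += e.downloads;
  }
  return base;
}

// Score one access attempt against the baseline and return the trust level and action.
function decide(attempt, baseline) {
  const b = baseline[attempt.user];
  const knownLocation = Boolean(b && b.locations.has(attempt.location));
  const avgDownloads = b && b.sessions ? b.downloads / b.sessions : 0;
  // Abnormal volume: more than 4x the user's usual downloads (and at least 5).
  const bulkDownload = attempt.downloads > Math.max(5, 4 * avgDownloads);

  let risk = (APP_SENSITIVITY[attempt.app] || 3) - (USER_TRUST[attempt.role] || 1);
  if (attempt.network === 'corp-wlan') risk -= 1;  // in the office on the corporate WLAN
  if (!knownLocation) risk += 2;                   // location never seen for this user
  if (bulkDownload) risk += 2;                     // download volume far above baseline

  if (risk >= 3) return { level: 'low', action: 'deny' };
  if (risk >= 1) return { level: 'medium', action: 'require-rsa-token' };
  return { level: 'high', action: 'sso' };
}

// Constructed history for one user: four sessions, mostly from HQ.
const HISTORY = [
  { user: 'adam', location: 'hq-california', downloads: 2 },
  { user: 'adam', location: 'hq-california', downloads: 1 },
  { user: 'adam', location: 'hq-california', downloads: 3 },
  { user: 'adam', location: 'chicago', downloads: 1 },
];
```

With the constructed history the three scenarios from page 24 resolve as the deck states: intranet from HQ on the corporate WLAN yields SSO, financials from a new location requires the RSA token, and a bulk download from an unseen location is denied.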


Page 25

Big Data Driven Adaptive Auth

Page 26

BYOD Success Kit

Decision Makers Criteria

Columns: Criteria | Mobile User | CIO | Network Manager | Security Manager | LOB | CFO | Legal (each row below lists its criterion followed by one ✔ per stakeholder who cares about it; the column positions were lost in extraction)

Manage Device – Email, Wireless Settings, etc. ✔

Deliver Apps and Data ✔

End User Experience – Integrated Business Workflows ✔ ✔

Security – Leverage existing VPN and AAA ✔ ✔ ✔ ✔

Risk Management - Audit & Discoverability ✔ ✔ ✔

Risk Management – Adaptive Authorization ✔ ✔ ✔

Performance – Understand real end user experience ✔ ✔ ✔

Lowest TCO – 100% Cloud, Delivered as a Service ✔

Page 27

Learn more about Workspot


Email us at [email protected]