Best Practices for Mobile Enterprise Security and the Importance of Endpoint Management
DESCRIPTION
With the rapid growth of smartphones and tablets in the enterprise, CIOs are struggling to secure mobile devices and data across a wide range of mobile platforms. Attend this session to learn best practices around defining a mobile security policy, educating employees about safe computing practices, and deploying a secure technology framework. We'll discuss the benefits of endpoint management solutions like IBM Endpoint Manager in the context of a comprehensive enterprise deployment encompassing smartphones, tablets, PCs and servers.
TRANSCRIPT
© 2013 IBM Corporation
Best Practices for Mobile Enterprise Security and the Importance of
Endpoint Management
Chris Pepin
Mobile Enterprise Executive
IBM Mobile Enterprise Services
Session 1269
@chrispepin
Mobile enterprise is a business imperative
• Turn mobile into a profit-generating platform and attract new customers
• Improve employee productivity, attract and retain top talent
• Enterprises that don’t embrace mobile risk being left behind
• Social, cloud and analytics complement mobile
Mobile security risks are significant…
[Figure: risk matrix plotting mobile threats by frequency (Never, Rare, Often, Frequently) against impact (Limited, Massive), divided into quadrants I–IV. Threats plotted: Loss/Theft/Seizure; Blue Tooth Slurping; Man in the Middle Attack; Roving Bug/Illegal; Malware/Spyware/Grayware; Location Logging & Tracking.]
Based on Gartner, Mobile Security Risks, interviews with members of ISS X-Force, and Corporate Executive Board; an industry (not IBM only) view.
…and involve more than just the device
Device
• Manage device: set appropriate security policies; register; compliance; wipe; lock
• Secure data: data separation; leakage; encryption
• Application security: offline authentication; application level controls
Network
• Secure access: properly identify mobile users and devices; allow or deny access; connectivity
• Monitor & protect: identify and stop mobile threats; log network access, events, and anomalies
• Secure connectivity: secure connectivity from devices
Mobile Applications
• Secure application: utilize secure coding practices; identify application vulnerabilities; update applications
• Integrate securely: secure connectivity to enterprise applications and services
• Manage applications: manage applications and enterprise app store
Video
IBM Mobile Security - Confidently enable productivity, business agility and
a rich user experience
http://www.youtube.com/watch?v=jTaLpb96ims
• Application sandboxing
• Signed code controls
• Remote device or data wipe
IBM prediction
“Mobile computing devices should be more secure than traditional user computing devices by 2014”
A four-pronged approach to mobile security
Strategy
Policy
Education
Technology
A mobile enterprise starts with a strategy
• Defining the business problem and success criteria
• Personas and use cases
• Mobile infrastructure readiness
• Processes and governance model
Strategy
Enterprises need at least two strategies: B2E and B2C
Written mobile policy is essential
• Terms and conditions
  ‒ What devices, OSs and versions are allowed
  ‒ Passcode, device wipe, allowed applications
• Corporate owned devices as well as BYOD; data privacy
• Human resources, legal, procurement and reimbursement
Policy
A comprehensive policy for PCs, smartphones and tablets is recommended
Employees are the weakest security link
• Identifying cybersecurity threats
• Protecting corporate and client data
• Safeguarding devices
• Data and security incident reporting
• Build a “culture of security”
Published guidelines, online education and social interaction are recommended
Education
Technology monitors and enforces security policy
• Mobile Device Management (MDM)
• Data Loss Prevention (DLP)
• Containerization, virtualization, encryption
• Anti-malware
• Network access control
One size doesn’t fit all
Technology
Network access policy is the first line of defense
[Table: access level granted by user type (Manager, Regular Employee, I.T. Staff, Contractor, Guest) and device type (Corporate Laptop, Personal Laptop, iPad/iPhone, Android Device); each cell is one of Internet + Email + Intranet, Internet + Email, or Internet only. The individual cell values are not recoverable from the transcript.]
In addition to restricting access based on user and device type, additional conditions may also be leveraged such as:
• Access method (wired, wireless, or VPN)
• Access location (company premises, home office, or remote location)
• Application type (data, voice, video)
Network access control workflow
1. Onboard device: a simple and intuitive method of on-boarding the device, automatically provisioning the device’s settings and checking to make sure the device hasn’t been compromised in any way and doesn’t present any risk.
2. Invoke a policy: automatic policy decisions and enablement, taking in all of the information about the context of the user and device and enabling the appropriate policy.
3. Enforce policy: unified policy enforcement, applying the policy across the global organization, over wired, wireless and remote, and across all of the major mobile device operating systems.
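As an added example (not from the presentation), the Python sketch below models the three steps above together with the user-type/device-type access tiers from the previous slide: onboarding checks device posture, the user and device context selects a tier, and the tier is then narrowed by access method and location. The tier matrix, minimum OS versions and posture rules are constructed assumptions, not IBM's policy.

```python
from dataclasses import dataclass

# Access tiers named on the slide, ordered from most to least access,
# plus an explicit Deny for devices that fail onboarding.
TIERS = ["Internet + Email + Intranet", "Internet + Email", "Internet only", "Deny"]

# Assumed policy matrix (constructed for illustration; the deck shows the
# axes but not the cell values): user type x device type -> tier index.
POLICY = {
    "Manager":          {"Corporate Laptop": 0, "Personal Laptop": 1, "iPad/iPhone": 1, "Android Device": 1},
    "Regular Employee": {"Corporate Laptop": 0, "Personal Laptop": 1, "iPad/iPhone": 1, "Android Device": 2},
    "I.T. Staff":       {"Corporate Laptop": 0, "Personal Laptop": 0, "iPad/iPhone": 1, "Android Device": 1},
    "Contractor":       {"Corporate Laptop": 1, "Personal Laptop": 2, "iPad/iPhone": 2, "Android Device": 2},
    "Guest":            {"Corporate Laptop": 2, "Personal Laptop": 2, "iPad/iPhone": 2, "Android Device": 2},
}

# Assumed "terms and conditions": minimum OS version per device type (constructed).
MIN_OS = {"Corporate Laptop": "7.0", "Personal Laptop": "7.0", "iPad/iPhone": "6.0", "Android Device": "4.1"}

@dataclass
class Device:
    kind: str            # one of the device types in POLICY
    os_version: str      # dotted version string, e.g. "6.1"
    passcode_set: bool
    compromised: bool    # jailbroken/rooted or failed integrity check

def _ver(s):
    """Turn '4.1' into (4, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))

def onboard(device):
    """Step 1: return the posture violations found (empty list means compliant)."""
    problems = []
    if device.compromised:
        problems.append("device compromised")
    if not device.passcode_set:
        problems.append("no passcode")
    if _ver(device.os_version) < _ver(MIN_OS[device.kind]):
        problems.append("OS version below minimum")
    return problems

def decide(user_type, device, method, location):
    """Steps 2 and 3: pick the tier from user/device context, then narrow it by method and location."""
    if onboard(device):
        return "Deny"                      # non-compliant devices are not admitted at all
    tier = POLICY[user_type][device.kind]
    # Intranet is only reachable from company premises or over the corporate VPN.
    if tier == 0 and not (location == "company premises" or method == "VPN"):
        tier = 1
    # Any access method the policy does not recognise is capped at Internet only.
    if method not in ("wired", "wireless", "VPN"):
        tier = max(tier, 2)
    return TIERS[tier]
```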
Network impact of mobile devices
Do I have enough IP addresses? IP Address Management (IPAM)
• Many enterprises are still managing the IP address space on their networks manually via spreadsheets (approximately 75%), via homegrown applications or a combination of the two¹
• Existing subnets and IP address pools may not be sufficiently large to handle the increased number of connected devices
• Audit and tracking capabilities need to be enhanced for mobile devices
Will my DHCP services scale? Dynamic Host Configuration Protocol (DHCP)
• Increased scale and robustness is required to handle the influx of IP address requests
• New mechanisms for dynamically managing lease times and IP address re-use may be required
Is my DNS ready to support the cloud? Domain Name System (DNS)
• Mobile applications and cloud-based services will impose a massive increase in the use of DNS services
Separating personal and work data
Enterprise Needs:
• Protect corporate applications and data, not just the device
• Prevent data leakage from enterprise apps to personal apps and public cloud-based services
• Enforce advanced security features such as file-level encryption
• Centrally administer and enforce permissions and policies
• Ability to remotely wipe all work-related applications and data
Personal Needs:
• Maintain full control over personal apps and data
• Enterprise policies do not apply when the device is not connected to the enterprise network and corporate applications are not in use
• Selective wipe ensures that personal data remains untouched
• Simple to switch between personal and work functions
Multiple approaches to achieving data separation
Mobile Device Management (MDM)
• Manage device security policies (password, encryption, etc.)
• MDM controls enterprise access (WiFi / VPN / email)
• Wipe and “selective wipe” enterprise data and apps
Secure Container
• Create a “secure container”
• Replace the default mail / calendar / contacts
• Allow organizations to write apps that run in the container; encryption
Virtualized Devices & Virtual Desktop Infrastructure (VDI)
• Virtualize the device OS
• Create a virtualized “enterprise device” and “personal device”
• Virtual Enterprise Desktop
• Virtual application delivery
[Figure: three device diagrams labelled MDM, Enterprise Container (backed by a Management Server), and Enterprise Device / Personal Device, alongside an Enterprise Desktop.]
Virtual application streaming approach
[Figure: virtualized applications streamed from VDI infrastructure (servers and storage) to the mobile device.]
Pros: no on-device storage of confidential data, access to legacy applications
Cons: no offline access, end-user experience
Mobile Enterprise Management solutions
• Moving beyond Mobile Device Management (MDM)
• Microsoft Exchange ActiveSync is NOT the answer
• Connected cloud and on-premises solutions
• What devices do I need to manage?
• What features do I need?
IBM is a mobile enterprise
• 435,000 employees worldwide; 50% mobile
• BYOD isn’t new at IBM and includes smartphones, tablets as well as laptops
• 120,000 employees leveraging smartphones and tablets; 80,000 BYOD
• 600,000 managed laptops/desktops; 30,000 BYOD
IBM's BYOD program "really is about supporting employees in the way they want to work. They will find the most appropriate tool to get their job done. I want to make sure I can enable them to do that, but in a way that safeguards the integrity of our business."
- IBM CIO Jeanette Horan
Video
IBM Mobile Technology – A Personal Journey
http://www.youtube.com/watch?v=0sEaLyLjFag
Mobile @ IBM
Policy
• Legal: personally owned device terms and conditions
• Policy: same overriding security policy for all endpoints (laptop, mobile, other)
• Technical controls: detailed security settings per platform (“techspecs”)
Education
• Formal: Mandatory Digital IBMer Security Training
• Casual: IBM Secure Computing Guidelines; targeted w3 articles
• Social: Secure Computing Forum; Secure Computing Blog Posts
• Developer: Secure Engineering guidelines; Mobile app security guidelines
Technology
• Endpoint Management (overall control)
• Anti-malware (malicious app protection)
• Network access control & application level security (data protection)
• Containerization / Virtualization (data protection, data privacy, end user acceptance)
Strategy
• Mobile as primary
• Personas (13 inside IBM)
• BYOD policy (Windows, Linux, Mac, smartphones, tablets)
Key mobile technology in use inside IBM
• IBM Endpoint Manager
• IBM Lotus Notes Traveler
• BlackBerry Enterprise Server
• IBM Sametime Mobile
• IBM Connections Mobile
• IBM Worklight
• IBM Mobile Connect
Technology
IBM Endpoint Manager
[Figure: a single agent covering desktop / laptop / server endpoints, mobile devices and purpose-specific endpoints, with modules for Patch Management, Lifecycle Management, Software Use Analysis, Power Management, Server Automation, Security and Compliance, Core Protection and Mobile Devices, grouped under Systems Management and Security Management.]
Continuously monitor the health and security of all enterprise computers in real-time via a single, policy-driven agent
IBM Endpoint Manager components
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
Single server and console
• Highly secure, highly available
• Aggregates data, analyzes and reports
• Manages up to 250K endpoints per server
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
Virtual infrastructure
• Designate IBM Endpoint Manager agent as a relay or discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure
IBM Endpoint Manager addresses key business needs
[Figure: Endpoint Management spanning Systems Management and Security Management through a common agent, unified console and single management server, covering desktops, laptops & servers, smartphones & tablets, and purpose-specific endpoints. Managed = Secure.]
• Implement BYOD with confidence
• Secure sensitive data, regardless of device
• Handle multi-platform complexities with ease
• Minimize administration costs
Benefits of IBM Endpoint Manager
“Organizations…would prefer to use the same tools across PCs, tablets and smartphones, because it's increasingly the same people who support those device types”
– Gartner, PCCLM Magic Quadrant, January 2011
“Although at some level mobile is unique, the devices are just another form of endpoints in your infrastructure. This means whichever technologies you procure should have a road map for integration into your broader endpoint protection strategy.”
– Forrester, Market Overview: Mobile Security, Q4, 2011
Reduces Hardware & Administration Costs
• “Single pane” for mobile devices, laptops, desktops, and servers
• Single Endpoint Manager Server scales to 250,000+ devices
• Unified infrastructure/administration model reduces FTE requirements
Fast Time-to-Value
• Enterprise-grade APIs enable integration with service desks, CMDBs, etc. (Integrated Service Management)
• Cloud-based content delivery model allows for rapid updates with no software upgrade or installation required
What’s New in IBM Endpoint Manager?
• Integration with Enterproid’s Divide container technologies for iOS and Android
• Web-based administration console for performing basic device management tasks with role-based access control
• Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 – v7 devices
• Enhanced security with support for FIPS 140-2 encryption and bi-directional encryption of communications with Android agent
IBM Endpoint Manager’s cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades
Application Security Objectives
IBM Worklight Security
Application Security Design
• Develop secure mobile apps using corporate best practices
• Encrypted local storage for data
• Offline user access
• Challenge response on startup
• App authenticity validation
• Direct Update of application
• Remote disable (of applications per device and version)
• Enforcement of organizational security policies
Key messages
• There are mobile security challenges but there are also solutions
• Endpoint management is a required component but not the only solution you will need
• There are no one-size-fits-all mobile solutions
• The mobile landscape continues to evolve – be flexible and embrace change
Three ways to get started with MobileFirst
1. Learn more: ibm.com/mobilefirst
2. Sign up for the IBM Mobile workshop. Email us at [email protected]
3. Join the conversation: twitter.com/IBMMobile (#IBMMobile); facebook.com/IBMMobile
Questions?
Chris Pepin
Mobile Enterprise Executive
IBM Global Technology Services
@chrispepin
Legal Disclaimer
• © IBM Corporation 2013. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained
in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are
subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing
contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and
conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or
capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to
future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth or other results.