surviving the mobile phenomenon: securing mobile access with risk-based authentication
TRANSCRIPT
© 2015 IBM Corporation
Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authentication
Jason Hardy
WW Market Segment Manager, Mobile Security
Jason Keenaghan
Program Director, Access Management & Cloud IAM
IBM Mobile Security
Enterprise mobile trends
“Enterprise mobility will continue to be one of the hottest topics in IT, and high on the list of priorities for all CIOs.” (Ovum)
“IT organizations will dedicate at least 25% of their software budget to mobile application development, deployment, and management by 2017.” (IDC)
The number of smartphone users worldwide will surpass 2 billion in 2016. (eMarketer)
Mobile downloads will increase to 268 billion by 2017. (Gartner)
As mobile grows, so do security threats
“With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner)
“Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)
Top mobile apps hacked: 97% on Android, 87% on iOS. (Arxan)
38 new threats every minute and six every second. (McAfee)
What concerns does this create for the enterprise?
Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”
• 32% are concerned about fraudulent transactions; only 18% can detect malware / jailbreaks
• 50% say content and data leakage are their top security concern; 60% use secure containers for data security
• 57% say a lost or stolen device is their top concern; 60% use passcodes for device security
• 52% worry about application vulnerabilities; only 23% have tamper-proofing capabilities
IBM Mobile Security Framework
Protect Devices
• Manage multi-OS BYOD environment
• Mitigate risks of lost and compromised devices
Secure Content and Collaboration
• Separate enterprise and personal data
• Enforce compliance with security policies
Safeguard Applications and Data
• Distribute and control enterprise apps
• Build and secure apps and protect them “in the wild”
Manage Access and Fraud
• Provide secure web, mobile, API access and identify device risk
• Meet authentication ease-of-use expectation
Extend Security Intelligence
• Extend security information and event management (SIEM) to mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management
IBM products named in the framework: MobileFirst Protect (MaaS360); AppScan, Arxan, Trusteer Mobile SDK
Other vendors shown: AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana; HP Fortify, Veracode, Proguard; CA, Oracle, RSA
Executing a strategy with IBM Mobile Security
• IBM Security Access Manager
• IBM DataPower Gateway
• IBM BigFix
• IBM MobileFirst Platform
• IBM MobileFirst Protect (MaaS360)
• IBM Security AppScan
• Arxan Application Protection for IBM Solutions
• IBM QRadar Security Intelligence Platform
• IBM Security Trusteer
• IBM Mobile Security Services
Securing mobile access with risk-based authentication
IBM Identity and Access Management helps secure the digital identities for an open enterprise
Threat-aware Identity and Access Management
Identity Management
• Identity Governance and Intelligence
• Identity Lifecycle Management
• Privileged Identity Control
Access Management
• Adaptive Access Control and Federation
• Application Content Protection
• Authentication and Single Sign On
Directory Services
Channels: Datacenter, Web, Social, Mobile, Cloud
Delivery: On Premise, Appliances, Software-as-a-Service, Platform-as-a-Service, Cloud Managed / Hosted Services
Take back control of Access Management
Users: Consumers, Employees, Partners & Contractors
Resources: Enterprise Applications, Cloud Workloads, SaaS Applications
ISAM (IBM Security Access Manager) brokers access between the two
Adopt a graded trust posture to help achieve secure transactions & risk-based enforcement
[Figure: consumers, employees (BYOD) and consumer/employee applications reach data and applications on/off-premise, in the cloud and over mobile and Internet channels; the security team and the application team manage consistent security policies through Access Management]
• Fraud & threat-aware application access across multiple channels
• Strong authentication, SSO, session management for secure B2E, B2B and B2C use cases
• Context-based access and stronger assurance for transactions from partners and consumers
• Transparently enforce security access policies for web and mobile applications
• Enforce security access policies without modifying the applications
Enforce risk-based access and strong authentication for transactions
Reduce risk associated with mobile user and service transactions
Example: transactions performed in the user's state of residence can proceed with normal authentication. If the user attempts to transfer funds in another state or another country, the policy requires an OTP for stronger authentication and additional identity assurance.
Flow: user attempts transaction from unexpected location → strong authentication challenge → transaction completes
IBM Security Access Manager supports five main context domains for adaptive access control
• Identity: groups, roles, credential attributes, organization
• Endpoints: unique attributes that form a device fingerprint: screen depth/resolution, fonts, OS, browser, browser plug-ins, device model & UUID
• Environment: geographic location, network, local time, etc.
• Resource / Action: the application being requested and what is being done
• Behavior: analytics of the user's historical and current resource usage; user activity monitoring and specific business activity monitoring
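The location-based step-up from the previous slide, scored across the five context domains above, as an added example in Python. This is not ISAM's risk engine or any IBM code: the weights, thresholds, attribute names, the SHA-256 device fingerprint and the sample user and requests are all assumptions constructed for illustration.

```python
"""Context-based risk scoring for a transaction request (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class UserProfile:
    user_id: str
    roles: set
    home_state: str
    home_country: str
    known_devices: set     # fingerprint hashes of devices seen before
    usual_hours: range     # local hours in which the user normally transacts


@dataclass
class Request:
    user_id: str
    action: str            # "view_balance" or "transfer_funds" (assumed names)
    amount: float
    state: str
    country: str
    local_hour: int
    device: dict           # raw endpoint attributes reported by the client
    ip_reputation: str     # "clean", "suspicious" or "malicious"


def device_fingerprint(attrs: dict) -> str:
    """Hash a canonical ordering of endpoint attributes (resolution, fonts, OS,
    browser, plug-ins, model, UUID) so a device can be matched against the
    user's known devices without storing the raw attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def score(req: Request, user: UserProfile):
    """Return (risk points, reasons); each domain adds an assumed weight."""
    points, reasons = 0, []
    # Resource / action: what is being done and how much is at stake.
    if req.action == "transfer_funds":
        points, reasons = points + 20, reasons + ["high-risk action"]
        if req.amount >= 5000:
            points, reasons = points + 20, reasons + ["high-value transaction"]
    # Endpoint: is this device fingerprint already known for the user?
    if device_fingerprint(req.device) not in user.known_devices:
        points, reasons = points + 25, reasons + ["unknown device"]
    # Environment: location relative to the residence, plus IP reputation.
    if req.country != user.home_country:
        points, reasons = points + 40, reasons + ["transaction from another country"]
    elif req.state != user.home_state:
        points, reasons = points + 25, reasons + ["transaction from another state"]
    if req.ip_reputation == "malicious":
        points, reasons = points + 100, reasons + ["malicious IP reputation"]
    elif req.ip_reputation == "suspicious":
        points, reasons = points + 15, reasons + ["suspicious IP reputation"]
    # Behavior: deviation from the hours in which the user usually transacts.
    if req.local_hour not in user.usual_hours:
        points, reasons = points + 10, reasons + ["unusual time of day"]
    # Identity: privileged roles raise the bar for anything but read access.
    if "admin" in user.roles and req.action != "view_balance":
        points, reasons = points + 15, reasons + ["privileged identity"]
    return points, reasons


def decide(req: Request, user: UserProfile):
    """Graded decision: permit, step up with an OTP, or deny (thresholds assumed)."""
    points, reasons = score(req, user)
    if points >= 100:
        return "deny", points, reasons          # refer to manual review
    if points >= 40:
        return "step_up_otp", points, reasons   # stronger assurance required
    return "permit", points, reasons


# Constructed sample data; the identifiers are placeholders, not real devices.
SAMPLE_DEVICE = {"os": "iOS 8", "model": "iPhone6,2", "uuid": "example-device-uuid",
                 "resolution": "1136x640", "browser": "Safari"}


def sample_user() -> UserProfile:
    return UserProfile("alice", {"customer"}, "TX", "US",
                       {device_fingerprint(SAMPLE_DEVICE)}, range(7, 23))


def sample_request(**overrides) -> Request:
    base = dict(user_id="alice", action="transfer_funds", amount=200.0,
                state="TX", country="US", local_hour=14,
                device=SAMPLE_DEVICE, ip_reputation="clean")
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    user = sample_user()
    for label, req in [("home state", sample_request()),
                       ("other state", sample_request(state="FL")),
                       ("other country", sample_request(state="ON", country="CA")),
                       ("malicious IP", sample_request(ip_reputation="malicious"))]:
        print(label, decide(req, user))
```

The domains are scored independently and summed, so a single strong signal (malicious IP reputation) is enough to deny on its own, while the slide's case of a known device transferring funds from another state or country lands in the step-up band rather than being blocked outright. The reasons list is what a practitioner would want logged to the SIEM alongside the decision.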
Common requirements for strong authentication and context-aware access from mobile customers
Improved end user experience:
– Eliminate usernames and passwords for mobile device users
– Situation awareness and graded trust
Step-up authentication for additional identity assurance:
– Unknown device
– High-risk or infected device
– High-value transactions
Risk-elevation factors:
– IP reputation
– Geo-political location
– Behavioral anomalies (e.g., time of day)
Continuous authentication:
– Soft biometrics
– User presence detection (e.g., motion, WiFi networks, Bluetooth devices)
Additional sources of context appear as policy information points
[Figure: IBM Security Access Manager consults policy information points before deciding on users' access to servers, databases, applications and APIs]
• Fiberlink MaaS360: managed mobile device context
• Trusteer Mobile & Pinpoint Malware Detection: malware / fraud indicators
• LDAP server: user attributes
• Server connection: context from an external DB or service
Simplify fraud protection
• Automatically protect users and organizations from fraud with strong authentication
• Risk-based access controls built around malware and fraud risk score from Trusteer
– High risk transactions can be prompted to change behavior (e.g. open secure browser) or perform step-up authentication
• ISAM adds Trusteer fraud protection to applications without requiring any code changes on the protected applications themselves
[Figure: users reach protected applications through ISAM; Trusteer supplies fraud context and a risk score to ISAM, and ISAM feeds fraud and access context to QRadar Security Intelligence]
Remove barriers to mobile productivity
Enable more convenient and secure access to enterprise resources from mobile
[Figure: the user authenticates once to the MaaS360 app (username, password, sign in); single sign-on through ISAM then covers MaaS360-enabled enterprise mobile apps, enterprise web applications and SaaS applications]
• Allows users to easily access enterprise resources with minimal authentication friction
• Utilizes existing access management infrastructure to prevent the need for application changes while enabling access from mobile devices
• Risk-based access controls can utilize context from MaaS360 in the access decision (e.g., compliance state, jailbroken status, ownership status, etc.)
Implementation pattern for providing advanced API security
• IBM API Management provides developer portal, API analytics, and development acceleration for ISAM integration on DataPower Gateway appliances
• IBM DataPower Gateway provides the API runtime policy enforcement point and integration to other dynamic decision engines (e.g., ISAM)
• IBM Security Access Manager provides advanced mobile/API security capabilities for enhanced protection of API resources
• DataPower is the API Gateway for IBM API Management to secure & integrate API traffic
[Figure: a mobile application built on IBM MobileFirst calls, over the Internet, the DataPower “API Gateway” with its ISAM module in the DMZ; API Management (APIm) and ISAM sit in the trusted zone]
Flow: 1. define policies; 2. invoke API; 3. consult decision engine; 4. invoke backend service
IBM architecture for risk-based access with strong authentication
Easy to deploy, easy to manage, and highly scalable virtual and physical appliances
[Figure: a user on mobile or desktop, or a mobile client, reaches applications and data through the PEP (ISAM proxy or DataPower), which provides SSO / FSSO / context-based access and consults ISAM's runtime services]
• Policy Enforcement Point (PEP): ISAM proxy or DataPower
• Policy Administration Point (PAP): policy server, access policy authoring
• Policy Decision Point (PDP): runtime services, including the risk engine and the authentication framework
• Extensible authentication & verification methods (multi-modal authentication) and extensible context
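The PEP/PDP split on the last two slides (the gateway enforces, the decision engine decides, policies are authored separately) together with the step-up obligation from the fraud-protection slide, as an added example in Python. This is not IBM, ISAM or DataPower code: the rule format, the request shape, the HTTP-like status codes and the shared OTP secret (the RFC 4226 test-vector key, used here only so the codes are checkable) are assumptions, and the traffic is constructed. The challenge is HOTP per RFC 4226 with a server-side counter, so a captured code cannot be replayed and a session that has passed the challenge is not challenged again for the same policy band.

```python
"""Gateway (PEP) enforcing decisions from a separate PDP, with HOTP step-up (added example)."""
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PolicyDecisionPoint:
    """Runtime decision service. Rules are authored elsewhere (the PAP) and
    handed in as data; first matching rule wins and the default is deny."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, ctx):
        for rule in self.rules:
            if (rule["resource"] == ctx["resource"]
                    and rule["min_risk"] <= ctx["risk_score"] <= rule["max_risk"]):
                return {"decision": rule["decision"], "obligation": rule.get("obligation")}
        return {"decision": "deny", "obligation": None}


class PolicyEnforcementPoint:
    """Gateway in front of the backend: it never decides, it only enforces."""

    def __init__(self, pdp, backend, otp_secrets):
        self.pdp, self.backend, self.otp_secrets = pdp, backend, otp_secrets
        self.counters = {}       # per-user HOTP counter (server-side state)
        self.pending = {}        # session -> (user, counter, original request)
        self.stepped_up = set()  # sessions that have passed a challenge

    def handle(self, request):
        # Context sent to the PDP; risk_score is assumed to come from an upstream PIP.
        ctx = {"subject": request["user"], "resource": request["path"],
               "risk_score": request["risk_score"]}
        verdict = self.pdp.decide(ctx)
        if verdict["decision"] == "deny":
            return {"status": 403, "body": "forbidden"}
        if verdict["decision"] == "challenge" and request["session"] not in self.stepped_up:
            counter = self.counters.get(request["user"], 0)
            self.pending[request["session"]] = (request["user"], counter, request)
            # The code itself goes out of band (SMS/app); only the challenge type is returned.
            return {"status": 401, "body": {"challenge": verdict["obligation"]}}
        return self.backend(request)

    def respond(self, session, code):
        if session not in self.pending:
            return {"status": 400, "body": "no challenge outstanding"}
        user, counter, original = self.pending.pop(session)  # one attempt per challenge
        expected = hotp(self.otp_secrets[user], counter)
        if not hmac.compare_digest(expected, str(code)):
            return {"status": 401, "body": "bad otp"}
        self.counters[user] = counter + 1  # consume the counter: the code cannot be replayed
        self.stepped_up.add(session)
        return self.backend(original)      # replay the original call, now stepped up


# Constructed sample policy: transfers above a risk band need an OTP, higher still is denied.
SAMPLE_RULES = [
    {"resource": "/api/balance", "min_risk": 0, "max_risk": 99, "decision": "permit"},
    {"resource": "/api/transfer", "min_risk": 0, "max_risk": 39, "decision": "permit"},
    {"resource": "/api/transfer", "min_risk": 40, "max_risk": 99,
     "decision": "challenge", "obligation": "otp"},
]
# RFC 4226 test-vector key; a real deployment provisions a random per-user secret.
SAMPLE_SECRET = b"12345678901234567890"


def sample_backend(request):
    return {"status": 200, "body": f"{request['path']} ok for {request['user']}"}


def build_sample_pep():
    return PolicyEnforcementPoint(PolicyDecisionPoint(SAMPLE_RULES), sample_backend,
                                  {"alice": SAMPLE_SECRET})


def api_call(session, path, risk_score):
    return {"session": session, "user": "alice", "path": path, "risk_score": risk_score}


if __name__ == "__main__":
    pep = build_sample_pep()
    print(pep.handle(api_call("s1", "/api/transfer", 60)))       # 401 challenge
    print(pep.respond("s1", hotp(SAMPLE_SECRET, 0)))              # 200 after step-up
    print(pep.handle(api_call("s1", "/api/transfer", 120)))      # 403 denied
```

Two details matter in practice: a failed response drops the outstanding challenge so the client has to re-request (the PDP re-evaluates with fresh context), and the counter is advanced only on success, so a code the attacker phished but could not use in time is still the one the server expects until the legitimate user consumes it.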
Q&A
• 133 countries where IBM delivers managed security services
• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia
Learn more about IBM Security
Visit our web page
IBM.com/Security
Watch our videos
IBM Security YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security