d2s5vi - ISACA Bangalore Chapter
Transcription
Slide 1: Oversee security, risk and compliance
© 2013 IBM Corporation

Slide 2: Usage notes to speaker
This is a capability-based thought leadership presentation specifically designed not to pitch ANY IBM offerings, but rather to focus on one of the eight mobile buying needs IBM has researched and strategically aligned its mobile portfolio around. The goal of this presentation is to raise awareness and interest, to be followed up with one of the IBM MobileFirst presentations. All decks are available via the link in the speaker notes.

The eight mobile buying needs:
1. Transform strategy and operations
2. Build and deploy multi-platform mobile applications
3. Optimize mobile experience to build loyalty
4. Leverage analytics to turn information into insights
5. Extend enterprise to mobile with data, service, and application integration
6. Manage and optimize mobile devices, data, and expenses
7. Support BYOD and a smarter workforce
8. Oversee security, risk and compliance

If you have questions on specific content in this deck or need enablement, please contact Lauren Kovach (lkovach@us.ibm.com).
If you have any questions on general IBM MobileFirst content/messaging, please contact Tracy B Clark (tbclark@us.ibm.com).

Slide 3: Agenda
1. The possibility of thinking mobile, first
2. Mobile security trends
3. Mobile security best practices
4. How ‘mobile first’ enterprises excel in mobile security

Slide 4
IBM examines the challenges of delivering mobile security for today's always-connected workforce.

Slide 5: Agenda (repeated)

Slide 6
Enterprises need confidence to put mobile first…

Slide 7: A clear and present danger
• Mobile devices are twice as appealing. Hackers can obtain personal and business data.
• Access has never been easier.
• By the end of 2011, Android app downloads reached 10 Billion
• 2x: twice as appealing
• Try getting a corporate app
The Security Risk is Real!

Slide 8: Android malware increase dramatically
Source: Juniper Mobile Threat Report, 2/12
Spyware and SMS Trojans are the top two.
The Security Risk is Real!

Slide 9: No one is spared
Source: Arxan State of Security in the App Economy – 2012
The Security Risk is Real!

Slide 10: Mobile devices: Unique security challenges

Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with coworkers
• Social norms of mobile apps vs. file systems

Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organization
• Security profile per persona?

Mobile devices are diverse
• OS immaturity for enterprise management
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions

Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise WiFi

Mobile devices prioritize the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists

Slide 11: Agenda (repeated)

Slide 12: Steps to consider when securing the mobile enterprise
IBM Security Framework domains: Mobile Security Strategy and Lifecycle Management, covering the device, the network and enterprise (Internet / Corporate Intranet) and the mobile app.

At the Device
• Enroll: Register owner and services
• Configure: Set appropriate security policies
• Monitor: Ensure device compliance
• Reconfigure: Add new policies over-the-air
• De-provision: Remove services and wipe

Over the Network & Enterprise
• Authenticate: Properly identify mobile users
• Encrypt: Secure network connectivity
• Monitor: Log network access and events
• Control: Allow or deny access to apps
• Block: Identify and stop mobile threats

For the Mobile App
• Develop: Utilize secure coding practices
• Test: Identify application vulnerabilities
• Monitor: Correlate unauthorized activity
• Protect: Defend against application attacks
• Update: Patch old or vulnerable apps

Slide 13: Why take an integrated approach to mobile security?
• Speed time to deployment of enterprise mobile apps and updates, while improving quality
• Reduce help desk calls, device and service lifecycle costs
• Less total infrastructure for lower hardware and admin costs
• Enhance end-to-end security to help prevent loss of intellectual property and regulated data
• Improve WiFi network management for greater reliability and employee productivity, and minimize business interruptions

Slide 14: A holistic approach to securing the mobile environment
1. Device Management: Security for endpoint device and data
2. Network, Data, and Access Security: Achieve visibility and adaptive security policies
3. Application Layer Security: Develop and test applications

Slide 15: 1. Device Management. Where to begin?
Develop a greater understanding of Mobile Security Intelligence
• Identifying Sources of Security Events: Organizations can choose to collect security events from a variety of sources to gain broader awareness of evolving threats, i.e. from mobile devices to access requests to mobile apps.
• Enumerating Reports: Defining templates of reports that will enable security professionals to quickly gain visibility of how well their security posture is performing and demonstrate compliance with corporate policies.
• Detecting Anomalies & Risky Behavior: An organization needs to formulate rules that enable it to detect new threats and behaviors that increase its risk profile and may not be covered by existing policies or controls.
• Integration to Remediation Process: Remediation makes intelligence actionable, so organizations need to plan how detection of security events can be channeled appropriately to take corrective action.

Slide 16: Businesses are seeking a comprehensive approach to secure corporate data on both company and employee-owned mobile devices.
• 350 million: By 2016, the number of people who will use their smartphones for work [2]
• 2X: With both personal and business data now on mobile devices, they are twice as appealing to hackers [3]
• 53%: Percentage of IT executives who rank mobile security and privacy as a top concern [1]
Sources:
1. 2011 IBM Tech Trends Report, https://www.ibm.com/developerworks/mydeveloperworks/blogs/techtrends/entry/home?lang=en
2. Forrester Research, “Mobile is the New Face of Engagement,” February 2012
3. Kathleen Bela and Danielle Hamel, Risky Business: Survey Shows Smartphone Security Concerns Running High, http://www.juniper.net/us/en/company/press-center/press-releases/2010/pr_2010_10_26-10_02.html

Slide 17: Device Management and BYOD challenges

Slide 18: What are we worried about? (mobile device risks)
Based on Gartner, Mobile Security Risks, interviews with members of ISS X-Force, and Corporate Executive Board; an industry (not IBM-only) view.
Risks are plotted by Impact (Limited to Massive) against Frequency (Never, Rare, Often, Frequently) into four quadrants (I to IV):
• Roving Bug / Illegal Man in the Middle Attack
• Location Logging & Tracking
• Bluetooth Slurping
• Malware / Spyware / Grayware
• Loss / Theft / Seizure
Control Category I: Focus on risks for all mobile devices used by IBMers for IBM business purposes
Control Category II: Focus on risks for targeted populations of IBMers (e.g. SVPs)

Slide 19: Today’s enterprises must not only embrace mobility but have a clear strategy to address security requirements.
You need to:
• Extend the current workplace IT security controls to mobile devices
• Recognize the unique characteristics of mobile phones when considering security measures
• Choose a security solution that can sustain changes of device technologies and security threats
• Educate employees: this is as important as technology in creating a smart, security-rich mobile environment

Slide 20: 2. Mobile Network, Data and Access Security. Where to begin?
Achieve visibility and adaptive security policies
• Centralized User Management: Assembling a single view of all the mobile users across one or more mobile apps enables consistent user governance and reduces the redundancy and complexity of access control embedded in each app.
• Segmenting Mobile Users: Segmenting mobile users based on access privileges allows for better management through tiered access. This practice assists in anomaly detection.
• Enumerating Context Attributes: Selection of the contextual attributes that can influence risk when accessing applications and content will facilitate a granular risk assessment of each user interaction.
• Defining Access Policies to Govern Risk: Codification of access policies for applications and content allows for greater consistency and logic testing. Externalizing these policies from applications improves the flexibility of the security posture.

Slide 21: Context influences risk
1. Derive uniqueness of interaction
2. Compute risk
3. Adapt authentication processes
4. Dynamically control authorization of specific transactions
• Mobile affords many attributes that pertain to the user’s context, allowing for unique identification of a specific interaction (i.e. location, network, time, device properties etc.)
• Risk of the unique interaction can be computed based on established policies
• The risk score can be utilized to select the authentication processes best suited for that interaction
• The risk score can also be employed to control authorization for specific transactions during that interaction and to deliver education to the user on security best practices in context

Slide 22: Unique requirements for secure mobile access
• Mobile users prioritize user experience and make device decisions based on their preferences
• Imposing access security controls and methods that are unsuited for mobile can lead either to noncompliance or to non-participation
• Mobile devices are most often used outside the corporate network, and consumers may employ a wide variety of networks to access their accounts
• The integrity of the user’s transactions or communication can be compromised while they are interacting with mobile apps
• Mobile devices are shared and can have multiple personas
• Authenticating and authorizing just the user OR just the device might not provide the necessary levels of control on data and apps
• The context in which mobile devices are used can change dramatically from one session to the next
• The context can significantly influence the risk of the interaction and, without proper consideration, can lead to data loss or leakage

Slide 23: Need for intelligence…
• Targeted attacks at individuals, organizations or specific regions are growing in sophistication and frequency
• Emerging threats are evolving, and new sets of vulnerabilities are being uncovered
• The development of countermeasures is inhibited by a lack of awareness of the attack, since it may require monitoring across various security solutions
• Increased governmental regulation and competitive pressures
• The penalties for security breaches are not only monetarily expensive but could also result in the loss of trust relationships with customers, partners and employees
• The
dynamic mobile ecosystem is inherently social and consumer oriented, with each new capability introducing new interaction mechanisms
• User behavior deemed risky from an enterprise security perspective might be practiced without awareness

Slide 24: 3. Application Security. Where to begin?
Instituting a Safe Mobile App Development Culture
• Establish a Security Standard: Mobile app development can be undertaken by different parts of the organization or even outsourced; therefore a security quality standard has to be defined which all development efforts can adhere to.
• Segregate Security Logic from Business Logic: Security requirements will have less variation than business logic and require a different set of skills. Security features can be developed once and leveraged across multiple apps.
• Analyze Security Applications: Mobile apps need to be assessed for their risk exposure (sensitivity of data, usage scenarios etc.). This aids in prioritizing the investment of security rigor employed in safeguarding them.
• App Management Policies: Active management of applications is required to respond when mobile apps are compromised. This includes defining the update process, the conditions under which the app will be locked, and the situations in which data stored locally by an app is wiped.

Slide 25: Mobile security challenges faced by enterprises
The slide groups the challenges into five interrelated areas:

Achieving Data Separation & Providing Data Protection
• Personal vs corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs. legally defensible wipe
• Data policies

Adapting to the BYOD/Consumerization of IT Trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
• Threat protection

Providing secure access to enterprise applications & data
• Identity of user and devices
• Authentication, Authorization and Federation
• User policies
• Secure Connectivity

Designing & Instituting an Adaptive Security Posture
• Policy Management: Location, Geo, Roles, Response, Time policies
• Security Intelligence
• Reporting

Developing Secure Applications
• Application life-cycle
• Static & Dynamic analysis
• Call and data flow analysis
• Application policies

Slide 26: Security risk is a function of mobile application type
• Mobile Web applications
• Mobile Native applications
• Mobile Hybrid applications

Slide 27: Native mobile application security risks
Which QR code is evil?
• Confidentiality leaks: private conversations leaked to public; private contact information leaked to public; location leaked to public
• Integrity violations: corruption of local databases; fraudulent use of application
• Abuse of privileges: sending text messages; placing calls; surveillance of the device’s user
Example: a QR code contained a URL to download malware. The malware sent SMS messages to a premium rate number (US $6 per message). Source: http://siliconangle.com/blog/2011/10/21/infected-qrmalware-surfaces-onsmartphones-apps/

Slide 28: The anatomy of a mobile attack often begins with a legitimate application.
1. A legitimate developer creates an application.
2. The legitimate developer uploads the application to an application store or website.
3. A malicious developer repackages the application with malware.
4. The malicious developer uploads the repackaged application to an application store where mobile users can download it for free.
5. A mobile user downloads the application containing the malware.
6. The malicious developer can control the phone remotely, access the user’s sensitive information or even infect enterprise servers.
Source: U.S. Government Accountability Office analysis of studies and security reports, September 2012, "Better implementation of controls for mobile devices should be encouraged"

Slide 29: Agenda (repeated)

Slide 30: Mobile Device (BYOD) Security: CenterBeam delivers 98 percent policy compliance across all enterprise devices (server, desktop and mobile)
Challenges
CenterBeam’s endpoint management services are delivered under a utility-based computing model, in which companies pay per node on a monthly basis. As a result, the more efficient and effective CenterBeam is in delivering its services, the more successful the company is.
Solution
CenterBeam uses IBM Endpoint Manager to deliver enterprise-class patch management, software distribution, lifecycle management, and security and compliance services across PCs, servers and mobile devices. The software is implemented with CenterBeam’s proprietary self-healing agent technology to help the company confirm nearly 98 percent policy compliance.
Benefits
“With our old solution, we had two engineers managing 2,500 endpoints. Now we need only one engineer managing 20,000 endpoints and we have 98 percent compliance against our policy baselines.” —Shahin Pirooz, Executive Vice President, Chief Technology Officer, CenterBeam
• Increased policy compliance by more than 20 percent (from 80 percent to 98 percent)
• Supported a tenfold increase in number of endpoints under management with only one engineer
• Helped clients mitigate risk and strengthen endpoint security

Slide 31: Mobile Network Security: A European bank delivers secure mobile Internet banking
Challenges
• Extend secure access to banking applications to mobile customers
• Enhance productivity of employees to perform secure banking transactions via mobile devices
Solution
• IBM Security Access Manager Reverse Proxy (WebSEAL) authenticates requests made via HTTPS from hybrid mobile applications to backend services
• A custom certificate-based authentication mechanism implemented to secure the back-end banking application
Benefits
• Reduce operational complexity and cost with a single, scalable infrastructure to secure access to various back-end services from multiple mobile applications
• Customizability of the authentication mechanism empowers the bank to guarantee the security of its customers

Slide 32: Mobile Application Security: AimArs Bank delivers secure Mobile Internet banking
Background
AimArs needed to reduce operational complexity and cost with a single, scalable infrastructure to secure access to various back-end services from multiple mobile apps. A customized authentication mechanism empowered the bank to guarantee the security of its customers while safeguarding the trust relationship with a safe app platform that encrypts local data and delivers app updates immediately.
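The four steps of the “Context influences risk” slide (derive the interaction’s context, compute a risk score from policy, adapt the authentication process, then authorize each transaction and educate the user in context) are the kind of decision an access gateway such as the ones in the banking case studies has to make per request. The Python below is an added example, not IBM code and not part of the original deck: the context attributes, user baseline, rule weights, thresholds and sample interactions are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Interaction:
    """Context attributes the mobile channel can supply for one request."""
    user: str
    device_id: str
    device_managed: bool     # enrolled with the enterprise (MDM) or not
    device_jailbroken: bool  # integrity signal reported by the app
    network: str             # "corporate", "home" or "public"
    country: str             # country from geolocation
    hour: int                # local hour of day, 0-23
    transaction: str         # what the user is asking to do


# Step 1 baseline (constructed): each user's usual country and registered devices.
USER_PROFILES = {
    "alice": {"country": "IN", "devices": {"dev-1"}},
}

# Step 4: per-transaction risk ceiling; higher-value actions tolerate less risk.
TRANSACTION_MAX_RISK = {"view_balance": 70, "transfer": 45, "manage_payees": 20}

# In-context education: a tip for each policy rule that fired.
ADVICE = {
    "public network": "Avoid transfers on public Wi-Fi; use mobile data or the VPN.",
    "unmanaged device": "Enroll this device to unlock higher-value transactions.",
    "jailbroken device": "Jailbroken devices cannot be trusted with banking data.",
}


def score_risk(ix: Interaction) -> tuple[int, list[str]]:
    """Step 2: additive risk policy; weights are constructed for illustration."""
    profile = USER_PROFILES.get(ix.user, {"country": None, "devices": set()})
    rules = [  # (condition, risk points, reason)
        (ix.device_id not in profile["devices"], 30, "unregistered device"),
        (not ix.device_managed, 15, "unmanaged device"),
        (ix.device_jailbroken, 60, "jailbroken device"),
        (ix.network == "public", 20, "public network"),
        (ix.network == "home", 5, "non-corporate network"),
        (profile["country"] is not None and ix.country != profile["country"],
         25, "unusual country"),
        (ix.hour < 6 or ix.hour > 22, 10, "off-hours access"),
    ]
    hits = [(pts, why) for hit, pts, why in rules if hit]
    return min(sum(p for p, _ in hits), 100), [w for _, w in hits]


def required_authentication(score: int) -> str:
    """Step 3: pick the authentication process from the risk score."""
    if score < 20:
        return "password"
    if score < 50:
        return "password+otp"
    return "password+otp+device_certificate"


def decide(ix: Interaction) -> dict:
    """Steps 1-4 together: one access decision for one interaction."""
    score, reasons = score_risk(ix)
    limit = TRANSACTION_MAX_RISK.get(ix.transaction, 0)  # unknown action: deny
    return {
        "risk": score,
        "reasons": reasons,
        "authenticate_with": required_authentication(score),
        "allowed": score <= limit,
        "advice": [ADVICE[r] for r in reasons if r in ADVICE],
    }


if __name__ == "__main__":
    # Constructed sample: same user and device context, two different transactions.
    ctx = dict(user="alice", device_id="dev-2", device_managed=False,
               device_jailbroken=False, network="public", country="IN", hour=14)
    for action in ("view_balance", "transfer"):
        print(action, decide(Interaction(transaction=action, **ctx)))
```

The same context yields a different answer per transaction: a balance view is allowed with step-up authentication, while a transfer from an unregistered, unmanaged device on public Wi-Fi is denied and the user is told why.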
Customer Needs
• Extend secure access to banking apps to mobile customers
• Enhance productivity of employees to perform secure banking transactions via mobile devices
• Support for iOS, Android, and Windows Mobile
Benefits
• Authenticates requests made via HTTPS from hybrid mobile apps running on the Worklight platform to backend services
• A custom certificate-based authentication mechanism implemented to secure the back-end banking application

Slide 33: Mobile Application Security: A health insurance provider offers secure mobile access
Challenges
• Differentiate from competitors by offering customers greater access by supporting mobility
• Reduce overhead of paper-based claims processing and call-center volume
Solution
• Requests made via HTTPS to multiple back-end services from native device applications are protected by IBM Security Access Manager
• Authentication enforced with both Basic Authentication and a custom implementation through Access Manager’s External Authentication Interface
Benefits
• Simultaneously build trust and improve user experience with secure membership management and claims processing
• Improve customer satisfaction and responsiveness through secure mobile solutions

Slide 34: Three ways to get started with IBM MobileFirst - Security
1. Read our latest security article on Wired, "Crafting a Mobile Security and Management Posture": http://bit.ly/VKTIld
2. Learn more: ibm.com/mobilefirst, twitter.com/IBMMobile (#IBMMobile), facebook.com/IBMMobile
3. Talk with your IBM representative or Business Partner to find the right next step for you

Slide 35: On ramp to mobile workshop
One-day interactive workshop with an IBM Mobile expert to help enterprises plan and develop a customized roadmap for success (no charge).
Workshop: For line of business and IT leaders seeking expertise and experience in developing, enhancing, and/or executing their mobile enterprise strategy.
Client Value
• Industry expertise with top use cases and successes
• Capability assessment including identification of opportunities and gaps in mobile strategy
• A detailed client report and next steps
Highlights
• Interactive discussion to understand client business drivers, pains and requirements
• Overview of IBM MobileFirst Strategy, technology & POVs
• Industry trends & imperatives
• Structured working session to outline next steps
To schedule a workshop, email: ibmmobile@us.ibm.com

Slide 37: Legal Disclaimer
• © IBM Corporation 2013. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
• If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete: Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
• If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete: All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
• Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
• If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
• If you reference Java™ in the text, please mark the first use and include the following; otherwise delete: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
• If you reference Intel® and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete: Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
• If you reference UNIX® in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries.
• If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
• If the text/graphics include screenshots, no actual IBM employee names may be used (even your own); if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.