Presentation transcript: "Mobile Enterprise Security"
Slide 1: Mobile Enterprise Security
Mark Wright, Senior Systems Consultant, Global Mobility SWAT
Sybase, an SAP Company
Thursday, September 29th 2011
Slide 2: Unwired Enterprise Evolution
[Chart: Mainframe, Client/Server, Internet, Unwired Enterprise; reach axis from Local to Global; second axis from Computer Centric to Human Centric. Note on slide: Map to SAP Progression.]

Speaker notes (BRITT):
The development of the unwired enterprise is part of the continuous evolution of how people have accessed information on computers, which goes back over 40 years.
In the initial stages, computing was done by massive mainframe computers (which are still in use today). Access to the mainframe was always done locally and required highly specialized programming skills in order to interface with the system. This is the model that drove the computer industry in the 70s and early 80s, when the dominant players were companies like Amdahl and IBM.
With the introduction of PCs and local area networks, this model eventually evolved into a client/server paradigm, where processing power was shifted to the desktop, working primarily off a LAN or, in some instances, a campus WAN. This began the shift of power from the system specialist to the end user through a desktop or laptop computer. This model drove the computer industry in the 80s and early 90s and was dominated by companies such as Wang Labs, DEC, Prime, Sun, and others.
In the mid to late 90s, the development of browsers such as Mosaic (which eventually became Netscape) allowed user-friendly access to vast amounts of information resources, including educational, entertainment, and commercial applications. This led to the rise of the internet, which now dominates our lives on multiple levels. This model is exemplified by companies such as Google and Amazon.
Now that we’re in the early 10s, the next shift has started. There is the internet (or static internet), and there is the mobile internet, which is very different from its static predecessor and is paving the road for the rise of what we call the unwired enterprise. There are over 6 billion mobile devices in use globally, and the number of smartphones, which are essentially pocket computers that make phone calls, is rising at an exponential rate.
The rising popularity of smartphones, driven recently by Apple’s repeated success in redefining the mobile paradigm, has led to the consumerization of IT. Employees have these cool devices that they now want to use at work; that, together with the need to take existing enterprise information resources and make them available to employees in a secure manner, is what drives the Sybase mobility business. It is this model that will enable SAP/Sybase to become the driving force in the unwired enterprise.
Slide 3: Two Stages of Mobile
Mobile 1.0: Extend the enterprise
Mobile 2.0: Transform the enterprise

Speaker notes (BRITT):
In the initial stage of mobility entering the enterprise, which we refer to as Mobile 1.0, companies focused on extending the reach of enterprise applications to mobile devices. The lowest-hanging fruit in this instance was enabling access through a mobile device, which is still a very popular application. Other basic workflow-centric applications, such as management approval of expense reports, field service requests, etc., have also made their way into the market. In all cases, this is basically an extension of communications-centric applications to mobile devices.
The real opportunity here is that essentially any application or data resource that is touched by an employee sitting at a computer at their desk can be mobilized. The scope of opportunity here is effectively the same as taking all brick-and-mortar businesses and moving them online. Mobilizing enterprise applications will have a profound, permanent, and transformative effect on how enterprises interact with their customers, prospects, and human resources.
Slide 4: Mobility Is the New Standard
75% of all US workers will be mobile by 2013
35% of the global workforce will be mobile information workers by 2013

Speaker notes (BRITT):
Current business processes assume a worker tied to his desktop. This is no longer true. The majority of workers, not just road warriors, are mobile now. (Note: use the statistics below that make the most sense for your region.) As more workers become mobile, you need to ask yourself three fundamental questions:
1. At a fundamental level, why do we exist as an organization? How can mobility solutions help us do what we do better?
2. What are the five highest-priority services we deliver to the business? How can we deliver them better, faster, and/or cheaper by mobilizing them?
3. What simple tasks do business and IT users do frequently at a PC? How would the organization benefit if instead they could do them anywhere at any time?

Stats:
The worldwide mobile worker population is set to increase from [figure missing] million in 2008, accounting for 29% of the worldwide workforce, to 1.19 billion in 2013, accounting for 34.9% of the workforce. Key highlights across the regions include:
- The United States has the highest percentage of mobile workers in its workforce, with 72.2% of the workforce mobile in [year missing]. This will grow to 75.5% by the end of the forecast period, to [figure missing] million mobile workers. The United States will remain the most highly concentrated market for mobile workers, with three-quarters of the workforce being mobile by 2013.
- Asia/Pacific (excluding Japan) represents the largest total number of mobile workers throughout the forecast, with [figure missing] million mobile workers in 2008 and 734.5 million in 2013.
- Western Europe’s mobile workforce, at 96.5 million for 2008, accounts for roughly half of its total workforce. The mobile worker population in this region will experience healthy growth of 6% compound annual growth rate (CAGR) to reach 129.5 million mobile workers for 2013.
- Japan will grow by a CAGR of 3.3% to reach a mobile worker penetration rate of 74.5% of its workforce being mobile by 2013, for a total of 49.3 million mobile workers.
- The rest of the world (ROW) includes Central and Eastern Europe, Middle East, and Africa (CEMA), Latin America, and Canada. It has the lowest penetration of mobile workers at 13.5% for 2008, but still represents a significant opportunity at 125.7 million mobile workers. It will grow at a CAGR of 4% to reach [figure missing] million mobile workers by 2013.
Source: “Worldwide Mobile Worker Population – Forecast”, IDC
Slide 5: Consumer Mobility Has Hit Critical Mass
There are more mobile phones than toothbrushes (5B vs 2.2B)

Speaker notes:
There are more mobile phones than toothbrushes in the world. (Humor: rumor is that RIM is introducing a new model called the BlackBerry Brush.)
Slide 6: Mobility Is Not Just About Road Warriors Anymore
[Chart of user groups and example applications. Groups: Execs; Line of Business Managers; Task and Business Users; Consumers and Ecosystem. Applications shown: Contacts, Approval Requests, Field Service, Time & Expense, Dashboards, Approvals, Calendars, CRM, Scheduling & Dispatch, Mobile E-Commerce, Mobile Marketing, Self-Service.]

Speaker notes:
Mobility is being adopted across the entire enterprise, from task and business users to execs and line of business managers. Although their mobility needs may differ, a single platform can be used to address both application creation and device management, as well as security needs, which helps to reduce both complexity and cost.
What resonates with this chart (which was used in the March launch of our relationship with SAP) is that we’re not talking about a certain type of application or device, or role within the enterprise; we’re talking about what mobility means within the enterprise, which should be dealt with from a cross-functional infrastructure perspective.
The bottom layer is where Sybase has been historically strong; our acquisition by SAP has put us in the ideal position to expand up.
An example of our ability to deliver a solution at the LOB layer: a southern California entertainment company does 1M approvals per year using mobile devices, which not only saves significant time but has saved them millions in air fare reduction. We can do a pilot like this within two weeks.
If you ask yourself the three fundamental questions I mentioned before, you will realize that mobility can help drive the metrics in the right direction for all your business processes and for all types of users, not just road warriors: execs, LOB managers, task and business users, and even your consumers and ecosystem.
Let’s take a simple example: approval workflows. Workflows that need human approval to proceed often get stuck in the mailboxes of approvers, as these workflows assume that the approver is at his desktop and can log into the appropriate desktop application to approve. The reality is that most approvers are mobile and need to be able to approve the request right from their mobile device without ever having to log into a desktop application. Mobilizing approval workflows can drastically cut down the process time, with an immediate positive impact on all aspects of your business.
Slide 7: Key Trends in 2011 and Beyond
- Increasing demand for enterprise applications
- Consumerization of IT with employee-owned devices
- Momentum of managed mobility services
- Introduction of new device types (Forrester: BB 74%, WinMo 40%, Apple 17%, Palm 15%, Nokia 4%, Android 2%... Technology Populism, 7/09)
- Employee-owned devices (Forrester: 46% provide some level of support for personally owned devices; Technology Populism, 7/09)
- Increasing demand for integrated solutions versus point products
- Shifts in development paradigm and ecosystem

Speaker notes (BRITT):
So what are the key trends affecting mobility?
First, the consumerization of IT. There is a trend towards companies allowing employees to have (that is, pay for) their own devices. It gives employees the opportunity to get what they really want, and saves IT the capital expense of buying all their employees a device. Because it is popular with both sides of the equation, we expect this trend to continue and accelerate.
Momentum of managed mobility services: the cost effectiveness of managed services, which has been in play for several years, is now extending to applications that are accessed by mobile devices, and because it combines two compelling technologies (managed services and mobility), we expect this trend to also continue and accelerate.
The demand for enterprise applications is exemplified by the rise in corporate app stores, with Apple leading the way and others such as RIM, Microsoft, and Google moving up as fast as they can.
The demand for integrated solutions is a function of the complexity inherent in having a broad number of devices accessing back-end systems. This will be addressed in more detail in a few minutes.
And finally, the shift in the development paradigm for mobile applications, which is a function of the availability of mobile middleware, which shields end users from the complexity of back-end systems, coupled with the simplification inherent in using object coding to create process workflows, which effectively takes application creation out of the hands of programmers and shifts the focus to IT and business analysts.
Slide 8: Enterprise Mobility Trends and Drivers
10B Apple App Store downloads
55M tablets in 2011, 208M by 2014 (1)
1B smart phones and 1.2B mobile workers by 2013 (2)
Mobility drivers:
- Shift to cloud computing
- Consumerization of IT
- Increasing sophistication of devices, OSs, applications, and networks
- Business demand
Lessons learned:
- Security and device management are a must have and the first step
- A device-agnostic mobility strategy is critical
- New business scenarios are coming!
Sources: (1) Gartner; (2) IDC Forecast
Slide 9: Mobility, Complexity, but What Does This Mean?
MOBILITY is the new edge we will use to connect to our world, but the COMPLEXITY of developing and managing applications, data, and clients has dramatically increased.

Speaker notes (BRITT):
Enterprise mobility is about corporations having the ability to take anything they want to do down to this new edge, and how their customers, partners, and employees will connect. It’s an evolution that is now becoming a much more intimate experience for the end user.
For Sybase/SAP, it’s our biggest opportunity: the opportunity to provide enterprises the ability to deliver their value closer to the consumer, while mitigating the complexity inherent in the new model.
Slide 10: Mobility Is Not in the Future, It Is Now
Smart phones and tablets are the dominant computing devices.
Enterprises are building mobile applications today: 45% of companies will, as a priority, implement mobile enterprise apps in 2011.
Mobile commerce is a prominent marketplace and competitive edge for retailers: 74% of retailers in the United States are planning for m-commerce, and shopping on the mobile web will reach $119 billion by 2015.
58% expect to support up to 4 different mobile operating system platforms.
Slide 11: Interesting Market Stats
- 113 smart phones are lost every minute!
- Approximately 1.3 million mobile phones are stolen EACH YEAR, just in the UK
- More than one in three data breaches last year involved a mobile device
- Major US corporations lose by theft ,985 USB memory sticks, 1,075 smartphones, and 640 laptops, EVERY WEEK
- 120,000 cell phones are left in Chicago taxi cabs EACH YEAR
- In the US, 113 cell phones are lost EVERY MINUTE
Slide 12: Mobile “Insecurity”
- 61% report that business use of smartphones is their TOP SECURITY CONCERN
- 54% report at least one security breach in the last year
- 33% report using data encryption on mobile devices
- 33% report requiring advanced authentication for corporate network access

Speaker notes:
Industry experts say that by 2013 there will be 1.2 billion mobile workers worldwide. (1) They also report that by 2013, 75 percent of all U.S. workers will be mobile (2), meaning those workers will use a mobile device for at least 20 percent of their work. Another survey reveals that 36 percent of cell phone owners have either lost a phone or had one stolen. (3) Do the math and you’ll realize that these facts suggest that in the near future, nearly 25 percent of all workers will have lost a mobile device that could provide access to confidential information. It’s no wonder that mobile device security is a top concern for businesses today.
So, why haven’t organizations been more aggressive about securing their mobile devices? There are a number of reasons:
- The speed with which new generations of mobile devices have come into the workplace has caught many businesses unprepared;
- Work groups and employees are driving today’s business mobility, not corporate IT policy makers. This has resulted in a piecemeal approach to mobile security;
- Today’s mobility is complicated by workers using their own devices for both work and personal purposes;
- Security is further complicated by the increasing diversity of mobile devices in the workplace;
- Easy access and a proliferation of mobile applications make security management appear to be a daunting task.
Many companies have not implemented a comprehensive mobile security strategy because they believe it will be too costly and cumbersome. Meantime, mobility continues to become a larger part of daily business operations. And the costs related to security breaches are high. In 2009 the average per-incident cost of a data breach was $6.75 million. (5)
Most companies have security policies. The challenge they face is a two-part problem:
- Adapting security policies to a mobile work environment;
- Deciding what kind of technology they need to manage devices and enforce policies.
The first step in building a mobile security strategy is to understand the nature of the threat.

----- Meeting Notes (04/13/ :17) -----
billion mobile workers
percent will be mobile, using mobile devices 20% of the time
36% lost or stolen
Math = 25% lost or stolen with confidential information
Why orgs not aggressive - ask audience
1. Speed of mobile devices
2. Work groups/employees, not IT, driving business mobility
3. Personally owned devices
4. Mobile diversity
5. Easy access and proliferation of applications
6. Too costly and cumbersome
Average per incident in 2009 was 6.75 million
Challenge in security policy:
Adapting to mobile
Deciding what kind of technology to manage
Understand threat
Slide 13: What Users Are Looking For
- Simplicity and ease of use
- Access to personal data, photos, movies, apps
- Access to work and work apps/systems
- Rich web browsing
- Freedom of device choice
Slide 14: What Is IT Looking For
- To protect corporate assets from loss and theft
- To ensure corporate security policies are enforced on devices that have access to the network and data
- The ability to remotely delete corporate data on the device
- Enforce device configurations such as password, network settings, etc.
- Asset tracking capabilities
Slide 15: Understanding Mobility Risks and Remedies
Four areas of vulnerability in mobile business operations:
- Lost or stolen devices
- Unauthorized data access
- Risks arising from combining personal and work use in one device
- Gaps in device management and policy enforcement

Speaker notes:
Indirect costs associated with a security breach are often far greater than the direct costs of mitigating damages. Beyond the costs of data remediation and possible fines for compliance rule violations, security breaches can cost companies their competitive advantage. They can embarrass companies or key people in those companies, creating bad publicity and legal problems. They can cause a loss of customer and partner confidence. Ultimately, security breaches can damage a company’s brand and its ability to do business.
As mobility becomes a more important part of routine operations, companies that are developing a mobility strategy must address the issue of mobile security. To do that, it’s important to understand the vulnerabilities.
Broadly speaking, there are four areas of vulnerability in mobile business operations:
- Lost or stolen devices
- Unauthorized data access
- Risks arising from combining personal and work use in one device
- Gaps in device management and policy enforcement
Now, I’ll pass the conversation over to Matt Carrier, who will take a look into each of these four areas in more detail.
Slide 16: Lost and Stolen Devices
- User authentication at the device level
- Remote lock and wipe
- Data encryption
- Data fading
- Data backup

Speaker notes:
Mobile devices are easy to lose, and that is not going to change. Lost devices account for a significant amount of lost data.
In spite of the amount of data lost through stolen devices and the ease with which these devices are lost, in many cases nothing is done to actually protect data on mobile devices. The same study that found more than one third of cell phone owners in the U.S. had a lost or stolen phone also revealed another startling fact. Almost 90 percent of those people had no way to either remotely lock their devices or remotely wipe data from them. Additionally, more than half of smartphone users did not use any password protection on their phones. (7)
These facts suggest four capabilities that should be at the heart of any mobile security strategy:
- User authentication at the device level – This requires mobile workers to have password logins in order to access company applications and data.
- Remote lock and wipe – This enables companies to remotely disable mobile devices so no one can use them, and to remotely wipe data from devices.
- Data encryption – If the loss of a device is not immediately discovered, any business data it contains should be encrypted.
- Data fading – If a user does not log into the network within a certain amount of time, the device will delete its own data.
- Data backup – Data stored on a mobile device should be automatically backed up so that it can be easily restored to a replacement device.
Slide 17: Unauthorized Data Access
- Mobile application provisioning and settings
- Remote configuration updates
- Event and activity monitoring and logging
Unauthorized access through virus or malware infected devices:
- Antivirus software and firewall protection
- Remote provisioning of software patches and security updates
- Enforce security policies related to application downloads
- Activity monitoring and tracking

Speaker notes:
This threat involves apparently authorized use of mobile devices to gain unauthorized access to data. This is not strictly a mobility issue. These same threats come from any client computing system in an organization. Mobility management tools offer ways to extend standard security policies to the mobility environment.
There are three principal ways mobile devices can act as portals for unauthorized access to proprietary information:
1. An unauthorized user accesses data with a lost or stolen phone – User authentication, remote lock and wipe, data encryption, and data fading protect against this threat.
2. Authorized users gain unauthorized access to, or make inappropriate use of, proprietary information – This is a threat common to any client system in the organization. The added risk in a business mobility environment comes from some of the very benefits mobility provides: any time, any place access, and convenience. Security best practices, including group policies and access restriction policies, will help regulate access to proprietary information in a business mobility environment. However, a mobile security strategy can provide some additional controls, including:
- Mobile application provisioning and settings – Organizations control what data specific mobile applications can access, and they control who can run those applications. This provides a layer of “hard” control over access to proprietary information.
- Remote configuration updates – The ability to remotely adjust software and device settings “over the air” ensures enforcement of established policies.
- Event and activity monitoring and logging – Activity monitoring and logging can quickly identify security issues.
3. Unauthorized access through virus or malware infected devices – Mobile devices are increasingly the targets of viruses and malware. Some malicious programs invade a network through an infected mobile device. Others reside on the mobile device, passively “snooping” for data. Infections often come from application downloads or messages. Virus and malware threats change rapidly, and they are on the rise. McAfee reports that the number of new malware applications targeting mobile devices increased 46 percent in 2010. (8) Tools and strategies used to defend against these threats are similar to those used to protect desktop systems, which have long been targets of malicious software. These include:
- Antivirus software and firewall protection – Antivirus software designed specifically for mobile devices protects them from attack, and firewall protection prevents malicious code from spreading through the network.
- Remote provisioning of software patches and security updates – This enables organizations to deploy updated security fixes across all mobile devices, regardless of their location.
- Enforce security policies related to application downloads – Companies need to have policies and practices that control how applications are downloaded for business use.
- Activity monitoring and tracking – Activity monitoring and tracking can identify unusual activity patterns that point to a malicious software attack.
Slide 18: Risks Related to Personal and Business Use on the Same Device
- Segregating business functions on the mobile device
- Remote data wipe
- Data fading

Speaker notes:
According to a recent Forrester Research report, almost half of U.S. and European businesses surveyed are embracing the notion of allowing personally owned devices access to a secure corporate network. One-quarter of businesses surveyed do provide full support to at least some personal devices, and another 21 percent provide at least limited support.
There are significant advantages to businesses that allow their workers to use one mobile device for both work and personal purposes. Workers who can work with their preferred devices are more likely to use mobile business applications simply because it is easier for them to do so. Also, allowing employees to work with their own devices significantly reduces the company’s hardware refresh costs.
However, there are risks as well. Companies are rightfully concerned about any liability they may have if workers use their phones inappropriately. Also, what happens to all that data if an employee leaves the company or sells their old phone on eBay?
A mobile security strategy that includes policies and device management tools can provide controls to address these issues:
- Segregating business functions on the mobile device – Mobile security management tools enable companies to designate which applications and data on the device are business related and therefore under their control.
- Remote data wipe – This enables organizations to enforce device decommissioning policies. For instance, if an employee leaves the company, their device can be selectively wiped of only business applications and data. This would happen without affecting “personal use” functionality. The same capability works to enforce policies so that all business information is removed from any device when it is taken out of service.
- Data fading – Devices not connected to the network will automatically lose their data after a period of time.
Slide 19: Gaps in Device Management and Policy Enforcement
A single security management platform – This provides a common security management console capable of supporting all the device types and applications that make up a dynamic business mobility environment.

Speaker notes:
Security policies are only as good as an organization’s ability to enforce them, and today’s business mobility presents a challenging enforcement environment. Several factors contribute to this:
- Mobile devices are rarely physically present when it comes time to secure them;
- Most large companies support a number of different device types such as smartphones, tablets, laptops, PDAs and others. Many of these devices run on different operating systems, and new types of mobile devices are regularly coming to market;
- As business mobility becomes a more significant part of routine operations, companies are supporting larger numbers of mobile applications, each with its own data access capabilities and security protocols.
In an effort to monitor devices and enforce security policies, many organizations have adopted a patchwork collection of management and security tools. This approach is an invitation to inconsistent levels of protection.
A single security management platform – This provides a common security management console capable of supporting all the device types and applications that make up a dynamic business mobility environment.
Slide 20: Summary
Risk: Data lost due to lost or stolen devices
Remedies: User authentication at the device level; Remote lock and wipe; Data encryption; Data fading; Data backup

Risk: Unauthorized user accesses data with a lost or stolen phone
Remedies: Same as above

Risk: Authorized user gains unauthorized access to, or makes inappropriate use of, proprietary information
Remedies: Security policies; Mobile application provisioning and settings; Remote configuration updates; Event and activity monitoring and logging

Risk: Unauthorized access through virus or malware infected devices
Remedies: Antivirus software and firewall protection; Remote provisioning of software patches and security updates; Enforce security policies regarding application downloads; Activity monitoring and tracking

Risk: Risks arising from combining personal and work use in one device
Remedies: Segregating business functions on the mobile device; Remote data wipe

Speaker notes:
Summary of previous slides.
Slide 21: IT Needs to Make the Rules
Security. Anyone who uses their personal smartphone at work should be required to install mobility management software that enforces passwords, encrypts data and can remotely erase corporate information on lost or stolen devices.
Permissible content. Storing pirated or objectionable content on a personal device that’s utilized for business should be strictly forbidden. “If you use it for work, it’s a work asset and should be governed by workplace rules of conduct,”
Choice of plan. Companies that cover work-related voice and data charges should make using the corporate mobile plan mandatory. That way the expenses they underwrite will always be based on low group rates.
Phone number ownership. Employees who leave your firm should take their smartphone with them—but leave the phone number behind. The last thing you want to do is make it easy for your customers to reach ex-employees who now work for a competitor.
Of course, setting guidelines alone is just a starting point. You should also provide thorough training, get written agreement from employees to abide by the rules, and punish workers who break them.
Slide 22: Admit Personal Mobile Devices
How do I deny access to unauthorized users? For starters, establish a mandatory security policy requiring employees to set a strong password on their mobile device and to change it every three to six months. Mobile management systems can help IT administrators enforce such policies automatically, without the need for user involvement.
What’s my plan if a personal device gets lost or stolen? Passwords alone won’t be protection enough in such cases. You’ll need mobile management software offering remote lock and remote wipe capabilities. Remote lock features enable administrators to temporarily “freeze” a device that may simply have been misplaced. Remote wipe functionality enables the IT department to erase data from a lost or stolen mobile device.
How do I remove corporate data from a personal device whose owner is leaving the company? IT departments that allow enterprise data to reside on a personal device can use management tools to separate enterprise data from personal data. When an employee leaves, IT can wipe the enterprise data from that person’s device while leaving personal data unaffected. This approach makes it possible to cleanse proprietary information from an outgoing employee’s mobile device without also deleting personal applications and music.
How do I keep prying eyes away from confidential files? Use mobility management software to encrypt enterprise data, both when it’s in transit to the device over a wireless network and when it’s “at rest” in the device’s memory. Use an application platform to develop your internal applications so that you can apply your company security to that application instead of relying on third parties.
Slide 23: Lessen the Threat
- Be aware of all types of threats to mobile devices, including device loss, malware, bugs, and out-of-date mobile OS software
- Create mobile governance policies that emphasize security; educate employees on how to adhere to those rules
- Use a mobile management platform that allows IT to centrally deploy, configure, and manage a fleet of multiplatform mobile devices (whether personally owned or company-purchased)
- Use mobile management tools that offer IT visibility into device status, so security breaches can be quickly and automatically shut down
- Restrict or limit known vulnerabilities, including application download, camera, Bluetooth, or Wi-Fi
- Implement a portfolio of device security tools that include alphanumeric passcodes, authentication, encryption, and remote wipe
- Control download and installation of any apps that give users access to corporate information

Speaker notes:
IT wants to lessen the threat just as they do with their internal desktop machines.
Be aware – Users aren’t going to tell you if they have or haven’t updated their OS. They won’t tell you that they embarrassingly lost their device in the bar, just that they need a replacement ASAP. Make sure your reporting is up to date and you know what is out there.
You have IT policies already for security; extend those policies to mobile. When an employee is hired, they sign a form saying that they will follow company policy. If mobile security is part of that company policy, they are more likely to follow the policy than if one is not in place. Make sure you educate your employees; what they don’t know can end up hurting you in the end.
Visibility into device status – They may be personally owned devices, and users may not want you to know what they have installed on them, or whether they jailbroke a device, but if they want company data on that device and they can do their job more efficiently, then they will be more willing to have IT looking at their device.
Restrictions are tough to apply. Consider restricting certain groups from having access to the camera, for instance a device in the warehouse that shouldn’t be able to take a picture of company-owned materials. Make sure you are applying restrictions that make sense, and that you aren’t diminishing the usability of the device, as one of the reasons you are allowing mobile devices is to increase workers’ productivity.
Passcode authentication, remote wipe: this should all go without saying.
This may be the most important security policy you put into place. Network access is easy to get at times, and if employees know how to access something they will, regardless of what you say they can or cannot access. If you create apps that give them access and you can control the application and the data in the application, users are much more likely to use that application. Even if it limits their access, it will still be easier for them, and they will be more likely to accept “some” shortcomings of the application.
24 Mobile security as a way of life

Support for a broad spectrum of mobile devices
The platform must support strong user authentication
The platform must support strong encryption
Able to set access restrictions and security policies for all mobile business applications
The platform must support strong over-the-air controls like remote provisioning, remote device configuration, remote device lock, and remote data wipe
The platform must have a depth of sophisticated security controls and activity monitoring capability
The platform must support (as available) antivirus software and firewall protection, including over-the-air distribution of patches and security updates

In recent years, new mobile technology has inspired many business mobility initiatives. By providing better information whenever and wherever it’s needed, mobility streamlines and accelerates business processes, enables businesses to deliver better service, and provides significant competitive advantages.

These benefits, combined with the low cost and ease of adopting “out-of-the-box” point solutions, have resulted in many pilot programs and work-group level adoptions. One indicator of how fast mobility is entering the workplace is the interest companies have in Apple’s iPad. Less than one year after the initial release of the iPad, 80 percent of Fortune 100 companies were deploying or piloting these devices, making this one of the fastest technology adoptions in business history.

Many business mobility applications prove very popular with workers, and once they have them, they find they can’t live without them. Too often, however, good business mobility ideas turn into management nightmares. A few successful deployments create demand for more. Soon IT management is struggling with multiple mobile applications running on different mobile device types, each with its own set of management and configuration tools.

There cannot be a coherent, reliably enforceable mobile security strategy without a single security platform used to manage all mobile devices (tablets, smartphones, laptops, PDAs, and other devices). What are the key capabilities that a mobile security platform needs to have?

Support for a broad spectrum of mobile devices – this is important because the evolution of mobile technology is accelerating. New devices with new capabilities are coming to market. New form factors more suited to specific business applications are appearing (tablets, for instance). If organizations are going to avoid becoming locked into using obsolete or limited technology, they must be able to enforce their security policies across a broad spectrum of device types. This includes being able to accommodate new mobile technologies.

The platform must support strong user authentication – this is the front-line defense against unauthorized use of a mobile device.

The platform must support strong encryption – this is one of the most important tools for securing data on mobile devices.

Able to set access restrictions and security policies for all mobile business applications – this is essential in order to uniformly manage and enforce policy, and therefore minimize vulnerabilities, for mobile business operations across an organization.

The platform must support strong over-the-air controls like remote provisioning, remote device configuration, remote device lock, and remote data wipe – a necessity for controlling mobile devices, which are typically widely scattered, not conveniently retrievable to a service center, and often lost or stolen.

The platform must have a depth of sophisticated security controls and activity monitoring capability – this is essential to support the same level of access rights management that large organizations require of their mainstream client computer systems.

The platform must support (as available) antivirus software and firewall protection, including over-the-air distribution of patches and security updates – this is essential for protecting all mobile devices, as well as back-end server systems, against malicious software attacks.

Implementing an effective, platform-based mobile security strategy strengthens an organization’s compliance with rules pertaining to protection of confidential information, lowers the incidence of data breaches from mobile devices, and simplifies security management.
25 What to do next

Discover mobile devices on the network.
Determine the back-office systems employees want to access.
Formalize user types and set policies.
Get ready to take action.
Add password and encryption policies plus remote wipe capabilities at a minimum.
Consider separating personal data from business data.
Enable users to be self-sufficient.

When you leave this session, what should the next steps be?

Discover how many mobile devices are on your network. How can this be done? Turn off mobile access to their corporate . In doing so, IT will receive more calls than they know what to do with.

Work with business units within your company. IT probably has ideas as to what they want employees to have access to, but go to your business units and find out what they need access to. This will give you a better idea of how you can secure that access and make the business units happy. Run a pilot for just one business unit, giving them access to something like purchase order approval. Give it about two to four weeks; the business units will come to you.
26 Checklist of Key Moves

Change your mind-set. Start viewing workplace use of smartphones as an opportunity rather than a threat.
Ensure that you have firm employee guidelines in place regarding issues such as storing pirated or objectionable content on a personal mobile device, choosing voice and data plans, and getting technical support.
Equip your IT department to realize the productivity-enhancing potential of personal mobile devices by deploying tools it can use to “mobilize” key business processes; provide mobile access to back-end ERP and CRM systems; and create graphical, touch-friendly smartphone apps.
Thoroughly examine the potential security issues associated with admitting personal mobile devices to the enterprise, and begin formulating plans for addressing them.
27 What Is Afaria?

Afaria allows IT administrators to centrally MANAGE, SECURE and DEPLOY mobile data, applications and devices.

To complement the recommended best practices in the previous slides, Sybase offers its Afaria product. Afaria is a mobile device management and security solution that allows IT administrators to centrally manage, secure and deploy mobile data, applications and devices. Regardless of the type of workers you are looking to mobilize or what type of device they are using, Afaria allows for the management and control of those devices from the day that they are first deployed all the way through to the day that they are decommissioned.
28 MANAGING AND SECURING THE DEVICE LIFECYCLE

Manage: Assign group membership and policies; Configure device for connectivity; OTA delivery of management client; Initial application deployment
Secure: Establish security policies; Initialize power-on password; Install and encrypt data on device; Install & configure AV, firewall, port/peripheral controls

There is good reason to look at overall mobile security from a device life-cycle perspective. This is because different points in the life cycle provide practical opportunities to enforce security policies. All mobile devices have pretty much the same life cycle, which can be broken down into these phases:

Provision Phase – This is the time when a device is first brought into business service. Whether it is a business-issued device or a personal device that is being enabled for business use, this is the best time to configure for security through the rest of the device’s service life. Device “initialization” could include segregating business and personal functions, installing antivirus software, provisioning with a basic set of business applications, provisioning with data, setting up password protection, and performing other kinds of start-up tasks. This can all be done remotely using over-the-air controls.

Provisioning: “How do you want the device to look in order to access corporate resources?”

1. The device shall be provisioned with appropriate security policies and configurations.
Description: In order to access enterprise data, be it Exchange or other, the device needs to be correctly configured. There are basically two options (other than Afaria):
- Have the admin do it. I’d budget about 30 minutes of time for each device, and you’ll also want to factor in double shipping: the device gets shipped to the admin and then to the user rather than directly to the user. Typically the admin needs to keep some sort of manual record-keeping process to indicate when and with what the device has been provisioned. He’ll need to unpack the device, provision it and re-package it for shipping. The first two steps (unpacking and charging) would have to be done by the user anyway, but re-packaging is extra.
- Let the user do it. In this scenario, you send out some sort of documentation (which has to be created) directing the user to configure the device himself. Sometimes this works, sometimes it doesn’t. Either way you’re basically “trusting” the user to do what you ask him. He’s likely to do these things for the stuff he wants, but less likely to do it for the things he’s less thrilled about. There’s no reporting, auditing or verification whatsoever that the device is successfully configured. An alternate approach is to use something like Exchange to do some basic configuration, but this usually only results in a password for the device.

2. The user of the device shall have, at a minimum, access to all applications appropriate for his position. Preferably, these applications will be downloaded and installed without any interaction from the user.
Description: Each user should have access to only the applications that they need in order to do their job. This is going to be a factor of all the functional units that they are a part of. With Afaria, applications can be assigned to groups, and they are either automatically installed or made available through the application portal. Without it, the whole process of making applications available and restricting their use is manual. Some of it can be handled by putting authentication in the application, but even that requires work, and most companies would prefer an application not even be on a remote device if the user shouldn’t have access. Again, without Afaria there is no reporting or auditing that an application has been installed.

3. Devices that have had their security protocols disabled shall not be granted any access.
Description: Particularly in the iOS world, “compromised” (or jailbroken) devices are the biggest security risk. These are devices that have had their security model broken. Without Afaria, there’s no real ability to detect these devices and keep them from accessing corporate resources. It’s hard to quantify this number; it’s really more an assessment of the risk in allowing corporate intellectual property to be accessed remotely with no security mechanisms.

Production Phase – Once a mobile device is properly configured, it is ready for business use. At that point it becomes an operational matter to keep the mobile device updated with the latest security and software patches, install new applications as required, and monitor usage. Using over-the-air controls to perform these functions more effectively manages and protects data during the device’s serviceable life.

Decommission Phase – This is the point when a device is retired from service. It could happen when it’s time to replace the device with a newer model, or when an employee leaves the organization, or if a device is lost or stolen. Decommissioning involves removing all business data, applications, and functionality from the device. This can also be done remotely through over-the-air controls. It’s possible to configure devices so they wipe their own business data and functionality under certain circumstances, for instance if they fail to log into a company network for a prolonged period of time.
29 MANAGING AND SECURING THE DEVICE LIFECYCLE

Manage: Track asset data; Update / repair software; Monitoring & self-healing; Maintain / modify device & app configuration; Distribute & update LOB data & files; Software license usage and tracking; Scheduled and automated activities; Remote control of devices
Secure: Back up device data; Apply patch and security updates; Enforce security policies; Monitor / track security violations / threats; Compliance activity logging

Production: A more descriptive definition might be “How do I want the device to look during the time it’s accessing corporate resources?”

1. Application updates should be distributed with minimal administrative overhead.
Description: This is a core Afaria strength: its ability to deploy and update applications. It’s really an extension of Provisioning use case #2, but continues to highlight the challenges of managing device applications. How do they enable the update process? How do they time it? How do they ensure that an update has been delivered?

2. Devices should be used in a manner that is compliant with corporate acceptable use policies.
Description: This is all about visibility into the device and its configuration, the applications that have been installed, the applications that the user has installed, and how they are using the device. How does an enterprise know that the device is being used in a manner that is compliant with acceptable use policies? How do I know that they haven’t installed applications that are against company policy (like those that are explicit)? Lack of visibility into what’s installed on a device and how it’s being used adds to the risk of the device in general. If you don’t know the device’s profile, you don’t really know that it’s not being used in a way that puts your company at risk. Again, this is a bit hard to quantify.

3. Adequate security controls should be in place to protect corporate intellectual property.
Description: During the production life cycle of a device, by its nature it will have enterprise data resident on the device. Some systems for delivering the data have mechanisms in place to protect that data, others don’t, and for others it’s a bit hard to tell. Without a baseline of protection for each device, enterprise IT leaves itself exposed to auditing requirements that it might not be able to meet.
30 MANAGING AND SECURING THE DEVICE LIFECYCLE

Decommissioning: A more descriptive definition might be “How should the device look when it stops accessing corporate resources?”

1. Devices that have been reported lost or stolen can be wiped remotely.
Description: In the event of a lost or stolen device, enterprises should have the ability to remote wipe the device in order to protect their intellectual property. For devices that are running , this is usually provided as part of the system, but for devices that don’t run , there is often no recourse. This results in devices that have exposure.

2. Devices that are employee-owned should be able to maintain personal data during separation from the enterprise.
Description: There is a massive influx of devices supplied by the individual. In this scenario, the user generally has the expectation that there will be some sort of separation between enterprise data and their personal data. When they leave the company, they expect that the enterprise will remove the enterprise data but leave their data intact. If an enterprise has any sort of capability in this area, it’s almost universally the “Remote Wipe” option. This leads to significant ill will and oftentimes isn’t verifiable, meaning there is a profound lack of auditing capability.

3. Mechanisms should be in place to protect assets in a state that is “Unknown”.
Description: systems generally provide some sort of “Remote Kill” capability. But there are a lot of devices that are misplaced that aren’t necessarily lost. Without a tool like Afaria, administrators, if they have a protective mechanism at all (like Exchange), have only one option: Remote Wipe. This can be massive overkill in the scenario where the device isn’t actually lost; it can lead to employee downtime as they try to restore their device, and to a lot of ill will. Knowing this, users often won’t report devices lost at all. This adds to the risk of exposure. Afaria can perform a remote lock and remote unlock function, allowing for a “kinder, gentler” solution. The device is protected, but the data is intact.

Secure / Manage: Disable lost / stolen device; Reprovision / reimage device; Remote kill / lock; Replacement device, same user; Access violation lock; Repurposed device; “Data fading”; Redeploy software assets; Disable device, network, application access; Restore data (after device kill)
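The lifecycle decisions described on slides 22, 28, 30 and 33 (gating corporate access for jailbroken or weak-passcode devices, remote lock for a misplaced device, remote wipe for a lost one, selective wipe of enterprise data when the owner leaves, and data fading after a prolonged silence) can be written down as one small policy engine. The following is added example code for this transcript, not Afaria’s; the thresholds, status values, enterprise/personal data tags and device records are all constructed assumptions.

```python
"""Compliance gating, data fading and selective wipe over an MDM-style device record.
Added example for this transcript, not Afaria code: the policy thresholds, status
values and device records below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy thresholds (assumptions, not Afaria defaults).
POLICY = {
    "min_passcode_length": 8,     # alphanumeric passcode of at least eight characters
    "passcode_max_age_days": 90,  # slide 22: change the passcode every three to six months
    "min_os_version": (4, 3),     # placeholder minimum OS version for the fleet
    "data_fade_days": 30,         # "data fading": this long without a check-in drops enterprise data
    "max_failed_unlocks": 10,     # slide 33: failed unlock attempts before wipe
}
AUDIT_LOG = []  # in-memory audit trail of (date, device, action, items removed)

@dataclass
class Device:
    device_id: str
    status: str               # "active", "misplaced", "lost" or "separated" (owner has left)
    os_version: tuple
    jailbroken: bool
    passcode_length: int      # 0 means no passcode is set
    passcode_last_changed: date
    encryption_enabled: bool
    last_checkin: date
    failed_unlocks: int = 0
    # On-device items tagged by owner, so enterprise data can be removed on its own.
    data: dict = field(default_factory=dict)  # item name -> "enterprise" | "personal"

def compliance_findings(dev, today, policy=POLICY):
    """Return every way the device violates the policy; an empty list means compliant."""
    findings = []
    if dev.jailbroken:
        findings.append("jailbroken")
    if dev.os_version < policy["min_os_version"]:
        findings.append("os_out_of_date")
    if dev.passcode_length == 0:
        findings.append("no_passcode")
    elif dev.passcode_length < policy["min_passcode_length"]:
        findings.append("weak_passcode")
    elif (today - dev.passcode_last_changed).days > policy["passcode_max_age_days"]:
        findings.append("passcode_expired")
    if not dev.encryption_enabled:
        findings.append("no_encryption")
    return findings

def decide_action(dev, today, policy=POLICY):
    """Map device state to one action: allow, deny, remote_lock, remote_wipe,
    selective_wipe or data_fade."""
    if dev.status == "lost" or dev.failed_unlocks >= policy["max_failed_unlocks"]:
        return "remote_wipe"     # lost/stolen, or passcode being guessed: erase everything
    if dev.status == "misplaced":
        return "remote_lock"     # state unknown: freeze the device, keep its data intact
    if dev.status == "separated":
        return "selective_wipe"  # owner left: remove enterprise data, keep personal data
    if (today - dev.last_checkin).days > policy["data_fade_days"]:
        return "data_fade"       # not heard from: treat as gone and drop enterprise data
    if compliance_findings(dev, today, policy):
        return "deny"            # gate corporate access until the device is compliant
    return "allow"

def apply_action(dev, today):
    """Decide the action, remove the affected tagged items, log it; returns (action, removed)."""
    action = decide_action(dev, today)
    if action in ("selective_wipe", "data_fade"):
        removed = sorted(n for n, owner in dev.data.items() if owner == "enterprise")
    elif action == "remote_wipe":
        removed = sorted(dev.data)  # full wipe: personal items go too
    else:
        removed = []
    for name in removed:
        del dev.data[name]
    AUDIT_LOG.append((today.isoformat(), dev.device_id, action, removed))
    return action, removed

def run_demo(today=date(2011, 9, 29)):
    """Constructed fleet covering the cases on the slides; returns a result per device."""
    AUDIT_LOG.clear()
    ok = dict(os_version=(4, 3), jailbroken=False, passcode_length=10, encryption_enabled=True,
              passcode_last_changed=today - timedelta(days=10), last_checkin=today)
    fleet = [
        Device("D1", "active", data={"crm.db": "enterprise", "music": "personal"}, **ok),
        Device("D2", "active", **{**ok, "jailbroken": True}),
        Device("D3", "active", **{**ok, "passcode_length": 4}),              # four-digit PIN
        Device("D4", "separated", data={"po-approvals": "enterprise", "photos": "personal"}, **ok),
        Device("D5", "active", data={"price-list": "enterprise", "notes": "personal"},
               **{**ok, "last_checkin": today - timedelta(days=45)}),         # silent for 45 days
        Device("D6", "misplaced", **ok),
        Device("D7", "lost", data={"crm.db": "enterprise"}, **ok),
    ]
    results = {}
    for dev in fleet:
        findings = compliance_findings(dev, today)   # recorded before any wipe changes the device
        action, removed = apply_action(dev, today)
        results[dev.device_id] = {"action": action, "findings": findings,
                                  "removed": removed, "left": sorted(dev.data)}
    return results
```

Two design points worth noting. The order of checks in `decide_action` matters: a lost device or an exhausted unlock counter is wiped before anything else is considered, a misplaced device is only locked so that a user who finds it again loses nothing, and compliance gating is the last check because it only decides whether corporate access is allowed, not whether data must go. Every outcome, including a plain "allow", lands in `AUDIT_LOG`, which is the verifiable record the slide 30 notes say is usually missing when the only tool is a blanket remote wipe.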
31 Comprehensive Management & Security

Afaria console capabilities: Device Security; Software Deployment; Process Automation; File Synch; Help Desk; Device Configuration; Device Backup; Asset Tracking

We’ll start off by talking about Afaria and its full capabilities across many operating systems, then on the next three slides we’ll dive into a bit more detail specifically on iOS and Android.

Afaria consists of a web-based administration console that provides you a global view of your mobile workers and software deployments. This means that you can take applications and deploy, update, repair, or remove them from the device.

From a device security perspective, Afaria can do a lot across each of the operating systems. Functions include remote wipe, password controls and (on a number of devices) on-device data encryption. Security also means setting screen timeouts and data fading policies. This means that if the system has not heard from the device in a certain period of time, you can save the data and control access to the device.

Afaria also gives you a great deal of process automation capability across many operating systems. This provides the ability to take and monitor offline processes, so if an application starts offline you can select what action to take. Through the scripting engine, there are a number of process automation capabilities that can benefit your mobile population.

Afaria provides bidirectional file synchronization. We can install apps, perform a number of security controls and updates for the device, and also deliver bidirectional file synchronization to both send and receive files.

Asset tracking is another important area. We see a number of organizations working towards supporting personally liable devices. Asset tracking lets you see how many devices are accessing your corporate system, what users they are assigned to, the device history, the application data and the device hardware.

Afaria allows for device backup and restoration even in a personally liable situation. This means the system can back up files and the user can selectively restore them, if the admin chooses to allow it. This provides flexibility around backing up crucial documents or files on the device.

Device configuration is one of the things companies most frequently benefit from within the Afaria platform. Afaria can allow things like deploying certificates, while controlling settings such as Bluetooth behaviors and browser behavior. It allows for control around application whitelisting or blacklisting, and for deploying Wi-Fi settings or private ATM settings. If your organization has decided to license a private network from AT&T, Verizon, or Sprint, these are all things we can help with through device configuration.

Last but not least are help desk capabilities. Afaria is gathering all this information and managing this broad range of devices, and its alerting capabilities, inherent to the product, allow for tight integration. Users can be alerted when the device is running out of disk space, or they can be provided with proactive alerting when a user might need to be notified that an application doesn’t meet your corporate standards.

Next, let’s look at capabilities specific to the Android platform.
32 Managing iOS 4

Manage Device Without User Interaction: Deliver and remove device policies behind the scenes through a trusted relationship
Accurate and Up-to-Date Asset Tracking Data: Device information, device network information, security information, installed profile list, installed 3rd-party apps, certificate list, and applied restrictions
Enterprise App Deployment: Over-the-air enterprise applications delivered directly to the device
iPhone End User Experience: Easy provisioning process; select and download suggested applications
Corporate Security: Remotely lock and wipe the device or enterprise applications and data; ensure corporate security policies are enforced on the device; gate access to corporate assets based upon device compliance
33 Managing Android

Afaria client for Android: Supports communication through the Relay Server; outbound notifications from the server to initiate a client connection; delivers enterprise in-house apps OTA to the SD card in the device
Can distribute enterprise applications: Integrated application download logging and reporting data for accurate tracking
Client-side portal for application selection: Displays packages grouped by admin-defined categories; allows for end-user selection and installation
Extensive hardware and software inventory collection
Android 2.2 devices: Native device lock, unlock and wipe options (will not rely on MS Exchange); administrator can enforce the use of password policies and control the format, min/max length, failures before wipe, etc.
Android Advanced Enterprise Security (AES): Enabling Mobile Device Management features through device firmware
34 DMZ Access Control Utility Architecture

[Architecture diagram. Labels shown: DMZ Access Control Utility; DBA Repository; File Systems; two Firewalls; device platforms (Windows, iPhone, iPad, Android, Windows Mobile, BlackBerry, Symbian, OMA/DM); Directories and Databases; Afaria Server(s); IIS Server; TCP/IP, HTTP and SSL; Reverse Proxy (ISA/Apache) or IAS Relay Server; Administrative Console Browser; Device Management, Security Management and Application Management.]
35 IDC recognized Sybase as the leader in mobile device management

INDUSTRY RECOGNITION

“Sybase holds the #1 position for the ninth consecutive year in this market at 19.7%”
Sybase recognized in the LEADERS CIRCLE for Mobile Device Management Solutions for strong strategy and product offering.
Sybase recognized in the LEADERS QUADRANT of Gartner’s Magic Quadrant for Mobile Enterprise Application Platforms for completeness of vision and ability to execute.

Source: IDC, Worldwide Mobile Device Management Enterprise Forecast 2009 Vendor Shares Report, Doc # , August 2010
* Source: The Forrester Wave™, as of April 2009
* Source: Gartner, as of December 2009