© 2013 IBM Corporation
IBM MobileFirst Reference Architecture: Focus on Management and Security
Session BME-1167: Tuesday, February 26, 1 PM
2
Speakers
Peter Bahrs, PhD, CTO WebSphere Services, Distinguished Engineer
Sridhar Muppidi, CTO Identity & Access Management, Distinguished Engineer
Sreenivasa R. Pamidala, Lead Architect ISSW Mobile Services, Executive IT Architect
3
Life has gotten complicated for Enterprises
4
Mobile is changing the way that you interact with your customers
Diagram labels (channels): Customer, Teller, ATM, Customer Service Manager, Online / Mobile, Personal
Event-driven interactions:
• When a customer’s card is not returned by the ATM then… send SMS with location of nearest branch
• When a pending transaction will cause an account to be overdrawn then… promote overdraft protection offer
• When a large payment has been requested then… request biometric authentication
5
An Enterprise has 4 key mobile development & delivery challenges
Accelerated time to market requirements
• Higher frequency of new releases puts added pressure on teams to deliver on time and with high quality
Connecting apps with existing enterprise systems
• Apps typically need to leverage existing enterprise services, which must be made mobile-consumable
• Enterprise wireless networks are running out of bandwidth to accommodate employee devices
Delivering high quality apps
• Consumers demand a high quality user experience where quality is influenced as much by design as it is by function
Fragmentation and developing for multiple mobile platforms
• Highly fragmented set of devices, platforms, languages, and tools complicates development, test, and operations
6
IBM MobileFirst Reference Architecture
7
Why a Reference Architecture?
§ Provides details behind IBM MobileFirst
§ Accelerate mobile solutions development and deployment
§ Architectural patterns for integration of cloud, enterprise and SAP systems
§ Supports requirements from many industries including banking, telecommunications and government
§ Accelerate project delivery by customizing pre-populated assets
§ Provides framework for your Mobile Center of Excellence
§ Training
8
Capability View
IBM Confidential
(diagram only)
9
Use Cases
§ Organized by the various lifecycle phases of a mobile application
§ Lifecycle Phases include:
– Design & Develop
– Integrate
– Test
– Deploy
– Manage
– Instrument
– Obtain Insight
– Scan & Certify
§ Each Phase has several Packages
§ Each Package has several Use Cases
§ ~63 Use Cases
10
Architectural Decisions
Subject Area: Security - Device
Topic: Security at the device (mobile Device Mgt)
DD ID: SEC-002
Design Decision: IBM Endpoint Manager for Mobile Devices provides a completely integrated approach for managing, securing, and reporting on laptops, desktops, servers, smartphones, tablets, and even specialty devices such as point-of-sale terminals.
Issue or Problem: Users are becoming increasingly reliant on their mobile device to perform day-to-day tasks, including both personal activities and business tasks. This relatively unlegislated usage of devices for both work and play makes enterprises susceptible to vulnerabilities from rogue and misbehaving applications, negligent usage or malicious attacks. The challenges include:
• Potential unauthorized access of data
• Insecure data, in transit or at rest
• Insecure or un-patched device accessing the network
• Data loss prevention (DLP)
Assumptions: A mechanism must be in place to ensure that security vulnerabilities are limited.
Motivation:
Alternatives: These capabilities for device protection are generally grouped under the umbrella of Mobile Device Management (MDM). MDM is most widely used in B2E scenarios, which may involve bring your own device (BYOD) policies or enterprise-provided devices. For B2C, MDM is not usually a feasible solution, as it represents an invasive technology that would not be generated by the general consumer population.
• Agent-based
• ActiveSync-based management
• Utilize device management APIs to provide native support
Decision: Implement an MDM for B2E but not for B2C. It is a generally agreed upon best practice for enterprises wishing to implement highly secure mobile environments to deploy an MDM solution. In order for any mobile device to be eligible for use in an enterprise environment, it should be treated like any other IT resource owned and managed by the company (e.g., laptops, PCs, servers, etc.).
11
Functional Views
(diagram only)
12
Operational Models
(diagram only)
13
Device Views
(diagram only)
14
Services and Data Views
User Model: data the user interacts with; consumable, flat, only what the user needs to know.
Canonical or Domain Model: data built up from various data sources; rich, correlation, connectivity.
REST App Maps
• Domain/Canonical Data Models
- Rich
- Focus on backend coordination.
• User Model
- User’s view of the Data
- Consumable across channels
- Flatter
- Channel Constraint aware.
- REST Architecture
15
Monitoring Views
Transaction Tracking for end-to-end transaction monitoring
Monitored components (diagram): Mobile Clients, Web Server (OS Agent, HTTP Agent), App Server (OS Agent, WAS Agent), Legacy Backend 1, Legacy Backend 2
Web Response Time Agent (HTTP packet sniffing): passive network packet capture observes real end-user transactions.
Robotic Response Time Agent: simulated device transactions help detect problems before they become customer impacting.
16
Management Views
(diagram only)
17
Analytics Views
– Discover “why” customers succeed or fail
– Automatically detect customer struggles, obstacles or issues
– Drill down into actual user behavior, complete with gestures
– Translate customer feedback into actionable improvements
– Correlate customer behavior with network and application data
18
Operational Models
19
API Management Views
Diagram labels:
• Mobile Environment: Mobile Device, Mobile App, Adapters, MDM, Analytics (Consumer)
• API Management Environment: Mobile/API Gateway, Manager Tier, Assembly Tier, Analytics Tier
• ESB and backends: User, Cloud, Data, EIS
• API calls from the Mobile App and from the Web App (Consumer)
20
Development Views
(diagram only)
21
Development Views
(diagram only)
22
Security and Management
23
Mobile devices: Unique security challenges
Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with co-workers
• Social norms of mobile apps vs. file systems
Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organization
• Security profile per persona?
Mobile devices are diverse
• OS immaturity for enterprise mgmt
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions
Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise Wi-Fi
Mobile devices prioritize the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists
24
Imperatives to securing the mobile enterprise
• Mitigate security risk across devices, applications, content and transactions
• Comprehensively understand enterprise security across all endpoints
• Comprehensive enterprise mobility management
Protect the Device
• Manage the mobile enterprise with BYOD, BYOA, secure e-mail and document sharing
Protect the Content
• Secure file and document sharing across devices and employees including integration with SharePoint
Protect the Application
• Instrument applications with security protection by design
• Identify vulnerabilities in new, existing or purchased applications
Protect the Transaction
• Secure mobile transactions from customers, partners and suppliers
SECURITY INTELLIGENCE
Correlate mobile security events with broader infrastructure including log management, anomaly detection and vulnerability management for proactive threat avoidance
Stakeholders (diagram): IT Operations, Line-of-Business, Application Developer, Security Specialist, CISO / CIO (Chief Information Security Officer / Chief Information Officer)
25
IBM Security capabilities for the mobile enterprise
Protect the Device: Solutions to manage a diverse set of mobile devices from corporate owned assets to BYOD and do it all easily from the cloud.
Protect the Application: Developer solutions to secure applications by design early in the development process. Protect enterprise data in both the applications you build and the applications you buy.
Protect the Transaction: Solutions to protect mobile transactions with customers, business partners, and temporary workers that are not part of your enterprise mobile management framework.
SECURITY INTELLIGENCE: A unified architecture for integrating mobile security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management.
Diagram labels: Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; DATA; Personal and Consumer | Enterprise
26
IBM Security capabilities for the mobile enterprise
Protect the Device & Content: MaaS360 Secure Mail, MaaS360 Secure Document Sharing, MaaS360 Secure Browser
Protect the Application: IBM Security AppScan, MaaS360 Application Security, IBM Security Access Manager, IBM Worklight
Protect the Transaction: IBM Security Access Manager, IBM Trusteer Mobile SDK
SECURITY INTELLIGENCE: IBM Security QRadar
Diagram labels: Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; DATA; Personal and Consumer | Enterprise
27
At the device: Powerful Mobility Management with
The Essentials
• SMS, email, URL enrollment
• Email, calendar, contact profiles
• VPN and Wi-Fi settings
• Device feature configuration
• Policy updates & changes
• Inventory management
• Compliance reporting
Advanced Management
• Mobile app management
• Document sharing
• Event-based policies
• Proactive expense controls
• BYOD privacy settings
• Shared device support
• Self service portal
Diagram labels: Device Enrollment, Acceptable Use; OTA Configuration; Enterprise App Catalog; Location-based policies
28
Mobile Fraud Protection using Trusteer SDK
Scan Device: scan for risk factors (Rogue Apps, Jailbreak / Root, Security Patches, Infected, Pharming, Wi-Fi); tag the user’s mobile device with a Persistent ID
Calculate & Communicate Risk Score: App Integration, Feeds; consult with Pinpoint ATO
Take Action
• Automated: close app based on risk score; restrict login, adding payees; limit transfer
• Guided manual mitigation: uninstall malware app; change configuration
Adaptive Protection: known crime logic, unknown crime logic
Diagram labels: User’s Mobile Device, ATOID
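The scan, score and act flow above, together with the context-based access decision (user trust, device risk, transactional context) on the Security Access Manager slide that follows, can be sketched as one small policy engine. This is an added illustration, not Trusteer, Security Access Manager or other IBM code: the risk factor names and the three automated actions come from the slide, while the weights, score thresholds, transfer cap, transaction kinds and the event record shape are assumptions chosen for the example.

```python
# Added example: device-risk-to-action policy for a mobile banking app.
# Not IBM Trusteer or ISAM code; weights, thresholds and the cap are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Action(Enum):
    ALLOW = "allow"
    LIMIT_TRANSFER = "limit transfer amount"
    RESTRICT = "restrict: login needs step-up, adding payees blocked"
    CLOSE_APP = "close app"


# Risk factors named on the slide; the weights are illustrative assumptions.
FACTOR_WEIGHTS = {
    "rogue_app": 40,
    "jailbreak_or_root": 35,
    "missing_security_patches": 15,
    "malware_infected": 60,
    "pharming": 50,          # hosts/DNS tampering steering the app to a fake host
    "untrusted_wifi": 10,
}

# Score bands (assumed): at or above a threshold the corresponding tier applies.
CLOSE_APP_THRESHOLD = 60
RESTRICT_THRESHOLD = 35
LIMIT_THRESHOLD = 15
TRANSFER_CAP = 1000.0      # largest transfer allowed once the device is in a risky band
TRANSACTION_KINDS = ("login", "add_payee", "transfer")


@dataclass(frozen=True)
class DevicePosture:
    persistent_id: str        # the persistent ID the SDK tags the device with (constructed)
    findings: FrozenSet[str]  # detected risk factors, a subset of FACTOR_WEIGHTS


@dataclass(frozen=True)
class TransactionContext:
    kind: str                        # one of TRANSACTION_KINDS
    amount: float = 0.0              # meaningful for "transfer" only
    step_up_completed: bool = False  # strong authentication already passed


@dataclass(frozen=True)
class Decision:
    score: int
    action: Action
    reasons: Tuple[str, ...]


def risk_score(posture: DevicePosture) -> int:
    """Sum the weights of the detected factors, capped at 100; reject unknown names."""
    unknown = posture.findings - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    return min(100, sum(FACTOR_WEIGHTS[f] for f in posture.findings))


def decide(posture: DevicePosture, tx: TransactionContext) -> Decision:
    """Combine device risk with the transaction context to pick one action."""
    if tx.kind not in TRANSACTION_KINDS:
        raise ValueError(f"unknown transaction kind: {tx.kind}")
    score = risk_score(posture)
    reasons = tuple(sorted(posture.findings))

    if score >= CLOSE_APP_THRESHOLD:
        # Malware, pharming or several stacked findings: end the session outright,
        # no matter how strongly the user has authenticated.
        return Decision(score, Action.CLOSE_APP, reasons)

    if score >= RESTRICT_THRESHOLD:
        if tx.kind == "login":
            # Step-up authentication supplies the stronger assurance the slides ask for.
            action = Action.ALLOW if tx.step_up_completed else Action.RESTRICT
        elif tx.kind == "add_payee":
            action = Action.RESTRICT        # never from a device in this band
        else:
            action = Action.LIMIT_TRANSFER  # every transfer is capped
        return Decision(score, action, reasons)

    if score >= LIMIT_THRESHOLD and tx.kind == "transfer" and tx.amount > TRANSFER_CAP:
        return Decision(score, Action.LIMIT_TRANSFER, reasons)

    return Decision(score, Action.ALLOW, reasons)


def risk_event(posture: DevicePosture, tx: TransactionContext, decision: Decision) -> dict:
    """Flat record for communicating the score to the backend / SIEM (constructed shape)."""
    return {
        "device_id": posture.persistent_id,
        "transaction": tx.kind,
        "amount": tx.amount,
        "risk_score": decision.score,
        "factors": list(decision.reasons),
        "action": decision.action.name,
    }
```

Calling `decide(DevicePosture("device-0001", frozenset({"jailbreak_or_root", "untrusted_wifi"})), TransactionContext("add_payee"))` yields a score of 45 and the RESTRICT action, and `risk_event` turns that into the record the backend would correlate.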
29
Secure Transactions with IBM Security Access Manager
Identity-aware application access on the mobile device
• Strong Authentication, mobile SSO, session management for secure user interactions
• Context-based access and stronger assurance for transactions
Transparently enforce security policies for mobile applications
• Enforce security policies without modifying the applications
• Context: User trust, Device risk, Transactional Context
Manage consistent security policies
• Safeguard mobile, cloud and social interactions
Diagram labels: IBM Security Access Manager between the Internet (Cloud, Mobile) and On/Off-premise Resources (Data, Applications)
30
Leveraging DataPower, Security Access Manager and Worklight to address Mobile Security requirements
Diagram components:
• Mobile App. (App. Interaction over http(s), User Interaction over http(s)); Worklight Runtime; Session Token
• ISAM Proxy / DataPower Services: Identity Propagation, Risk / Context Decision Engine, Auth. / Authz., Web SSO
• ISAM Policy Server: Context based Access & Federation; Identity propagation & Context based access
• External Metadata: LDAP, Bus. Data, metadata, Credentials
• Applications: Portal / Apps, Process Server / ESB, PEPs, Worklight Server, Services, Adapters
• Protocols: REST, SOAP, JMS, MQ with Id. Propagation
31
Security – For the Mobile Application
Worklight Server (diagram): Authentication, JSON Translation, Server-side Application Code, Adapter Library, Client-side App Resources, Direct Update, Mobile Web Apps, Unified Push Notifications, Stats Aggregation
Device Runtime
• Cross Platform Technology
• Security and Authentication
• Back-end Data Integration
• Post-deployment control and Diagnostics
Built-in application security with IBM Worklight
✓ Application authenticity verification
✓ Monitor/Patch newly discovered application vulnerabilities
Include security within mobile app development lifecycle with IBM Security AppScan
✓ Follow secure coding practices, and provide testing infrastructure to identify application vulnerabilities during development
32
Protecting Worklight App with Arxan
§ Instrumenting an app with Guards enables the app to protect itself from hacking attacks
§ Guards are embedded directly inside the application and appear as normal code – protection goes wherever the app goes
§ Efficient and seamless insertion of pre-defined Guards for the minimum mobile app integrity needs to make apps self-defending and tamper-resistant before deployment
• Jailbreak/root detection
• Application verification against compromise, malware, or exploit insertion
• Tamper-resistance for Worklight SDK (security-sensitive libraries)
Diagram: Unprotected app (exposed to integrity attacks) → Arxan Guarding Instrumentation → Protected app (tamper-resistant & self-defending); “Best Security Software” badge
33
Mobile Security Maturity Model
Drivers (columns): BYOD, Data Separation, Mobile Collaboration, Mobile App. Security
Optimized: Mobile Security Intelligence (Risk Assessments, New Threat Detection, Active Monitoring)
• Integrated management of multiple devices
• Device Security policy management
• Prevent loss or leakage of sensitive information
• Risk / Context based Access
• Threat Detection on inbound network traffic
• Context / Risk based document collaboration / creating / viewing
• Enforce restrictions on copy/paste
• Multi-factor context aware access and offline access
• Granular security policy definition and enforcement
• Enable data sharing based on policy
Proficient
• Endpoint Protection with Anti-malware
• White/black list apps
• Detection of Jailbreak/rooted devices
• Prevent copy and paste of email, calendar, contacts and intranet data
• Application level VPN
• Secure document creation and viewing
• Document Collaboration with secure file sync / collaboration
• App Management – provisioning/updates/disabling
• Separation of corporate apps from personal apps
• Application validation
Basic
• Update management
• Device lock / Device wipe
• Device Registration
• Segregated secure access to corporate email, calendar, contacts and browser
• User / device authentication and single sign-on
• Connectivity to social networks
• Secure instant messaging
• Enforcing encryption of data within an app
• App Vulnerability Testing and Certification
34
Thank you for joining us
© 2013 IBM Corporation
© 2014 IBM Corporation
IBM Security Systems
35
www.ibm.com/security
© Copyright IBM Corporation 2014. THE INFORMATION IN THESE MATERIALS ARE PROVIDED "AS IS" WITHOUT ANY WARRANTY,
EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of
the agreements under which they are provided. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable
license agreement governing the use of IBM software. These materials are current as of the initial date of publication and may be
changed by IBM at any time. Not all offerings are available in every country in which IBM operates. Product release dates and/or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other
factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, ibm.com and
other IBM products and services are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection
and response to improper access from within and outside your enterprise. Improper access can result in information being altered,
destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely
effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive
security approach, which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR
WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Pulse 2014.mobile first.security
