IBM MobileFirst Security: Mobile Application Security & Data Protection
© 2013 IBM Corporation

IBM MobileFirst Offering Portfolio

Industry Solutions: Banking, Insurance, Retail, Transport, Telecom, Government, Healthcare, Automotive
IBM & Partner Applications
Application & Data Platform: Application Platform and Data Services
Management, Security and Analytics, spanning Devices, Network and Servers
Development & Integration Services
Strategy & Design Services
Cloud & Managed Services

Mobile Security Challenges Faced By Enterprises

Achieving Data Separation & Providing Data Protection
• Personal vs. corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs. legally defensible wipe
• Data policies

Providing secure access to enterprise applications & data
• Identity of user and devices
• Authentication, Authorization and Federation
• User policies
• Secure Connectivity

Adapting to the BYOD / Consumerization of IT Trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
• Threat protection

Developing Secure Applications
• Application life-cycle
• Static & Dynamic analysis
• Call and data flow analysis
• Application policies

Designing & Instituting an Adaptive Security Posture
• Policy Management: Location, Geo, Roles, Response, Time policies
• Security Intelligence
• Reporting

These challenge areas are interrelated.

The IBM MobileFirst approach to security
• Device Management: security for endpoint device and data
• Network, Data, and Access Security: achieve visibility and adaptive security policies
• Application Layer Security: develop and test applications

IBM MobileFirst offerings to secure the enterprise
IBM Security Framework domains: Mobile Security Strategy and Lifecycle Management

At the Device
• Manage Device & Data: IBM Endpoint Manager for Mobile
• Malware Protection: IBM Mobile Device Security (hosted)
• Application Security: IBM Worklight

Over the Network & Enterprise (Internet to Corporate Intranet)
• Secure Access: IBM Security Access Manager, IBM WebSphere DataPower
• Monitor & Protect: IBM Security QRadar
• Secure Connectivity: IBM Mobile Connect

For the Mobile App
• Secure Applications: IBM Security AppScan
• Integrate Securely: IBM WebSphere DataPower
• Manage Applications: IBM Worklight

Is The Mobile Application Security Risk Real?

A Clear and Present Danger
• Mobile devices are twice as appealing (2x): hackers can obtain personal and business data.
• Access has never been easier: by the end of 2011, Android app downloads reached 10 billion.
• Try getting a corporate app.
The Security Risk is Real!

Android Malware Increased Dramatically in 2011
Spyware and SMS Trojans were the top two categories.
Source: Juniper Mobile Threat Report, 2/12
The Security Risk is Real!

Mobile Computing Losses Are Real
Source: Symantec 2012 State of Mobility Survey
“Symantec's 2012 State of Mobility Survey… polled over 6,000 organizations in 43 countries… discovered that mobile computing is the biggest IT security concern”
The Security Risk is Real!

No One Is Spared
Source: Arxan State of Security in the App Economy – 2012
The Security Risk is Real!

What are the Mobile Application Security Risks?

Security Risk a Function of Mobile Application Type
• Mobile Web applications
• Mobile Native applications
• Mobile Hybrid applications

Permissions May Introduce Security Risk
• Users don’t understand the permissions they grant
• Applications are over-permissioned
• Permissions vary by OS & release

Native Mobile Application Security Risks
• Confidentiality leaks
  – Private conversations leaked to public
  – Private contact information leaked to public
  – Location leaked to public
• Integrity violations
  – Corruption of local databases
  – Fraudulent use of application
• Abuse of privileges
  – Sending text messages
  – Placing calls
  – Surveillance of device’s user

Which QR code is evil?
• The QR code contained a URL to download malware
• The malware sent SMS messages to a premium rate number (US $6 per message)
http://siliconangle.com/blog/2011/10/21/infected-qr-malwaresurfaces-on-smartphones-apps/

How Do You Determine if Your Mobile Application is Secure?

A mobile enterprise needs… prioritized security and privacy throughout the mobile app lifecycle to protect sensitive business systems

IBM Security AppScan 8.next: What’s New
• Accelerates the use of iOS in an Enterprise setting
• Native security scanning of iOS applications built in Objective C, Java or JavaScript
• Facilitates a "secure by design" process in the software development lifecycle for mobile applications
• Addresses requirements for usage in the US Federal Government
Planned availability 1Q 2013

IBM Mobile Application Security
IBM Security AppScan: app security testing and risk management

Client Challenge
Applying patches and resolving application vulnerabilities after apps are delivered and deployed is a very costly and time-consuming exercise.

Key Capabilities
• Test native applications
• Test web-based applications
• Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript) of hybrid mobile apps
• Vulnerabilities and coding errors can be addressed in software development and testing
• Code vulnerable to known threat models can be identified in testing
• Security designed in vs. bolted on

Security Flaws More Costly than Functional Flaws
The cost to repair a flaw rises with the phase in which it is found (Development 1x, Test 10x, Deployment higher still). A security flaw found after deployment adds unbudgeted costs, damage to the enterprise shown on the slide as 1,000,000x, that a functional flaw does not:
• Customer notification
• Government fines
• Litigation
• Reputational damage
• Brand erosion
• Cost to repair

How Do You Develop Secure Mobile Applications?

A mobile enterprise needs… Secure Mobile Application Development

IBM Worklight
Develop, deliver and deploy security-rich mobile apps to streamline business activities while also delivering a rich user experience

Client Challenge
Efficiently and securely create and run HTML5, hybrid and native mobile apps for a broad set of mobile devices

Key Capabilities
• Integrated secure access to backend application resources
• Secured by design: develop secure mobile apps with best practices, code obfuscation
• Protect mobile app data with encrypted local storage for data, offline user access, app authenticity validation, and policy enforcement
• Maximize mobile app performance with analytics, remote disabling of apps

Securing Mobile Applications vs. Mobile Devices

Application-Level Security (the app takes care of itself)
• Authentication
• File encryption
• Adaptive functionality
• Jailbreak detection
Applicable in all scenarios, including BYOD and consumer-facing contexts

Mobile Device Management (device-level control)
• Password protection
• File-system encryption
• Remote administration
• Managed apps
Requires consent of user to have enterprise manage entire device

The device may be secure – but not your data!

Mobile Application Security Objectives

Protect data on the device
• Malware, jailbreaking
• Offline access
• Device theft
• Phishing, repackaging

Enforce security updates
• Be proactive: can’t rely on users getting the latest software update on their own

Provide robust authentication and authorization
• Existing authentication infrastructure
• Passwords are more vulnerable

Protect from the “classic” threats to application security
• Hacking
• Eavesdropping
• Man-in-the-middle

Streamline corporate security approval processes
• Complex
• Time-consuming

Protecting Data on the Device
Threats addressed: malware and jailbreaking, device theft, offline access, phishing and repackaging

• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge-response on startup
• App authenticity testing: server-side verification mechanism to mitigate risk of phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries

Enforcing Security Updates
Can’t rely on users getting the latest software update on their own.

• Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
• Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
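The two update controls above (Remote Disable and Direct Update) come down to a client-side decision made at startup against a policy the server publishes. The following is an added example, not IBM Worklight's own mechanism: the policy layout, the HMAC tag over it, the sample manifest and every function name are assumptions made for this illustration. It shows the checks a practitioner would want in such a client: the policy is rejected unless its integrity tag verifies, a disabled or too-old version is sent to the update link, cached HTML/JS is compared against a hash manifest, and a downloaded resource is installed only if its hash matches that manifest.

```python
"""Client-side evaluation of an update policy: remote disable and direct update.

Added example, not IBM Worklight code. The policy document layout, the HMAC tag
over it, and every function name here are assumptions made for this illustration.
"""
import hashlib
import hmac
import json

# Constructed key. In a real deployment the policy would carry a public-key
# signature, so that a key extracted from the app cannot be used to forge
# policies; HMAC is used here only to keep the example dependency-free.
POLICY_KEY = bytes.fromhex("11" * 32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_policy(policy: dict, key: bytes = POLICY_KEY) -> dict:
    """Server side: canonical JSON plus an integrity tag."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def load_policy(signed: dict, key: bytes = POLICY_KEY) -> dict:
    """Client side: refuse any policy whose tag does not verify."""
    expected = hmac.new(key, signed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("policy tag mismatch: ignoring unauthenticated update instructions")
    return json.loads(signed["body"])


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def evaluate(policy: dict, app_version: str, local_resources: dict) -> tuple:
    """Decide what the app must do at startup.

    Returns ("disable", update_url) when this version is shut off,
    ("direct_update", [paths]) when cached HTML/JS differs from the manifest,
    or ("ok", None).
    """
    disabled = app_version in policy["disabled_versions"] or \
        version_tuple(app_version) < version_tuple(policy["min_version"])
    if disabled:
        return ("disable", policy["update_url"])
    stale = [path for path, digest in policy["resources"].items()
             if sha256_hex(local_resources.get(path, b"")) != digest]
    if stale:
        return ("direct_update", sorted(stale))
    return ("ok", None)


def apply_direct_update(policy: dict, local_resources: dict, downloaded: dict) -> dict:
    """Install downloaded resources only if they match the signed manifest."""
    for path, data in downloaded.items():
        if sha256_hex(data) != policy["resources"].get(path):
            raise ValueError(f"{path}: downloaded content does not match manifest")
    local_resources.update(downloaded)
    return local_resources


# Constructed sample data: a released manifest and one device's stale cache.
NEW_RESOURCES = {"index.html": b"<html>v2</html>", "app.js": b"console.log('v2');"}
SAMPLE_POLICY = {
    "min_version": "1.1.0",
    "disabled_versions": ["1.0.3"],          # e.g. a build with a known flaw
    "update_url": "https://example.invalid/app/update",
    "resources": {p: sha256_hex(d) for p, d in NEW_RESOURCES.items()},
}
SIGNED_POLICY = sign_policy(SAMPLE_POLICY)


def demo() -> list:
    """Walk one device through disable, direct update, and a clean start."""
    policy = load_policy(SIGNED_POLICY)
    cache = {"index.html": b"<html>v2</html>", "app.js": b"console.log('v1');"}
    results = [evaluate(policy, "1.0.3", cache), evaluate(policy, "1.2.0", cache)]
    apply_direct_update(policy, cache, {"app.js": NEW_RESOURCES["app.js"]})
    results.append(evaluate(policy, "1.2.0", cache))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The design point is that Direct Update only helps if the app cannot be talked into installing arbitrary resources: the manifest that names the expected hashes travels under the same integrity tag as the disable list, and the client verifies the tag before acting on either.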

Authentication and Authorization
Providing robust authentication and authorization:
• Need to integrate with existing authentication infrastructure
• Authenticate users when offline
• Mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)

Authentication integration framework
• Very flexible framework for simplifying integration of apps with enterprise identity & access management solutions
• Manages authenticated sessions with configurable expiration
• Open: e.g., custom OTP as anti-keylogger mechanism

Data protection realms
• Server-side services grouped into separate protection realms for different authentication levels

Device provisioning
• Secure device ID generated as part of an extensible provisioning process
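The "Protecting Data on the Device" slide lists offline authentication using a password and extended authentication with the server through a secure challenge-response on startup, and the slide above adds a secure device ID produced by provisioning. The following is an added example using only the Python standard library; it is not IBM Worklight code, and the class and function names, the message layout and the lockout threshold are assumptions made for this illustration. It shows the three pieces working together: a salted, stretched password verifier that lets the app check the password offline without storing it, a server that provisions a random device ID and secret, and a startup exchange in which the client proves possession of that secret over a single-use nonce so a captured response cannot be replayed.

```python
"""Offline password check, device provisioning and a startup challenge-response.

Added example (Python standard library only), not IBM Worklight code. The class
and function names, the message layout and the lockout threshold are assumptions
made for this illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000   # work factor for the on-device password verifier
MAX_OFFLINE_FAILURES = 5      # after this many misses, require the server again


@dataclass
class OfflineCredential:
    """Kept on the device: a salted, stretched verifier, never the password."""
    salt: bytes
    verifier: bytes
    failures: int = 0


def enroll_offline_password(password: str) -> OfflineCredential:
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return OfflineCredential(salt=salt, verifier=verifier)


def authenticate_offline(cred: OfflineCredential, password: str) -> bool:
    """Offline check: re-derive and compare in constant time; count misses."""
    if cred.failures >= MAX_OFFLINE_FAILURES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ITERATIONS)
    if hmac.compare_digest(candidate, cred.verifier):
        cred.failures = 0
        return True
    cred.failures += 1
    return False


def compute_response(secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Client side of the challenge-response: prove possession of the
    provisioned secret without ever transmitting it."""
    message = b"startup|" + device_id.encode() + b"|" + nonce
    return hmac.new(secret, message, "sha256").digest()


@dataclass
class ProvisioningServer:
    """Server side: issues device IDs and secrets, then verifies responses."""
    devices: dict = field(default_factory=dict)      # device_id -> secret
    outstanding: dict = field(default_factory=dict)  # device_id -> nonce awaiting reply

    def provision(self) -> tuple:
        # Random device ID: not derived from hardware identifiers, so it
        # cannot be guessed from a serial number or similar value.
        device_id = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self.devices[device_id] = secret
        return device_id, secret

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        secret = self.devices.get(device_id)
        nonce = self.outstanding.pop(device_id, None)   # single use: a replay finds no nonce
        if secret is None or nonce is None:
            return False
        return hmac.compare_digest(compute_response(secret, device_id, nonce), response)


def startup_exchange(server: ProvisioningServer, device_id: str, secret: bytes) -> bool:
    """The full exchange the app performs when it starts with connectivity."""
    nonce = server.challenge(device_id)
    return server.verify(device_id, compute_response(secret, device_id, nonce))


if __name__ == "__main__":
    cred = enroll_offline_password("correct horse")
    print("offline ok:", authenticate_offline(cred, "correct horse"))
    srv = ProvisioningServer()
    dev_id, dev_secret = srv.provision()
    print("startup ok:", startup_exchange(srv, dev_id, dev_secret))
```

Two details carry the security value: the offline verifier is compared with `hmac.compare_digest` and locks after repeated failures, which limits what a thief with the device can learn by guessing, and the server discards each nonce as soon as it is used, so the response is bound to one startup and cannot be replayed.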

Worklight Features Mapped to Security Objectives (Application Security)

Protecting data on the device
• Encrypted offline cache
• Offline authentication
• Secure challenge-response on startup
• App authenticity testing
• Compatibility with jailbreak detection libs

Enforcing security updates
• Remote disable
• Direct update

Providing robust authentication and authorization
• Mobile platform as a trust factor
• Auth integration framework
• Data protection realms
• Device provisioning

Streamlining corporate security processes
• Proven platform security
• SSL with server identity verification
• Code protection

A mobile enterprise needs… Load Balancing, Protection At The Gateway

IBM DataPower Appliance
Delivers an optimized and secure mobile app experience

Client Challenge
Mobile applications place new availability and security demands on application resources.

Key Capabilities (DataPower as a high-availability application gateway between the Internet and the application server cluster)
• Satisfy complex routing & scaling requirements
• Message protection / validation and XML firewall
• Supports open standards applicable to mobile, e.g. OAuth
• App authentication and authorization
• Synergy with IBM Security Access Manager to deliver context-aware user access security

Key Takeaways
• Mobile application security risks, concerns, and threats are real
• Mobile security risks are a superset of traditional web-based application security risks
• Don’t wait – be proactive!
• Consider mobile application security solutions to help…
  – Develop secure applications to protect your data
  – Detect security risks and vulnerabilities

Three ways to get started with IBM MobileFirst
1. Read our latest security article on Wired, "Crafting a Mobile Security and Management Posture": http://bit.ly/VKTIld
2. Learn more: ibm.com/mobilefirst, twitter.com/IBMMobile (#IBMMobile), facebook.com/IBMMobile
3. Talk with your IBM representative or Business Partner to find the right next step for you

Learn more at: www.ibm.com/mobilefirst
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have
the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.