extended systems
TRANSCRIPT
redefining business through mobility
OneBridge Mobile Secure: Overview on Security, 25th February 2005
Agenda
• Overview of Market
• Product Offering
• Upcoming Releases
  – OBMS 1.5
  – OBMS 2.0
  – OBMS 2.5
• Credant Relationship
• Competitive Differentiators
Device trends
Stand alone devices
– The GPS market is powering standalone PDA sales in Europe, and it is a market driven by price. Medion has been very successful in this arena, and it is now joined by Mitac and, more recently, Yakumo and Anubis. PalmOne is attempting to fight back with Zire 72- and Zire 31-based GPS bundles. The latest devices from PalmOne are the Treo 650 and the T5.
Smart phones
– Shipments totalled 1.85m units during the same period, up 38 per cent on Q3 2003's 1.34m total (figures from IDC).
– RIM's Blackberry managed to grab almost seven per cent of the smart phone market, up 300 per cent due to an order in the UK from Vodafone.
Applications
– More than email: service management, sales management, bespoke healthcare, etc.
Can you keep a Secret?
Why do Organisations protect data?
@RISK: The Consensus Security Vulnerability Alert, February 24, 2005, Vol. 4, Week 8
-- Third Party Windows Apps
05.8.1 - fallback-reboot Remote Denial of Service
05.8.2 - WebConnect Multiple Remote Vulnerabilities
05.8.3 - SD Server Directory Traversal Vulnerability
05.8.4 - Bontago Game Server Remote Nickname Buffer Overrun
05.8.5 - Xinkaa WEB Station Directory Traversal
05.8.6 - Arkeia Network Backup Agent Remote Unauthorized Access
05.8.7 - PuTTY, PSFTP and PSCP Multiple Remote Integer Overflow Vulnerabilities
05.8.8 - TrackerCam Multiple Remote Vulnerabilities
-- Linux
05.8.9 - OpenLDAP SlapD Remote Denial of Service
-- Unix
05.8.10 - Information Resource Manager Authentication Unspecified Vulnerability
05.8.11 - Arkeia Type 77 Request Remote Buffer Overrun
05.8.12 - GProFTPD GProstats Remote Format String Vulnerability
05.8.13 - glFTPD ZIP Plugins Directory Traversal
-- Cross Platform
05.8.14 - UnAce Archive Directory Traversal
05.8.15 - Mono Multiple Cross-Site Scripting Vulnerabilities
05.8.16 - PHPBB Arbitrary File Disclosure Vulnerability
05.8.17 - cURL/libcURL NTLM Authentication Buffer Overflow
05.8.18 - cURL/libcURL Kerberos Authentication Buffer Overflow
05.8.19 - ZeroBoard Multiple Cross-Site Scripting Vulnerabilities
05.8.20 - Tarantella Enterprise/Secure Global Information Disclosure
05.8.21 - Bidwatcher Remote Format String Vulnerability
05.8.22 - Yahoo! Messenger Download Dialogue Box File Name Spoofing
05.8.23 - Gaim Multiple Remote Denial of Service Vulnerabilities
05.8.24 - WebCalendar SQL Injection
05.8.25 - PaNews Cross-Site Scripting
-- Web Application
05.8.26 - MediaWiki Multiple Unspecified Remote Vulnerabilities
05.8.27 - iGeneric iG Shop Multiple SQL Injection Vulnerabilities
05.8.28 - phpBB Arbitrary File Deletion Vulnerability
05.8.29 - PHPBB Multiple Vulnerabilities
05.8.30 - Biz Mail Form Unauthorized Mail Relay Vulnerability
05.8.31 - vBulletin Arbitrary PHP Script Code Execution
05.8.32 - Verity Ultraseek Cross-Site Scripting
05.8.33 - Mambo Open Source Remote File Include
05.8.34 - INL Ulog-php Multiple SQL Injection Vulnerabilities
05.8.35 - paNews Remote PHP Script Code Execution
05.8.36 - PMachine Pro Remote File Include Vulnerability
05.8.37 - NewsBruiser Comment System Security Restrictions Bypass
05.8.38 - Skull-Splitter Guestbook HTML Injection
05.8.39 - BibORB Multiple Input Validation Vulnerabilities
05.8.40 - paFaq SQL Injection Vulnerability
05.8.41 - MercuryBoard Forum Cross-Site Scripting
05.8.42 - ELOG Web Logbook Multiple Remote Vulnerabilities
-- Network Device
05.8.43 - Gigafast EE400-R Router Multiple Remote Vulnerabilities
05.8.44 - Thomson TCW690 Cable Modem Multiple Vulnerabilities
Why we use security!!!!!!!
--University of California at San Diego Computers Compromised Again
(18 January 2005)
For the third time in one year, computers containing information
belonging to University of California San Diego students and alumni
have been breached. The university has been phasing out the use of
Social Security numbers as identifiers, but these computers were among
the last that still contained this data. While there is no evidence
that the data has been used to steal identities, those whose personal
information was compromised have been informed in compliance with
California law. The intruder used the servers to store music and video
files.
http://www.nbcsandiego.com/education/4103051/detail.html
SANS NewsBites Vol. 7 Num. 4
Ebay:- in the news again
--eBay Sellers Offering eMail Addresses, Spam Tools
(20 January 2005)
Despite eBay's recent effort to protect its customers from spam, sellers
on the auction site are offering millions of email addresses and
spamming tools. Certain lots have been removed from the site, but Steve
Linford of anti-spam organization Spamhaus believes eBay should pay
closer attention to what is sold on its site and be a leader in the
fight against spam.
SANS NewsBites Vol. 7 Num. 4
USA rules OK!
--US Considers Reviewing IBM/Lenovo Deal for National Security Risks
(25 January 2005)
The Committee on Foreign Investments in the United States is
considering launching an investigation into whether IBM's proposed sale
of IBM's PC business to Chinese computer manufacturer Lenovo Group Ltd.
poses a threat to national security. Some have expressed concern that
Chinese computer experts could use an IBM facility to conduct
industrial espionage.
SANS NewsBites Vol. 7 Num. 4
Stolen?
Somebody placed an advertisement on eBay for a RIM Blackberry "sold as is." A Seattle computer consultant sent in a bid of US$15.50. His bid was accepted, making him the new owner of the pager-size wireless pocket communicator with 4 MB of memory.
He soon discovered that he was the owner of a merchant bank Senior Vice President’s Blackberry. It contained a hoard of corporate data: names and addresses, phone numbers, and other very confidential information.
It was then auctioned on eBay for a serious amount of cash…
Security Policies: the Options!
Trust Everyone all of the Time
• Easiest to enforce but impractical
• One bad apple can ruin the whole barrel
Trust No One at Any Time
• Most restrictive, but also impractical
• Difficult for staff positions
Trust some of the people some of the time!
• Exercise caution on the amount of trust given
• Access is given out as needed
• Technical controls need to ensure trust is not violated
The need for a “Win-Win” policy
People view policies as:
• An impediment to productivity
• Measures to control behaviour
People have different views about the need for security controls
People fear policies will be difficult to follow and implement
Policies will affect everyone within the organisation
Tension!!!
Users: it's stopping me working!
Systems support: how do the controls work, will we be affected?
Management: concerned about costs vs. protection!
What customers are experiencing
• Explosive growth of mobile computing has increased productivity and introduced new opportunities for business
• New threats and management issues abound: lack of tools to manage and secure
• Difficult to determine who is using mobile devices
• Priceless enterprise data is being synchronized and stored on devices
• Data travels well beyond the safety of the firewall
• Sensitive information travels over public networks
• Mobile devices are too easily lost or stolen
Why be concerned about data security?
• PDAs are very prone to loss and theft. Gartner estimates more than 250,000 cell phones and PDAs were lost at airports alone last year.
• SANS Institute reports studies show up to 30% loss rate for PDAs.
• Tom Walsh of Enterprise Security says, "Robbers net about $85 per holdup and are caught 80% of the time. Information thefts average $800,000 in value and are caught 2% of the time.”
• Information on employee PDAs can often provide access to your network, customers and confidential information.
• Company reputation: responsibility to customers/clients.
EU Data Protection Directive 95/46/EC (1995)
• Multinationals operating across the EU cannot assume that each member state's own data protection laws are mirrored across Europe.
• Not all fifteen Member States (for example Belgium) have instituted a "Data Protection Officer / Commissioner" to help ensure data protection law compliance.
• One theme consistent throughout the survey was that all countries have the capability to impose sanctions for non-compliance.
• Germany and Italy (started Jan 2004) are stricter than the main directive.
• Initial requirement: all fifteen member states to implement by 25th October 1998.
What kind of data are your employees likely to keep on their devices?
Enterprises cannot control what data the users can sync onto their device.
According to a recent PDA usage survey on mobile technologies:
– 85% Business Calendar
– 80% Business Contacts
– 35% Documents
– 33% Passwords
– 32% E-mail
Addressing Business Mandates
Business Mandates
• Enable secure access anytime, anywhere
• Meet regulatory and audit requirements
• Limit risk from device loss, theft or attack
• Control mobile device usage and synchronization
• Secure priceless enterprise mobile data
• Deploy new solutions that address mobile device “disconnected mode”
• Deliver cost-effective solution to deploy, support and manage diverse types of mobile devices
Benefits
• Maximizes the protection of mobile information and limits legal exposure
• Reduces cost of ownership by securing the mobile enterprise with centrally managed, policy-based security
• Reduces threat of unauthorized access to business information
• Easily detects and governs diverse mobile devices
• Protects the enterprise, wireless access and mobile devices
• Architected to address the unique requirements of mobile computing
Business imperative: secure the mobile ecosystem
• Protect Wireless Access: enable productivity from anywhere
• Protect the Enterprise: take control of mobile device usage
• Protect Mobile Devices: limit risk from loss, theft and attack
[Architecture diagram components: Tablet PC, Laptop, PDA, Smartphone; OneBridge Client; OneBridge Desktop Connector; OneBridge DMZ Proxy Server(s) (in the DMZ); OneBridge Sync Server(s); OneBridge Groupware Adapter(s)/Listener(s); Groupware Server(s)]
OneBridge Security Evolution
• Multi-tier Public Keys to authenticate users
• Power-On Password to provide basic security to devices
• Over-the-Air Security to protect data transmission, enabled via RSA
• On-Device Encryption to lock down data, enabled via Credant
Architecture: OneBridge Mobile Secure
[Diagram: LAN/WAN]
OBMS Shield
• Provides robust on-device policy enforcement: access control, data encryption and user authorizations.
• Maximizes the protection of mobile business information.
OBMS Administration
• Centralized specification of policy for your PDAs
• Save and load different policy sets for different groups within your organization
• Create installable Shield images for PPC, Palm, Smartphone or Symbian
• Integrated in OneBridge Software Deployment functionality
• Designate corporate security policy for mobile devices
OneBridge Mobile Secure overview
• Robust on-device encryption of corporate data on the device
• Centralized management of devices and data security policies
• Ability to receive updated email and data, even while the device is locked, via our LiveConnect functionality
• Self-service and administrator-assisted password recovery options available
What is OBMS?
Protects mobile devices and applications
– Authentication required to access data on device
– Data encryption
– On-device restrictions
– Administrator device and data recovery
Broad platform support for diverse mobile hardware and operating systems for PDAs and smartphones
Easy to administer: centrally-defined security policies for consistency across all mobile users
Shield provides industry-leading depth of security policies
Flexible and cost-effective implementation with upgrade paths to enterprise-wide solutions
– Ease of implementation
– Multiple deployment options
OneBridge Mobile Secure Features
Centrally-defined user authentication provides:
– PIN, Password and Question/Answer: length, strength, number of retries, expiry, history
– Timeouts: inactivity
– Self-service password reset via question/answer
– Administrator recovery: different between Group and Enterprise
– Fail-safe action if under attack: extend retry timeout or wipe device (remove all data)
On-device data encryption:
– Built-in PIM applications: email (including attachments), calendar, contacts
– Other applications, including custom applications
– Blowfish 128, 3DES, AES128, AES256 (notebook/tablet)
Port Controls
– Infrared
– Bluetooth
– External Storage
– Network
Application Controls
– Any application can be disabled, including cameras
– Useful for customizing devices for specific business applications
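To make the authentication policy knobs above concrete, here is a constructed model of how a centrally defined PIN/password policy behaves on a device: length and strength checks, password history, an escalating retry timeout, and the fail-safe wipe after too many failures. This is an added illustration, not OneBridge or Credant code; the field names, the doubling timeout and the specific thresholds are assumptions.

```python
from dataclasses import dataclass, field
import hashlib

@dataclass
class PasswordPolicy:
    """Policy knobs the feature list names: length, strength, history, retries, expiry, fail-safe."""
    min_length: int = 6
    require_mixed: bool = True       # at least one letter and one digit (assumed strength rule)
    history_depth: int = 4           # reuse of the last N passwords is refused
    max_retries: int = 5             # failed unlocks before the fail-safe action fires
    base_timeout_s: int = 30         # lockout after the first failure; doubles after each one
    fail_safe: str = "wipe"          # "wipe" (remove all data) or "extend_timeout"
    expiry_days: int = 90

@dataclass
class DeviceState:
    history: list = field(default_factory=list)  # password digests, newest last
    set_at_s: int = 0
    failures: int = 0
    locked_until_s: int = 0
    wiped: bool = False

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def check_new_password(policy, state, candidate):
    """Return (accepted, reason) for a proposed password under the policy."""
    if len(candidate) < policy.min_length:
        return False, "too short"
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy.require_mixed and not (has_alpha and has_digit):
        return False, "needs letters and digits"
    if _digest(candidate) in state.history[-policy.history_depth:]:
        return False, "reused recently"
    return True, "ok"

def set_password(policy, state, candidate, now_s):
    accepted, reason = check_new_password(policy, state, candidate)
    if accepted:
        state.history.append(_digest(candidate))
        state.set_at_s = now_s
    return accepted, reason

def password_expired(policy, state, now_s):
    return now_s - state.set_at_s >= policy.expiry_days * 86400

def attempt_unlock(policy, state, attempt, now_s):
    """Apply one unlock attempt and return the action the device takes."""
    if state.wiped:
        return "wiped"
    if now_s < state.locked_until_s:
        return "locked"                      # still inside the retry timeout
    if state.history and _digest(attempt) == state.history[-1]:
        state.failures = 0
        return "unlocked"
    state.failures += 1
    if state.failures >= policy.max_retries and policy.fail_safe == "wipe":
        state.wiped = True                   # fail-safe: remove all data
        state.history.clear()
        return "wiped"
    # Escalating retry timeout: 30 s, 60 s, 120 s ... (keeps growing when fail_safe is "extend_timeout")
    state.locked_until_s = now_s + policy.base_timeout_s * 2 ** (state.failures - 1)
    return "locked"
```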
OneBridge Mobile Secure key differentiators
Ease of implementation and support
– Easily map security, management and control to meet diverse IT and regulatory compliance requirements
– Minimize costs and maximize existing investments by integrating with existing enterprise directories
– Over-the-air distribution of Shield and policies for mobile devices
Reduced cost of ownership
– Single administrative package to centrally manage all mobile devices
– Self-service password reset
Best of breed solution
– Ability to push data to the device even when locked
– Leverages Credant Mobile Security Platform
Robust security
– Policy-based on-device security enforcement
– Mutually authenticated synchronization
– Automatic fail-safe action if mobile device is lost or stolen ensures valuable information is protected
OneBridge Mobile Secure Specifications
Shield Platforms
– Pocket PC 2000 with ARM processor, Pocket PC 2002, Windows Mobile 2003 and Windows Mobile 2003 Second Edition with 2MB free memory
– Palm OS 3.5 through 5.x with at least 4MB RAM and 1.5 MB free storage
– Smartphone 2003 with 1MB free main memory
Policy Editor Platforms
– Windows 2000 Professional SP3
– Windows XP Professional SP1
Encryption Algorithms
– AES 128, Triple DES, Blowfish 128, Lite
Certifications
– FIPS 140-2
OBMS Version 1.5 New Key Features
Features
– Windows Mobile 2003 (Smartphone) Shield
  • Samsung i600
  • Motorola MPx 220
– Full Encryption on Palm Shield
– New Devices
  • PalmOne Treo 650 Support
– Port and Application Blocking
– SD Card Encryption
– French, Italian, German, and Spanish Language Support
– Hotfix for OBMG to provide full functionality on Software Distribution
Availability
– Mid March GA
OBMS Version 2.0 Key Features
Features
– Fully integrated into OneBridge Admin Console (part of OneBridge Mobile Groupware 4.5)
– Ability to create Temporary Admin Passwords for Support
– Symbian Shield (Authentication): UIQ and Series 80 devices
Availability
– May 2005
OBMS Version 2.5 Key Features
Features
– Full Encryption on Symbian
– Windows 32 Client
Availability
– Summer 2005
Device Validation Process
Development Details
Action | Responsibility | Duration
Deliver to Extended Systems the device specifications and documentation | Client | –
Deliver to Extended Systems <three> SIM unlocked devices | Client | –
Run OBMG Client test suite | Extended Systems | 2 weeks
Analyse results and scope the additional development work required | Extended Systems | 1 week
Review and agree target delivery date for OBMG Client | Client and Extended Systems | –
Complete additional development work | Extended Systems | TBD
Deliver beta OBMG client to Client for evaluation | Extended Systems | –
Deliver to Extended Systems <one> SIM unlocked device with final ROM | Client | –
Complete OBMG Client QA | Extended Systems | 1 week
Deliver QA’ed OBMG client to Client | Extended Systems | –
Sign off acceptance of OBMG Client | Client | –
Typical Project Duration | – | 4 weeks minimum
[Process diagram steps, as extracted: Certify Device; Additional Development (if required); Conduct Testing; Provision Device; Identify Business Case]
Device Certification Queue
# | Device | Dependency/Comment | Connection | OS | Received Device | Device Verified
1 | Treo Ace/Treo 650* | 4.2 SP1 | Client (Push) | Palm | Yes | No
2 | Sony Ericsson P910 | 4.2 SP1 | Client (Push) | Symbian (UIQ) | Yes | Yes
3 | Nokia 95xx Communicator* | 4.2 SP1 | Client (Push) | Symbian (Series 80) | |
4 | Harrier / XDA III | 4.2 SP1 | Client (Push) | WM2003 (PPC) | Yes | Yes
5 | Orange C500 | | Client (Push) | | Yes |
6 | Dell Axim X3 | BA, Group Health | Client (Push) | WM2003 (PPC) | Yes |
7 | Siemens SX-1 | O2 | SyncML | Symbian (Series 60) | Yes | Yes
8 | Nokia 6230 (SyncML) | 4.2 SP1 | SyncML | Symbian (Series 60) | |
9 | Nokia 7610 (SyncML) | 4.2 SP1 | SyncML | Symbian (Series 60) | |
10 | Nokia 7650 (SyncML) | 4.2 SP1 | SyncML | Symbian (Series 60) | |
11 | Samsung i600 | | Client (Push) | WM2003 (Smartphone) | |
12 | Sierra Wireless Voq | | Client (Push) | WM2003 (Smartphone) | Yes |
13 | Treo 600 (Bell Mobility) | | Client (Push) | Palm OS5 | Yes |
14 | Motorola MPx (previously named MPx300*) | | Client (Push) | WM2003 (PPC) | |
15 | Motorola MPx220 | Fee ($/PR) Requested | Client (Push) | WM2003 (Smartphone) | Yes |
16 | Nokia Communicator 9300 | | Client (Push) | Symbian Series 80 | |
17 | PalmOne T5 | | Client (Push) | Palm OS 5.4 | Yes |
18 | Motorola MPx200 | Fee ($/PR) Requested | Client (Push) | WM2002 (Smartphone) | Yes |
19 | MDA II | | Client (Push) | WM2003 (PPC) | |
20 | Dell Axim X30 | | Client (Push) | WM2003 (PPC) | |
21 | HP 4150 | | Client (Push) | WM2003 (PPC) | Yes |
22 | PalmOne Zire 72 | Fee (~7.5K) | Client (Push) | Palm | |
23 | Motorola A1000 | Fee ($/PR) | Client (Push) | Symbian (UIQ+) | |
24 | Sony Ericsson P900 (SyncML) | | SyncML | Symbian (UIQ) | Yes |
25 | Nokia 6820 (SyncML) | Fee (~5K) | SyncML | Symbian (Series 40) | Yes |
26 | Nokia 6630 (SyncML) | FRQ20191 | SyncML | Symbian Series 60 | |
27 | Nokia 7250i (SyncML) | | SyncML | Symbian (Series 40) | |
Who is Credant?
“The emergence of a highly competitive new vendor, CREDANT Technologies, has raised the threshold at which other vendors can pursue leadership.”
“CREDANT went furthest by offering the most features in the fewest number of products.”
“CREDANT’s comprehensiveness of vision forced a lower comparative ranking of many incumbent vendors.”
“CREDANT’s strong first-year sales are a prelude to leadership.”
Relationship Overview
Sales model
– Territory: Global
– OEM Shield provides the on-device core of the Mobile Secure solution
– Ability to resell any Credant products
– Upgrade pricing available between Shield versions (e.g. Group Edition to Enterprise Edition)
Maintenance & Support
– ESI provides level 1 & 2 to customers
– Credant provides level 3 to ESI
Sales Support
– Credant reps are compensated for partner sales
Competitive Comparison: Enterprise Policy Administration and Device Management
Columns: OneBridge Mobile Secure | Pointsec | Trust Digital
Centrally-defined mobile user security policies: X X X
Automated device detection, inventory and reporting: Claimed
Secure end to end security and mobile messaging: X
OTA distribution of security software: X
Platforms
Palm 3.5 – 5.x: X | No encryption | X
Symbian 2005: X
PPC 2000: X X X
PPC 2002: X X X
PPC 2002 Phone Edition: X | Must unlock before can use phone | Must unlock before can use phone
Windows Mobile 2003: X X X
Windows Mobile Smartphone: X X
Competitive Comparison: Mobile Device Security and Control
Columns: OneBridge Mobile Secure | Pointsec | Trust Digital
Centrally defined mandatory access control: X X X
Phone use without unlocking device: X
On-device and removable storage data encryption: X | Not on Palm | X
FIPS certified encryption algorithms: X X
Self-Service PIN/Password Reset: X
Automatic Kill Action for lost/stolen devices: X X
Application Lockout: X
Port Control – IR, Bluetooth, Network…: X
Forgotten PIN/Password recovery – Administrator in person: X X
Forgotten PIN/Password recovery – secure challenge response over the phone: X
Ability to survive hard reset: Some PPC devices
HP raising security profile with “HP ProtectTools”
On a number of new devices HP is supplying, as part of the in-ROM security, a replacement for the Microsoft logon password solution.
It is also supplied by Credant.
It’s a personal version only, i.e. no central policy management.
It can be turned off and replaced by OBMSecure.
This is a big opportunity… HP are doing all the work… sell OBMSecure to these users. See the following screens.