WHITE PAPER: MEETING MOBILE AND BYOD SECURITY CHALLENGES

Meeting Mobile and BYOD Security Challenges with Digital Certificates

Who should read this paper

This white paper is written for enterprise executives who wish to understand what digital certificates are and why they are invaluable for mobile and Bring Your Own Device (BYOD) security on wired and wireless networks. The paper also illustrates the benefits of adopting Symantec™ Managed PKI Service and provides real-world use cases.

Uploaded by symantec, posted 05-Aug-2015



Contents

Safeguarding Networks in an Increasingly Mobile World (p. 1)
Digital Certificates Address Today’s Business Security Needs (p. 1)
The Challenge of Digital Certificates – Managing the “I” in PKI (p. 2)
Symantec Managed PKI Service: A Proven, Scalable, Cost-Effective Solution (p. 3)
Symantec Managed PKI Service Use Cases (p. 6)
Next Steps (p. 10)

Meeting Mobile and BYOD Security Challenges with Digital Certificates

Safeguarding Networks in an Increasingly Mobile World

Today, businesses and their IT managers must balance the desire to give employees the freedom to use a range of devices, including ones they own (BYOD), to access company network resources against the very real threats those devices pose to the health and safety of the network and its data assets.

The huge growth of wireless and mobile devices such as tablets and smart phones in business communications poses a significant challenge because these devices are easily lost, stolen or compromised. Only by implementing a solution that can identify and monitor them as trusted components can IT managers allow wireless and mobile devices to access network resources.

But there is no going back. Today, 75 percent of North and South American employees and 1.0 billion workers worldwide routinely work outside traditional office environments and need to access a corporate network using mobile devices. The worldwide number is expected to jump to 1.3 billion by 2015, accounting for an eye-opening 37.2 percent of the total workforce. (“Worldwide Mobile Worker Population 2011-2015 Forecast,” IDC, December 2011)

Digital Certificates Address Today’s Business Security Needs

Best practice security requires IT to verify that users and devices can be trusted to access the company network and its applications and data. Even if IT strictly limits the applications available to users, authenticating users is still a priority.

Digital certificates offer a much stronger form of authentication than employing shared secret passwords or access control lists (ACLs). In fact, global enterprises, government organizations, and digitally connected communities recognize digital certificates as the gold standard for highly secure and trusted authentication, digital signatures and encryption.

Digital certificates provide a stable, scalable, and highly secure method of authenticating devices and users. They not only verify the identity of the individual, they can also verify the legitimacy of the device and secure the transport of information across a LAN, wireless LAN (WLAN), public WAN like the Internet, or a mobile cellular network.


Digital certificates protect information assets in the following ways:

• Authentication - Validates the identity of machines and users.

• Encryption - Encodes data to ensure that unauthorized users or machines cannot read transmitted content.

• Digital signing - Provides the electronic equivalent of a hand-written signature; also enables organizations to verify the integrity of data and determine whether it has been tampered with in transit.

• Access control - Works with third-party applications to determine what type of information a user or application can access and what operations can be performed upon access; also called authorization.

• Non-repudiation - Ensures that transactions, communications and data exchanges are legally valid and irrevocable.
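Three of the protections listed above, worked end to end in an added openssl example that is not code from the paper or from Symantec's service: a disposable enterprise root issues a device certificate, the network-side check accepts it and rejects a certificate from an unrelated CA, and a signature made with the device key verifies on the original data but fails once a single byte is altered. The CA names, device identifiers and sample message are constructed; it assumes a POSIX shell and the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the Symantec paper): a throwaway private PKI built
# with the openssl CLI to show three of the certificate functions listed above:
# authentication (does a device certificate chain to OUR enterprise root?),
# digital signing, and integrity (does the signature still verify once the
# signed data has been altered?). All names, paths and the sample message are
# constructed for this demo. Requires the openssl command (1.1.1 or later).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Enterprise root CA. In the paper's model this key lives in a FIPS 140-2 HSM
# at the managed PKI; here it is a disposable key in a temp directory.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/O=Example Corp/CN=Example Corp Device Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# A second, unrelated CA: certificates it issues must NOT be accepted.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/O=Other Org/CN=Other Org Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# issue_device_cert <ca: root|other> <device-id>
# Generates a device key and CSR and has the named CA sign it as an
# end-entity client certificate, the artefact an MDM or SCEP enrollment
# delivers to the device.
issue_device_cert() {
  ca=$1; dev=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/OU=Mobile Devices/CN=$dev" \
    -keyout "$WORK/$dev.key" -out "$WORK/$dev.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/$dev.ext"
  openssl x509 -req -in "$WORK/$dev.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 7 -sha256 -extfile "$WORK/$dev.ext" \
    -out "$WORK/$dev.crt" 2>/dev/null
}

# authenticate_device <device-id>
# The network-side check an access point, VPN gateway or RADIUS server makes:
# accept only certificates that chain to the enterprise root, are inside
# their validity period and carry the clientAuth purpose. Returns 0 or 1.
authenticate_device() {
  if openssl verify -CAfile "$WORK/root.crt" -purpose sslclient \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo "accept: $1"; return 0
  fi
  echo "reject: $1 (does not chain to the enterprise root)"; return 1
}

# sign_and_check <device-id> <file> <tamper: yes|no>
# Signs the file with the device key, optionally appends one byte to the
# copy being checked, then verifies with the public key taken from the
# device certificate. Returns 0 only if the signature still verifies.
sign_and_check() {
  dev=$1; msg=$2; tamper=$3
  openssl dgst -sha256 -sign "$WORK/$dev.key" -out "$WORK/$dev.sig" "$msg"
  cp "$msg" "$WORK/checked.bin"
  if [ "$tamper" = yes ]; then printf 'X' >> "$WORK/checked.bin"; fi
  openssl x509 -in "$WORK/$dev.crt" -pubkey -noout > "$WORK/$dev.pub"
  openssl dgst -sha256 -verify "$WORK/$dev.pub" -signature "$WORK/$dev.sig" \
    "$WORK/checked.bin" >/dev/null 2>&1
}

# Stand-alone demo on constructed sample data.
printf 'device telemetry record 42\n' > "$WORK/msg.txt"
issue_device_cert root ipad-0042        # enrolled through the enterprise CA
issue_device_cert other rogue-device    # issued by an unrelated CA
authenticate_device ipad-0042 || true
authenticate_device rogue-device || true
if sign_and_check ipad-0042 "$WORK/msg.txt" no; then echo "signature OK on untouched data"; fi
if sign_and_check ipad-0042 "$WORK/msg.txt" yes; then :; else echo "signature FAILS on altered data"; fi
```

Revocation (the "R" in certificate lifecycle management discussed later in the paper) is deliberately left out; in a real deployment the verify step would also consult a CRL or OCSP responder.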

Digital certificates easily integrate into existing environments, readily interoperating with virtual private networks (VPNs), virtual desktop integration (VDI), policy control platforms, email software, web browsers, wireless access points, and Mobile Device Management (MDM) platforms. MDMs are used by many organizations to manage mobile devices accessing their networks. Although MDMs are not required components of a mobile device strategy, they do offer certain advantages such as onboarding and offboarding capabilities, device and application security, digital certificate delivery, and full and selective remote wipe capabilities.

The Challenge of Digital Certificates – Managing the “I” in PKI

Taking advantage of the many benefits of digital certificates requires a Public Key Infrastructure (PKI). Common misconceptions are that a PKI is made up solely of certificate enrollment software and hardware, and that all PKIs (free, open source, and commercially available) are equally suited to meet the modern enterprise’s needs. In reality, the software can provide the underlying platform and tools, but it takes significantly more to build a stable, scalable and secure infrastructure.

Single-purpose PKI solutions are typically deployed using open source programs or are what many believe to be “free” programs included in larger server software packages. The most common occurrence of a single-purpose PKI in an organization is what is referred to as a “Project PKI.” This is not a true enterprise PKI, but a collection of public key cryptography tools utilized together to meet a project’s deadlines and operational constraints. More often than not, the “I” in PKI is not considered as a fundamental design requirement, in order to avoid the costly impact on the project. Such practices lead to the creation of multiple Project PKIs, each with their own set of unique requirements.

The most well-known, and purportedly easy to deploy, example of a single-purpose PKI solution is Microsoft® Active Directory™ Certificate Services. It is more sophisticated than a loose collection of tools, including such basic certificate lifecycle management capabilities as auto-enrollment, but beneath the veneer of simplicity lie a number of hidden weaknesses. Platform-specific software such as Microsoft Active Directory Certificate Services provides a basic platform and set of tools that can perform basic PKI functions, but the reality is there are many critical PKI aspects that cannot be addressed without complex supporting infrastructure:

• Single-purpose PKI solutions generally have either limited or single platform support. This ignores the reality that the modern enterprise network is an increasingly heterogeneous and mobile environment that must support a variety of devices and operating systems.

• Single-purpose solutions lack the automation and full lifecycle management features of purchased enterprise solutions. In addition, most single-purpose solutions lack the self-service options that allow select employees to request and manage certificates for unique needs.

• Furthermore, although small-scale PKI solutions can easily provide certificates for their own employees, they are usually not in a position to issue certificates that are automatically trusted outside the organization. This lack of external trust poses a challenge for applications such as secure email or digital document signing, which depend on it.

• Without proper planning, a single-purpose PKI lacks the ability to deliver the reliability required across mission-critical security applications.

• Finally, as a company grows, it is forced to deploy multiple single-purpose PKIs. The resulting expense and overhead makes it a costly choice in the long run.


A secure, enterprise-scale PKI is a combination of hardware, software, facilities, people, policies, and processes employed to create, manage, store, distribute, and revoke digital certificates. Building an on-premise PKI requires managing the purchase, deployment, expiration and renewal of digital certificates for multiple servers, email, purposes and users, often in many different locations and from many different vendors, which can lead to critical application outages if reliability is not rock solid.

The following figure illustrates the various aspects of building a PKI infrastructure:

Implementing all the components that make up a robust, secure PKI is time-consuming and costly and requires that the organization accept a certain amount of risk in the event there is a breach or the root certificate is compromised. Managing internal digital certificates for identities, devices and machines can further compound the challenge.

Symantec Managed PKI Service: A Proven, Scalable, Cost-Effective Solution

Symantec Managed PKI Service enables organizations of any size to cost effectively deploy and control certificate lifecycle processes for all devices, from desktops to cell phones, and from fully owned and managed devices to wide open BYOD situations, with a level of security that other PKI solutions, especially in-house PKI solutions, cannot begin to match.

Because it is cloud-based, Symantec Managed PKI Service economically fits a range of business needs, from tens to tens of thousands of devices. The figure below shows how the service handles multiple network security applications.


Convenient for Users No Matter What Device They Choose

Mobility and BYOD offer companies the opportunity to improve efficiency, increase workplace effectiveness and accomplish things faster. However, these trends pose very real dangers in lost or stolen devices, data loss and malware infecting the corporate network. The challenge is to balance the multiple lines of defense IT understandably erects to safeguard the company network with user demands for more convenience.

Fortunately, Symantec’s digital certificates can be used to securely authenticate users and their devices without the need for hardware tokens, additional programming, or an MDM, because the service includes automated enrollment capabilities. In addition, once the digital certificate is installed, the second factor of the authentication process is completely transparent to users. Unlike “free” single-purpose solutions, Symantec Managed PKI does not require laptop users to configure usage by application or by browser, and client software automatically stays current through Symantec’s Live Update™ feature.

Symantec Managed PKI Service also works with industry-leading MDM products from MobileIron®, AirWatch®, and Fiberlink as well as Symantec™ Mobile Management to seamlessly handle content security on mobile devices. With or without an MDM, enrollment is essentially the same for laptop, desktop and mobile users. Symantec Managed PKI Service provides special localizable and custom branded enrollment pages for end-user registration and certificate renewal.

One commonly overlooked security benefit of the Symantec Managed PKI Service is that because it is a cloud-based service, the validation server is hosted outside the firewall; this means there is no need for security compromises, such as firewall holes, that in-house solutions require to authenticate mobile devices. With Symantec Managed PKI Service the organization is not required to accept any additional security risks to support mobile devices; and suppliers, partners, contractors, visitors, and temporary employees can be given access to defined areas of the network to perform their jobs without compromising the corporate core.


Delivering Non-Stop, Trusted Security

Another compelling reason to consider Symantec Managed PKI Service is Symantec’s worldwide reputation. The company is a global leader in providing security, storage and systems management solutions for small businesses all the way to large global enterprises.

It is Symantec’s mission to secure and manage information against more risks at more points, more completely and efficiently than any other company. Symantec leverages over 15 years of security expertise and over 300 million issued credentials to anticipate and respond to the evolving threat landscape and to technology advances.

The multiple accreditations Symantec has earned from internationally recognized standards bodies such as WebTrust, International Organization for Standardization (ISO), Federal Information Security Management Act (FISMA), and National Institute of Standards and Technology (NIST) attest to its high security standards. Trying to duplicate the global reach, high availability and disaster recovery infrastructure of Symantec Managed PKI Service would be prohibitively expensive for any organization, for several reasons[1]:

• Symantec’s cloud infrastructure is operated from multiple ANSI/TIA-942 Tier 4 data centers (the most stringent level of data center), located physically and logically separated from its corporate network.

• Fully redundant fault-tolerant subsystems and compartmentalized security zones are controlled by biometric access restriction methods. All IT equipment is dual-powered and served by multiple independent distribution paths. Cooling and power infrastructures are independently dual-powered.

• Cryptographic keys are generated on dedicated Federal Information Processing Standard (FIPS) 140-2 compliant hardware security modules and stored in an encrypted format.

• Symantec employs an independent external global service to monitor its critical services and perform daily vulnerability scans. The infrastructure undergoes multiple audits by WebTrust and PCI, among others, on an annual basis. Business continuity and disaster recovery plans are also tested on a regular basis.

It is easy to understand why Symantec Managed PKI Service can offer a binding SLA with a 99.95 percent uptime guarantee.

Reducing Complexity while Providing Scalability and Flexibility

Symantec Managed PKI Service’s competitive edge arises from its flexibility to scale incrementally as an organization’s needs grow. Its PKI infrastructure is designed to handle more than 100 million certificates per year, but it is also designed to meet individual customer needs; companies can add or delete certificates as needed.

Another key competitive factor is Symantec’s ability to eliminate risks to information, technology and processes independent of the device, platform, interaction or location. For example, as a recognized industry Certificate Authority (CA), Symantec issues X.509 certificates that support a wide range of operating systems, devices, VPN, email, web browsers, and ecosystems. Certificate profiles inherently cover common applications such as email encryption and signing, Adobe® PDF signing, and Microsoft Exchange/ActiveSync.

Cloud-based Authentication – a Cost-Effective Solution

One of the most compelling reasons to consider Symantec Managed PKI Service is the financial one. Compared to in-house PKI functions, the managed service is very scalable and cost effective and grows more so over time. One cost analysis demonstrated that over three years, total acquisition and recurring costs for an on-premise solution for 1,000 users was more than $500,000. That is 2.5 times more than the total cost for Symantec Managed PKI Service over that same three year period.[2]

[1] Fact Sheet: Symantec User Authentication Solutions Infrastructure Security

Symantec Managed PKI Service achieves these impressive cost savings in several ways:

• By eliminating costly hardware and software purchase and maintenance expenses.

• By eliminating labor costs associated with the planning, building, and maintaining of a certificate management infrastructure.

• By reducing labor costs through the automation of certificate provisioning and application configuration tasks. A single staff member can administer a managed solution.

• By minimizing operation costs. A Symantec Managed PKI Service user seat (certificate) covers all devices, a potential savings of three to four times the cost of competitive solutions that charge for each device.

Symantec Managed PKI Service Use Cases

This section of the paper takes a closer look at four customer successes with Symantec Managed PKI Service. These use cases exemplify how Symantec’s experience and knowledge can significantly transform the way organizations secure their business.

Use Case 1: Company-Owned Mobile Device Authentication

A global Internet service provider came to Symantec with an initial need to manage 12,000 company-owned mobile devices and meet an extremely aggressive deployment timetable.

Challenge:

• Need to authenticate company-owned Apple® iOS iPads® and iPhones®.

• Top executives pushing IT staff to deploy a solution in less than one month.

Mobile Authentication Solution:

• Symantec Managed PKI Service provides a flexible platform to issue and manage certificates for all employee mobile devices. It works with the company’s MDM, MobileIron, which provisions iOS devices, treating the Symantec digital certificates as an application or secure data to be managed on the device.

• Mobile users are not charged for airtime during the authentication process or anytime they are on the company’s wireless network.

[2] Comparing Cost of Ownership: Symantec™ Managed PKI Service vs. On-Premise Software, April 2012


Benefits:

• Symantec met the aggressive deadline with a flawless deployment. A quick and easy deployment reduces disruption to the organization, and choosing a managed service allows the company to focus on the business problem rather than on building out a PKI infrastructure.

• With automated certificate provisioning and application configuration, a single administrator can handle the entire enterprise network.

Next Steps:

• Thanks to the success of the mobile device implementation, the company plans to use Symantec Managed PKI Service to authenticate its company-owned laptops. These laptops do not require additional certificates because they use the same user certificates, adding to the cost savings.

Use Case 2: Company-Owned Mixed Device Authentication

A Fortune 500 manufacturing conglomerate that recently changed its network architecture to support anywhere access needed a flexible, all-in-one solution to manage the authentication of tens of thousands of company-owned laptops and mobile devices.

Challenge:

• Need to authenticate Apple iOS iPads and iPhones and Windows laptops connecting over Internet VPNs or over onsite wired or wireless networks.

• Company cannot afford the risk of a trusted root certificate being compromised.

Mixed Authentication Solution:

• Mobile users: Symantec Managed PKI Service works with the company’s MDM, AirWatch, to manage certificate deployment, installation, configuration and renewal on iOS devices.

• Laptop users: Symantec Managed PKI Client manages certificate deployment, installation, configuration and renewal on Windows-based laptops.

• Email: Digital IDs for Secure Email, also included in Symantec Managed PKI Service, sign and encrypt communications in email applications such as Outlook and Mozilla Thunderbird using Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates bound to validated email addresses. The service also provides certificates that can represent an entire department or business unit.


Benefits:

• Authentication is fully automated and completely transparent to both laptop and mobile users; client software automatically keeps current through Symantec’s Live Update™ technology.

• Recipients of emails from this company can trust their origin and trust that content has not been tampered with during transit.

• Symantec’s per-user seat covers all devices for each user, a potential savings of two to three times the cost of competitive solutions that charge for each device.

Next Steps:

• The solution has been so successful that the manufacturer is looking to add digital certificates managed by Symantec Managed PKI Service for machine-to-machine (M2M) communications in durable goods to reduce operating costs, increase revenue, and streamline production and delivery processes.

Use Case 3: Mobile BYOD Authentication for Wireless Network Access

A Fortune 500 pharmaceutical company was implementing a new wireless network on a tight schedule and needed a solid, quickly implementable solution to manage the authentication of tens of thousands of BYOD mobile devices. The company recognized that Microsoft Active Directory Certificate Services was not really a free solution, requiring in-house expertise to deploy, monitor and manage PKI processes successfully.

Challenge:

• Authenticate any BYOD mobile device transparently to users.

• Deploy the solution for 32,000 BlackBerrys, iPads, and iPhones in six weeks.

• Meet stringent Federal government security regulations.

Mobile BYOD Authentication Solution:

• Symantec Managed PKI Service works with the company’s MDM, MobileIron, which manages certificate deployment, installation, configuration and renewal on iOS devices.

• Symantec Managed PKI Service works with the auto-enrollment server to deploy certificates to all Windows laptop users.


Benefits:

• Symantec Professional Services had the knowledge and expertise to meet the aggressive deadline, deploying the solution flawlessly in less than one month.

• Users noticed no change in connectivity or response time. Outsourcing eliminated the need to hire six to ten full-time temporary PKI engineers to develop the solution in-house.

• Authentication is fully automated and completely transparent to both laptop and mobile users; client software automatically keeps current through Symantec’s Live Update™ technology.

• Symantec Managed PKI Service meets top federal regulations, including NIST SP 800-53, which specifies security controls for information systems in U.S. federal government executive agencies. It is also FIPS-201 cross-certified with the U.S. Federal Bridge Certification Authority for personal identity verification (PIV) for smart cards.

Next Steps:

• Thanks to the success of the BYOD mobile device implementation, the company is considering Symantec Managed PKI Service for authenticating BYOD PCs. The PCs will use the same user certificates, adding to the cost savings.

Use Case 4: Bring Your Own Everything (BYOE) Authentication

This Fortune 500 insurance company decided to allow users to access its network with whichever devices they choose. The long-time Symantec customer needed to meet an extremely aggressive deadline to deploy the authentication solution.

Challenge:

• Need to authenticate a range of devices for 15,000 users.

• Need to ensure that no data or resources leave the corporate network.

• Company cannot afford the risk of a trusted root certificate being compromised.

• Executives pushing IT staff to deploy a solution in less than 6 weeks.

All-in-One Authentication Solution:

• Symantec Managed PKI Service integrates with the company’s VLAN web page to manage the certificate enrollment process. Users requesting network access are directed to the web page to request and receive certificates.

• Symantec PKI Client handles certificate installation and configuration for laptops, notepads and non-iOS mobile devices. Symantec Managed PKI Service uses the native iOS protocols Over-the-Air (OTA) and Simple Certificate Enrollment Protocol (SCEP) to provision Apple devices such as iMac® laptops, iPads and iPhones.


Benefits:

• Symantec met the aggressive deadline with a flawless deployment. The company can continue to rely on Symantec’s over 15 years of certificate security expertise and ongoing leadership to protect their data and resources.

• Users determine which devices they prefer to use without corporate constraints, improving productivity. After initial enrollment, the certificate process is seamless and transparent for all users, which significantly reduces IT time.

• VDI separates and secures network applications and resources so no data leaves the corporate environment.

Next Steps

More information can be found about Symantec Managed PKI Service on the web: http://www.symantec.com/business/verisign/managed-pki-service

A free trial of Symantec Managed PKI Service is also available: http://www.symantec.com/business/theme.jsp?themeid=free-trial

The full-featured trial includes all the Symantec Managed PKI deployment options, ranging from a fully cloud-based deployment to a hybrid Enterprise Gateway deployment. The trial is limited to 90 days and up to 100 users.


About Symantec

Symantec protects the world’s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 7/2013 21307003
