Securing Mobile Apps: New Approaches for the BYOD World


Upload: apperian

Posted on 01-Dec-2014

Category: Technology

DESCRIPTION

In this webinar we discussed the future of mobile application security in the enterprise. Smartphones, tablets and even e-readers are now seen as security problems for an enterprise by some IT organizations. Applying MDM (mobile device management) has been IT's response for handling devices, but this approach is lacking, especially now that BYOD (bring your own device) has become the primary source of devices in companies. And as "apps" have proliferated, the apps and data are becoming the engine of user empowerment and ROI, and of risk. Users are not accepting the restrictions MDM places on their use of the phone, especially when the user actually owns the device; and if the user leaves, IT may wipe the device, personal data and all. Mobile Application Management (MAM) promises a solution that keeps enterprise apps and data separate and secure. Other approaches are coming in the future as well. Virtualization promises that one phone can run two VMs, one personal and one business. There are containers and sandboxed apps. Ultimately, different approaches to application development and management could solve the puzzle of protecting confidential data while keeping individuals productive. What approach will win out?

TRANSCRIPT

Page 1: Securing Mobile Apps: New Approaches for the BYOD World

The information and images contained in this document are of a proprietary and confidential nature. The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than client evaluation without the written permission of Apperian, Inc. is strictly prohibited.

© Apperian, Inc. 2012. All Rights Reserved.

Securing Mobile Apps: New Approaches for the BYOD World

Presented by: Cimarron Buser, Apperian, Inc.

Page 2: Securing Mobile Apps: New Approaches for the BYOD World

Today’s Webinar

Twitter: #AppSecurity

Direct Messages: “Chat Box” in Webinar Session

Q&A At the End of the Presentation

Page 3: Securing Mobile Apps: New Approaches for the BYOD World


About Apperian

Top tier investors

Company to Watch

Experienced team Strong customer base

Award winning product

2012 Product Finalist


Page 4: Securing Mobile Apps: New Approaches for the BYOD World

Agenda

•  Challenges for Mobile Apps and Security

•  Security in Context: Mobile Enterprise Strategy

•  Many Options: MDM, MEAP, MAM, MSSS …

•  Specific Approaches: Virtualization, Sandboxes, Wrappers, and SDKs

•  Moving Forward: Balancing and Managing Mobile Risk

Mobile Device & App Security

Page 5: Securing Mobile Apps: New Approaches for the BYOD World

Challenges for Mobile Security

Users
•  “BYOD”
•  Consumerization of IT
•  Single personal/work device
•  Increased mobility
“I want quick and easy access to business apps and data!”

IT
•  Need a solution now!
•  Security is still #1
•  Have to mobilize workforce
“How do I securely deploy and manage devices and apps?”

Dev
•  Need app examples
•  Lack of IT Apple or Android experience
•  Smartphone SDKs not built for enterprise
“How do I make an enterprise-grade app?”

Page 6: Securing Mobile Apps: New Approaches for the BYOD World

Challenge: Where do users get the Apps?

Public store (iTunes App Store or Google Market)
•  Consumer app focus
•  Apps and updates are “optional”
•  Personal iTunes or Gmail account based

Private “App Catalog” approach
•  Enterprise “in-house” app focus
•  Apps and updates “mandatory”
•  Corporate directory authenticated

Page 7: Securing Mobile Apps: New Approaches for the BYOD World

Security in Context: Mobile Enterprise Strategy

[Figure] Source: The Enterprise Mobility Foundation

Page 8: Securing Mobile Apps: New Approaches for the BYOD World

Security in Context: How Big is the Threat?

•  Mobile is an “attack surface” that can be exploited

•  Unmanaged devices, networks, OSs, apps, data flows and storage

•  Mobile risk exists, and past “events” sound scary

•  Since 2001, $25B+ in losses (PC/Windows based)

•  Mobile anti-virus and anti-malware are emerging

•  But so far, no “major” similar events in mobile

•  However, SMS fraud is still a problem…

Example SMS fraud message shown on the slide: “Congratulations!!! You won R1,000,000.00 in the on-going Chevron UK bonanza. Claim code: CHVUKB/SA/10. Call Elizabeth on 0835161978 from 9am to 4pm for claim.”

Page 9: Securing Mobile Apps: New Approaches for the BYOD World


Enterprise Mobile Apps

R U Ready?

Page 10: Securing Mobile Apps: New Approaches for the BYOD World

Many Options: But it’s Alphabet Soup!

•  The Acronyms:
   •  MDM: Mobile Device Management
   •  MEAP: Mobile Enterprise Application Platform
   •  MAM: Mobile Application Management
   •  MSSS: Mobile Security Software Suite

•  The Approaches:
   •  Virtualization, Wrappers, SDKs, Sandboxes…

Mobile Device & App Security Options

Page 11: Securing Mobile Apps: New Approaches for the BYOD World

Many Security Touch Points

Layer: touch points
•  Visibility: Policy, Monitoring, GRC
•  User: Auth-n/z, Education, Policies
•  App: SDK, Wrapper, Middleware
•  Partition: VM, Container, Partition
•  Agent: AV, Firewall, Blacklist
•  Device: VPN, Location, Encryption
•  OS: Sandbox, Profiles, APIs
•  Network: Carrier, Wi-Fi, Bluetooth

Page 12: Securing Mobile Apps: New Approaches for the BYOD World

Anatomy of an iOS Device Security Posture

Layers, top to bottom:

•  Remediation: Remotely wipe devices, track lost or stolen devices, ensure deletion of data.

•  Auth-n/z: Manage access and authorize users based on enterprise credentials.

•  App Container: Secure container with app content based on user role; SDK extends to apps.

•  MDM: Manage settings, ensure compliance policies, remotely wipe and delete.

•  Device Profiles: Control security settings for VPN, Wi-Fi, email and authentication.

•  Device Encryption: Apps and data at rest protected via hardware encryption. (The slide also claims protection “in use”; encryption at rest does not cover data an unlocked app holds in memory, which is what the sandbox and passcode layers are for.)

•  App Sandbox: Limited access to files, preferences, network, hardware and other apps.

Same capabilities available to all.

Page 13: Securing Mobile Apps: New Approaches for the BYOD World

MDM - Mobile Device Management

MDM focuses on device-based security, provisioning and control of mobile devices. Additional features may provide TEMS (telecom expense management), device inventory, and app lists (part of MAM).

•  MDM is useful for organizations requiring a high level of control over corporate-liable (CL) devices due to regulatory requirements, or where the risk of users accessing “non-approved” information is high.

•  Microsoft Exchange Server provides device management features via Exchange ActiveSync policies, including a security profile (e.g., the user must have a PIN code of a specific type and length) and remote device “wipe” and “lock”.

•  Apple iOS supports a protocol called “MDM” that allows iOS devices to enroll with a central server and thereafter receive specific commands to perform tasks, e.g., “device wipe”, install configuration profiles, or report device status, without user intervention.

Page 14: Securing Mobile Apps: New Approaches for the BYOD World

MDM – Device Management Examples

Microsoft Exchange 2007 Server - Device Management feature

Google Apps Device Management Console

Page 15: Securing Mobile Apps: New Approaches for the BYOD World

MEAP - Mobile Enterprise Application Platform

MEAPs provide “tools and client/server middleware for mobile (targeting any sort of mobile application) and multichannel (highly device/OS- and network-adaptive) thick (offline) enterprise application development”*

•  MEAPs are used by some organizations that require an integrated development environment.

•  MEAPs are attractive to companies that want to deploy an enterprise-wide solution across many different device types, using central logic for large, complex apps.

•  MEAP sandboxes host multiple applications within a single “native app” sandbox, providing control over those applications from a single dashboard. Note that the OS then isolates the container app from other apps, not the hosted applications from each other; separation inside the container is only as strong as the MEAP runtime enforces it.

* Source: Gartner Group

Page 16: Securing Mobile Apps: New Approaches for the BYOD World

MEAP - Example

Source: Antenna Software: AMP Platform

Page 17: Securing Mobile Apps: New Approaches for the BYOD World

MAM - Mobile Application Management

MAM focuses on the role-based security, provisioning and control of mobile apps in an organization, with capabilities that may include device inventory, reporting/tracking, and user compliance.

•  MAM is useful for organizations providing “in-house” apps to users on either CL (corporate-liable) or IL (individual-liable) devices. For example, if a user leaves an organization or group, apps and data belonging to the organization can be de-provisioned without resorting to a full “device wipe”.

•  MAM solutions are typically used in mixed (CL/IL) environments or where BYOD policies are implemented.

•  Both iOS and Android support over-the-air delivery, which enables apps and profiles to be delivered from an enterprise server.
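The de-provisioning logic that the MDM and MAM slides contrast, written out as an added example (it is not Apperian's EASE code or any vendor's API): entitlements come from directory groups, apps the catalog does not manage are never touched, mandatory updates are enforced, and a departing user triggers a full device wipe only when the device is corporate-liable. The app identifiers, group names, version strings and action vocabulary are assumptions for illustration.

```python
"""Ownership-aware app de-provisioning for a MAM catalog (added illustration).

Assumptions (not from the deck): app identifiers, directory group names,
version strings and the action names the MAM agent understands.
"""
from dataclasses import dataclass, field

CORPORATE_LIABLE = "CL"   # company owns the device: a full wipe is acceptable
INDIVIDUAL_LIABLE = "IL"  # BYOD: only enterprise apps and their data may go


@dataclass(frozen=True)
class App:
    app_id: str
    groups: frozenset        # directory groups entitled to this app
    min_version: str         # anything older is a "mandatory" update


@dataclass
class User:
    username: str
    groups: frozenset
    active: bool = True      # False once the user has left the organization


@dataclass
class Device:
    device_id: str
    owner: str                                     # CORPORATE_LIABLE or INDIVIDUAL_LIABLE
    installed: dict = field(default_factory=dict)  # app_id -> installed version


# Constructed sample catalog.
CATALOG = (
    App("com.example.crm", frozenset({"sales"}), "2.1.0"),
    App("com.example.expenses", frozenset({"sales", "finance"}), "1.4.2"),
    App("com.example.hr", frozenset({"hr"}), "3.0.0"),
)


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def entitled_apps(user: User, catalog) -> set:
    """Role-based entitlement: an inactive user is entitled to nothing."""
    if not user.active:
        return set()
    return {app.app_id for app in catalog if app.groups & user.groups}


def reconcile(user: User, device: Device, catalog=CATALOG) -> list:
    """Return the ordered (action, target) list the MAM agent should execute.

    Only apps the catalog manages are considered, so personal apps on a BYOD
    device are never inspected or removed.  A full device wipe is issued only
    when the user is gone AND the device is corporate-liable.
    """
    managed = {app.app_id: app for app in catalog}
    wanted = entitled_apps(user, catalog)
    present = set(device.installed) & set(managed)
    actions = []
    for app_id in sorted(present - wanted):
        actions.append(("wipe_app_data", app_id))     # selective wipe of one app
    for app_id in sorted(wanted - present):
        actions.append(("install", app_id))
    for app_id in sorted(wanted & present):
        if version_key(device.installed[app_id]) < version_key(managed[app_id].min_version):
            actions.append(("force_update", app_id))  # updates are mandatory
    if not user.active and device.owner == CORPORATE_LIABLE:
        actions.append(("device_wipe", device.device_id))
    return actions


if __name__ == "__main__":
    alice = User("alice", frozenset({"sales"}))
    byod = Device("ios-7f3a", INDIVIDUAL_LIABLE,
                  {"com.example.crm": "2.0.0", "com.example.expenses": "1.4.2",
                   "com.personal.game": "1.0"})
    print(reconcile(alice, byod))   # only a forced update of the out-of-date CRM app
    alice.active = False
    print(reconcile(alice, byod))   # both enterprise apps wiped; the BYOD device itself is not
```

Running it shows the distinction the deck draws: on the individual-liable device the departing user's CRM and expenses data are wiped app by app while the personal game is never mentioned, and the `device_wipe` action appears only when the same reconciliation is run against a corporate-liable device.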

Page 18: Securing Mobile Apps: New Approaches for the BYOD World

MAM - Example

Source: Apperian, Inc. – EASE App Catalog

Page 19: Securing Mobile Apps: New Approaches for the BYOD World

MSSS - Mobile Security Software Suite

MSSS focuses on providing a complete “suite” of solutions that may include antivirus, personal firewall, VPN, encryption, anti-spam, and remote monitoring and control services.

•  MSSS solutions extend traditional “enterprise” protections for the PC environment to mobility. Services can include remote backup and restore, lost and stolen device location, and data wipe.

•  MSSS can also send an alert when “security” events occur, e.g., when a SIM card has been removed or replaced.

•  MSSS capabilities are beginning to overlap with, or be subsumed by, MDM or built-in OS solutions (e.g., iCloud), and certain features, such as anti-virus, are not necessarily viewed as critical… yet.

Page 20: Securing Mobile Apps: New Approaches for the BYOD World

Approaches to Data/App Security

•  Virtualization allows a device to have a different “partition” or “persona” that provides two or more virtual device modes; apps built for these modes may require an SDK or wrapper.

•  SDKs provide direct support to native app developers for authentication, authorization, reporting/tracking and other services, so that app and data security can be enforced in the app’s own code.

•  Wrappers offer the promise of “wrapping” an existing mobile app without the need to recompile or change code; the resulting app can then be managed centrally. A wrapper can only interpose on behaviour it can see, typically the app’s OS and library calls; it does not fix flaws in the app’s own logic.

•  Sandboxes allow a single app or multiple apps to live within a “sandbox”, logically separated from other apps but managed centrally.

… Application developers may use one or more of these approaches to address security issues, or use “do it yourself” methods.

* Source: ISO

Page 21: Securing Mobile Apps: New Approaches for the BYOD World

Mobile Security Solutions

The slide plots vendors on two axes, Device Management and App and Data Management; the “Holy Grail Solution” sits where both are covered.

•  MDM: MobileIron, AirWatch, BoxTone
•  MAM: Apperian, AppCentral, Partnerpedia
•  Wrappers: Mocana, Arxan
•  MSSS: Symantec, McAfee, RSA
•  Device Mgmt: MS Exchange, Google DM, Apple Profile Manager
•  Virtualization (OS): VMware Horizon, AT&T Toggle
•  MEAP (Sandboxes): Antenna, Sybase, Pyxis, GOOD

Page 22: Securing Mobile Apps: New Approaches for the BYOD World

Moving Forward: Balancing Risk and Objectives

Each security objective, its definition, and the adverse effect of a breach at each risk level (Low, Medium, High):

Security Objective: Confidentiality
  Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  Risk: Unauthorized disclosure of information … to organizational operations, organizational assets, or individuals. Low: limited adverse effect. Medium: serious adverse effect. High: severe or catastrophic adverse effect.

Security Objective: Integrity
  Definition: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  Risk: Unauthorized modification or destruction of information … to operations, organizational assets, or individuals. Low: limited adverse effect. Medium: serious adverse effect. High: severe or catastrophic adverse effect.

Security Objective: Availability
  Definition: Ensuring timely and reliable access to and use of information.
  Risk: Disruption of access to or use of information or an information system … on organizational operations, organizational assets, or individuals. Low: limited adverse effect. Medium: serious adverse effect. High: severe or catastrophic adverse effect.

Source: Adapted from “Standards for Security Categorization of Federal Information and Information Systems” (FIPS PUB 199)
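The high-water-mark rule the table is adapted from, as an added example rather than anything in the deck: FIPS 199 rates every information type an app handles against each of the three objectives, takes the highest impact per objective, and then takes the highest of those as the overall category. The deck’s “Medium” is FIPS 199’s “Moderate”. The sample expense app, its information types and their impact ratings are constructed for illustration.

```python
"""FIPS 199 security categorization by high-water mark (added illustration).

The information types and their impact ratings below are constructed for the
example; the aggregation rule is the one FIPS PUB 199 prescribes.
"""

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("low", "moderate", "high")   # the deck's "Medium" is FIPS 199 "Moderate"
RANK = {level: i for i, level in enumerate(LEVELS)}


def high_water(levels) -> str:
    """Highest impact level among an iterable of level names."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels supplied")
    for level in levels:
        if level not in RANK:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=RANK.__getitem__)


def categorize(info_types: dict):
    """info_types maps each information type the app stores or transmits to
    its {objective: level} ratings.  Returns ({objective: level}, overall)."""
    per_objective = {
        obj: high_water(ratings[obj] for ratings in info_types.values())
        for obj in OBJECTIVES
    }
    return per_objective, high_water(per_objective.values())


def format_sc(per_objective: dict) -> str:
    """Render the categorization in FIPS 199 notation."""
    parts = ", ".join(f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a BYOD expense-reporting app and the data it touches.
EXPENSE_APP = {
    "employee PII (names, bank details)": {"confidentiality": "moderate",
                                           "integrity": "moderate",
                                           "availability": "low"},
    "receipt images":                     {"confidentiality": "low",
                                           "integrity": "low",
                                           "availability": "low"},
    "general-ledger postings":            {"confidentiality": "moderate",
                                           "integrity": "high",
                                           "availability": "moderate"},
}

if __name__ == "__main__":
    per_obj, overall = categorize(EXPENSE_APP)
    print(format_sc(per_obj), "-> overall", overall.upper())
```

For the sample app the single high-impact rating (integrity of ledger postings) drives the overall category to HIGH even though most of its data is low or moderate, which is exactly why the deck tells you to find the “high impact” areas first: one information type decides where the strongest controls have to go.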

Page 23: Securing Mobile Apps: New Approaches for the BYOD World

Moving Forward: Making a Plan

•  Make security part of the overall strategy

•  Focus on “high impact” areas

•  Establish basic policies and a user agreement
   •  “Best practices” including encryption for data in transit and data at rest
   •  Basic security policy for PINs, registration (“Find Me”) and enabling wipe for company and user

•  Have a plan in place for a data breach
   •  Event reporting protocol
   •  Specific steps and actions

•  Measure and monitor

Page 24: Securing Mobile Apps: New Approaches for the BYOD World


Q&A

www.apperian.com

Additional Questions?

Contact Cimarron Buser

[email protected]