Consumer Technology: at Home in the Enterprise


Like the smartphone before it, the tablet is blurring the line between consumer toy and enterprise workhorse. Developed to be intuitive, sleek, and fun, consumer technology like the tablet has plenty of immediately apparent advantages over what a corporation would traditionally choose for its employees. It is no wonder, then, that these consumer tools leak over the corporate boundaries—despite the security flaws that come with something designed to play games and read restaurant reviews instead of analyzing customer data.

This crossover isn’t a surprise when you remember that enterprise users are consumers in their spare time. Once they are comfortable with a tool, they want to use it for whatever the task at hand may be. With the increase in mobile and remote workers, enterprise boundaries have become more porous, allowing non-secured devices access to resources that would formerly have been tucked securely behind a firewall.

This poses a dilemma for enterprise IT decision-makers: how to promote user productivity by allowing tablets, without creating a gaping hole in security. In short, they need to somehow marry consumer simplicity and enterprise security.

MDM is Not the Only Answer

In response to this dilemma, the Mobile Device Management (MDM) segment of the security industry has embraced security and policy management for handheld devices such as tablets and smartphones. Many enterprises are coming to accept that they must allow mobile devices onto their networks, and they are likewise resigned to deploying third-party MDM as a necessary evil to manage these devices. As a result, recent years have seen an explosion in the number of vendors offering MDM to support the mobile trend.

However, the security features offered by MDM, mainly consisting of the ability to remotely lock or wipe a device, do not meet the more stringent expectations enterprises have formed over years of PC use. The subset of security capabilities offered by MDM is much smaller, therefore making the sharing of sensitive data to mobile devices more impractical and potentially dangerous.

Know What You Have

When deploying tablets in the enterprise, shouldn’t you expect every bit as much functionality as you had when you were only handling PCs? Incorporating tablets into the enterprise fleet doesn’t have to mean compromising the security precautions enterprises have worked to establish. It doesn’t even mean moving away from familiar technology (e.g. Microsoft Active Directory). Extending PC security to enterprise tablet deployments is as simple as knowing what tools are at your disposal.

First, it’s critical to know the importance of hardware. In PCs, the Trusted Platform Module (TPM) is an industry-standard security chip soldered directly onto the motherboard and shipping on most business-class PCs today (over 600 million to date). Embedded hardware such as the TPM serves a critical enterprise security function by storing credentials in hardware rather than in software, thus acting as a root of trust and eliminating the man-in-the-middle and software attacks that can compromise other common authentication tools. Layering authentication factors such as embedded hardware and biometrics (e.g. fingerprints) provides high assurance that only authorized users are accessing sensitive resources.

Embedded hardware security also ships on a number of tablets that have been designed with the enterprise in mind. Wave’s solution supports all versions of TPM and all Windows 8 Pro tablets, convertibles and hybrids.

MANAGING TABLETS IN THE ENTERPRISE

Solution Brief

According to a ReadWrite Mobile article citing Forrester Research, a majority of information workers would choose a Windows tablet over other options (32%, as opposed to 26% for iOS), achieving the goal of happy users and a secure enterprise. http://readwrite.com/2013/02/04/200-million-workers-want-windows-8-tablets-not-ipads

When managed by Wave’s management solution, embedded hardware security functions as an “enterprise SIM” and can ensure that only known devices (whether PCs or tablets) are authenticating to the network. SIM cards, or subscriber identity modules, are hardware chips that have been used by mobile phone networks for more than a decade to assure that the right services are provided to the right users, among other things. This model can be extrapolated to other kinds of networks, allowing enterprises to know and control which devices are connecting to their network. This assurance is further strengthened by adding a second authentication factor such as a fingerprint. Let’s say, for instance, that an enterprise chooses to deploy Windows 8 Pro tablets managed by the Wave solution. The enterprise will be able to:

Secure WiFi

Instead of using one password to sign on to Windows and another to sign on to WiFi, users authenticate to the hardware embedded in their machines, and this hardware automatically provides the credentials that sign them on to the enterprise WiFi using 802.1X. This better secures enterprise wireless by requiring the stronger, hardware-based credentials of the device, and it also streamlines the user experience, increasing employee productivity. Because the shared SSID password is forgone entirely, nobody can gain access to enterprise-wide WiFi by stealing a device and extracting the credentials.

Secure DirectAccess

Microsoft’s DirectAccess provides password-free network connectivity without traditional VPN, and has the advantage of being integrated into the Windows platform. Using Wave’s management solution, enterprises can store DirectAccess credentials on embedded hardware, strengthening the security of their DirectAccess program and providing full access to any internal resources without interfering with a seamless user experience.

Secure VPN

Wave’s management solution can also secure traditional VPN, storing credentials in the embedded hardware and allowing IT to secure network resources against unauthorized devices. By securing and automating VPN authentication this way, enterprises don’t have to worry about token or smartcard deployment, and can immediately detect theft or loss.

Use Virtual Smart Cards

Securing credentials in embedded hardware can be used to replace deployments of smartcards. By using hardware embedded in the machine itself to authenticate to the network, the need to regularly re-deploy smartcards is eliminated, and users aren’t required to carry another piece of technology.

Protect against APTs from the BIOS up

Embedded hardware can also be used to store secure measurements of an endpoint’s pre-boot health. Wave software monitors these measurements for unauthorized changes that can indicate the presence of malware such as an APT. When malware attacks pre-operating-system components like the BIOS, it can go unnoticed by anti-virus software—but Wave Endpoint Monitor can detect unauthorized changes to those pre-boot components before the malware has a chance to cause damage.
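As an added illustration (not Wave’s code and not a description of how Wave Endpoint Monitor is implemented), the following Python simulates the mechanism behind pre-boot health monitoring: each boot component is hashed into a TPM Platform Configuration Register (PCR) by the extend operation, an enrolled baseline is recorded, and a later boot’s event log is replayed against that baseline to flag the component that changed. All component names and digests are constructed sample values.

```python
import hashlib

# Constructed sample boot event logs (not real firmware digests). Each entry is
# (PCR index, component name, SHA-256 digest extended into that PCR), the same
# shape as the entries of a TCG measured-boot event log.
def h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

BASELINE_LOG = [
    (0, "BIOS firmware", h("bios-image-v1.02")),
    (0, "NIC option ROM", h("nic-oprom-v7")),
    (7, "Secure Boot policy", h("secureboot-enabled")),
]
# Same boot sequence, but the firmware image was altered (constructed case).
TAMPERED_LOG = [
    (0, "BIOS firmware", h("bios-image-modified")),
    (0, "NIC option ROM", h("nic-oprom-v7")),
    (7, "Secure Boot policy", h("secureboot-enabled")),
]

def extend(pcr: bytes, digest_hex: str) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || measurement).
    A PCR can only be extended, never set, so later code cannot undo an
    earlier measurement; order of extends matters."""
    return hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()

def replay_pcrs(event_log):
    """Replay a log into final PCR values (every PCR starts as 32 zero bytes)."""
    pcrs = {}
    for index, _name, digest_hex in event_log:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), digest_hex)
    return pcrs

def check_boot(baseline_pcrs, measured_log, baseline_log):
    """Compare a boot's replayed PCRs with the enrolled baseline.
    Returns (healthy, changed PCR indexes, components not seen at enrollment)."""
    measured = replay_pcrs(measured_log)
    changed = sorted(i for i in set(baseline_pcrs) | set(measured)
                     if baseline_pcrs.get(i) != measured.get(i))
    known = set(baseline_log)
    suspects = [(i, name) for i, name, d in measured_log
                if (i, name, d) not in known]
    return (not changed, changed, suspects)

if __name__ == "__main__":
    baseline = replay_pcrs(BASELINE_LOG)       # enrolled at first trusted boot
    print(check_boot(baseline, BASELINE_LOG, BASELINE_LOG))   # healthy
    print(check_boot(baseline, TAMPERED_LOG, BASELINE_LOG))   # PCR 0 changed
```

In practice the enrolled PCR values would be read from the TPM (for example via a quote) rather than replayed from a log held on the same machine, so that a compromised host cannot simply report the baseline.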

Protect Sensitive Data

Self-encrypting drives (SEDs) automatically encrypt all data written to the drive, moving encryption into hardware for a faster operating system and more secure data. They are available from all major drive manufacturers and can be easily deployed and managed by Wave from a central console. Tablet users can take advantage of external SEDs to secure data, provide audit logs for compliance, and integrate with enterprise-wide encryption management policies. For organizations not yet ready to deploy SEDs but looking to take advantage of hardware security, Wave supports Microsoft’s native encryption solution, BitLocker. To prevent data slipping through the cracks, Wave’s Safend Data Protection Suite offers comprehensive data leakage prevention tools, from mapping to port control to content inspection. And for information shared in the Cloud (Dropbox, Twitter, Google +, etc.) enterprises can use public sharing infrastructure while taking back control over content with Scrambls for Files.

The same functionality can likewise protect enterprise PCs – and be managed from the same console. The result? A fleet of devices that combine security and management best practices with a seamless, fluid end-user experience.

Wave Systems Corp. 480 Pleasant Street, Lee, MA 01238 (877) 228-WAVE • fax (413) 243-0045 www.wave.com

Copyright © 2014 Wave Systems Corp. All rights reserved. Wave logo is trademark of Wave Systems Corp. All other brands are the property of their respective owners. Distributed by Wave Systems Corp. Specifications are subject to change without notice.

03-000352/version 1.02 Release Date: 07-22-2014