Are We There Yet? The Path Towards Securing the Mobile Enterprise

DESCRIPTION

In the 3rd quarter of 2014, IBM completed a survey of mobile security professionals, looking at the mobile security capabilities deployed by enterprises. Combined with IBM's mobile security framework, which spans device, content, application and transactions, the survey allowed IBM to create a fact-based maturity model for enterprise mobile security. View this presentation to learn:

- What the key requirements are for a mature mobile security program
- What the key current and future areas of investment are for enterprises in mobile security
- How IBM capabilities align with these emerging requirements

View the full on-demand webcast: https://www.youtube.com/watch?v=hxJV9-5uK-8

Page 1: Are We There Yet? The Path Towards Securing the Mobile Enterprise

© 2014 IBM Corporation

IBM Security Systems

Are We There Yet? The Path Towards Securing the Mobile Enterprise

Yishay Yovel

Program Director, Fraud and Mobile Strategy

IBM Security

Page 2: Are We There Yet? The Path Towards Securing the Mobile Enterprise

ABOUT THE SURVEY

Page 3: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Survey Respondents Demographics

Total Response: 209

Page 4: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Survey Respondents Demographics: Larger Enterprises

Page 5: Are We There Yet? The Path Towards Securing the Mobile Enterprise

IBM MOBILE SECURITY FRAMEWORK

Page 6: Are We There Yet? The Path Towards Securing the Mobile Enterprise

IBM Mobile Security Framework - Requirements

• Device Security: Provision, manage and secure Corporate and BYOD devices

• Content Security: Secure enterprise content access and sharing

• Application Security: Develop vulnerability free, tamper proof and risk aware applications

• Transaction Security: Prevent and detect high risk mobile transactions from employees, customers and partners

Security Intelligence

A unified architecture for integrating mobile security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management

[Figure: IBM Mobile Security Framework diagram. Labels: Security Intelligence; Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Content Security; Application Security; Transaction Security; Device Security; Data; Personal and Consumer Enterprise]

Page 7: Are We There Yet? The Path Towards Securing the Mobile Enterprise

THE CURRENT STATE OF AFFAIRS

Page 8: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Survey Respondents Demographics: Mobile Attributes

Page 9: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Mobile Security incidents

Page 10: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Enterprises see a wide range of business and technical risks spanning all pillars of the framework; malware risk is emerging

Page 11: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Enterprises have rolled out core device/content security capabilities; application and transaction security capabilities are emerging

Page 12: Are We There Yet? The Path Towards Securing the Mobile Enterprise

DEVICE AND CONTENT SECURITY

Page 13: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Mobile Device, Content Management

Enterprise doc catalog

View, edit, create, & sync files across devices

Protect and contain sensitive content

Activate & manage users, devices & policies

Enterprise app catalog

Operations & service desk management

Secure network access for business apps

Extend content in corporate file repositories

Access intranet sites

Secure Document Sharing

Mobile Enterprise Gateway

Secure Productivity Suite

Complete set of work tools & app security

Identity & access controls

Data leak prevention & app compliance rules

Advanced Mobile Management

Page 14: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Enterprises deploy basic controls to address the “device lost” scenario; extended requirements for “risky devices” are emerging

Page 15: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Enterprises deploy secure containers to control enterprise content for BYOD; capabilities for more granular content control are emerging

Page 16: Are We There Yet? The Path Towards Securing the Mobile Enterprise

APPLICATION SECURITY

Page 17: Are We There Yet? The Path Towards Securing the Mobile Enterprise

IBM and Business Partner Only

IBM Application Security capabilities

Application Security Management

Assess business impact

Inventory assets

Determine compliance

Measure status and progress

Prioritize vulnerabilities

Utilize resources effectively to identify and mitigate risk

Test Applications

Static Analysis

Dynamic Analysis

Mobile Application Analysis

Interactive Analysis

Protect Deployed Applications

Intrusion Prevention

Database Activity Monitoring

Web Application Firewall

SIEM

Mobile Application Protection

Page 18: Are We There Yet? The Path Towards Securing the Mobile Enterprise

AppScan and Worklight: Integrated App Development and Vulnerability Scanning

Page 19: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Enterprises address app security for their own apps, less focused on risk from 3rd party apps and theft of their own apps

Page 20: Are We There Yet? The Path Towards Securing the Mobile Enterprise

TRANSACTION SECURITY

Page 21: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Transaction security: New Breed of Financial Mobile Malware is coming

Page 22: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Transaction Security: Flagging malware-infected devices enables mobile fraud detection

Page 23: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Transaction security focuses on securing “flow”, with limited focus on fraud risk (malware) and transaction anomalies

Page 24: Are We There Yet? The Path Towards Securing the Mobile Enterprise

FUTURE AREAS OF INVESTMENT

Page 25: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Investments span all pillars of the maturity model

Page 26: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Beyond the basics, organizations are increasing focus on App Security, emerging interest in transaction security

Page 27: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Most organizations will increase mobile security budgets to reap the benefits of mobile productivity

Page 28: Are We There Yet? The Path Towards Securing the Mobile Enterprise

SUMMARY

Page 29: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Security solutions for the mobile enterprise

Device Security Content Security Application Security Transaction Security

• Enroll, provision and configure devices, settings and mobile policy

• Fingerprint devices with a unique and persistent mobile device ID

• Remotely Locate, Lock and Wipe lost or stolen devices

• Enforce device security compliance: passcode, encryption, jailbreak / root detection

• Restrict copy, paste and share

• Integration with Connections, SharePoint, Box, Google Drive, Windows File Share

• Secure access to corporate mail, calendar and contacts

• Secure access to corporate intranet sites and network

Software Development Lifecycle

• Integrated Development Environment

• iOS / Android Static Scanning

Application Protection

• App Wrapping or SDK Container

• Hardening & Tamper Resistance: IBM Business Partner (Arxan)

• Run-time Risk Detection: Malware, Jailbreak / Root, Device ID, and Location

• Whitelist / Blacklist Applications

Access

• Mobile Access Management

• Identity Federation

• API Connectivity

Transactions

• Mobile Fraud Risk Detection

• Cross-channel Fraud Detection

• Browser Security / URL Filtering

• IP Velocity

[Figure: IBM Mobile Security Framework diagram. Labels: Security Intelligence; Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Content Security; Application Security; Transaction Security; Device Security; Data; Personal and Consumer Enterprise]

IBM Security AppScan

IBM Security Access Manager

IBM Mobile Security Solutions

IBM Mobile Security Services

Security Intelligence

IBM Mobile First powered by…

IBM QRadar Security Intelligence Platform

Page 30: Are We There Yet? The Path Towards Securing the Mobile Enterprise

Summary

• Enterprises are making investments across all pillars of the IBM Mobile Security Framework, but we are “half way there”

• Current investment focuses on device and content security, which supports the BYOD program

• Future investments will address the development of secure mobile applications and eventually transaction fraud risk

• Use the IBM Mobile Security Framework to build a prioritized roadmap for your investments in mobile security for your BYOD program, Employee productivity and Customer Engagement

• Follow this link: http://ibm.com/security/mobile

Page 31: Are We There Yet? The Path Towards Securing the Mobile Enterprise

www.ibm.com/security
