IBM Innovate 2012
Mobile Application Security: Foundation & Directions (session IPI2478)
Raj Balasubramanian, Product Architect, IBM Mobile Foundation
Dirk Nicol, Product Manager, IBM Mobile Foundation
© 2012 IBM Corporation 2
The Premier Event for Software and Systems Innovation
Please note
IBM’s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise,
or legal obligation to deliver any material, code or functionality. Information about potential
future products may not be incorporated into any contract. The development, release, and
timing of any future features or functionality described for our products remains at our sole
discretion.
Performance is based on measurements and projections using standard IBM benchmarks
in a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve results similar to those stated here.
Mobile is transformational
• 61% of CIOs put mobile as a priority
• 45% report increased productivity with mobile apps
• 10 billion devices by 2020
IBM strategy addresses client mobile initiatives
Build & Connect
• Build mobile applications
• Connect to, and run, backend systems in support of mobile
Manage & Secure
• Manage mobile devices, services and applications
• Secure my mobile business
Extend & Transform
• Extend existing business capabilities to mobile devices
• Transform the business by creating new opportunities
A deeper look at Manage & Secure capabilities
(Pillars: Build & Connect | Manage & Secure | Extend & Transform)
Client initiatives: manage mobile devices, services and applications; secure my mobile business
Manage & Secure key capabilities
• Mobile lifecycle management
• Device analytics and control
• Secure network communications & management
Mobile Devices: Unique Management & Security Challenges
Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with co-workers
• Social norms of mobile apps vs. file systems
Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organization
• Security profile per persona?
Mobile devices are diverse
• OS immaturity for enterprise management
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions
Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise WiFi
Mobile devices prioritize the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists
Mobile Risks
Top 10 Mobile Risks (source: OWASP Mobile Security Project)
1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure
Challenges of Enterprise Mobility
Achieving data separation and providing data protection
• Data separation: personal vs. corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs. legally defensible wipe
• Data policies
Adapting to the BYOD / consumerization-of-IT trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
• Threat protection
Providing secure access to enterprise applications and data
• Identity of users and devices
• Authentication, authorization and federation
• User policies
• Secure connectivity
Developing secure applications
• Application life-cycle
• Vulnerability and penetration testing
• Application management
• Application policies
Designing and instituting an adaptive security posture
• Policy management: location, geo, roles, response, time policies
• Security intelligence
• Reporting
So How Do I Protect My Mobile Initiatives?
Begin by taking a holistic view of mobile security:
• Secure the endpoint device and data
• Secure access to enterprise applications and data
• Develop, test and deliver safe applications
• Achieve visibility and enable an adaptive security posture
[Diagram: mobile apps and web sites reach the corporate intranet and systems over the Internet, WiFi or a telecom provider, passing through a security gateway.]
Spectrum of Mobile Security Requirements
Layers: Device Platforms (30 device manufacturers, 10 operating platforms, i.e. iOS, Android, Windows Mobile, Symbian, etc.) → Mobile Application Platforms & Containers → Mobile Applications (i.e. native, hybrid, web application)
Mobile Device Management
• Acquire/Deploy: register, activation
• Manage/Monitor: content management, self service, reporting
• Retire: de-provision
Secure Mobile Application Development (App/Test Development)
• Vulnerability testing
• Mobile app testing
• Enterprise policies enforced by tools
Data, Network & Access Security
• Mobile Device Security Management: device wipe & lockdown, password management, configuration, policy compliance
• Mobile Information Protection: data encryption (device, file & app), mobile data loss prevention
• Mobile Threat Management: anti-malware, anti-spyware, anti-spam, firewall/IPS, web filtering, web reputation
• Mobile Network Protection: secure communications (VPN), edge protection
• Mobile Identity & Access Management: identity management, authorize & authenticate, certificate management, multi-factor
• Mobile Security Intelligence
Mobile devices are not only computing platforms but also communication devices, hence mobile security is multi-faceted, driven by customers' operational priorities.
Mobile App Security: Defending the Software
• Consistently apply and enforce best practices during development
• Perform vulnerability analysis during testing
• Provide or employ a secure channel for delivering apps
• Employ a secure runtime environment to safeguard app data
• Perform checks to validate the integrity of apps
• As threats evolve, recognize required updates and establish a process for pushing them to users
Mobile Security Enabled with IBM Solutions
Secure data & the device
• IBM WorkLight Runtime for safe mobile apps: encrypted data cache, app validation
• IBM Endpoint Manager for Mobile (configure, provision, monitor): set appropriate security policies, enable endpoint access, ensure compliance
Protect access to enterprise apps & data
• IBM Security Access Manager for Mobile (authenticate & authorize users and devices): standards support for OAuth, SAML, OpenID; single sign-on & identity mediation
• IBM Mobile Connect (secure connectivity): app-level VPN
Achieve visibility & enable adaptive security posture
• IBM QRadar (system-wide mobile security awareness): risk assessment, threat detection
Build & run safe mobile apps
• IBM WorkLight (develop safe mobile apps): direct updates
• IBM AppScan for Mobile (vulnerability testing): dynamic & static analysis of hybrid and mobile web apps
• IBM DataPower (protect enterprise applications): XML security & message protection, protocol transformation & mediation
The Difference Between Secure Apps and Device Management
Mobile Device Management: device-level control
• Password protection
• File-system encryption
• Managed apps
• Jailbreak detection
Requires consent of the user to have the enterprise manage the entire device.
Application-Level Security: the app takes care of itself
• Authentication
• File encryption
• Remote administration
• Adaptive functionality
Applicable in all scenarios, including BYOD and consumer-facing contexts.
Worklight Runtime Architecture
Worklight Server
• Authentication
• JSON translation
• Server-side application code
• Adapter library
• Client-side app resources
• Direct Update
• Mobile web apps
• Unified push notifications
• Stats aggregation
Device Runtime
• Application code
• Cross-platform technology
• Security and authentication
• Back-end data integration
• Post-deployment control
• Diagnostics
Mobile Application Security Objectives
Protect data on the device
• Malware, Jailbreaking
• Offline access
• Device theft
• Phishing, repackaging
Streamline Corporate security approval processes
• Complex
• Time-consuming
Enforce security updates
• Be proactive: can’t rely on users getting the latest software update on their own
Provide robust authentication and authorization
• Existing authentication infrastructure
• Passwords are more vulnerable
Protect from the “classic” threats to the application security
• Hacking
• Eavesdropping
• Man-in-the-middle
IBM WorkLight: Security By Design
Enforcing security updates
• Remote disable
• Direct update
Providing robust authentication and authorization
• Authentication integration framework
• Data protection realms
• Coupling device id with user id
Streamlining corporate security processes
• Mobile platform as a trust factor
Application security
• Code obfuscation
• SSL with server identity verification
• Proven platform security
• Jailbreak and malware detection
• App authenticity testing
Protecting data on the device and in transit
• Encrypted offline cache
• Offline authentication
• Secure connectivity
Integration points
• VPN solutions (i.e. IBM Mobile Connect)
• MDM solutions (i.e. IBM Endpoint Manager for Mobile)
• User security solutions (i.e. IBM Security Access Manager for Mobile)
Protecting data on the device
Threats addressed: malware, jailbreaking; device theft; offline access; phishing, repackaging.
• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge-response on startup
• App authenticity testing: server-side verification mechanism to mitigate the risk of phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries
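The startup challenge-response and app authenticity check described above, as an added example that is not IBM's or Worklight's own code and does not reproduce its protocol. It assumes a design in which the server knows the signing-certificate fingerprint and package hash of the genuine release build (placeholder values here), and the app answers a single-use nonce with an HMAC over what it observes about itself at runtime; a repackaged, re-signed copy observes different values and fails. All names, fingerprints and the 60-second TTL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: what the server knows about the genuine release build
# (signing-certificate fingerprint and package hash from the release
# pipeline). Placeholder values, not real fingerprints.
GENUINE_BUILDS = {
    ("com.example.bank", "1.4.0"): {
        "signer_sha256": bytes.fromhex("ab" * 32),
        "package_sha256": bytes.fromhex("cd" * 32),
    },
}


def attestation(nonce: bytes, app_id: str, version: str,
                signer_sha256: bytes, package_sha256: bytes) -> str:
    """Response the client computes from what it can observe about itself.

    The nonce is the HMAC key, so a response is valid for exactly one
    challenge and cannot be replayed. Fields are length-prefixed so that
    different field splits of the same bytes cannot collide.
    """
    fields = (app_id.encode(), version.encode(), signer_sha256, package_sha256)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(nonce, msg, hashlib.sha256).hexdigest()


class AuthenticityServer:
    """Server side: issues single-use, expiring challenges and checks answers."""

    def __init__(self, genuine_builds, ttl_seconds=60.0, clock=time.monotonic):
        self.genuine = genuine_builds
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # nonce -> expiry time

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = self.clock() + self.ttl
        return nonce

    def verify(self, nonce: bytes, app_id: str, version: str, response: str) -> bool:
        expiry = self.pending.pop(nonce, None)      # consume: single use
        if expiry is None or self.clock() > expiry:
            return False
        build = self.genuine.get((app_id, version))
        if build is None:
            return False                             # unknown app or version
        expected = attestation(nonce, app_id, version,
                               build["signer_sha256"], build["package_sha256"])
        return hmac.compare_digest(expected, response)


def client_startup(server: AuthenticityServer, app_view: dict) -> bool:
    """Client side of the startup handshake.

    app_view holds what the app reads about itself at runtime (for example
    its signing certificate from the platform package manager); a repackaged
    and re-signed copy observes a different signer and package hash.
    """
    nonce = server.issue_challenge()
    response = attestation(nonce, app_view["app_id"], app_view["version"],
                           app_view["signer_sha256"], app_view["package_sha256"])
    return server.verify(nonce, app_view["app_id"], app_view["version"], response)


def demo() -> dict:
    server = AuthenticityServer(GENUINE_BUILDS)
    genuine = {"app_id": "com.example.bank", "version": "1.4.0",
               "signer_sha256": bytes.fromhex("ab" * 32),
               "package_sha256": bytes.fromhex("cd" * 32)}
    # Repackaged copy: same app id and version, re-signed by the attacker.
    forged = dict(genuine, signer_sha256=bytes.fromhex("ee" * 32),
                  package_sha256=bytes.fromhex("ff" * 32))
    # Replay: reuse a nonce that has already been consumed.
    nonce = server.issue_challenge()
    resp = attestation(nonce, "com.example.bank", "1.4.0",
                       genuine["signer_sha256"], genuine["package_sha256"])
    first = server.verify(nonce, "com.example.bank", "1.4.0", resp)
    replay = server.verify(nonce, "com.example.bank", "1.4.0", resp)
    return {"genuine": client_startup(server, genuine),
            "forged": client_startup(server, forged),
            "first_use": first, "replay": replay}
```

The check is only as strong as the client's resistance to modification: an attacker who patches the app to report the genuine fingerprints passes it, which is why the slide calls it a mitigation and pairs it with code obfuscation, jailbreak detection and SSL with server identity verification rather than treating it as authentication.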
Enforcing security updates
Can't rely on users getting the latest software update on their own.
• Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
• Direct Update: automatically send new versions of the locally cached HTML/JS resources to installed apps
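The two controls above, Remote Disable and Direct Update, as an added example of how a startup version check can implement them; this is illustrative code, not Worklight's, and the policy table, app id, URL and bundle bytes are constructed placeholders. The server disables native versions below a minimum and pushes a newer web-resource bundle; the client verifies the bundle hash before swapping in executable HTML/JS.

```python
import hashlib

# Constructed server-side policy for one app. The bundle bytes stand in for
# the zipped HTML/JS resources the server would push; hash computed inline.
WEB_BUNDLE_V7 = b"<html><script>/* app resources build 7 */</script></html>"

POLICY = {
    "com.example.bank": {
        "min_supported": "1.3.0",          # older native builds are disabled
        "update_url": "https://example.invalid/app/latest",   # placeholder
        "web_version": 7,
        "web_bundle": WEB_BUNDLE_V7,
        "web_sha256": hashlib.sha256(WEB_BUNDLE_V7).hexdigest(),
    }
}


def parse_version(v: str) -> tuple:
    """'1.3.2' -> (1, 3, 2); padded so '1.3' and '1.3.0' compare equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def startup_decision(policy: dict, app_id: str, native_version: str, web_version: int) -> dict:
    """Server side: answer the client's startup check."""
    p = policy.get(app_id)
    if p is None:
        return {"status": "disabled", "message": "unknown application"}
    if parse_version(native_version) < parse_version(p["min_supported"]):
        return {"status": "disabled",
                "message": "This version is no longer supported.",
                "update_url": p["update_url"]}
    if web_version < p["web_version"]:
        return {"status": "update", "web_version": p["web_version"],
                "sha256": p["web_sha256"], "bundle": p["web_bundle"]}
    return {"status": "ok"}


class DeviceApp:
    """Client side: a hybrid app with locally cached web resources."""

    def __init__(self, app_id, native_version, web_version, web_bundle):
        self.app_id = app_id
        self.native_version = native_version
        self.web_version = web_version
        self.web_bundle = web_bundle
        self.disabled = False

    def startup(self, policy: dict) -> str:
        reply = startup_decision(policy, self.app_id, self.native_version, self.web_version)
        if reply["status"] == "disabled":
            self.disabled = True            # show reply["update_url"], refuse to run
            return "disabled"
        if reply["status"] == "update":
            # Direct update is a code-delivery channel: verify integrity before
            # replacing executable resources. An attacker who controls the
            # channel can forge the hash too, so this must ride on TLS with
            # server identity verification; a signature would be stronger.
            digest = hashlib.sha256(reply["bundle"]).hexdigest()
            if digest != reply["sha256"]:
                return "update-rejected"
            self.web_bundle = reply["bundle"]
            self.web_version = reply["web_version"]
            return "updated"
        return "ok"


def demo() -> dict:
    old = DeviceApp("com.example.bank", "1.2.9", 5, b"stale").startup(POLICY)
    current = DeviceApp("com.example.bank", "1.3.0", 5, b"stale")
    first = current.startup(POLICY)
    second = current.startup(POLICY)           # already on web build 7
    tampered = dict(POLICY, **{"com.example.bank":
                               dict(POLICY["com.example.bank"], web_bundle=b"evil")})
    bad = DeviceApp("com.example.bank", "1.4.0", 5, b"stale").startup(tampered)
    return {"old_native": old, "stale_web": first,
            "up_to_date": second, "tampered_bundle": bad}
```

Because the app executes whatever it receives through this channel, the integrity check and the authenticated TLS connection are what separate a security update mechanism from a remote code-injection path.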
Authentication and Authorization
Needs: integrate with existing authentication infrastructure; authenticate users when offline; mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible).
• Authentication integration framework: very flexible framework for simplifying integration of apps with existing authentication infrastructure; manages authenticated sessions with configurable expiration; open, e.g. custom OTP as an anti-keylogger mechanism
• Data protection realms: server-side services grouped into separate protection realms for different authentication levels
• Device provisioning: secure device ID generated as part of an extensible provisioning process
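Offline authentication against a password and the key for an encrypted offline cache, as an added example; this is not Worklight's implementation, and the iteration count, labels and lockout threshold are assumptions. The point it demonstrates: one slow key derivation yields both a stored verifier and a never-stored cache key, so the verifier on a stolen device does not reveal the key, and repeated wrong guesses wipe the cache.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumption; tune to ~100 ms on target devices
MAX_FAILED_ATTEMPTS = 5       # assumption: wipe the offline cache after this


def _master_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, salt=None) -> dict:
    """Create the on-device record after a successful online login.

    Only the verifier is stored. The cache key is derived from the same
    master key under a different label, so the stored verifier does not
    reveal it, and the cache key itself never touches storage.
    """
    salt = salt if salt is not None else os.urandom(16)
    master = _master_key(password, salt)
    verifier = hmac.new(master, b"offline-verifier", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier, "failed_attempts": 0, "wiped": False}


def offline_login(record: dict, password: str):
    """Return the cache key on success, None on failure (mutates record)."""
    if record["wiped"]:
        return None
    master = _master_key(password, record["salt"])
    candidate = hmac.new(master, b"offline-verifier", hashlib.sha256).digest()
    if not hmac.compare_digest(candidate, record["verifier"]):
        record["failed_attempts"] += 1
        if record["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
            record["wiped"] = True      # caller deletes the encrypted cache
        return None
    record["failed_attempts"] = 0
    return hmac.new(master, b"offline-cache-key", hashlib.sha256).digest()
```

The returned key feeds an authenticated cipher from the platform's crypto library (for example AES-GCM); do not build the cipher by hand. The verifier is still subject to offline guessing by whoever extracts it from a stolen device, so the PBKDF2 cost and, where available, binding the salt or key to the platform keystore matter as much as the lockout counter.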
Session Authentication Management
Step 1 – Unauthenticated Session
1. Client calls a protected procedure
2. Worklight Server responds with an authentication request: access denied because the session is unauthenticated or expired
Session:
• Created on first access from client
• Identified using a session cookie
• Associated data is stored on the server
Step 2 – Authentication
1. Client obtains credentials from user and device
2. Client forwards credentials to the Worklight Server
3. Worklight Server processes the authentication data; if necessary:
• Consult with authentication servers
• Perform device provisioning
• Receive authentication token
• Associate token with session
Step 3 – Authenticated Session
1. Client makes a procedure call on the authenticated session
2. Worklight Server accesses the back-end service using the authentication token associated with the session
3. Procedure result is returned to the client
Session table on the server (session ID → per-realm auth tokens/state):

  Session ID      Realm 1   Realm 2
  2bd4296a3f29    25487     -----
  25617ff82a90    -----     a6c9a
  89a77921b02     7b8df     6a8a0
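The three-step session flow and the per-realm token table above, as an added example of the server-side logic; it is illustrative code, not Worklight's, and the realm names, authenticators, procedures, idle timeout and token strings are constructed. It shows access denied on an unauthenticated or expired session, a token being associated with the session per realm, a second realm staying unauthenticated until its own login, and the session id rotating at login.

```python
import secrets
import time


class AuthRequired(Exception):
    """Raised when the procedure's realm has no token on the session."""
    def __init__(self, realm):
        super().__init__(f"authentication required for realm {realm}")
        self.realm = realm


class SessionStore:
    """Server-side session state, keyed by the value carried in the cookie."""

    def __init__(self, idle_timeout=900.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}   # session id -> {"last_seen": t, "realms": {realm: token}}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"last_seen": self.clock(), "realms": {}}
        return sid

    def get(self, sid):
        """Return live session data, or None if unknown or idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        s["last_seen"] = self.clock()
        return s

    def rotate(self, sid) -> str:
        """New session id for the same state (defeats session fixation)."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


class ProcedureServer:
    def __init__(self, store, authenticators):
        self.store = store
        self.authenticators = authenticators   # realm -> fn(credentials) -> token or None
        self.procedures = {}                  # name -> (realm, fn(token, args))

    def register(self, name, realm, fn):
        self.procedures[name] = (realm, fn)

    def login(self, sid, realm, credentials):
        """Step 2: forward credentials, associate the token with the session."""
        session = self.store.get(sid)
        if session is None:                 # unknown or expired: start afresh
            sid = self.store.create()
            session = self.store.get(sid)
        token = self.authenticators[realm](credentials)
        if token is None:
            return None                     # bad credentials; session unchanged
        session["realms"][realm] = token
        return self.store.rotate(sid)       # client replaces its cookie value

    def invoke(self, sid, name, args):
        """Steps 1 and 3: deny unless the session holds a token for the realm."""
        realm, fn = self.procedures[name]
        session = self.store.get(sid)
        if session is None or realm not in session["realms"]:
            raise AuthRequired(realm)
        return fn(session["realms"][realm], args)


def demo() -> list:
    now = [0.0]
    store = SessionStore(idle_timeout=600.0, clock=lambda: now[0])
    # Constructed back-end authenticators: a password realm and an OTP realm.
    auths = {"employee": lambda c: "tok-emp-25487" if c == ("alice", "pw") else None,
             "payments": lambda c: "tok-pay-a6c9a" if c == "123456" else None}
    server = ProcedureServer(store, auths)
    server.register("getBalance", "employee", lambda tok, a: f"balance via {tok}")
    server.register("transfer", "payments", lambda tok, a: f"transfer {a['amount']} via {tok}")
    events = []

    def attempt(sid, name, args=None):
        try:
            events.append(server.invoke(sid, name, args or {}))
        except AuthRequired as e:
            events.append(f"auth-required:{e.realm}")

    sid = store.create()
    attempt(sid, "getBalance")                            # step 1: denied
    sid = server.login(sid, "employee", ("alice", "pw"))  # step 2
    attempt(sid, "getBalance")                            # step 3: served
    attempt(sid, "transfer", {"amount": 50})              # second realm still unauthenticated
    sid = server.login(sid, "payments", "123456")
    attempt(sid, "transfer", {"amount": 50})
    now[0] += 601.0                                       # idle timeout elapses
    attempt(sid, "transfer", {"amount": 50})
    return events
```

In a real deployment the session id travels in a cookie marked Secure and HttpOnly over the SSL channel the deck describes, and the back-end tokens never leave the server table.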
• One team creates a custom container ("Shell Component") for extensive security certification
• Other teams create HTML-only "inner apps" wrapped in that container
Worklight Studio simplifies the reuse of custom containers across the organization.
Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries.
• Application security: Worklight, IBM Rational AppScan
• Mobile device management: IBM Endpoint Manager for Mobile Devices, IBM Hosted Mobile Device Security Management
• Secure enterprise access: IBM Security Access Manager
• Security intelligence: IBM QRadar
Deployment for SSO and Security Intelligence
[Diagram: on the mobile device, hybrid mobile apps based on WorkLight run in the Worklight Runtime; they connect over SSL with SSO through a Mobile Security Gateway to the WorkLight Server (WAS with security) and on to enterprise applications, connectivity & data; IBM Endpoint Manager and the Security Intelligence Platform sit alongside.]
Risk-based access
• Security intelligence with mobile context
• Intelligence around malware and advanced threats in the mobile-enabled enterprise
• User identity and device identity correlation, leading to behavior analysis
• Geo-fencing, anomaly detection based on device, user, location, and application characteristics
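The risk-based access bullets above (user/device correlation, geo-fencing, anomaly detection) as an added example of the kind of rule a security-intelligence platform would run over gateway authentication events; this is illustrative code, not QRadar or Access Manager logic, and the events, geo-fence table and two-hour travel window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: authentication events as a SIEM would receive them
# from the access gateway (ISO-8601 timestamp, user, device id, country of
# the client IP, application). Values are invented.
EVENTS = [
    {"ts": "2012-06-04T08:00:00", "user": "alice", "device": "dev-A1", "country": "US", "app": "bank"},
    {"ts": "2012-06-04T08:05:00", "user": "alice", "device": "dev-A1", "country": "US", "app": "bank"},
    {"ts": "2012-06-04T08:20:00", "user": "alice", "device": "dev-Z9", "country": "RU", "app": "bank"},
    {"ts": "2012-06-04T09:00:00", "user": "bob", "device": "dev-B7", "country": "DE", "app": "hr"},
    {"ts": "2012-06-04T09:01:00", "user": "bob", "device": "dev-B7", "country": "DE", "app": "payroll"},
]

# Assumed policy: per-application geo-fence, and the window inside which a
# country change for one user is treated as impossible travel.
GEOFENCE = {"bank": {"US", "GB"}, "hr": {"DE", "US"}, "payroll": {"DE"}}
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


def score_events(events, known_devices):
    """Correlate user, device, location and application per event.

    known_devices maps user -> set of device ids enrolled for that user
    (device identity coupled with user identity). Returns one finding per
    event with the risk indicators raised and the access decision.
    """
    last_seen = {}   # user -> (timestamp, country) of the previous event
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        risk = []
        if e["device"] not in known_devices.get(e["user"], set()):
            risk.append("new-device")
        if e["country"] not in GEOFENCE.get(e["app"], set()):
            risk.append("outside-geofence")
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and ts - prev[0] < IMPOSSIBLE_TRAVEL_WINDOW:
            risk.append("impossible-travel")
        last_seen[e["user"]] = (ts, e["country"])
        # A lone unknown device gets step-up authentication (enrolling it
        # after success belongs to the auth flow, not here); a geo-fence
        # breach or impossible travel is denied outright.
        if not risk:
            decision = "allow"
        elif risk == ["new-device"]:
            decision = "step-up"
        else:
            decision = "deny"
        findings.append({"ts": e["ts"], "user": e["user"], "app": e["app"],
                         "risk": risk, "decision": decision})
    return findings


def demo():
    return score_events(EVENTS, {"alice": {"dev-A1"}, "bob": {"dev-B7"}})
```

The third event is the case the slide has in mind: the same user, minutes later, from an unknown device in a country the application does not serve. None of the three signals is conclusive alone; together they justify denying rather than merely challenging.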
IBM AppScan: Bringing Vulnerability Scanning to Mobile
• Detection of vulnerabilities before apps are delivered and deployed
• Known vulnerabilities can be addressed in software development and testing
• Code vulnerable to known threat models can be identified in testing
• Security designed in vs. bolted on
• Leverage AppScan for vulnerability testing of mobile web apps and of the web elements (JavaScript, HTML5) of hybrid mobile apps
IBM Security Access Manager: Authentication & Authorization of Mobile Users and their Devices
[Diagram: mobile browser or native applications reach the enterprise over VPN or HTTPS; IBM Access Manager authenticates (i.e. userid/password, Basic Auth, certificate or custom) against user registries (i.e. LDAP) and authorizes access to application servers (i.e. WebSphere, WorkLight), web applications and web services; Access Manager servers (e.g., policy), an external authentication provider and Federated Identity Manager are shown alongside.]
IBM Security Access Manager for Mobile can be used to satisfy complex authentication requirements. A feature called the External Authentication Interface (EAI) is designed to provide flexibility in authentication.
Federated Identity Manager can be incorporated into the solution to provide federated identity management.
IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile Devices
• Advanced management for iOS, Android, Symbian, and Windows Phone
• Unified management automatically enables VPN access based on security compliance
• Integration with back-end IT management systems such as service desk, CMDB, and SIEM
• Security threat detection and automated remediation
• Extends IBM's existing 500,000-endpoint deployment
IBM Endpoint Manager: a common management agent and console for security management and systems management across desktop/laptop/server endpoints, mobile endpoints and purpose-specific endpoints, with near-instant deployment of new features.
IBM QRadar: Delivering Mobile Security Intelligence
Unified collection, aggregation and analysis architecture for:
o Application logs
o Security events
o Vulnerability data
o Identity and access management data
o Configuration files
o Network flow telemetry
A common platform for:
o Searching
o Filtering
o Rule writing
o Reporting functions
A single user interface for:
o Log management
o Risk modeling
o Vulnerability prioritization
o Incident detection
o Impact analysis tasks
Ingests log data and events from:
o Endpoint Manager for Mobile Devices
o Access Manager for Mobile
o Mobile Connect
o WorkLight
Delivers mobile security intelligence by monitoring data collected from other mobile security solutions: visibility, reporting and threat detection.
IBM Global Technology Services offers a broad set of complementary mobile capabilities
Client initiatives: build mobile applications; connect to, and run, backend systems in support of mobile; manage mobile devices and applications; secure my mobile business; extend existing business capabilities to mobile devices; transform the business by creating new opportunities.
Services:
• Unified Communications Services
• Mobile Application Platform Management
• Strategy & Transformation
• Mobile Application Management
• Messaging, collaboration and social
• Mobile application development
• Network (e.g. wi-fi, VPN)
• Telecom Expense Management
• Mobile Security
• Mobile Device Management
• End-user and administration support
• Procurement, staging and kitting
www.ibm.com/software/rational
Acknowledgements and disclaimers
© Copyright IBM Corporation 2012. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and
services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these
and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate
U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or
common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.
Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries
in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for
informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant.
While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without
warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this
presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have
achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to,
nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.