1. IBM Innovate 2012
Mobile Application Security Foundation & Directions
Raj Balasubramanian, Product Architect, IBM Mobile Foundation, raj_balasubramanian@us.ibm.com
Dirk Nicol, Product Manager, IBM Mobile Foundation, nicold@us.ibm.com
IPI2478
2. The Premier Event for Software and Systems Innovation
Please note
IBM’s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise,
or legal obligation to deliver any material, code or functionality. Information about potential
future products may not be incorporated into any contract. The development, release, and
timing of any future features or functionality described for our products remains at our sole
discretion.
Performance is based on measurements and projections using standard IBM benchmarks
in a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve results similar to those stated here.
© 2012 IBM Corporation
3. Mobile is transformational
10 Billion devices by 2020
61% of CIOs put mobile as priority
45% increased productivity with mobile apps
4. IBM strategy addresses client mobile initiatives
Extend & Transform
• Extend existing business capabilities to mobile devices
• Transform the business by creating new opportunities
Build & Connect
• Build mobile applications
• Connect to, and run backend systems in support of mobile
Manage & Secure
• Manage mobile devices, services and applications
• Secure my mobile business
5. A deeper look at Manage & Secure capabilities
Manage & Secure (alongside Extend & Transform and Build & Connect)
• Manage mobile devices, services and applications
• Secure my mobile business
Key Capabilities
• Mobile lifecycle management
• Device analytics and control
• Secure network communications & management
6. Mobile Devices: Unique Management & Security Challenges
Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with co-workers
• Social norms of mobile apps vs. file systems
Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organization
• Security profile per persona?
Mobile devices are diverse
• OS immaturity for enterprise mgmt
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions
Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise WiFi
Mobile devices prioritize the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists
7. Mobile Risks
Top 10 Mobile Risks
1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure
Source: OWASP Mobile Security Project
8. Challenges of Enterprise Mobility
Achieving Data Separation & Providing Data Protection
• Data separation: personal vs corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs legally defensible wipe
• Data policies
Adapting to the BYOD / Consumerization of IT Trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
Providing secure access to enterprise applications & data
• Threat protection
• Identity of user and devices
• Authentication, Authorization and Federation
• User policies
• Secure Connectivity
Developing Secure Applications
• Application life-cycle
• Vulnerability & Penetration testing
• Application Management
• Application policies
Designing & Instituting an Adaptive Security Posture
• Policy Management: Location, Geo, Roles, Response, Time policies
• Security Intelligence
• Reporting
9. So How do I Protect My Mobile Initiatives?
Begin by taking a holistic view of Mobile Security
[Diagram: mobile apps and web sites reach the Corporate Intranet & Systems over WiFi, the Internet and the Telecom Provider, passing through a Security Gateway]
• Develop, test and deliver safe applications
• Secure endpoint device and data
• Secure access to enterprise applications and data
• Achieve Visibility and Enable Adaptive Security Posture
10. Spectrum of Mobile Security Requirements
Mobile devices are not only computing platforms but also communication devices, hence mobile security is multi-faceted, driven by customers’ operational priorities.
Mobile Security Intelligence (spans all of the areas below)
Mobile Device Management
• Mobile Device Management: Acquire/Deploy, Register, Activation, Content Mgmt, Manage/Monitor, Configuration, Self Service, Reporting, Retire, De-provision
• Mobile Device Security Management: Device wipe & lockdown, Password Management, Policy, Compliance
Data, Network & Access Security
• Mobile Threat Management: Anti-malware, Anti-spyware, Anti-spam, Firewall/IPS, Web filtering, Web Reputation
• Mobile Information Protection: Data encryption (device, file & app), Mobile data loss prevention
• Mobile Network Protection: Secure Communications (VPN), Edge Protection
• Mobile Identity & Access Management: Identity Management, Authorize & Authenticate, Certificate Management, Multi-factor
App/Test Development
• Secure Mobile Application Development: Vulnerability testing, Mobile app testing, Enforced by tools, Enterprise policies
Mobile Applications (i.e. Native, Hybrid, Web Application)
Mobile Application Platforms & Containers
Device Platforms: 30 device Manufacturers, 10 operating platforms (i.e. iOS, Android, Windows Mobile, Symbian, etc.)
11. Mobile App Security: Defending the Software
• Consistently apply and enforce best practices during Development
• Perform vulnerability analysis during Testing
• Provide or employ a secure channel for delivering apps
• Employ a secure runtime environment to safeguard app data
• Perform checks to validate the integrity of apps
• As threats evolve, recognize required updates and establish a process for pushing them to users
12. Mobile Security Enabled with IBM Solutions
Achieve Visibility & Enable Adaptive Security Posture
• IBM QRadar: System-wide Mobile Security Awareness
  • Risk Assessment
  • Threat Detection
Secure Data & the Device
• IBM WorkLight: Runtime for safe mobile apps
  • Encrypted data cache
  • App validation
• IBM Endpoint Manager for Mobile: Configure, Provision, Monitor
  • Set appropriate security policies
  • Enable endpoint access
  • Ensure compliance
Protect Access to Enterprise Apps & Data
• IBM Security Access Manager for Mobile: Authenticate & Authorize users and devices
  • Standards Support: OAuth, SAML, OpenID
  • Single Sign-On & Identity Mediation
• IBM DataPower: Protect enterprise applications
  • XML security & message protection
  • Protocol Transformation & Mediation
• IBM Mobile Connect: Secure Connectivity
  • App level VPN
Build & Run Safe Mobile Apps
• IBM WorkLight: Develop safe mobile apps
  • Direct Updates
• IBM AppScan for Mobile: Vulnerability testing
  • Dynamic & Static analysis of Hybrid and Mobile web apps
13. The Difference Between Secure Apps and Device Management
Mobile Device Management (device-level control):
• Password protection
• File-system encryption
• Managed apps
• Jailbreak detection
Requires consent of user to have enterprise manage entire device
Application-Level Security (app takes care of itself):
• Authentication
• File encryption
• Remote administration
• Adaptive functionality
Applicable in all scenarios, including BYOD and consumer-facing contexts
14. Worklight Runtime Architecture
Worklight Server
• Server-side Application Code
• Stats Aggregation
• JSON Translation
• Authentication
• Back-end Data Integration (Adapter Library)
• Unified Push Notifications
• Mobile Web Apps
Device Runtime
• Client-side Application Code
• App Resources
• Cross Platform Technology
• Direct Update
• Security and Authentication
• Post-deployment control
• Diagnostics
15. Mobile Application Security Objectives
Protect data on the device
• Malware, Jailbreaking
• Offline access
• Device theft
• Phishing, repackaging
Enforce security updates
• Be proactive: can’t rely on users getting the latest software update on their own
Streamline Corporate security approval processes
• Complex infrastructure
• Time-consuming
Provide robust authentication and authorization
• Existing authentication infrastructure
• Passwords are more vulnerable
Protect from the “classic” threats to the application security
• Hacking
• Eavesdropping
• Man-in-the-middle
16. IBM WorkLight: Security By Design
Protecting data on the device and in transit
• Encrypted offline cache
• Offline authentication
• App authenticity testing
• Jailbreak and malware detection
• Secure connectivity: SSL with server identity verification
Enforcing security updates
• Remote disable
• Direct update
Streamlining Corporate security processes
• Mobile platform as a trust factor
• Proven platform security
Providing robust authentication and authorization
• Authentication integration framework
• Coupling device id with user id
• Data protection realms
Application Security
• Code obfuscation
17. IBM WorkLight: Security By Design (integration points)
• Integration point with VPN solutions (i.e. IBM Mobile Connect)
• Integration point with MDM solutions (i.e. IBM Endpoint Manager for Mobile)
• Integration point with User Security solutions (i.e. IBM Security Access Manager for Mobile)
18. Protecting data on the device
Threats: Malware, Jailbreaking; Device theft; Offline access; Phishing, repackaging
Capabilities: Encrypted offline cache; Offline authentication; Secure challenge-response on startup; App authenticity testing; Compatibility with jailbreak detection libs
• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge response
• App authenticity testing: server-side verification mechanism to mitigate risk of Phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries
19. Enforcing security updates
Can’t rely on users getting the latest software update on their own
• Remote Disable: shut down specific versions of a downloadable app, providing users with link to update
• Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
20. Authentication and Authorization
Providing robust authentication and authorization
Needs:
• Need to integrate with existing authentication infrastructure
• Authenticate users when offline
• Mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)
Capabilities:
• Authentication integration framework: very flexible framework for simplifying integration of apps with existing authentication infrastructure; manages authenticated sessions with configurable expiration; open, e.g., custom OTP as anti-keylogger mechanism
• Data protection realms: server-side services grouped into separate protection realms for different authentication levels
• Device provisioning: secure device ID generated as part of extensible provisioning process
21. Session Authentication Management
Step 1 – Unauthenticated Session
1. Call protected Procedure
Worklight Server: access denied because session is unauthenticated or expired
2. Request Authentication
Session:
• Created on first access from client
• Identified using session cookie
• Associated data is stored on the server
22. Session Authentication Management
Step 2 – Authentication
1. Obtain credentials from user and device
2. Forward credentials
Worklight Server: process authentication data
3. If necessary:
• Consult with authentication servers
• Perform device provisioning
• Receive authentication token
• Associate token with session
23. Session Authentication Management
Step 3 – Authenticated Session
1. Procedure call on authenticated session
Worklight Server: authenticated token associated with session
2. Access back-end service using authentication token
3. Procedure result
Session ID    | Auth Tokens/State
2bd4296a3f29  | Realm 1: 25487   Realm 2: --------
25617ff82a90  | Realm 1: ------- Realm 2: a6c9a
89a77921b02   | Realm 1: 7b8df   Realm 2: 6a8a0
24. Worklight Studio simplifies the reuse of custom containers across the organization
• One team creates a custom container (“Shell Component”) for extensive security certification
• Other teams create HTML-only “inner apps” wrapped in that container
25. Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries
• Application security
  • Worklight
  • IBM Rational AppScan
• Mobile device management
  • IBM Endpoint Manager for Mobile devices
  • IBM Hosted Mobile Device Security Management
• Secure enterprise access
  • IBM Security Access Manager
• Security Intelligence
  • IBM QRadar
26. Deployment for SSO and Security Intelligence
[Diagram: Hybrid Mobile Apps based on WorkLight (Worklight Runtime on the Mobile Device) connect over SSL to a Mobile Security Gateway providing SSO and Risk Based Access, then to the WorkLight Server (WAS w/ security) and on to Enterprise Applications, Connectivity & Data; IBM Endpoint Manager and the Security Intelligence Platform sit alongside]
• Security intelligence with mobile context
• Intelligence around malware and advanced threats in mobile enabled enterprise
• User identity and device identity correlation, leading to behavior analysis
• Geo-fencing, anomaly detection based on device, user, location, and application characteristics
27. IBM AppScan: Bringing Vulnerability Scanning to Mobile
Detection of Vulnerabilities before Apps are Delivered and Deployed
• Known vulnerabilities can be addressed in software development and testing
• Code vulnerable to known threat models can be identified in testing
• Security designed in vs. bolted on
• Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript, HTML5) of hybrid mobile apps
28. IBM Security Access Manager: Authentication & Authorization of Mobile Users and their Devices
[Diagram: Mobile Browser or Native Applications reach Access Manager over VPN or HTTPS; Access Manager consults Authorization Servers (e.g., IBM Access Policy), User registries (i.e. LDAP), an External Authentication Provider (i.e. userid/password, HTTPS Basic Auth, Certificate or Custom) and Federated Identity Manager, and fronts Application Servers (i.e. WebSphere, WorkLight), Web Services and Enterprise Web Applications]
IBM Security Access Manager for Mobile can be used to satisfy complex authentication requirements. A feature called the External Authentication Interface (EAI) is designed to provide flexibility in authentication.
Federated Identity Manager can be incorporated into the solution to provide federated identity management.
29. IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile Devices
• Common management agent and console for systems management and security management
• Near-instant deployment of new features
• Advanced management for iOS, Android, Symbian, and Windows Phone
• Unified management automatically enables VPN access based on security compliance
• Integration with back-end IT management systems such as service desk, CMDB, and SIEM
• Security threat detection and automated remediation
• Extends IBM’s existing 500,000 endpoint deployment
[Diagram: IBM Endpoint Manager managing desktop / laptop / server endpoints, mobile endpoints and purpose-specific endpoints]
30. IBM QRadar: Delivering Mobile Security Intelligence
Delivers Mobile Security Intelligence by monitoring data collected from other mobile security solutions: visibility, reporting and threat detection
Unified collection, aggregation and analysis architecture for:
o Application logs
o Security events
o Vulnerability data
o Identity and Access Management data
o Configuration files
o Network flow telemetry
Ingest log data and events from:
o Endpoint Manager for Mobile Devices
o Access Manager for Mobile
o Mobile Connect
o WorkLight
A common platform for:
o Searching
o Filtering
o Rule writing
o Reporting functions
A single user interface for:
o Log management
o Risk modeling
o Vulnerability prioritization
o Incident detection
o Impact analysis tasks
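Slide 26 speaks of correlating user identity with device identity and of anomaly detection on device, user and location, and this slide of ingesting authentication events from the mobile gateway and access manager. The following added example runs four such correlation rules over a handful of constructed authentication events. It is illustrative code written for this page, not QRadar rule syntax or any IBM product's logic; the event fields, the region codes, the thresholds and the windows are all assumptions.

```javascript
// Added example (not QRadar): simple correlation rules over constructed mobile
// authentication events, in the spirit of user/device/location correlation.

// Constructed sample events as a mobile access gateway might emit them.
const SAMPLE_EVENTS = [
  { ts: '2012-06-04T08:00:00Z', user: 'alice', device: 'dev-A1', geo: 'US-FL', outcome: 'success' },
  { ts: '2012-06-04T08:05:00Z', user: 'alice', device: 'dev-A1', geo: 'US-FL', outcome: 'success' },
  { ts: '2012-06-04T08:20:00Z', user: 'alice', device: 'dev-Z9', geo: 'US-FL', outcome: 'success' }, // unseen device
  { ts: '2012-06-04T08:40:00Z', user: 'alice', device: 'dev-A1', geo: 'BR-SP', outcome: 'success' }, // region change in 20 min
  { ts: '2012-06-04T09:00:00Z', user: 'bob',   device: 'dev-B2', geo: 'US-FL', outcome: 'failure' },
  { ts: '2012-06-04T09:00:10Z', user: 'bob',   device: 'dev-B2', geo: 'US-FL', outcome: 'failure' },
  { ts: '2012-06-04T09:00:20Z', user: 'bob',   device: 'dev-B2', geo: 'US-FL', outcome: 'failure' },
  { ts: '2012-06-04T09:00:30Z', user: 'carol', device: 'dev-B2', geo: 'US-FL', outcome: 'success' }, // same device, other user
];

const FAILURE_THRESHOLD = 3;                     // failures per device within the window (assumed)
const FAILURE_WINDOW_MS = 60 * 1000;
const GEO_CHANGE_WINDOW_MS = 2 * 60 * 60 * 1000; // region change inside 2h is flagged (assumed)

// Returns the list of alerts raised, in event order.
function analyze(events) {
  const alerts = [];
  const devicesPerUser = new Map(); // user -> Set(device)
  const usersPerDevice = new Map(); // device -> Set(user)
  const lastGeo = new Map();        // user -> { geo, ts }
  const failures = new Map();       // device -> [timestamps of recent failures]

  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of ordered) {
    const t = Date.parse(e.ts);

    // Rule 1: a known user logs in from a device never seen for that user.
    const known = devicesPerUser.get(e.user) || new Set();
    if (e.outcome === 'success' && known.size > 0 && !known.has(e.device)) {
      alerts.push({ rule: 'new-device', user: e.user, device: e.device, ts: e.ts });
    }
    if (e.outcome === 'success') known.add(e.device);
    devicesPerUser.set(e.user, known);

    // Rule 2: one device is tied to more than one user identity.
    const users = usersPerDevice.get(e.device) || new Set();
    if (e.outcome === 'success' && users.size > 0 && !users.has(e.user)) {
      alerts.push({ rule: 'shared-device', device: e.device, user: e.user, ts: e.ts });
    }
    users.add(e.user);
    usersPerDevice.set(e.device, users);

    // Rule 3: the same user appears in a different region within the window.
    if (e.outcome === 'success') {
      const prev = lastGeo.get(e.user);
      if (prev && prev.geo !== e.geo && t - prev.ts < GEO_CHANGE_WINDOW_MS) {
        alerts.push({ rule: 'geo-change', user: e.user, from: prev.geo, to: e.geo, ts: e.ts });
      }
      lastGeo.set(e.user, { geo: e.geo, ts: t });
    }

    // Rule 4: repeated authentication failures from one device in a short window.
    if (e.outcome === 'failure') {
      const recent = (failures.get(e.device) || []).filter((x) => t - x < FAILURE_WINDOW_MS);
      recent.push(t);
      failures.set(e.device, recent);
      if (recent.length === FAILURE_THRESHOLD) { // fire once when the threshold is reached
        alerts.push({ rule: 'auth-failures', device: e.device, count: recent.length, ts: e.ts });
      }
    }
  }
  return alerts;
}

console.log(analyze(SAMPLE_EVENTS)); // four alerts: new-device, geo-change, auth-failures, shared-device
```

The rules keep only small per-user and per-device state, which is the same shape a SIEM correlation engine maintains; what a product adds on top is the normalisation of many event sources into those fields and the tuning of the windows and thresholds, which here are fixed guesses.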
31. Copyright and Trademarks
© IBM Corporation 2012. All Rights Reserved.
IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
32. IBM Global Technology Services offers a broad set of complementary mobile capabilities
Client Initiatives and Services
Build mobile applications; Connect to, and run backend systems in support of mobile
• Mobile application development
• Mobile Application Platform Management
• Network (e.g. wi-fi, VPN)
• End-user and administration support
• Procurement, staging and kitting
Manage mobile devices and applications; Secure my mobile business
• Telecom Expense Management
• Mobile Security
• Mobile Device Management
• Mobile Application Management
Extend existing business capabilities to mobile devices; Transform the business by creating new opportunities
• Unified Communications Services
• Mobile Application Platform Management
• Strategy & Transformation
• Messaging, collaboration and social
33. www.ibm.com/software/rational
34. Daily iPod Touch giveaway
Complete your session surveys online each day at a conference kiosk or on your Innovate 2012 Portal!
Each day that you complete all of that day’s session surveys, your name will be entered to win the daily iPod touch!
On Wednesday be sure to complete your full conference evaluation to receive your free conference t-shirt!
35. Acknowledgements and disclaimers
Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries
in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for
informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant.
While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without
warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this
presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have
achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to,
nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
© Copyright IBM Corporation 2012. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and
services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these
and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate
U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or
common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
If you have mentioned trademarks that are not from IBM, please update and add the following lines:
[Insert any special third-party trademark names/attributions here]
Other company, product, or service names may be trademarks or service marks of others.
36. www.ibm.com/software/rational
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have
the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.