Post on 07-May-2018
transcript
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1
Mobile Device Management
David Roundtree, CISSP
Identity & Security
Public Sector | State & Local
Date: April 23, 2013
This document is for informational purposes. It is not a commitment to
deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. The development, release, and timing of any
features or functionality described in this document remains at the sole
discretion of Oracle. This document in any form, software or printed matter,
contains proprietary information that is the exclusive property of
Oracle. This document and information contained herein may not be
disclosed, copied, reproduced or distributed to anyone outside Oracle
without prior written consent of Oracle. This document is not part of your
license agreement nor can it be incorporated into any contractual
agreement with Oracle or its subsidiaries or affiliates.
Agenda
Today’s Security Challenges
2012 Data Breaches
Enterprise Mobility Challenges
Mobile Identity Management
Mobile Identity Standards
INSIDE OUT
SECURITY STEP BY STEP APPROACH
DEFENSE IN DEPTH
Business Transformation
Student Services, Citizen Services, Remote Mobile Workforce, Online Healthcare, Social Integration, Cloud Services
Most Significant in
California Dept of Child Support Services: Health & Finance records STOLEN (800k)
US Bureau of Justice Statistics: Sensitive DB Leaked (1.7GB)
State of South Carolina: Bank Account #s leaked (3.8M)
Attacks cost $$$$ in State Government (2012)
State of South Carolina Dept. of Revenue > Approximately 3.8 million Social Security
numbers, 387,000 credit and debit card numbers and 657,000 business tax filings were exposed in
a recent cyber-attack at the SC Department of Revenue. From http://www.sctax.org
STATE OF UTAH : DATA BREACH UTAH CTO TAKES THE FALL. RESIGNATION SOUGHT BY GOV. HERBERT AFTER BREACH EXPOSES DATA ON 280,000 MEDICAID RECIPIENTS!!!!
“The state has said it will offer free credit monitoring and
identity theft insurance coverage of up to $1 million for
victims of the breach.”
“Some analysts have held up the breach as a classic
example of the dangers weak or default passwords
controlling access to critical systems and
applications pose to enterprises.”
1. Brand Decline = Loss of trust from Citizens!
2. Regulatory Fines
3. Financial Loss
Mobile Devices in the Enterprise
• Employees, Citizens, Students, Vendors
…using mobile devices
Evolution of BYOD > Bring your own device
90% companies with mobile apps in 2014
62% will depend on social networking to connect with customers and prospects
Store passwords: 76%
Store passwords as: 10%
Source: Information Week, Aug 2011
Mobile Security is Beyond Device Management
46% of organizations that allow BYOD reported experiencing a data or security breach
50% of helpdesks struggle to keep up with mobile apps support
Source: Mobility Revolution Redux, March 2012
MOBILE SECURITY STARTS FROM INSIDE
Source: Trend Micro Survey, Feb 2012
58% Building corporate app stores
Source: Partnerpedia Survey, Aug 2011
Mobile Identity & Access Challenges
Developer
• Limited resources to support chatty clients
• No SSO across native mobile applications
• Challenging to secure access to data stored on legacy systems
• Risky to allow business transactions from untrusted devices
Guess: The cost of remediating a breach exceeds the cost of preventing a breach by… 10X
We need to start taking a proactive approach to security!!!
Identity Theft, Quality of Service, Data Security & Integrity, Regulatory Compliance
SS #s, Credit Card Info, Personal Profile, Denial of Service, Fraud, Collaboration, Privacy, PII, PCI, NIST Security Model, IRS 1075, HIPAA/HITECH
Demystifying Mobile Identity Management and Standards
Shujaat Ali
Principal Security Consultant
First Generation / Status Quo
Integration, Internal Users Only, Not Scalable, Proprietary, Maintenance, Point 2 Point, Fragmentation, Custom, Inflexible, Brittle, Rigid, Legacy, VPN Based, Hard Coded, Slow, Client Server, Expensive
EMPLOYEE OWNED DEVICES
LIMITED POWER & STORAGE
DESIGNED FOR WIRELESS & 3G
CHANGING MOBILE APPLICATION DEMANDS
NATIVE APP
REST
VPN DOES NOT SCALE
REST INTERFACES SIMPLIFIES MOBILE APPS
Stateful, Cross-network, Device Independent, Lower Energy Usage
Corporate DMZ | Corporate Network
Mobile Browser, Native Application, API Gateway, Webgate, Mobile and Social, Oracle Access Manager, Oracle Entitlements Server, Directory Services, Data Interfaces, OAM Protected Resource
CONTEXT AWARE AUTHENTICATION
Device Aware! Time Aware! Location Aware!
Device Fingerprint, Account Detail
PATIENT RECORD xxx xx x
OAUTH: REAL EXAMPLE CONNECTING COLLEGE TEST PREP STUDENTS
Login with Facebook or…
Name, College, Major, Minor, Graduation Date, Student Advisor, High School, Test Date
Submit
Better Experience
Single Point of Revocation
Blacklist Devices
Browser & OS statistics
Alerts
Location Risk
Access Trends
Mobile Interfaces
White Pages, GPS & WIFI Location, Device Registration, Device Tracking, KBA & OTP, User Registration, White\Black List
Access Management, Platform Security Services, Directory Services
Logo slide: Instagram, Google+, Facebook, Mixi, Renren, Tumblr, Twitter; Advertisements, Games, Curation, Social Marketing, URL Shorteners, Search Engine Optimization, Social Publishing, Gadgets, Promotions
Logo slide: Instagram, Google, Facebook, Yahoo!, Mixi, flickr, Verisign, WordPress, MyOpenID, MySpace, AOL
Logo slide: Dropbox, Evernote, Google, MySpace, TripIt, Yahoo!, OpenSocial, Netflix, Photobucket, Yammer, SmugMug, Vimeo, LinkedIn
THANK YOU FOR YOUR ATTENTION
Feel free to contact us at
David.Roundtree@oracle.com
Shujaat.Ali@oracle.com