© 2011 IBM Corporation, IBM CONFIDENTIAL
Security at the "edge of the enterprise"
Vishwanath Narayan, IBM Distinguished Engineer – SWG & ISL, CTO Industry Solutions Architecture
IBM Security Solutions
Mobile continues to drive explosive growth, creating new opportunity for IBM
[Chart: WW Mobile Applications Opportunity (Mobile Apps Growth), $ billions, 2010–2015, 66% CAGR; annotations: Mobile Devices Eclipse PCs, Mobile Apps Surpass Web. Source: IDC 2010]
[Chart: WW Mobile Infrastructure Opportunity (Mobile Infrastructure Growth), $ billions, 2010–2015, 20% CAGR; segments: Mobile Platform, Mobile Security, Device Management. Source: IDC 2010]
[Chart: US Mobile Commerce / Mobile Commerce Growth (US, EU, China) and Mobile Payments Growth; mobile payment transactions hit $670B by 2015. Source: Juniper Research 2011]
Our customers have identified mobile as a top priority for investment, innovation, and growth
Most important visionary plan elements of the next 3 to 5 years (interviewed CIOs could select as many as they wanted)

Plan element                            2011   2009
Business intelligence and analytics      83%    83%
Mobility solutions                       74%    68%
Virtualization                           68%    75%
Cloud computing                          60%    33%
Business process management              60%    64%
Risk management and compliance           58%    71%
Self-service portals                     57%    66%
Collaboration and social networking      55%    54%

Source: 2011 CIO Study, Q12: “Which visionary plans do you have to increase competitiveness over the next 3 to 5 years?” (n=3,018)
Why is Security a Board Room discussion?
• Increased threat landscape
• Regulatory and compliance pressure
• Additional motivations
• Growing complexity of malware
• Consumerization of IT
• Business continuity / new business model risk

Top Priorities for Security and Risk Leaders 2011
• Priority No. 1: Securing mobile devices within the organization
• Priority No. 2: Managing third-party security risks
• Priority No. 3: Proactive security across the organization
• Priority No. 4: Building an IT risk management program
• Priority No. 5: Security strategy, maturity and roadmaps
Source: 2010 Q4 Global Security And Risk Council Challenge Assessment Online Survey, Forrester Research
Key Discussion Points around Mobile Security & Management
Bring-your-own
– Corporate data protection
– Policy
– Which platforms/variants
– Extend to desktop
– Employees, non-exempt employees, consumers
Management
– Lockdown, patch, update
– Separation of employee/corporate data
– User experience
Application support
– Which apps/delivery
– Consumer
– Geo/mobility concerns
– Native/virtual
Additional complexities of identity, roles, multiple devices, content rights
Non-traditional endpoints
Motivation
Mobile phones run both enterprise and personal apps concurrently
– e.g., email client vs. YouTube
No guarantees on how enterprise data is used on the phone
– Could be leaked to personal apps, which then send it out of the phone
– Enterprise data could be modified by arbitrary applications
Motivation
Enterprise remote management
– Enterprises need to measure the integrity of their end devices for a variety of operations
  • Prevent rogue software from being installed
  • Before sending sensitive data
  • Ensuring remote management tasks such as remote wipe and remote lock are executed on the phone
Problem Statement
Develop a security framework that
– Prevents data leakage among enterprise and personal apps
– Is flexible enough to support different security policies
  • Selects available capabilities based on the current operating mode
– Enables remote measurement of platform integrity
Proposed Security Framework
Trusted Platform Module for Secure boot and Platform Integrity Attestation
Session Key for securing sensitive data
Privacy Enforcement Engine to prevent data leakage
Dynamic Policies for run time information flow control
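The Motivation, Problem Statement and Proposed Security Framework slides above describe the framework only at bullet level; the following added example (not IBM's code) models it as a TPM-style measurement chain whose attestation result selects the operating mode, plus a label-based run-time flow policy that uses that mode. The mode names, capability names, domain labels and the sample boot chain are assumptions of the example.

```python
# Added example, not IBM's code: a TPM-style measurement chain selects the
# operating mode, and a dynamic information-flow policy decides which flows
# between enterprise and personal apps that mode permits (names are assumed).
import hashlib
from dataclasses import dataclass

ENTERPRISE, PERSONAL = "enterprise", "personal"

# Capabilities the framework exposes per operating mode (assumed names).
MODE_CAPABILITIES = {
    "trusted": {"enterprise_read", "send_sensitive"},
    "unverified": {"enterprise_read"},  # not yet attested: local use only
    "compromised": set(),               # measurement mismatch: data locked
}

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str           # ENTERPRISE or PERSONAL
    remote: bool = False  # True for an enterprise server off the device

def extend_pcr(measurement_log):
    """TPM-style extend: pcr = H(pcr || H(component)) over the boot chain."""
    pcr = b"\x00" * 32
    for component in measurement_log:
        pcr = hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
    return pcr.hex()

def operating_mode(measurement_log, known_good_pcr):
    """The platform-integrity attestation result selects the operating mode."""
    if measurement_log is None:
        return "unverified"
    return "trusted" if extend_pcr(measurement_log) == known_good_pcr else "compromised"

def allow_flow(mode, label, src, dst):
    """May data carrying `label` flow from src to dst in this mode? -> (allowed, reason)"""
    caps = MODE_CAPABILITIES[mode]
    if label == ENTERPRISE:
        if "enterprise_read" not in caps:
            return False, f"enterprise data locked: device is {mode}"
        if dst.domain == PERSONAL:
            return False, "leak: enterprise data may not reach a personal app"
        if dst.remote and "send_sensitive" not in caps:
            return False, "integrity not attested: sensitive data not sent"
    elif src.domain == PERSONAL and dst.domain == ENTERPRISE:
        return False, "integrity: personal app may not modify enterprise data"
    return True, "allowed"

# Constructed sample boot chain and the known-good value the enterprise would hold.
GOOD_BOOT = [b"bootloader-v1", b"kernel-v1", b"mdm-agent-v1"]
KNOWN_GOOD_PCR = extend_pcr(GOOD_BOOT)
```

A device whose measured chain differs from the known-good value drops to the compromised mode, where every enterprise flow is refused; a device that has not yet attested may use enterprise data locally but cannot send it to the enterprise server.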
IBM Viewpoint - Mobile Security & Device Management
Device Platforms (30 device manufacturers, 10 operating platforms): iOS, Blackberry, Android, Windows Mobile, Symbian, others
Mobile Applications: mobile web, native mobile, hybrid mobile
Platform Extension (optional OS/application layer): virtualization, application container (sandboxing)

Mobile Security ($675M, 35.4% CAGR)*
– Mobile Identity & Access ($179.2M, 36.5% CAGR): authorize & authenticate, certificate mgmt., multi-factor
– Mobile Threat Management ($140.1M, 42.5% CAGR): anti-malware, anti-spyware, anti-spam, firewall / IPS, web filtering & web reputation
– Mobile IPC (Info Protection) ($190.2M, 28.1% CAGR): data encryption (device, file, app), mobile DLP
– Mobile VPN ($69.9M, 38.8% CAGR): Virtual Private Network (VPN) secure communications
– Mobile Device Security Management ($65.7M, 36.5% CAGR): device wipe, lockdown, password mgmt., config policy & compliance

Mobile Device Mgmt. ($433M, 32% CAGR, enterprise segment)*
– Acquire/Deploy: register, device activation, configure to policy, app/content mgmt., SW distribution
– Manage/Monitor: self-service portal, usage & quality monitoring/reporting
– Retire: migrate to new device, de-provision
Security is often the primary motivation for managing enterprise mobile devices
Many key mobile security capabilities are an extension of endpoint management

Secure Mobile App Dev. (app test/development): vulnerability testing, mobile app testing, enforced by tools, enterprise policies enforced

* 2011 projections: IDC WW Mobile Security, March 2011; IDC WW Mobile Device Mgmt. 2010
Mobile Security & Mobile Device Management Priorities
Alignment with IBM Security Strategy
Vendor characteristics by mobile security sector
– Mobile Device Mgmt. (MDM): competitive, diverse set of vendors including pure plays and vendors from adjacent segments
– Threat Mgmt.: dominated by major endpoint anti-malware vendors, plus some pure plays
– Info/Data Protection: dominated by major encryption vendors, native platform encryption or integrated in MDM
– VPN: mobile VPN specialists, major network players, integrated in MDM
– Identity & Access: fragmented multi-factor auth. vendors plus some integrated in MDM
1. Mobile Device Management (MDM) is the top mobile security priority, given client priorities and observed adoption models.
2. Focus on enterprise customer opportunities, given IBM segment permission, capabilities and ecosystem.
IBM POV Discussion Point: Mobile Footprint
Enterprise Security Infrastructure & Management, across device platforms: mobile device security mgmt., mobile access mgmt., mobile threat mgmt., mobile data protection, secure mobile app dev.
Securing Mobile Applications (secured and constrained application container): mobile access mgmt., secure mobile app dev., mobile device security mgmt., mobile threat mgmt., mobile data protection

Client-side container-based approach
• Rich, granular security controls: app-specific wipe, encryption, etc.
• Can address all mobile platforms: iOS, Android, BB, etc.
• Strongly tied to a mobile application platform
• Works well for B2E, but likely an issue for B2C
• E.g., Good Technology

Client-side configuration-based approach
• Flexibility to work with many mobile app platforms
• Works for B2E and B2C scenarios
• Dependency on mobile platform capabilities, e.g., device wipe, encryption, etc.
• E.g., MobileIron
Platform diversity & impact - Understanding mobile platforms and associated challenges
Diverse platforms
Device platforms are very diverse in their native capabilities, and some are proprietary.
Strict licensing terms
Developing apps, or using their device management APIs, is subject to severe licensing terms. These restrictions, such as application sandboxing and strict licensing terms (Apple in particular), cause challenges in building rich management/security applications.
Programming models
Proprietary programming models across platforms are barriers to building a cross-platform “container”, and may be tied to a specific Mobile Application Platform (MAP).
Adoption motivation
Enterprise e-mail is still the main motivation for mobile adoption. Increasingly, enterprise mobile applications (web, native, hybrid) are being deployed.
Future?
Going forward, fragmented approaches will likely continue. For multi-vendor solutions, evolution of standards across key vendors (iOS, Android, BB, ..) would simplify management and security, but is not imminent and may be a long shot.
We need to prepare for working with multiple diverse platforms for the foreseeable future in mobile device management and mobile security.
Mobile Endpoint Management Strategy
Deliver a unified management solution for all IP-enabled enterprise devices
[Diagram: TEM Management Server, TEM Relays and Proxy agent delivering Fixlets to desktops/laptops/servers, mobile devices, purpose-specific devices and network devices (enterprise device management)]

Mobile Device Mgmt. (* = iterative beta starting Q3 2011): device wipe *, location info *, jailbreak/root detection *, enterprise app store *, self-service portal *, device inventory *, security policy mgmt. *, application mgmt. *, device config (VPN/email/Wi-Fi) *, encryption mgmt. *, roaming device support *, integration with internal systems *, scalable/secure solution *, easy-to-deploy *, multiple OS support *, consolidated infrastructure *
Traditional Endpoint Mgmt. (available in Tivoli Endpoint Manager today): OS provisioning, patching, power mgmt., anti-virus mgmt.

Technical strategy: allows for management of mobile device management use cases and purpose-specific endpoints.
Also allows for integration with 3rd-party technologies (e.g., MobileIron, VMware ESXi, iPhones, etc.)
Technology of interest - Virtualization technology & mobile endpoints background
Virtualization for mobile devices is an enabling technology that offers a variety of potential benefits, if properly leveraged and integrated
Effective leveraging of virtualization for mobile devices will require cooperation and support from multiple constituent groups
– Device manufacturers, chipset manufacturers, service providers, high-level OS vendors, enterprises, end users
There are already at least four or five different virtualization techniques/approaches for mobile devices (phones, smartphones, tablets), with different benefits and challenges
– Hardware-level virtualization, OS-level virtualization, virtualized ‘desktop’
Some circumstances in the mobile space are very different from the Intel PC/server market, and those differences should be explored and analyzed to fully understand whether there are similar opportunities for mobile devices
Current IBM Mobile Security & Device Management - Actions
IBM Software capabilities in mobile security management
– Tivoli: Tivoli Endpoint Manager (BigFix) capabilities, using an iterative development approach, partnering with clients
– WebSphere: WAS Feature Pack for Web 2.0 and Mobile
– Tivoli + Lotus: prototypes with the Tivoli ISS Network Security appliance and mobile VPN to control device access to enterprises, and IBM Tivoli Access Manager to handle risk-based authentication
IBM CIO Office
– Objective: deliver endpoint security management across workstation and mobile endpoints in a comprehensive and cost-effective manner
– Policy changes to protect IBM data on mobile devices
– Piloting of security technology to enable w3/internal access for iOS devices
– Android pilot that meets all security requirements for IBM Confidential data underway
IBM Mobile Security Services Offerings
– An end-to-end mobile security solution designed to implement and maintain policy-based mobile security for both corporate-issued and end-user-procured mobile devices, to protect corporate assets from unauthorized access
– Offering: solution design and implementation; multi-tenant, cloud-based solution; 24x7 management and support at two service levels
Moving forward, IBM will leverage the breadth of our capabilities to deliver mobile infrastructure capabilities
[Diagram: Enterprise Mobile Infrastructure: Devices; Mobile Foundation Platform (Mobile Device Mgmt., SOA & Connectivity, Data Cache & Scale, Application Lifecycle Management); Back End (Enterprise Applications); End-to-End Security & Privacy; Mobile Applications ($8.6B, 66% CAGR)]
Gartner “Rule of 3”: mobile middleware delivers significant advantages when any of the following are true:
• There are 3 or more mobile applications
• There are 3 or more targeted operating systems or platforms
• They involve the integration of 3 or more back-end systems
Ongoing activities and offerings - overview
Mobile Device Security Management
• Extending Tivoli Endpoint Manager (TEM) to support mobile. Planned beta in Sept 2011, and GA in 1Q2012
• Incubation project in progress to help explore an innovative approach to selective wipe, and to help accelerate product plans
Mobile Threat Management
• GTS’s Mobile Security Offerings include capabilities in this area, in partnership with Juniper
Mobile Information Protection
• Selective data wipe and data segregation is a key requirement; TEM efforts start to address this space; data tagging and classification approach being explored
• Device-level or mail encryption. Mail encryption using Lotus Traveler in place. For other data, more work to be done; potential to use MAP
Mobile VPN
• Lotus Mobile Connect provides capability in this space, as part of Lotus
• In roadmap for Tivoli Next-Gen Firewall: integrating Mobile Connect into the appliance. Initial prototype implementation completed
Mobile Identity & Access Management
• Current IAM portfolio applicable to the mobile context, and enforcement for HTTP traffic over mobile
• Prototype efforts in progress to look at multi-factor authentication, and adjacency to risk-based authentication/authorization efforts as part of the Tivoli IAM portfolio, and WebSphere’s MAP efforts
• Research and incubation projects in progress, working with clients
Secure Mobile Application Development
• Adjacency to Rational’s strategy around mobile application testing
* Mobile virtualization is an emerging area and is being explored.
Mobile Security WG in SAB: driving technical point of view and approach around mobile security