HUAWEI TECHNOLOGIES CO., LTD. Huawei BYOD Security Solution

Transcription

1 HUAWEI TECHNOLOGIES CO., LTD. Huawei BYOD Security Solution

2 Huawei BYOD Security Solution 1

3 Overview In 2012, about 20% of enterprise employees bring their own iphones, ipads, or Android phones into offices for related work activities. As IT consumerization drives a new fashion with Bring Your Own Device (BYOD), Anydevice is gaining real freedom. Today, BYOD is no longer a trend but is overwhelmingly changing people's working mode as a mandatory supplementary office means. BYOD enables people to have more time scraps to receive and send s, track sales opportunities, and push forward enterprise information management, so that customers' contact interface tend to be more de-layered to improve decision-making efficiency and quicken response. The openness of BYOD, however, may easily introduce numerous security or management risks. Are you ready to greet challenges from BYOD? Trends and Challenges BYOD further extends the boundaries of an enterprise office environment, enabling people to work on the same mobile device or download desired games from application stores. As people switch between enterprise office applications and personal applications in an instant, the boundaries between personal applications and enterprise applications become increasingly ambiguous. To most enterprises, it is impracticable to simply deny BYOD's access to enterprise applications. Young employees, born in an era of IT popularization, are not strange to mobile information technologies but urgently hope for employers to offer BYOD support. This requirement is driving enterprises to make changes and adapt to updates of BYOD. On the other hand, however, BYOD brings a huge number of issues, just like the tip of an iceberg, where huge risks are concealed beneath the sea surface. The smart and open mobile platform that comes with BYOD turns mobile terminals into new security vulnerabilities, which may easily incur a variety of problems, such as malicious code intrusion, mixing of personal and enterprise applications, data disclosure, and heterogeneous multi-platform management. All these pose great challenges to enterprises in terms of IT management. First, the IT department of an enterprise will detect that the corporate IT policy and configuration rules conflict with consumable applications and related settings. Specifically, security policies and management technologies based on traditional PCs can hardly be transplanted to mobile devices, especially those personal devices that are not owned and controlled by the enterprise. In this case, the enterprise needs to create a strategy especially for BYOD, including policy definitions and new management methods. The first step is to determine what mobile devices are permitted and what resources are accessible to these mobile devices, so that the first gate is properly built for security management and control. Second, BYOD devices access enterprise information by browsing web pages, downloading applications, and receiving or sending s. The enterprise information is not protected at all. Furthermore, smart mobile devices integrate the functions and features of PCs, and may cause the same application to more easily suffer from malicious attacks. Today, mobile devices incur more than two million types of malicious software, 30% of which are Trojan Horse programs exercising remote control to steal privacy and sensitive data. Mobile devices have already become a new bed of roses for new security risks along with the misuse of root rights and the application of hacker technologies. According to 71% of the interviewees, mobile devices, especially Android devices, are a top factor accountable for security incidents. Third, transplanting the applications of an enterprise to diversified mobile devices is no doubt another nightmare of its IT department. Then how can an enterprise simply and efficiently migrate its businesses to and deploy enterprise businesses in a mobile environment to avoid the high cost incurred by complex independent development, rapidly create value, and help the IT department to stand firm in a complex mobile environment? This undoubtedly poses a great challenge to today's enterprises. 2

4 Fourth, as mobile applications are being rapidly developed and put into use, an enterprise will face a lack of means to manage these applications. If employees can download and install consumable applications on devices as they wish, system reliability will be threatened and new security risks will be introduced, causing enterprise data loss or device malfunction. Finally, mobile devices are small and may be easily lost or stolen. Statistics show that plenty of customer data, including sensitive customer information and sensitive enterprise data, is stored on mobile devices for 47% of interviewed enterprises. Device loss does not merely mean the disclosure and loss of sensitive commercial information, but may incur risks for an enterprise in terms of law compliance. Overview of Huawei BYOD Security Solution To resolve the conflict between personal requirements of enterprise employees and the policy of an enterprise, Huawei developed an effective tradeoff solution, so that employees enjoy more freedom to select devices. Employees can conveniently access the internal corporate network using any device at any time and any place, and run internal applications without compromising the corporate security policy at all. Huawei is dedicated to providing customers with end-to-end (E2E) mobile security management and flexible application release capability. Huawei BYOD security solution provides total protection for mobile offices in five dimensions (mobile terminal security, network transmission security, application security, sensitive data security, and security management), aiming to help enterprises attain an optimal tradeoff between the high efficiency of BYOD and information security. Furthermore, Huawei has developed a simple platform which can migrate applications to mobile devices to deal with the increasingly complex mobile environment. This platform features high expansibility and helps better control costs, so that enterprises are even more competitive in globalized businesses. Architecture and Key Components Essentially three issues, Identity, Privacy, and Compliance, need to be addressed in mobile security and management. Huawei BYOD security solution provides security that is mostly common in the industry and the simplest and easiest management approach for enterprise customers while centering around the three issues. Terminal side Access side DMZ Intranet Office-based WiFi Security Application management distribution Assets IT services management UI design Application compilation Application integration Application release and maintenance LDAP NonOffice-based SSL Access switch SACG Device interface Development platform Business object Workflow Supporting platform Application interface Mobile security client AnyOffice 2G/GPRS/3G Pubilic WiFi Firewall VPN Unified policy management platform (including MDM) Firewall MEAP server OA and other servers AnyOffice security platform Identity Privacy Compliance Authentication Application Access control Link security Threat defense Data protection and authorization security Management security Mobile strong Mobile NAC SSL or UDP DDoS Mobile sandbox Application Security management authentication tunnel encryption Web VPN L3 VPN Network antivirus Network IDS/IPS Web/ ; DLP Anti-theft monitoring Application management Assets management IT services 3 1. Smart Mobile Access Client AnyOffice Huawei BYOD security solution provides a unified secure mobile client known as the AnyOffice client. As a simple mobile client, the AnyOffice client provides unique interaction interfaces between users, networks, and applications. It enables management and maintenance to be much easier.

5 The AnyOffice client is also a secure mobile office workspace, which integrates a series of applications, such as a secure sandbox, secure client, secure browser, mobile device management (MDM) software, Layer 3 virtual private network (L3 VPN) client, and virtual desktop on only one agent to meet universal mobile office requirements, enabling employees to access the internal corporate network securely, conveniently, and efficiently. Furthermore, the AnyOffice client is context-aware and can work with a security access control gateway (SACG) and an SVN SSL VPN gateway on the network side to attain the following objectives: Intelligent detection of users on the internal corporate network and external networks Application security policies for seamless handover Consistent user experience 2. Consistent Network Access Control* In Huawei BYOD security solution, the SACG is a dedicated access control gateway developed based on a Huawei carrier-class firewall hardware platform. It has the following features: Cooperates with the AnyOffice client and an admission control server to provide unified network access control and guarantee consistent policy enforcement in different environments, such as corporate LANs, WLANs, or remote access environments. Attains security policy compliance and controls device access based on identity authentication and the security states of devices, ensuring that only secure, authorized, and legitimate users access the enterprise network from appropriate terminals. Furthermore, Huawei BYOD security solution provides two optional network admission control means, 802.1x switches and software firewalls, for flexible access in various scenarios. 3. Secure Remote VPN Access The SVN2000 or SVN5000 series SSL VPN gateway is based on a Huawei high-reliability hardware platform and a dedicated real-time operating system. It has the following features: Provides industry-leading system performance, security, and reliability. Offers a flexible, secure, and controllable E2E link encryption mechanism for users. Protects security during remote VPN access. 4. Carrier-Class Mobile Threat Defense Huawei carrier-class high-reliability USG series firewalls can be deployed on enterprise network borders to comprehensively defend the network against security threats. While integrating the cutting-edge intrusion prevention and antivirus technologies of Symantec, and an industry-leading deep packet inspection (DPI) technology, the USG series firewalls provide professional content security protection capability, including network antivirus (AV) function, intrusion prevention system (IPS), distributed denial of service (DDoS), and content filtering. 5. Unified Security Policy Management* Huawei BYOD security solution provides a unified security policy management mechanism to exercise unified security policies inside the entire organization. It applies different policies based on different user roles, device types, locations, time periods, and areas, ensuring that secure access is controlled at a fine granularity for enterprise applications at various sensitivity levels. The solution also provides a unified and intuitive security policy management platform to effectively reduce management complexity and save IT manpower inputs. 6. Simple Platform for Releasing Mobile Enterprise Applications As mentioned previously, mobile applications of enterprises can hardly be transplanted and released. Huawei provides an industry-leading mobile enterprise application platform (MEAP) to smoothly migrate enterprise applications. It has the following features: Provides a simple integrated development environment (IDE). Supports HTML5, native, and hybrid applications, which can be developed in one step and released time and again across the platform, obviously reducing development complexity and saving costs for enterprises. 4

6 5 5

7 Highlights of the Solution I C compliance Device management throughout the entire lifecycle Identity Unified network access control P Privacy complete data security and threat defense Identity Unified Network Access Control 1. Context-Aware Network Access Control The solution provides fine-granularity access control policies based on context awareness (What device, Who, Where, When, and How). The IT department can configure multiple policy templates for a user role on the unified policy management platform, and uniformly distribute these templates to the AnyOffice client. The AnyOffice client, which is context-aware, intelligently starts a security module which mates with the device environment and works with the SVN VPN gateway, SACG, or 802.1x switch to precisely control network access. A user can freely and remotely access the enterprise network from a coffee shop, airport, or branch office. The SVN device transparently switches the user's session from the SVN device to the SACG. This process is completely transparent to the user. The AnyOffice client can shield all complex network connections, enabling users to gain the simplest but seamless access experience. 2. Unified Security Policy Management* The unified policy management platform guarantees a unified policy source to ensure consistent security policies on the entire network and compliance with enterprise security policies at ease. It really enables any person to access internal corporate resources freely without borders by using any authorized physical device (such as a laptop, smartphone, or pad) or virtual device from any place and through any network (such as a wired, wireless, or remote network). The management platform provides simple and easy-to-use management UIs to attain the total visibility and controllability of mobile devices while improving the work efficiency of the IT department. Privacy Complete Data Security and Threat Defense 1. E2E Data Leakage Prevention Data security on the device side: The AnyOffice client creates a security zone where personal applications are isolated from enterprise applications on the same mobile device by applying an innovative sandbox technology. The security zone eliminates numerous risks, such as data disclosure and virus infection incurred when personal applications or data are mixed with enterprise applications or data. It helps attain a tradeoff between personal requirements and enterprise policy enforcement. When a user logs in to the AnyOffice client, all enterprise business transactions will be processed within an enclosed secure environment separately from personal applications. Data, once created, is stored in a secure isolated zone at the very beginning and protected through encryption. The AnyOffice client process acts as an operating system kernel and performs the following functions: Monitors the behaviors of enterprise applications. Prevents personal applications from accessing enterprise applications. Blocks data behaviors such as copying, pruning, and pasting between personal applications and enterprise applications. Disables or enables application downloading or uploading based on a preset policy. Wipes temporary files and data without leaving any trace during application de-registration to further reduce the data disclosure risk. 6

8 Personal applications Enterprise applications OA CRM Personal data Enterprise data Create Run De-register Mandatory isolation Encrypted storage Behavior monlitoring Clearance uponxit Security of data transmission: In terms of data transmission, the SVN SSL VPN gateway provides intensive L3 VPN or Layer 4 virtual private network (L4 VPN) transmission based on data encryption to guarantee data confidentiality and security, and to prevent malicious data sniffing or tampering. Data security on the server side: Mobile devices are small and may be easily lost or stolen. There are innumerable reports about data disclosure incidents arising from device loss or stealing every year. Huawei BYOD security solution provides powerful anti-theft functions, such as remote locking, remote data wipe, and data backup and restoration through interaction with a backend management system. These anti-theft functions, plus other features such as global positioning system (GPS) and automatic alarms, ensure that data is not disclosed even when devices are lost. 2. Mobile Application Security Secure Browser As enterprise applications such as conference systems, attendance management systems, document inquiry systems, and customer relationship management (CRM) systems are deployed in a web manner, the time is calling for a unified browser to access these internal applications. A secure browser can automatically adjust the layout of web pages according to the resolution of the terminal screen to bring smooth and consistent access experience to users. A secure browser also provides crucial security protection capability. First, the secure browser, which is based on a sandbox module of the AnyOffice client, can isolate personal applications and control users' access behavior to enterprise B/S applications. Second, the secure browser provides the L4 VPN function, which enables users to smoothly access enterprise websites without installing or enabling any other VPN dial-up software on terminals. Third, the secure browser supports traceless browsing. When exiting the secure browser, a user can clear temporary files, cookies, and the browsing history without leaving any access trace. The secure browser can also provide intensive encrypted protection for files and data locally stored. Finally, the secure browser supports the black list function to effectively prevent phishing and malicious software intrusion. Secure Push Mail services are the earliest mobile office application. Standard transfer protocols, such as the Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), and Internet Message Access Protocol Version 4 (IMAP4), can run on a secure client. The secure client can also push s in real time to enable real-time processing in the era of Now Economy. The secure Push Mail provides powerful security features to reduce the risks of data disclosure and virus infection that may come with mobile s. It supports the L4 VPN technology for automatic data encryption during transmission to prevent malicious interception or tampering. The secure Push Mail encrypts s by using an intensive encryption algorithm on terminals before s are stored, and keys are dynamically obtained but not locally stored. Furthermore, the secure Push Mail supports abundant security control policies, including whether to permit forwarding, download attachments, upload attachments, and browse attachments online. The IT department can deliver different control policies based on different roles of employees. 7

9 3. Carrier-Class Mobile Threat Defense on the Network Side Huawei carrier-class high-reliability USG series firewalls can be deployed on enterprise network borders to comprehensively defend the network against security threats in the following three scenarios: Defense against threats from the Internet to the mobile platform: The defense means include preventing DDoS attacks, defending against unauthorized access, defending against hacker springboard invasion, preventing virus infection, guarding against Trojan Horse spreading, and filtering malicious s. Defense against threats from mobile devices to servers in an LAN: The defense means include defending against unauthorized access to internal servers, defending against malicious invasion from employees, preventing virus infection, and guarding against Trojan Horse spreading. Defense against information disclosure from mobile office terminals to the Internet: The defense means include defending against unauthorized uniform resource locator (URL) access, preventing access to malicious web pages, filtering web pages, and filtering the body or attachments. Compliance Lifecycle-based Mobile Device Management Deploy Retire Device lifecycle Retire Run 1. Acquire Huawei BYOD security solution complies with the IT infrastructure library (ITIL) assets management specification. It supports assets discovery and registration of standard corporate devices and BYOD devices, and password initialization. Huawei BYOD security solution also provides custom templates for end user agreements. 2. Deploy Before deploying a mobile office solution, an enterprise must guarantee its mobile devices security compliance. In Huawei BYOD security solution, the host firewalls, VPNs, and Wi-Fi modules of mobile devices can be securely configured, and security policies can be delivered to them. Huawei BYOD security solution supports the enforcement of enterprise security policies. Securely distributing mobile applications is a core issue for consideration during mobile office deployment. Huawei BYOD security solution integrates an enterprise application store to securely and remotely distribute, install, and configure mobile enterprise applications. Furthermore, the enterprise can define application white list and black list policies based on user roles to ensure that right persons access right applications and data. Finally, Huawei BYOD security solution provides an application signature verification feature and the anti-uninstall of resident services to ensure that authorized applications are not maliciously tampered or uninstalled, so that an integral application environment is maintained on mobile terminals. 3. Run The focus should be on the security of applications and data in the running phase. Huawei BYOD security solution provides the following features to protect the security of data on mobile terminals: 8

10 Password policies Jailbreak detection and isolation Controlling peripheral disclosure channels, such as SIM cards, SD storage cards, cameras, Bluetooth, Wi-Fi, USB, GPS, and recorders As mobile devices may be easily lost, Huawei BYOD security solution provides the following functions to deal with device loss: Encryption of key data of enterprises Remote backup, recovery, and synchronization Remote locking Data wipe Furthermore, the IT department can consolidate application security through remote upgrade and patching. In the backend management system, the IT department can query and audit a list of all mobile devices and the status of each mobile device, such as the device model, operating system type, and operating system version. The IT department can output an assets audit report after auditing the mobile devices. Alleviating the pressure on IT infrastructure is an important indicator of whether a mobile office solution is successful. Huawei BYOD security solution supports a friendly and easy-to-use self-help portal, through which employees can perform the following common operations: Registration Password resetting Loss reporting Locking Data backup and restoration Remote data wipe Therefore, Huawei BYOD security solution can greatly alleviate the pressure on IT support personnel. Huawei BYOD security solution also integrates a centralized management console, which supports even more complex management functions, such as message pushing and fault locating. The application programming interface (API) on the console supports integration with the existing help desk systems of enterprises to further improve support service efficiency. 4. Retire If an employee quits from the enterprise or a device is lost, the IT department may first uninstall remaining applications from the device, then wipe data, and finally de-register the device to prevent data disclosure. If the device is a standard device of the enterprise, the IT department can re-register and re-bind the retired device, and deploy security polices and applications on the device later when necessary. 5. Flexible Application Release Enterprises may find it hard to develop mobile applications due to the diversification of mobile devices and the complexity of enterprise applications. To relieve this headache, Huawei provides a centralized MEAP, which allows centralized adaptation and interconnection between mobile terminals and enterprise applications, and therefore improves system expansibility. Huawei MEAP has the following features: Supports HTML5 and native applications. Supports hybrid application development and deployment, where native applications serve as containers and HTML5 serve as UIs. Provides an IDE where auxiliary service logic design modules are embedded to reduce the number of codes. Supports one-off application development and application release across multiple platforms to help reduce development complexity and shorten the go-live time of applications. In the design and development phase, enterprises can design abundant embedded security features, such as secure sockets layer (SSL), single sign-on (SSO), and MDM, in mobile applications. These security features can be associated with one another to consolidate application security. Huawei MEAP supports a development process that threads through the entire lifecycle of applications. The process consists of design, development, testing, deployment, and maintenance phases, ensuring that application development activities are continuously and efficiently performed. 9

11 Selecting Huawei Huawei provides a market-leading BYOD security solution for enterprises and industrial customers. BYOD mobile services involve terminal devices, bottom-layer firmware, system software, and application middleware. They form an integrated ecological chain and place an emphasis on the integration of the upstream and downstream. Renowned for an open mind, Huawei is able to closely cooperate with mobile original equipment manufacturers (OEMs), integrators, mobile or wireless operators, and the other members of the ecological system to quicken steps in bringing into reality the particular value and features of the BYOD security solution. While providing deep security control for devices and applications, Huawei BYOD security solution offers a good choice for enterprises to exercise simple but efficient security management. It emancipates enterprises from worrying about mobile service deployment and helps enterprises improve the return on investment (ROI). Huawei BYOD security solution enables you to: Create a secure zone where an enterprise environment and a personal environment are isolated from each other, helping to attain an optimal tradeoff between security and efficiency for BYOD. Provide E2E ability to guard against the disclosure of sensitive data while data is at a standstill, in motion, being used, or being stored. Provide an industry-leading, consistent, and secure access means for ubiquitous endpoints, and a unified security policy management platform*. Exercise deep security management and control of devices and applications. Provide lifecycle-based mobile device management and a complete security management process covering Acquire, Deploy, Run, and Retire phases. Supported Client Platforms Device Platform Version iphone 3G/3Gs iphone 4/4s ipad Android (such as Huawei and Samsung) ios or above ios 4.0 or above ios or above Android 2.2 or above Windows XP, Vista, Windows 7 Windows Phone Windows Phone 8* * indicates a feature to be supported by later versions of Huawei BYOD security solution. 10

12 Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. HUAWEI TECHNOLOGIES CO., LTD. Huawei Industrial Base Bantian Longgang Shenzhen , P.R. China Tel: Version No.: M C-1.0