Big Data Driven Security for BYOD. Photo by Marc_Smith - Creative Commons Attribution License



1 Big Data Driven Security for BYOD Photo by Marc_Smith - Creative Commons Attribution License Created with Haiku Deck

2 TABLE OF CONTENTS
Securing Data in Motion; Securing Data at Rest; Big Data Driven Security; Conclusion

3 WORKSPOT UNDERSTANDS END USER COMPUTING
Amitabh Sinha, CEO (GM XenApp/XenDesktop, Citrix); Puneet Chawla, CTO (Founding Engineer, VMware View)
Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

4 WORKSPOT LEVERAGES EXISTING INFRASTRUCTURE
Workspot leverages your existing VPN appliance (supports Cisco, Juniper, F5, and SonicWall). Supports the AD+RSA authentication mechanism. Supports all internal SSO providers, including CA SiteMinder and Oracle IdP. Supports cloud identity integration: Okta, Ping Identity, and SAML 2.0 vendors.
(Diagram labels: Terminal Server, VPN, SSO, Windows Apps, Web Apps, AD, CIFS, SharePoint, Native Apps)

5 WORKSPOT IS 100% CLOUD
Pilot in minutes; multi-tenant architecture; always up to date (6-8 updates annually); on-demand scalability (power of AWS).

6 CONTROL VS. DATA SEPARATION
Workspot Control has been architected as a control plane. When the user performs workflows on the device using Workspot, all data flows directly between the client and the business applications (e.g., Exchange, SharePoint). If the applications are behind the firewall, the traffic goes back to the corporate network; if the applications are external, the traffic goes directly to the external application. Separation between the control and data planes is critical for a number of reasons:
Security: Data flows directly between the client and the applications; it does not flow through our control service.
Availability: Since Workspot is not in the data path, the availability of applications is independent of the availability of our service.
Performance: Since we are not in the data path, there is nothing to impede the end user experience.

7 SECURE, CROSS-PLATFORM ARCHITECTURE
Unified Workspace components: Web Apps (HTML(5) Engine); Document Viewers (encrypted file system (AES-256) and built-in document viewers for common formats); Windows Apps (RDP Client); Context Agent; Virtual File System; Network Drives (CIFS Client); built-in VPN for Cisco, Juniper, F5, and SonicWall; built-in Single Sign-On for NTLM/Kerberos/CA SiteMinder/Oracle IdP/SAML 2.0; runs on iOS/Android/Windows/macOS.

8 WORKSPOT PROTECTS DATA IN MOTION
Full L4-7 control; custom HTTP stack with OpenSSL; VPN termination to any SSL VPN appliance (we support Cisco, Juniper, SonicWall, and F5); Workspot-level VPN only (Workspot is on the corporate network); control over URL blacklist/whitelist.
(Architecture diagram as on slide 7.)

9 WORKSPOT PROTECTS DATA AT REST
Secure container on an unmanaged device. All enterprise assets are fully encrypted in memory before touching the file system.
Multi-level encryption: each file is encrypted using its own key; each key is encrypted using a master key; the master key is encrypted using a PIN, which is not stored. FIPS-validated AES-256.
(Architecture diagram as on slide 7.)

10 DATA RETENTION POLICY
We store the following information in Workspot Control:
Configuration: We store configuration information about the VPN, e.g., public URL address, whether it uses RSA or not.
User Configuration: First name, last name, address, etc.
Application Configuration: Application URLs, whether or not it is behind the firewall, etc.
Performance Data: For each network access, we store the amount of time it took to fetch a response from the application (e.g., SharePoint), the device used (e.g., iPad 3), the network used (e.g., AT&T), and the location (e.g., California).
Activity Data: We track different kinds of activity on the device, e.g., Open/Close Workspot, Open/Close Application (e.g., SAP), Open/Close Document, and View/Print Page of Document. All activity data is anonymized.
Our current policy is to retain this data for a period of one year.

11 WORKSPOT POLICY ENGINE
Network & Security Policies: trusted WLAN networks; whitelisted and blacklisted addresses; single sign-on behavior; passcode length and complexity; offline data retention; RSA token usage; VPN configuration.
Workspot Control policies are applied per App/User/Geo/Device.

12 PROTECTION BEGINS BEFORE WORKSPOT IS LAUNCHED
Device Posture Check: As soon as the Workspot Client is started, it conducts a posture check to determine whether the device has been jailbroken. An evolving set of checks to verify supported versions and platforms is performed, and only when the device is determined to be secure is the Workspot Client launched.
Secure Offline Access with PIN: When a user taps the Workspot Client on their device, they are prompted for a PIN. The PIN is validated against the client master secret (CMS): if the CMS can be decrypted, the PIN is deemed valid; otherwise the PIN is invalid. The Workspot Client allows up to 5 invalid PIN entries, after which it wipes all the data on the device.
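The key hierarchy from slide 9 and the PIN validation from slide 12, as an added example that is not Workspot's code: per-file keys wrapped by a master key, the master key wrapped by a PIN-derived key (the CMS), a PIN judged valid only when the CMS decrypts with a good authentication tag, and a wipe after five failures. The deck says AES-256; to run stdlib-only this block substitutes an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (an assumption, not the product's cipher), and derives the PIN key with PBKDF2 so that only a salt is stored.

```python
import hashlib
import hmac
import os

def pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)  # only the salt is stored

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream: an assumed stand-in for the deck's AES-256, stdlib-only
    enc = hmac.new(key, b"enc", "sha256").digest()
    ks = b"".join(hmac.new(enc, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(hmac.new(key, b"mac", "sha256").digest(), nonce + ct, "sha256").digest()

def seal(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor(key, nonce, pt)
    return nonce + ct + _tag(key, nonce, ct)  # encrypt-then-MAC: nonce || ciphertext || tag

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        return None  # wrong key: this tag failure is exactly what makes a PIN "invalid"
    return _xor(key, nonce, ct)

class Container:
    def __init__(self, pin: str):
        self.salt, self._master = os.urandom(16), os.urandom(32)
        self.cms = seal(pin_key(pin, self.salt), self._master)  # client master secret (CMS)
        self.files, self.failed = {}, 0

    def add_file(self, name: str, data: bytes) -> None:
        fk = os.urandom(32)  # one key per file; the file key is wrapped under the master key
        self.files[name] = (seal(self._master, fk), seal(fk, data))

    def unlock(self, pin: str) -> bool:
        master = None if self.cms is None else unseal(pin_key(pin, self.salt), self.cms)
        if master is not None:
            self._master, self.failed = master, 0
            return True
        self.failed += 1
        if self.failed >= 5:  # the deck's limit: wipe keys and documents, nothing left to guess against
            self.salt = self.cms = self._master = None
            self.files.clear()
        return False

    def read_file(self, name: str):
        if self._master is None or name not in self.files:
            return None
        fk = unseal(self._master, self.files[name][0])
        return None if fk is None else unseal(fk, self.files[name][1])
```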

13 REAL-TIME PROTECTION
Remote Wipe: Workspot Control also gives IT the capability to remotely wipe any data inside the Workspot Client, including documents, cached objects and cookies. Data outside the Workspot Client is unaffected by the remote wipe operation.
Whitelist/Blacklist: IT can also control which sites the user can and cannot visit from inside the Workspot Client by configuring the blacklist/whitelist. We also enable dynamic blacklisting of known malicious URLs.

14 EMBEDDED DOCUMENT VIEWERS When an end user downloads a document inside the Workspot application, it is encrypted in-flight. The file system remains in an encrypted state even when the end user is within the container. Only when the end user wants to view a document, for example an Adobe Acrobat document, does the Workspot Client decrypt the selected document and present it inside a viewer that is embedded within Workspot. We have tuned the embedded viewers for the best possible rendering experience. Documents are more secure, because the documents stay within the Workspot Client. As soon as the end user finishes viewing the document and closes the viewer, the document is restored to its encrypted state on the device. For large documents, we only decrypt the pages of the document that are currently being viewed.

15 MOBILE SECURITY NEEDS RISK MANAGEMENT
Security must be comprehensive to meet IT requirements: device, network, application, data; all of the above.
Security must be balanced with convenience to make end users productive.
Big Data Context Driven Risk Management can help achieve that balance, e.g., as it does for credit cards.

16 KEY TO RISK MANAGEMENT IS CONTEXT
What is context? Context is who is doing what, when, and from where. For example, user Adam downloaded a document at 9:00 PM from California. Or Adam took 12 seconds to access the SharePoint application from an iPhone in Chicago. Context can help you better secure your data and understand and improve the real user experience for your employees.
Context enables compliance, discoverability, and auditability. Look for a solution that will help you prove you know what end users are doing with corporate data on the device. For example, you should know which files users are downloading, or which apps they are accessing and from where.

17 CLOUD ARCHITECTURE ENABLES CONTEXT
The container is highly instrumented: it collects context (who/what/when/where/how fast) in real time and uploads it to Workspot Control when network conditions permit.
(Architecture diagram as on slide 7.)

18 WORKSPOT COLLECTS GRANULAR CONTEXT
Business benefits: discoverability, compliance, and auditing. Can be integrated with existing SIEM systems, e.g., Splunk.

19 INTEGRATION WITH SPLUNK
Download the Splunk application from Workspot Control. Simple integration between Splunk and Workspot with security keys.

20 WHY ADAPTIVE AUTH?
Today IT and InfoSec teams cannot balance the need for convenient access from mobile devices with the requirements of information security. Workspot has granular contextual data that can balance convenience with security. Not all applications are equally sensitive: the directory application is less sensitive than the financials application. Not all users are equally trusted: the CEO is more trusted than a contractor. Not all locations are equally trusted: if a user is connected to a corporate WLAN and is sitting in an office, they are more trusted than somebody trying to access enterprise assets from a remote location. Workspot can use this data to change the authentication required, keeping it simple when the access is trusted and adding challenges when the access is less trusted.

21 CONTEXT CAN BE USED FOR ADAPTIVE AUTH
Context also tells us about the typical behavior of an end user: how many applications they access, where they access them from, and other information. Context can be used to detect abnormal access patterns and potentially deny access to end users when we detect abnormal behavior. A good analogy is a credit card swipe. Every transaction is examined for risk, and most of the time the risk is below the threshold, so the end user is allowed to transact. Occasionally a higher risk is determined and the end user is then challenged or informed of potentially fraudulent activity.

22 ADAPTIVE AUTH EXAMPLES
High Trust Context => Aggressive Single Sign-On (CFO accessing Intranet from HQ)
Medium Trust => Require RSA token (CFO accessing Financials from a new location)
Low Trust Context => Deny Access (CFO downloading lots of documents while in China)
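The adaptive-auth decision of slides 20 to 22, as an added example that is not Workspot's engine: application sensitivity, user trust, location, network and a download-volume check against the user's learned baseline are added into a risk score that selects SSO, an RSA token challenge, or denial, and the contributing factors are returned so the challenge is auditable. The weights, thresholds, the `Context`/`Profile` types and the `CFO` profile are illustrative assumptions; the three deck scenarios fall into the three tiers under them.

```python
from dataclasses import dataclass

@dataclass
class Context:
    """One access request: who is doing what, when and from where (the deck's definition)."""
    user: str
    app: str
    location: str
    on_corporate_wlan: bool
    downloads_last_hour: int

@dataclass
class Profile:
    """Typical behaviour of a user, assumed to be learned from the collected activity data."""
    trusted: bool                 # e.g. CFO True, contractor False
    usual_locations: frozenset
    avg_downloads_per_hour: float

# Illustrative weights (assumptions): application sensitivity 1..3 plus additive risk factors.
APP_SENSITIVITY = {"intranet": 1, "directory": 1, "sharepoint": 2, "financials": 3}

def risk_factors(ctx: Context, prof: Profile) -> dict:
    f = {"app_sensitivity": APP_SENSITIVITY.get(ctx.app, 2)}
    if not prof.trusted:
        f["untrusted_user"] = 1
    if ctx.location not in prof.usual_locations:
        f["new_location"] = 1
    if not ctx.on_corporate_wlan:
        f["off_corporate_wlan"] = 1
    if ctx.downloads_last_hour > 3 * max(prof.avg_downloads_per_hour, 1.0):
        f["abnormal_download_volume"] = 3  # far outside this user's own baseline
    return f

def decide(ctx: Context, prof: Profile):
    """Returns (decision, factors): the factors are what an auditor or SIEM would see."""
    factors = risk_factors(ctx, prof)
    score = sum(factors.values())
    if score <= 2:
        return "sso", factors        # high trust: aggressive single sign-on
    if score <= 5:
        return "rsa_token", factors  # medium trust: step up to the RSA token
    return "deny", factors           # low trust: deny and flag for review

# Constructed sample profile for the deck's CFO scenarios
CFO = Profile(trusted=True, usual_locations=frozenset({"HQ", "California"}), avg_downloads_per_hour=1.5)
```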


24 WORKSPOT IS SIMPLEST SOLUTION
BYOD Features                   | Workspot (NO NEW BOXES; PILOT IN MINUTES) | VMware         | Citrix         | MobileIron
Secure Browser                  |                                           | Mobile Gateway | NetScaler      | App Tunnel
CIFS, SharePoint, etc.          |                                           | Content Locker | ShareFile      | Averail
Windows Apps                    |                                           | View           | XenApp         |
Single Sign-On                  |                                           | Horizon        | App Controller |
Mobile Device Management        |                                           | AirWatch       | XenMobile      | MobileIron
Big Data Security & Performance |                                           |                |                |
Citrix, VMware, and MobileIron have complex on-premise architectures. Citrix is the furthest along in integrating the various components. Let's take a deeper look at the Citrix solution.

25 LEARN MORE ABOUT WORKSPOT us at Additional resources at