Mobile Security Luther Knight - @lutherldn Mobility Management Technical Specialist, Europe IOT IBM Security April 28, 2015 12015 IBM Corporation
Where I Started: Blackberry Migration BYOD Bring Your Own Device (BYOD) became popular and grew over the past few years. Businesses were expected to adapt to the growing demands of the user. Network Access Internal Resources Corporate Mobile Applications Email, Contacts, Calendars Migration from BlackBerry to ios & Android 2
BYOD Pain Points Infrastructure expenses for supporting multiple, mobile operating system platforms and devices. Increased risk how do you maintain device compliance without impacting usability? Security User needs impact data loss prevention policy Security Monitoring apps for malicious code 3 Luther Knight - @lutherldn
I Spy A Naughty Application IBM & Ponemon Institute ran a large scale study, unveiling an alarming state of mobile insecurity for consumer and business facing applications 40% their large companies are doing a bad job or nothing at all to protect consumer applications, including Pharma and Finance 50% 33% of these companies setting zero budget for mobile security and therefore they re only testing half the apps they build of these companies don t test their apps at all 4
Risky Apps 100 % 53 % of the Top 100 Paid apps have hacked variants in the wild Top applications have been cracked & offered on 3 rd party App Stores Offered for free but often injected with malware or malicious code Android users particularly at risk 5
The way to your data, is through your heart Sharing personal information Access privileges Photos Location Data Contacts Calendar Camera/Microphone 26 of the top 41 dating apps on Google Play had high security vulnerabilities Poorly coded credit card info vulnerable Phishing Attacks 60% of Popular Dating Apps Vulnerable to Hackers 6
What does IBM do? What we use and offer to mitigate mobile risk @lutherldn 7
IBM MobileFirst 8 Luther Knight - @lutherldn
IBM Mobile First Protect Secure Mobile Containers Secure Content Collaboration Seamless Enterprise Access Comprehensive Mobile Management One Platform for All Your Mobile Assets 9
A complete Mobile Management platform 10
Integration 11
What does Mobile First Protect do? (we re not reading your text messages or looking at your selfies!) @lutherldn 12
Powering Productivity Mail Content File Sharing Editing Intranet Wrapping data loss prevention rules around sensitive information Maintaining device compliance Malware Protection 13 Luther Knight - @lutherldn
Mobile Device IBM Security Mobile Threat Protection - SDK integrated Prevent deployment of containers into Jailbroken or Rooted device Restrict content sharing between enterprise apps on malwareinfected devices Trusteer security researching DarkNet for new exploits, OTA logic updates 1. Integrate Libraries within app code 2. Code the ability to collect data 3. Analyze risk Data MobileFirst Protect 4. Send Data to Server 5. Enforce Policy Trusteer Mobile SDK Jailbroken /Rooted Jailbreak Hiders Persistent Device ID Malware Infection Geo-location Unpatched OS Unsecure Wi-Fi Suspicious Apps 14
How it Works Define compliance rules Trusteer Logic always current Relays OOC event, determines action IBM Mobile First Protect Console Policy Definitions Risk Policy Mgmt. & Control Policy Enforcement Device Risk Data Inbound OTA Updates 15
European Security European datacenters Ireland & Germany Adheres to EU security standards, ISO-27001 certified and SOC-2 compliant. Information is transmitted over SSL3.0/TLS1.0 with certificated from DigiCert Data within the European data centers does not get replicated back to USA. Data is 256bit AES encrypted in motion and at rest (on device). On-Premise available 16
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security 17 Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.