Ensuring the security of your mobile business intelligence




IBM Software
Business Analytics
Cognos Business Intelligence

Contents

• Executive summary
• Securing BI on mobile devices
• Apple iPad native application and device security
• BlackBerry native application and device security
• Web application security
• Conclusion
• About IBM Business Analytics
• For more information

Executive summary

The number of mobile devices has now surpassed personal computers in sales. They are increasingly being used for business, which means that users expect to access all the applications they need to do their jobs, including business intelligence (BI), on these devices. Because BI can be sensitive and confidential, they also want to be sure it is protected from unauthorized users such as hackers and that it can't be accessed if the device is lost or stolen.

IBM Cognos Mobile software has been delivering relevant information to smart phones such as the BlackBerry for some time. However, enhancements to Cognos Mobile now make it possible for users to interact with trusted BI content on their Apple iPad, BlackBerry PlayBook and Android 3.0 tablet computers, for a rich and visual experience that enables uninterrupted productivity.

Making Cognos Business Intelligence available to more mobile device users invariably raises questions about the security of the BI they view and work with. IBM is aware of these concerns and has gone to significant lengths to ensure the security of Cognos Mobile operating on smart phones and tablet devices.

Cognos Mobile security is derived from a combination of sources. From IBM, you get the same security provided to all Cognos Business Intelligence 10.1.1 environments through the Cognos platform, along with other security features specific to Cognos Mobile. Other features are provided by device vendors or your IT department. This paper describes how Cognos Mobile is secured.

Securing BI on mobile devices

One of the biggest concerns organizations have when it comes to adopting mobile business intelligence (BI) is security. This is hardly surprising, given that the term "mobile" conjures up an image of important data being transmitted over unsecured networks, increasing fears of unauthorized access to or loss of sensitive corporate data.

Mobile security can be broken down into several areas:

• Data access, or providing users with only the data they are authorized to see
• Data transmission, or securing communication channels
• Data storage, or protecting data stored on the device
• Device security, or protecting the device from unauthorized usage
• Deployment security, or configuring, provisioning, implementing or monitoring the mobile solution safely

In addition, no matter how you access Cognos Mobile (from a native application or the web), your underlying security base will be the Cognos platform. The Cognos platform provides integration with enterprise authentication and a central place to control access and authorization for all Cognos Business Intelligence objects, capabilities and data. This integration makes single sign-on for authentication possible, simplifying the login process and restricting access to data according to business requirements. In addition, the Cognos platform supports LDAP, NTLM, Microsoft Active Directory, Netegrity and SAP Business Information Warehouse, among others. In essence, it makes the most of your existing enterprise security deployments and includes the ability to link to one or more security systems simultaneously, as you require.

To ensure the security of Cognos Mobile, IBM addressed these areas as they relate to the ways that users access BI on their devices:

• The Apple iPad native application (available for download from the Apple iTunes app store)
• The BlackBerry smart phone native application
• The web application, which can be used on your Apple iPhone, BlackBerry PlayBook and tablets that use the Android 3.0 operating system

Apple iPad native application and device security

The Cognos Mobile native application for the Apple iPad uses a combination of Cognos platform, IT and device (or Apple iOS) enabled security (Figure 1) to address the five areas of security mentioned in the previous section.

[Figure 1: Cognos Mobile native iPad application security]

Securing data access on the Apple iPad

For secure data access on the iPad, Cognos Mobile uses Cognos platform authentication and role-based security. A device lease key prevents access to disconnected Cognos content when a timeout period elapses.

A good analogy for the lease key functionality is a hotel key. The key is enabled for the duration (lease) of your stay. Then, at the checkout time on the last day of your stay, your key is disabled (your lease has expired) and you are unable to access the room. The room is still there, but you will not be able to gain access until you make appropriate arrangements. In the case of Cognos Mobile, upon expiration of the lease key, content is not accessible until the user authenticates and a new key is granted. This ensures that disconnected content is inaccessible without wiping the entire device.

Securing Apple iPad data transmission

Cognos Mobile takes advantage of standard VPN protocols or an SSL connection to ensure a secure communication channel. Support for your enterprise network Wi-Fi enables secure access to your corporate network when you are on premises. This secure access can be enabled with the VPN client that is part of the Apple iPad operating system or third-party applications from Juniper, Cisco and F5 Networks.

Your iPad comes with support for Cisco IPSec, Layer 2 Tunneling Protocol (L2TP) over IPSec and Point-to-Point Tunneling Protocol (PPTP). If your company supports one of these protocols, you do not have to make any additional configurations to connect your iPad to your VPN. Applications from Juniper and Cisco are also available for enabling SSL VPN. You can configure these connections manually or use the Apple Configuration Profile.

Your iPad also supports IPv6, proxy servers, split tunneling and other industry standards to ensure you have a rich VPN experience when connecting to your network. It also works with a number of authentication methods, such as passwords, two-factor tokens and digital certificates. VPN On Demand, which initiates a VPN session dynamically when connecting to specific domains, is also available to streamline environments that use digital certificates.

Securing data storage on the Apple iPad

Cognos Mobile fully supports the Apple hardware encryption that secures any data you store on the device. Apple Sandbox prevents other applications from accessing Cognos Business Intelligence data on the device. Apple Sandbox protects your system by limiting application operations, such as opening documents or accessing the network. Sandboxing makes it more difficult for a security threat to take advantage of an issue in a specific application to affect the greater system.

The Apple Sandbox system consists of:

• A set of user space library functions for initializing and configuring the sandbox for each process
• A Mach server for handling logging from the kernel
• A kernel extension using the TrustedBSD API for enforcing individual policies
• A kernel support extension providing regular expression matching for policy enforcement

If a device that is storing Cognos Business Intelligence data is lost or stolen, it's important to deactivate and erase the device. In the case of the Apple iPad application, the Cognos Business Intelligence content stored on the device is protected by an Apple feature called remote wipe. With this feature, your administrator or device owner can issue a command that removes all data and deactivates the device.

Securing your Apple iPad device

Cognos Mobile fully exploits the ability to establish strong policies for device access that is provided by the Apple iPad platform. All devices have password (which Apple calls "passcode") formats that can be configured and enforced over the air. An extensive set of passcode formatting options can be set to meet security requirements, including timeout periods, passcode strength and how often the passcode must be changed. These methods provide flexible options for establishing a standard level of protection for all authorized users.

A local wipe feature is also part of your Apple iPad device security. By default, iPad automatically wipes the device after 10 failed passcode attempts. However, you can configure your iPad to wipe the device after a different maximum number of failed attempts using a configuration profile.

Secure Apple iPad deployment

Apple iPad configuration is managed by the Apple iPad Configuration Utility, which enables an administrator to set up the corporate resources that the mobile users can use. This utility provides a centralized configuration of settings, such as Wi-Fi network connectivity, LDAP authentication information and secure VPN access. It can also be used to load provisioning profiles onto a device. Such centralized administration ensures that devices are configured correctly and according to security standards set by your organization. There is also an Apple iPhone Configuration Utility that can install configuration profiles on devices when connected by USB.

The configuration profile, an XML file that is distributed to users and loaded on the mobile device, is protected by a password only known to the administrator. After the profile has been loaded on the iPad, the settings cannot be changed from that profile unless someone uses the profile password. The profile can also be locked to the device and cannot be removed without completely erasing all of the device contents.

Configuration profiles can be both signed and encrypted. Signing a configuration profile ensures that the settings being enforced cannot be altered in any way. Encrypting a configuration profile protects the contents of that profile and ensures installation only on the devices for which it was created. Configuration profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), supporting 3DES and AES 128.

There are several ways that a configuration profile can be loaded onto the device:

• The device can be connected directly to the computer or server where the Apple Configuration Utility is installed.
• A link can be provided on a web page that will load the profile onto the device after it is accessed from a web browser on the device.
• An email message can provide a link that will load the configuration profile.
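
An added example, not part of the IBM paper or of Apple's tooling: a Python check that reads a configuration profile in its XML form, before it is signed or encrypted, and reports passcode and lock settings that fall short of a baseline. The payload type and key names are Apple's documented configuration-profile keys; the baseline thresholds and the sample profile are assumptions constructed for illustration.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Assumed organisational baseline. Only the figure of 10 failed attempts comes
# from the paper (the default wipe threshold); the rest is illustrative.
BASELINE = {
    "forcePIN": (lambda v: v is True, "true"),
    "allowSimple": (lambda v: v is False, "false"),
    "minLength": (lambda v: v >= 6, ">= 6"),
    "maxFailedAttempts": (lambda v: v <= 10, "<= 10"),
    "maxInactivity": (lambda v: 1 <= v <= 5, "1-5 minutes"),
    "maxPINAgeInDays": (lambda v: 1 <= v <= 90, "1-90 days"),
}

# Constructed sample profile: unlocked, weak passcode rules, no timeout.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mobile-bi</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
      <key>maxFailedAttempts</key><integer>11</integer>
    </dict>
  </array>
</dict>
</plist>"""


def audit_profile(raw, baseline=BASELINE):
    """Return {setting: problem} for every setting that misses the baseline."""
    profile = plistlib.loads(raw)
    findings = {}
    # A profile the user can delete takes its passcode policy with it.
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings["PayloadRemovalDisallowed"] = "profile is not locked to the device"
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        findings["passcode payload"] = "missing"
        return findings
    for policy in policies:
        for key, (acceptable, wanted) in baseline.items():
            value = policy.get(key)
            if value is None:
                findings[key] = f"not set (want {wanted})"
                continue
            try:
                ok = acceptable(value)
            except TypeError:  # wrong value type in the profile
                ok = False
            if not ok:
                findings[key] = f"{value!r} (want {wanted})"
    return findings


if __name__ == "__main__":
    for setting, problem in audit_profile(SAMPLE_PROFILE).items():
        print(f"{setting}: {problem}")
```

A signed or encrypted profile is a CMS envelope and has to be unwrapped before `plistlib` can read it, so a check like this belongs in the step before signing.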

In addition, Apple iOS over-the-air enrollment and configuration provide an automated way to configure devices securely. This process provides IT with assurance that only trusted users are accessing corporate services and that their devices are properly configured to comply with established policies. Because configuration profiles can be both encrypted and locked, the settings cannot be removed, altered or shared with others. For geographically distributed enterprises, an over-the-air profile service enables you to enroll iOS-based devices without physically connecting them to an Apple Configuration Utility host.

Secure mobile device management

With mobile device management capabilities provided by Apple, IT can easily scale the iPad application deployment for your entire organization. It provides a central point for managing all mobile devices that makes it possible to take advantage of configuration profiles, over-the-air enrollment and Apple push notification to enroll, configure, update settings, monitor compliance and remote wipe or lock iPads. Updates can be automatically installed on devices without any user intervention. In addition, monitoring capabilities make it possible to query devices for information to ensure compliance.

BlackBerry native application and device security

The Cognos Mobile native application for BlackBerry smart phones uses a combination of Cognos platform and Research in Motion (RIM) enabled security (Figure 2) to address the five areas of security mentioned earlier in this paper.

Securing data access on the BlackBerry smart phone

For secure data access on BlackBerry smart phones, Cognos Mobile uses Cognos platform and role-based security. This includes an administration option that allows saved credentials with a timeout period for Cognos Business Intelligence server authentication. Users must authenticate with the Cognos platform to gain access to local content. A device lease key prevents access to disconnected Cognos content after a specified period elapses. If a user is using Cognos Mobile on a personal BlackBerry smart phone and leaves the company, you can ensure their disconnected content is inaccessible without wiping the entire device.

Securing BlackBerry smart phone data transmission

All Cognos Business Intelligence data that is transmitted to BlackBerry smart phones is encrypted for secure Over the Air (OTA) data transfer and encrypted when stored on the device. This prevents unauthorized users from intercepting and reading sensitive data during transmission or from accessing data from the device with another application.
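
The device lease key described for the iPad and BlackBerry native applications can be modelled as a content key that the device may use only until its lease runs out, after which the encrypted content stays on the device but cannot be read until the user authenticates again. The Python model below is an added illustration, not IBM's implementation: the `Server` and `Device` classes, the clock-rollback check and the stand-in cipher are all assumptions.

```python
import hashlib
import hmac
import secrets


class LeaseExpired(Exception):
    """Raised when stored content is requested without a valid lease."""


def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so the example needs only the
    # standard library; a real client would use the platform's AES support.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"),
                       hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class Server:
    """Hypothetical BI server: authenticates users and grants leases."""

    def __init__(self, lease_seconds):
        self.lease_seconds = lease_seconds
        self.keys = {}        # device_id -> content key
        self.revoked = set()  # devices that may no longer renew

    def grant(self, device_id, authenticated, now):
        if not authenticated or device_id in self.revoked:
            return None
        key = self.keys.setdefault(device_id, secrets.token_bytes(32))
        return key, now + self.lease_seconds


class Device:
    """Hypothetical mobile client holding encrypted offline content."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.store = {}     # name -> (nonce, ciphertext); survives expiry
        self.lease = None   # (key, expiry) while a lease is held
        self.last_seen = 0  # latest time observed, to catch clock rollback

    def renew(self, server, authenticated, now):
        lease = server.grant(self.device_id, authenticated, now)
        if lease is None:
            return False
        self.lease, self.last_seen = lease, now
        return True

    def _key(self, now):
        if self.lease is None:
            raise LeaseExpired("no lease: authenticate to the server")
        key, expires = self.lease
        if now >= expires or now < self.last_seen:
            self.lease = None  # drop the key, keep the ciphertext
            raise LeaseExpired("lease ended: authenticate to the server")
        self.last_seen = now
        return key

    def save(self, name, data, now):
        nonce = secrets.token_bytes(16)
        self.store[name] = (nonce, _xor_stream(self._key(now), nonce, data))

    def open(self, name, now):
        nonce, blob = self.store[name]
        return _xor_stream(self._key(now), nonce, blob)
```

Adding a device to `revoked` on the server corresponds to the leaver case in the text: the next renewal is refused, so the content becomes unreadable once the current lease ends, with no device wipe involved.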

[Figure 2: Cognos Mobile native application for BlackBerry smart phone security]

Cognos Mobile takes advantage of the two transport encryption options offered by RIM, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES), for all data transmitted between BlackBerry Enterprise Server and BlackBerry smart phones. Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smart phone user. Each secret key is stored only in the user's secure enterprise account and on their BlackBerry smart phone and can be regenerated wirelessly by the user.

Data sent to the BlackBerry smart phone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the smart phone where it is decrypted with the key stored there. Data remains encrypted in transit and is not decrypted outside of the corporate firewall.

Securing data storage on BlackBerry smart phones

Cognos Mobile relies on BlackBerry Enterprise Server to extend corporate security to BlackBerry smart phones and provide administrators with tools to manage this security. To secure information stored on BlackBerry smart phones, you can make password authentication mandatory using the customizable IT policies of the BlackBerry Enterprise Server. By default, password authentication is limited to 10 attempts, after which the smart phone memory is erased.

Local encryption of all data (messages, address book entries, calendar entries, memos and tasks) can also be enforced by IT policy. And with the Password Keeper, AES encryption technology makes it possible to store password entries securely on BlackBerry smart phones. Additionally, system administrators can create and send wireless commands to remotely change BlackBerry device passwords and lock or delete information from lost or stolen BlackBerry smart phones.

Securing BlackBerry devices

Passwords ensure that only authorized users can utilize their BlackBerry smart phones. Administrators can enforce this password with configurable properties to prevent unauthorized access. In addition, a security timeout feature automatically locks the BlackBerry smart phone after a predetermined amount of inactivity.

Secure BlackBerry native client deployment and management

You can deploy the BlackBerry client in several ways:

• OTA application distribution pushes the native application through the BlackBerry Enterprise Server to a device.
• You can pull the application from a web server by clicking a link that downloads the application.
• You can install the application using the BlackBerry desktop manager.

Device management capabilities are provided by the BlackBerry Enterprise Server, which includes device, IT policy and security updates. BlackBerry Enterprise Server also manages user settings and control groups with over 450 IT policies.

Web application security

The Cognos Mobile web application for BlackBerry PlayBook, Apple iPhone and Android uses a combination of Cognos platform and web application enabled security (Figure 3) to address the five areas of security mentioned earlier in this paper.

Because the web application does not store anything on your mobile device, there is no risk of unauthorized access to BI content if your device is lost or stolen. In addition, use of the HTTPS protocol prevents caching on your device's web browser. Device security is also not as critical because there is no stored BI data that could be exploited.

[Figure 3: Cognos Mobile web application security]

Securing data access on devices using the Cognos Mobile web application

For secure data access on the BlackBerry PlayBook and devices that use the Android operating system, Cognos Mobile uses Cognos platform and role-based security. In addition, Cognos Business Intelligence server authentication is required every time a user accesses the application.

Securing data transmission to the Cognos Mobile web application

Securing data transmission for the web application is similar to how the Apple iPad native application is secured. Standard VPN protocols or an SSL connection ensure a secure communication channel. Support for your enterprise network Wi-Fi enables secure access to your corporate network when you are on premises.

Secure deployment of the web application

When you install the Cognos Mobile service, the mobile web application is automatically configured to /m on the end of your gateway URL. IT can provide the link and you can create a bookmark on the devices for easy access to the application. Upgrades of the application occur on the server side, so there is no impact to those using it on their devices and no need to deploy new software or configuration to devices.

Conclusion

Cognos Mobile is designed for users who need to view, analyze and share Cognos Business Intelligence content wherever they are. Whether you are on the road or at the office, you get the same great insight. With this mobile capability, however, comes the inevitable question: Is Cognos Mobile secure? The answer is yes. Cognos Mobile relies on a combination of security provided by the Cognos platform, lease key technology, the device and operating system developers and IT security measures to ensure that your BI content is protected and safe from hackers and device loss or theft.

About IBM Business Analytics

IBM Business Analytics software delivers actionable insights decision-makers need to achieve better business performance. IBM offers a comprehensive, unified portfolio of business intelligence, predictive and advanced analytics, financial performance and strategy management, governance, risk and compliance and analytic applications.

With IBM software, companies can spot trends, patterns and anomalies, compare "what if" scenarios, predict potential threats and opportunities, identify and manage key business risks and plan, budget and forecast resources. With these deep analytic capabilities our customers around the world can better understand, anticipate and shape business outcomes.

For more information

For further information or to reach a representative please visit ibm.com/analytics.

Request a call

To request a call or to ask a question, go to ibm.com/business-analytics/contactus. An IBM representative will respond to your inquiry within two business days.

Copyright IBM Corporation 2011

IBM Corporation
Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
October 2011
All Rights Reserved

IBM, the IBM logo, ibm.com and Cognos are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.

Other company, product or service names may be trademarks or service marks of others.

YTW03199-CAEN-00