© 2015 IBM Corporation
Surviving the Mobile Phenomenon:
Securing Mobile Access with
Risk-Based Authentication
Jason Hardy
WW Market Segment Manager, Mobile Security
Jason Keenaghan
Program Director, Access Management & Cloud IAM
IBM Mobile Security
Enterprise mobile trends
“Enterprise mobility will continue to be one of the hottest topics in IT,
and high on the list of priorities for all CIOs.”
Ovum
“IT organizations will dedicate at least 25% of their software budget
to mobile application development, deployment, and management by 2017.”
IDC
The number of smartphone users worldwide will surpass 2 billion in 2016 (eMarketer)
Mobile downloads will increase to 268 billion by 2017 (Gartner)
As mobile grows, so do security threats
“With the growing penetration of mobile devices in the enterprise, security testing
and protection of mobile applications and data become mandatory.”
Gartner
“Enterprise mobility… new systems of engagement. These new systems help
firms empower their customers, partners, and employees with context-aware
apps and smart products.”
Forrester
Top mobile devices and apps hacked: 97% of Android apps, 87% of iOS apps (Arxan)
387 new threats every minute, and six every second (McAfee)
What concerns does this create for the enterprise?
Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”
• 32% are concerned about fraudulent transactions; only 18% can detect malware / jailbreaks
• 50% say content and data leakage are their top security concern; 60% use secure containers for data security
• 57% say a lost or stolen device is their top concern; 60% use passcodes for device security
• 52% worry about application vulnerabilities; only 23% have tamper-proofing capabilities
IBM Mobile Security Framework
Protect Devices (IBM MobileFirst Protect / MaaS360)
• Manage multi-OS BYOD environment
• Mitigate risks of lost and compromised devices
Secure Content and Collaboration (IBM MobileFirst Protect / MaaS360)
• Separate enterprise and personal data
• Enforce compliance with security policies
• Distribute and control enterprise apps
Safeguard Applications and Data (AppScan, Arxan, Trusteer Mobile SDK)
• Build and secure apps and protect them “in the wild”
Manage Access and Fraud
• Provide secure web, mobile, API access and identify device risk
• Meet authentication ease-of-use expectation
Extend Security Intelligence
• Extend security information and event management (SIEM) to mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management
Comparable third-party products shown on the slide: AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana (devices and content); HP Fortify, Veracode, Proguard (applications); CA, Oracle, RSA (access)
Executing a strategy with IBM Mobile Security
IBM Security Access Manager, IBM DataPower Gateway, IBM BigFix, IBM MobileFirst Platform, IBM MobileFirst Protect (MaaS360), IBM Security AppScan, Arxan Application Protection for IBM Solutions, IBM QRadar Security Intelligence Platform, IBM Security Trusteer, IBM Mobile Security Services
Securing mobile access with
risk-based authentication
IBM Identity and Access Management helps secure the digital identities for an open enterprise
Threat-aware Identity and Access Management
Identity Management:
• Identity Governance and Intelligence
• Identity Lifecycle Management
• Privileged Identity Control
Access Management:
• Adaptive Access Control and Federation
• Application Content Protection
• Authentication and Single Sign On
Directory Services
Channels: Datacenter, Web, Social, Mobile, Cloud
Delivery: On-Premise Appliances, Software-as-a-Service, Platform-as-a-Service, Cloud Managed / Hosted Services
Take back control of Access Management
ISAM sits between users (consumers, employees, partners & contractors) and the resources they reach (enterprise applications, cloud workloads, SaaS applications).
Adopt a graded trust posture to help achieve secure transactions & risk-based enforcement
Consumers, employees and BYOD users reach consumer / employee applications, data and on/off-premise resources over the Internet, cloud and mobile channels; the security team and the application team manage consistent security policies through Access Management.
• Fraud- and threat-aware application access across multiple channels
• Strong authentication, SSO and session management for secure B2E, B2B and B2C use cases
• Context-based access and stronger assurance for transactions from partners and consumers
• Transparently enforce security access policies for web and mobile applications
• Enforce security access policies without modifying the applications
Enforce risk-based access and strong authentication for transactions
Reduce the risk associated with mobile user and service transactions.
Example: transactions performed in the user's state of residence proceed with normal authentication. A funds transfer attempted from another state or another country requires an OTP for stronger authentication and additional identity assurance.
Flow: the user attempts a transaction from an unexpected location; the user is given a strong authentication challenge; on success the transaction completes.
IBM Security Access Manager supports five main context domains for adaptive access control
Identity: groups, roles, credential attributes, organization
Endpoints: a device fingerprint built from attributes such as screen depth/resolution, fonts, OS, browser, browser plug-ins, device model and UUID. These attributes are reported by the client, so treat the fingerprint as a risk signal, not as proof of device identity.
Environment: geographic location, network, local time, etc.
Resource / Action: the application being requested and what is being done with it
Behavior: analytics of the user's historical and current resource usage; user activity monitoring and specific business activity monitoring
Common requirements for strong authentication and context-aware access from mobile customers
• Improved end user experience:
– Eliminate usernames and passwords for mobile device users
– Situation awareness and graded trust
• Step-up authentication for additional identity assurance:
– Unknown device
– High-risk or infected device
– High-value transactions
• Risk-elevation factors:
– IP reputation
– Geo-political location
– Behavioral anomalies (e.g., time of day)
• Continuous authentication:
– Soft biometrics
– User presence detection (e.g., motion, WiFi networks, Bluetooth devices)
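The funds-transfer example, the five context domains and the step-up triggers above describe one decision pipeline: gather context, score it, then allow, challenge or deny. The following is an added example of that pipeline in Python; it is not ISAM code and not from the slides. The weights, thresholds, group name "customer" and the sample context values are assumptions chosen for the illustration. The OTP check is a straight RFC 4226 HOTP so the challenge step actually verifies something.

```python
"""Risk-based access for a funds transfer, using the five context domains from
the slides (identity, endpoint, environment, resource/action, behaviour).
Added illustration; not ISAM code.  Weights and thresholds are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

STEP_UP_THRESHOLD = 40    # score at or above this needs a second factor
DENY_THRESHOLD = 100      # score at or above this is refused outright
HIGH_VALUE_LIMIT = 5000   # transfer amount treated as "high value"


@dataclass
class Context:
    user: str                     # identity
    groups: Set[str]
    device_fingerprint: str       # endpoint: see fingerprint() below
    known_devices: Set[str]       # fingerprints registered for this user
    device_infected: bool         # malware indicator, e.g. from a fraud PIP
    country: str                  # environment
    region: str                   # state or province of the request
    home_country: str
    home_region: str
    ip_reputation: str            # "good", "suspicious" or "bad"
    local_hour: int
    action: str                   # resource / action
    amount: float
    usual_hours: range            # behaviour: hours this user normally transacts


def fingerprint(screen: str, fonts: str, os_name: str, browser: str, model: str) -> str:
    """Stable endpoint identifier from the client-reported attributes on the slide.
    Self-reported, so an unknown value raises risk; a known one is not proof."""
    raw = "|".join([screen, fonts, os_name, browser, model]).encode()
    return hashlib.sha256(raw).hexdigest()


def risk_score(ctx: Context) -> Tuple[int, List[str]]:
    """Sum weighted risk-elevation factors; return (score, reasons)."""
    score, reasons = 0, []
    if ctx.device_fingerprint not in ctx.known_devices:
        score += 30; reasons.append("unknown device")
    if ctx.device_infected:
        score += 60; reasons.append("infected device")
    if ctx.country != ctx.home_country:
        score += 55; reasons.append("foreign country")
    elif ctx.region != ctx.home_region:
        score += 40; reasons.append("outside home state")
    ip_weight = {"good": 0, "suspicious": 20, "bad": 50}.get(ctx.ip_reputation, 20)
    if ip_weight:
        score += ip_weight; reasons.append(f"ip reputation {ctx.ip_reputation}")
    if ctx.local_hour not in ctx.usual_hours:
        score += 10; reasons.append("unusual hour")
    if ctx.action == "transfer" and ctx.amount >= HIGH_VALUE_LIMIT:
        score += 20; reasons.append("high-value transfer")
    return score, reasons


def decide(ctx: Context) -> str:
    """Graded trust: allow, step_up or deny.  Identity gate first, then score."""
    if ctx.action == "transfer" and "customer" not in ctx.groups:
        return "deny"
    score, _ = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def complete_transfer(ctx: Context, secret: bytes, counter: int,
                      otp_from_user: Optional[str]) -> str:
    """The slide's flow: decide, challenge for an OTP when needed, then complete."""
    outcome = decide(ctx)
    if outcome == "deny":
        return "denied"
    if outcome == "step_up":
        if otp_from_user is None:
            return "challenge"                   # prompt the user for the OTP
        if not hmac.compare_digest(hotp(secret, counter), otp_from_user):
            return "challenge_failed"
    return "completed"


if __name__ == "__main__":
    # Constructed sample: known device, but a transfer from outside the home state.
    dev = fingerprint("1920x1080@24", "Arial;Helvetica", "iOS 8", "Safari", "iPhone6,2")
    ctx = Context("alice", {"customer"}, dev, {dev}, False, "US", "CA", "US", "NY",
                  "good", 14, "transfer", 250.0, range(8, 22))
    print(decide(ctx), risk_score(ctx))
    print(complete_transfer(ctx, b"12345678901234567890", 0, "755224"))
```

The out-of-state transfer scores exactly at the step-up threshold and is completed only once the OTP matches; an infected device from a foreign country with a bad IP exceeds the deny threshold and is refused without a challenge, which is what "high-risk or infected device" on the slide implies in practice.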
Additional sources of context appear as policy information points
IBM Security Access Manager, protecting servers, databases, applications and APIs, consults policy information points (PIPs) over a server connection when it evaluates a user's request:
• Fiberlink MaaS360: managed mobile device context
• LDAP server: user attributes
• Trusteer Mobile & Pinpoint Malware Detection Server: malware / fraud indicators
• External database or service: additional context
Simplify fraud protection
Automatically protect users and organizations from fraud with strong authentication
• Risk-based access controls built around the malware and fraud risk score from Trusteer
– High-risk transactions can be prompted to change behavior (e.g., open a secure browser) or to perform step-up authentication
• ISAM adds Trusteer fraud protection to applications without requiring any code changes on the protected applications themselves
Users reach the protected applications through ISAM; Trusteer supplies fraud context and a risk score to ISAM, and ISAM forwards fraud and access context to QRadar Security Intelligence.
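The two slides above leave open the question a practitioner asks first: what does the policy do when a PIP (the MDM, the directory, the fraud server) cannot answer? The added example below is not ISAM code; it stands in hypothetical PIP callables for the MaaS360, LDAP and Trusteer connections, with constructed sample records and assumed score bands, and shows the aggregator recording what it could not learn so that the fraud policy fails closed to a step-up rather than treating "no verdict" as "clean".

```python
"""Policy information point (PIP) aggregation feeding a fraud-aware access
policy.  Added illustration, not ISAM code: the PIP callables stand in for the
MaaS360, LDAP and Trusteer connections on the slides, and the score bands are
assumptions.  The point shown is what to do when a PIP cannot answer."""
from typing import Any, Callable, Dict

UNKNOWN = "unknown"
Pip = Callable[[str, str], Dict[str, Any]]   # (user, device_id) -> attributes


def make_pip(table: Dict[str, Dict[str, Any]], key: str, available: bool = True) -> Pip:
    """Build a PIP over a constructed lookup table keyed by user or device.
    available=False simulates an unreachable server (timeout, TLS error...)."""
    def pip(user: str, device_id: str) -> Dict[str, Any]:
        if not available:
            raise TimeoutError("PIP did not respond")
        lookup = user if key == "user" else device_id
        if lookup not in table:
            raise LookupError(f"no record for {lookup}")
        return dict(table[lookup])
    return pip


def collect_context(user: str, device_id: str, pips: Dict[str, Pip]) -> Dict[str, Any]:
    """Query every PIP; attributes a PIP could not supply are recorded under
    'missing' instead of silently defaulting to a safe-looking value."""
    ctx: Dict[str, Any] = {"user": user, "device_id": device_id, "missing": []}
    for name, pip in pips.items():
        try:
            ctx.update(pip(user, device_id))
        except (TimeoutError, LookupError, ConnectionError) as exc:
            ctx["missing"].append(f"{name}: {exc}")
    return ctx


def fraud_policy(ctx: Dict[str, Any]) -> str:
    """Slide logic: malware -> prompt a behaviour change; the fraud score drives
    deny / step-up; a missing fraud verdict fails closed to step-up; device
    posture from the MDM PIP is the final check."""
    if ctx.get("malware_detected") is True:
        return "open_secure_browser"
    score = ctx.get("fraud_score", UNKNOWN)
    if score == UNKNOWN:
        return "step_up"                 # fraud PIP unreachable or no verdict
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step_up"
    if ctx.get("jailbroken") is True or ctx.get("compliant") is not True:
        return "step_up"                 # unenrolled or non-compliant device
    return "allow"


# Constructed sample records for the three PIPs on the slide.
LDAP_USERS = {"alice": {"groups": ["finance"], "mail": "alice@example.com"}}
MDM_DEVICES = {"dev-1": {"compliant": True, "jailbroken": False, "corporate_owned": True},
               "dev-2": {"compliant": False, "jailbroken": True, "corporate_owned": False}}
FRAUD_VERDICTS = {"dev-1": {"fraud_score": 5, "malware_detected": False},
                  "dev-2": {"fraud_score": 85, "malware_detected": True}}


def evaluate(user: str, device_id: str, trusteer_up: bool = True) -> str:
    """Wire the PIPs together and return the policy outcome for one request."""
    pips = {
        "ldap": make_pip(LDAP_USERS, "user"),
        "maas360": make_pip(MDM_DEVICES, "device"),
        "trusteer": make_pip(FRAUD_VERDICTS, "device", available=trusteer_up),
    }
    return fraud_policy(collect_context(user, device_id, pips))


if __name__ == "__main__":
    print(evaluate("alice", "dev-1"))                      # clean, compliant device
    print(evaluate("alice", "dev-1", trusteer_up=False))   # fraud PIP down: fail closed
    print(evaluate("alice", "dev-2"))                      # malware seen on device
```

Note the asymmetry: a device the MDM has never seen is treated like a non-compliant one, and an absent fraud verdict is treated like a mid-range score. Defaulting either to "fine" would turn a PIP outage into an authentication bypass.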
Remove barriers to mobile productivity
Enable more convenient and secure access to enterprise resources from mobile
The user signs in to the MaaS360 app with username and password; MaaS360-enabled enterprise mobile apps then get single sign-on through ISAM to enterprise web applications and SaaS applications.
• Allows users to easily access enterprise resources with minimal authentication friction
• Utilizes the existing access management infrastructure, so applications need not be changed to allow access from mobile devices
• Risk-based access controls can use context from MaaS360 in the access decision (e.g., compliance state, jailbroken status, ownership status)
Implementation pattern for providing advanced API security
• IBM API Management provides the developer portal, API analytics, and development acceleration for ISAM integration on DataPower Gateway appliances
• IBM DataPower Gateway provides the API runtime policy enforcement point and integration with other dynamic decision engines (e.g., ISAM)
• IBM Security Access Manager provides advanced mobile/API security capabilities for enhanced protection of API resources
DataPower is the API Gateway for IBM API Management to secure & integrate API traffic.
An IBM MobileFirst mobile application on the Internet calls an API through DataPower in the DMZ; API Management, the ISAM module, ISAM and the backend service sit in the trusted zone. The flow:
1. Define policies
2. Invoke API
3. Consult decision engine
4. Invoke backend service
IBM architecture for risk-based access with strong authentication
Easy to deploy, easy to manage, and highly scalable virtual and physical appliances
• Policy enforcement point (PEP): the ISAM proxy or DataPower, in front of applications and data, providing SSO / FSSO / context-based access for users on mobile or desktop (including a mobile client)
• Policy administration point (PAP): the ISAM policy server, with access policy authoring
• Policy decision point (PDP): ISAM runtime services, including the risk engine and the authentication framework
• Extensible context feeding the risk engine, and extensible multi-modal authentication and verification methods
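The API pattern and the PEP/PAP/PDP architecture above describe a protocol between two components: the gateway enforces, the decision engine decides, and a "step-up" answer has to travel back to the client as something it can act on. The added example below models that exchange in Python. It is not DataPower or ISAM code: the policy table, the session store, the JSON message shapes (loosely modelled on the XACML JSON profile) and the "OTP" challenge scheme in the WWW-Authenticate header are all assumptions made for the illustration.

```python
"""API gateway as policy enforcement point (PEP) consulting a separate policy
decision point (PDP), following the four numbered steps on the slide.  Added
illustration, not DataPower or ISAM code: the policy table, session store,
JSON message shapes and the 'OTP' challenge scheme are assumptions."""
import json
from typing import Callable, Dict, Tuple

# Step 1: policies defined on the PDP.  auth_level 1 = password, 2 = password + OTP.
POLICIES = {
    "/accounts/balance": {"min_auth_level": 1, "max_risk": 100},
    "/payments/transfer": {"min_auth_level": 2, "max_risk": 50},
}

# Constructed session store the gateway uses to resolve bearer tokens.
SESSIONS = {
    "tok-alice-pw":  {"user": "alice", "auth_level": 1, "risk": 10},
    "tok-alice-otp": {"user": "alice", "auth_level": 2, "risk": 10},
    "tok-mallory":   {"user": "mallory", "auth_level": 2, "risk": 90},
}

Backend = Callable[[str, str, str], str]   # (method, path, user) -> body


def pdp_decide(request_json: str) -> str:
    """Decision engine: evaluate one authorization request and return a JSON
    decision, with a step-up obligation when only the assurance level is short."""
    req = json.loads(request_json)
    policy = POLICIES.get(req["resource"])
    if policy is None:
        return json.dumps({"Decision": "Deny", "Reason": "no policy for resource"})
    if req["auth_level"] < policy["min_auth_level"]:
        return json.dumps({"Decision": "Deny",
                           "Obligations": [{"Id": "step-up",
                                            "level": policy["min_auth_level"]}]})
    if req["risk"] > policy["max_risk"]:
        return json.dumps({"Decision": "Deny", "Reason": "risk score too high"})
    return json.dumps({"Decision": "Permit"})


def gateway_handle(method: str, path: str, headers: Dict[str, str],
                   backend: Backend) -> Tuple[int, Dict[str, str], str]:
    """PEP: step 2 receive the API call, step 3 consult the PDP, step 4 invoke
    the backend only on Permit.  Returns (status, response headers, body)."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    session = SESSIONS.get(token)
    if session is None:
        return 401, {"WWW-Authenticate": "Bearer"}, "authentication required"
    request = json.dumps({"subject": session["user"], "resource": path,
                          "action": method, "auth_level": session["auth_level"],
                          "risk": session["risk"]})
    decision = json.loads(pdp_decide(request))
    if decision["Decision"] == "Permit":
        return 200, {}, backend(method, path, session["user"])
    for obligation in decision.get("Obligations", []):
        if obligation["Id"] == "step-up":
            # Tell the client which assurance level to come back with.
            challenge = f'OTP realm="api", level={obligation["level"]}'
            return 401, {"WWW-Authenticate": challenge}, "step-up required"
    return 403, {}, decision.get("Reason", "forbidden")


def demo_backend(method: str, path: str, user: str) -> str:
    """Stand-in for the backend service in the trusted zone."""
    return f"{method} {path} for {user}: ok"


if __name__ == "__main__":
    for tok, path in [("tok-alice-pw", "/accounts/balance"),
                      ("tok-alice-pw", "/payments/transfer"),
                      ("tok-alice-otp", "/payments/transfer"),
                      ("tok-mallory", "/payments/transfer")]:
        status, hdrs, body = gateway_handle("POST", path,
                                            {"Authorization": "Bearer " + tok},
                                            demo_backend)
        print(tok, path, status, hdrs, body)
```

Two details carry the security value. The backend is never called unless the PDP said Permit, so a PDP outage or a malformed decision fails closed. And a low assurance level produces a 401 with a challenge rather than a 403, so the client knows that authenticating again with the stronger factor will succeed, while a high risk score or an unknown resource produces a 403 that no amount of re-authentication changes.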
Q&A
133 countries where IBM delivers
managed security services
20 industry analyst reports rank
IBM Security as a LEADER
TOP 3 enterprise security software
vendor in total revenue
10K clients protected including…
24 of the top 33 banks in Japan,
North America, and Australia
Learn more about IBM Security
Visit our web page
IBM.com/Security
Watch our videos
IBM Security YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU www.ibm.com/security
