What Every CIO should know about EMM? Leszek Twardowski, Sr. System Engineer, MobileIron
[email protected], Riga, October 22, 2015
Past Enterprise Transitions: Change the Way People Work, Disrupt Enterprise Architectures
60s & 70s: Mainframe / Mini Era
80s: PC Era
90s: Internet Era
Today: Mobile Era
New Leaders Emerge
Mobile is Here to Stay in the Enterprise
Accelerated growth of mobile workforce: 890 Million tablets and smartphones installed base in 2017
Rapid Evolution of Mobile Applications: 82% of employees using multiple apps
Explosion of Content & Data: 1 Billion files saved to Dropbox in 24 hours
Sources: Forrester February 2013 “2013 Mobile Workforce Adoption Trends”; installed base calculation assumes 2 year refresh cycle – Source: IDC; https://www.dropbox.com/news/company-info
MobileIron Confidential
From MDM to EMM
MDM (User-Led): Device Choice and email; Apps Explosion; Mobile Content; Secure Access
EMM (Cloud or On-Prem, IT at Consumer Speed):
Devices: Multi-OS Security
Apps: App Storefront & Work Separation
Content: Document & Web access
Security: Secure Access
Mobile has introduced a new operating system architecture and application model. User expectations and threat landscapes have changed so that traditional information security and business enablement technologies are no longer effective for modern end-user computing.
Centered on device → Centered on individual
“Digital business will completely change the technology provider landscape” Peter Sondergaard, SVP Research, Gartner Inc. (May 2015)
CISO confusion about mobile architecture
Evolution of operating system architecture: Traditional Windows vs. iOS / Android / Windows 10
Traditional Windows, user mode: Logon, Win32 API, UI components, Session manager, NTDLL.DLL, Graphics, Classes/utilities, Audio, Video
Traditional Windows, kernel mode: Win32K.sys, HAL, Graphics drivers, Printer drivers, System utilities, Kernel
iOS / Android / Windows 10: sandboxed apps in user mode; protected kernel in kernel mode; management primitives exposed by the OS
Three architectural shifts:
1. From open file system to application sandboxing (security, no app conflicts, no “DLL hell”)
2. From unprotected to protected OS kernel (stability, ease of update, ease of patching)
3. From untrusted to trusted management primitives (simplicity, consistency)
Traditional security: multiple agents
Agents: Anti-virus, Device VPN, Content-aware DLP, PC management, Encryption, VDI, Remote access
Architectural security flaws: 1. Unprotected file system 2. Unprotected OS kernel
Multiple challenges: • “DLL hell” • Zero privacy • Poor user experience • High TCO (licenses, staff) … and not so secure after all …
Modern security: EMM as central security hub, single point of trust
EMM authenticates, monitors, and controls access; the traditional agents (Anti-virus, Device VPN, Content-aware DLP, PC management, Encryption, VDI, Remote access) attach to it rather than operating independently
EMM is the gatekeeper for enterprise data
Modern computing: Devices are personal; Networks are open; Data is stored in the cloud; IT does not own assets
Managed trust: Only trusted users on trusted devices with trusted apps over trusted sessions can access enterprise data
Four dimensions: User trust, Device trust, App trust, Session trust
Trust = identity + posture. Trust is dynamic. Trust determines level of access.
The mind of the mobile hacker
Hackers know mobile is different: New generation operating systems are sandboxed; the network edge between server and users has blurred; users are low-hanging fruit
Hackers look to the device: Jailbroken iPhone = Windows 7 (compromise OS integrity, gain access to passwords and resources)
Countermeasure: detection and mitigation
Hackers look to the app: From file infection to app infection, moving “up the stack” from OS and file to app
Bad apps: new generation of malware; ~ 10,000 malware apps in the Android and iOS app stores
Good apps behaving badly: excessive permissions, no obvious malicious intent; 80% of popular 3rd party apps contain security, privacy, and data exfiltration risks (Appthority)
Countermeasure: reputation analysis and mitigation
Hackers look to the network: Compromising the session
Man-in-the-middle attack: the mobile device joins a rogue network (SSID = CoffeeShop) that sits between it and the corporate Active Directory, Email, Apps, and Content
Countermeasure: session trust through certificates
Designing a managed trust framework
Establishing device trust • Jailbreak / root detection • Encryption enforcement • Passcode / biometrics • Automated remediation
Establishing app trust • Secure distribution • Containerized data store • Reputation analysis • Local DLP controls
Establishing session trust • Secure gateway • Certificate-based auth • Per-app VPN • Conditional access
Four dimensions: User trust, Device trust, App trust, Session trust
Managed trust protects choice: choice of OS, Cloud, Device, Identity, and App
2015: the summer of mobile breaches
Notified: Jul 27, 2015 – Attacks through overflow vulnerability in old versions of Android. Mitigate: Quarantine by OS version until affected devices upgraded. ActiveSync can’t protect; EMM required.
Notified: Sept 1, 2015 – Exposes owner’s iTunes credentials on jailbroken iOS devices. Mitigate: Identify and selectively wipe jailbroken devices. ActiveSync can’t protect; EMM required.
Notified: Sept 17, 2015 – Hacked dev tool library allows phishing and information collection. Mitigate: Identify and quarantine devices with compromised apps. ActiveSync can’t protect; EMM required.
Notified: Oct 4, 2015 – Compromise, replace, and launch apps through abuse of private APIs. Mitigate: Quarantine by OS version until affected devices upgraded. ActiveSync can’t protect; EMM required.
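The managed trust framework and the breach mitigations above both reduce to one policy decision: re-evaluate user, device, app and session posture on every check-in and map the result to allow, quarantine, or selective wipe. The following is an added example written for this page, not MobileIron code; the OS version baseline, reputation threshold, permission list, and device records are constructed placeholders, and the scoring fields on the App and Device classes are assumptions for illustration.

```python
"""Added example (not MobileIron code): a minimal managed-trust policy engine.

It evaluates the four trust dimensions named in the deck (user, device, app,
session) and returns the most severe remediation required, in the spirit of
the breach-slide mitigations: quarantine by OS version, selectively wipe
jailbroken devices, quarantine devices with compromised apps.
All thresholds and sample data below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"          # block enterprise access until remediated
    SELECTIVE_WIPE = "selective_wipe"  # remove enterprise data, leave personal data


# Ordering used to keep only the most severe action
SEVERITY = {Action.ALLOW: 0, Action.QUARANTINE: 1, Action.SELECTIVE_WIPE: 2}


@dataclass
class App:
    bundle_id: str
    reputation: float                       # hypothetical score: 0.0 malicious .. 1.0 clean
    permissions: set[str] = field(default_factory=set)


@dataclass
class Device:
    os: str                                 # "ios" or "android"
    os_version: tuple[int, ...]
    jailbroken: bool
    encrypted: bool
    passcode_set: bool
    apps: list[App]
    session_cert_valid: bool                # identity certificate checked by the gateway
    user_identity_verified: bool


# Constructed policy values (placeholders, not a real patch baseline)
MIN_OS_VERSION = {"android": (5, 1, 1), "ios": (9, 0)}
MIN_APP_REPUTATION = 0.5
RISKY_PERMISSIONS = {"read_sms", "record_audio", "read_contacts"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.1.1' into (5, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_trust(device: Device) -> tuple[Action, list[str]]:
    """Return the most severe action required and every reason that contributed.

    Trust = identity + posture, and it is dynamic: this runs on every
    check-in, so a device allowed yesterday can be quarantined today.
    """
    reasons: list[str] = []
    action = Action.ALLOW

    def escalate(new_action: Action, reason: str) -> None:
        nonlocal action
        reasons.append(reason)
        if SEVERITY[new_action] > SEVERITY[action]:
            action = new_action

    # User trust: an unverified identity gets no access at all
    if not device.user_identity_verified:
        escalate(Action.QUARANTINE, "user identity not verified")

    # Device trust: a jailbroken/rooted device cannot keep enterprise data
    # separate, so the remediation is a selective wipe rather than quarantine
    if device.jailbroken:
        escalate(Action.SELECTIVE_WIPE, "device is jailbroken/rooted")
    if device.os_version < MIN_OS_VERSION.get(device.os, (0,)):
        version = ".".join(str(p) for p in device.os_version)
        escalate(Action.QUARANTINE, f"{device.os} {version} below patched baseline")
    if not device.encrypted:
        escalate(Action.QUARANTINE, "storage encryption not enforced")
    if not device.passcode_set:
        escalate(Action.QUARANTINE, "no passcode/biometric lock")

    # App trust: reputation analysis plus an excessive-permission check
    for app in device.apps:
        if app.reputation < MIN_APP_REPUTATION:
            escalate(Action.QUARANTINE, f"app {app.bundle_id} failed reputation analysis")
        excessive = app.permissions & RISKY_PERMISSIONS
        if excessive:
            escalate(Action.QUARANTINE, f"app {app.bundle_id} requests {sorted(excessive)}")

    # Session trust: access only over a session authenticated by the device certificate
    if not device.session_cert_valid:
        escalate(Action.QUARANTINE, "no valid session certificate")

    return action, reasons


if __name__ == "__main__":
    # Constructed check-in: an Android device below the placeholder baseline
    stale = Device("android", parse_version("5.0"), False, True, True, [], True, True)
    print(evaluate_trust(stale))
```

The engine never stops at the first failure: it collects every reason so the remediation message sent to the user lists everything they must fix, while the action reflects only the worst finding. A real EMM would also feed these reasons into the analytics layer the deck lists under requirement 5.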
EMM has become the security hub for data protection and incident response
“By 2020, smartphone security and management architectures will dominate the endpoint computing environment, while traditional PC image management will decline except on dedicated appliance-style devices.”
Source: “Managing PCs, Smartphones and Tablets and the Future Ahead” by Ken Dulaney, Terrence Cosgrove, May 5, 2014
Windows 10 is catalyst to rethink PC operations
MobileIron extends managed trust to the PC: • Windows security will be more reliable • Windows operations will be more agile • Windows TCO will be less expensive
“EMM is critical to the success of our enterprise customers.” Microsoft keynote (2015 MobileIron user conference)
What to know about EMM? Recap
EMM establishes Managed Trust and is the gatekeeper for enterprise data
Without EMM, data will always be at increased risk of breach
EMM will become the leading management platform for modern end-user computing
Requirements for information security and business enablement, for both cloud and traditional data centers
Enablement: 1. Provisioning and configuration of connectivity and business services (apps)
Security: 2. Protection of data-at-rest on the endpoint 3. Protection of data-in-motion on the network 4. Authentication and conditional access to back-end business services
Analytics: 5. Collection and analysis of usage, operations, and security data spanning the user to the data center
MobileIron is the security and apps hub for modern end-user computing
Secure enterprise information wherever it lives
Across apps
Across networks
Across clouds
A leader in the Gartner Magic Quadrant for EMM for the past 5 years
Modern end-user computing: EMM is hub for information security and apps enablement, single point of trust
EMM authenticates, monitors, and controls access for Anti-virus, Device VPN, Content-aware DLP, PC management, Encryption, VDI, and Remote access
Front-end: MobileIron is single point of trust. Back-end: MobileIron is gatekeeper and policy engine for all user-facing services.
MobileIron platform architecture
Layers: Enablement, Enforcement, Policy and Identity, Cloud Security, Access Control, Integration
Apps@Work: Enterprise app store
Docs@Work: Secure content
Web@Work: Secure browsing
Help@Work: Troubleshooting
Tunnel: Per app VPN
DataView: Cost management
Email+: Secure email
Note: Some features will vary by device and deployment model
Q&A?
Thank you
[email protected]