What Every CIO should know about EMM?

What Every CIO should know about EMM? Leszek Twardowski, Sr. System Engineer, MobileIron [email protected], Riga, October 22, 2015

Past Enterprise Transitions: Change the Way People Work, Disrupt Enterprise Architectures, New Leaders Emerge

60s & 70s: Mainframe / Mini Era
80s: PC Era
90s: Internet Era
Today: Mobile Era

Mobile is Here to Stay in the Enterprise

Accelerated growth of mobile workforce: 890 Million tablets and smartphones install base in 2017 (Source: IDC; installed base calculation assumes a 2-year refresh cycle)
Rapid evolution of mobile applications: 82% of employees using multiple apps (Forrester, February 2013, “2013 Mobile Workforce Adoption Trends”)
Explosion of content & data: 1 Billion files saved to Dropbox in 24 hours (https://www.dropbox.com/news/company-info)

MobileIron Confidential

From MDM (user-led) to EMM

Drivers: Device choice and email; Apps explosion; Mobile content; Secure access
Layers: Devices, Apps, Content, Security
EMM capabilities: Cloud or on-prem; IT at consumer speed; Multi-OS security; App storefront & work separation; Document & web access

Mobile has introduced a new operating system architecture and application model. User expectations and threat landscapes have changed so that traditional information security and business enablement technologies are no longer effective for modern end-user computing.

Centered on device

Centered on individual

“Digital business will completely change the technology provider landscape” Peter Sondergaard, SVP Research, Gartner Inc. (May 2015)

CISO confusion about mobile architecture

Evolution of operating system architecture: Traditional Windows vs. iOS / Android / Windows 10

[Diagram: the traditional Windows stack, user mode (Logon, Win32 API, UI components, session manager, NTDLL.DLL, graphics, classes/utilities, audio, video) over kernel mode (Win32K.sys, HAL, graphics drivers, printer drivers, system utilities, kernel), compared with iOS / Android / Windows 10, where user mode and kernel mode are cleanly separated and management primitives are built into the OS. The numbers 1 to 3 in the diagram mark the three transitions below.]

1. From open file system to application sandboxing (security, no app conflicts, no “DLL hell”)
2. From unprotected to protected OS kernel (stability, ease of update, ease of patching)
3. From untrusted to trusted management primitives (simplicity, consistency)

Traditional security: multiple agents

[Diagram: a separate agent for each function: anti-virus, device VPN, content-aware DLP, PC management, encryption, VDI, remote access]

Architectural security flaws
1. Unprotected file system
2. Unprotected OS kernel

Multiple challenges
• “DLL hell”
• Zero privacy
• Poor user experience
• High TCO (licenses, staff)
… and not so secure after all …

Modern security: EMM as central security hub

[Diagram: EMM as the single point of trust at the centre, with anti-virus, device VPN, content-aware DLP, PC management, encryption, VDI and remote access arranged around it; the EMM hub authenticates, monitors and grants access.]

EMM is the gatekeeper for enterprise data

Modern computing
• Devices are personal
• Networks are open
• Data is stored in the cloud
• IT does not own assets

Managed trust: Only trusted users on trusted devices with trusted apps over trusted sessions can access enterprise data

Trust = identity + posture. Trust is dynamic. Trust determines level of access.

Four pillars: User trust, Device trust, App trust, Session trust

The mind of the mobile hacker

Hackers know mobile is different
• New generation operating systems are sandboxed
• Network edge has blurred between server and users
• Users are low-hanging fruit

Hackers look to the device
Jailbroken iPhone = Windows 7: compromise OS integrity → gain access to passwords and resources
Countermeasure: detection and mitigation

Hackers look to the app: from file infection to app infection

Bad apps
• New generation of malware
• Moving “up the stack” from OS and file to app

Good apps behaving badly
• Excessive permissions
• No obvious malicious intent

~10,000 malware apps in the Android and iOS app stores
80% of popular 3rd party apps contain security, privacy, and data exfiltration risks (Appthority)

Countermeasure: reputation analysis and mitigation

Hackers look to the network: compromising the session

[Diagram: a mobile device on a rogue Wi-Fi network (SSID = CoffeeShop) connects to corporate resources (Active Directory, email, apps, content); the attacker sits in the middle of the session (man-in-the-middle attack).]

Countermeasure: session trust through certificates

Designing a managed trust framework

Establishing device trust
• Jailbreak / root detection
• Encryption enforcement
• Passcode / biometrics
• Automated remediation

Establishing app trust
• Secure distribution
• Containerized data store
• Reputation analysis
• Local DLP controls

Establishing session trust
• Secure gateway
• Certificate-based auth
• Per-app VPN
• Conditional access

Pillars: User trust, Device trust, App trust, Session trust

Managed trust protects choice: OS, Cloud, Device, Identity, App

2015: the summer of mobile breaches

Breach 1 (notified Jul 27, 2015): Attacks through overflow vulnerability in old versions of Android. Mitigate: quarantine by OS version until affected devices upgraded.
Breach 2 (notified Sept 1, 2015): Exposes owner’s iTunes credentials on jailbroken iOS devices. Mitigate: identify and selectively wipe jailbroken devices.
Breach 3 (notified Sept 17, 2015): Hacked dev tool library allows phishing and information collection. Mitigate: identify and quarantine devices with compromised apps.
Breach 4 (notified Oct 4, 2015): Compromise, replace, and launch apps through abuse of private APIs. Mitigate: quarantine by OS version until affected devices upgraded.

In all four cases: ActiveSync can’t protect; EMM required.

EMM has become the security hub for data protection and incident response
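The managed trust framework (device, app and session trust, with trust determining the level of access) and the mitigations listed for the four 2015 breaches (quarantine by OS version, selective wipe of jailbroken devices, quarantine of devices carrying compromised apps) are the same idea seen twice: posture signals go in, a graded response comes out. The policy engine below is an added example written for this page, not MobileIron code or its API; the minimum OS versions, the flagged app identifiers (`com.example.*`) and the device records are constructed placeholders that a real deployment would replace with its own assessment.

```python
"""Conditional-access policy engine for the 'managed trust' model:
only trusted users on trusted devices with trusted apps over trusted
sessions reach enterprise data, and the trust level decides the response.
Added example for this page, not MobileIron code. Every threshold, app
identifier and device record below is a constructed placeholder."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Tuple


class Action(IntEnum):
    """Responses ordered from least to most restrictive; when several
    signals fire on one request, the most restrictive one wins."""
    ALLOW = 0           # full access
    LIMITED = 1         # access granted, remediation pushed to the device
    DENY_SESSION = 2    # this request refused; device state unchanged
    QUARANTINE = 3      # cut off from enterprise services until fixed
    SELECTIVE_WIPE = 4  # enterprise data removed, personal data untouched


@dataclass
class Device:
    os_name: str
    os_version: str
    jailbroken: bool    # result of jailbreak / root detection
    encrypted: bool     # storage encryption enforced
    passcode_set: bool


@dataclass
class Session:
    cert_authenticated: bool  # EMM-issued client certificate presented
    via_gateway: bool         # traffic arrived through the secure gateway


@dataclass
class Decision:
    action: Action
    reasons: List[str] = field(default_factory=list)


# Constructed policy values: a real deployment sets these from its own
# vulnerability assessment and raises them as new issues are disclosed.
MIN_OS_VERSION = {"Android": "5.1.1", "iOS": "8.4"}
# Constructed placeholder bundle ids standing in for apps that reputation
# analysis has flagged (e.g. built with a tampered developer tool).
COMPROMISED_APPS = {"com.example.flagged-weather", "com.example.flagged-notes"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.4' -> (8, 4); a non-numeric component ends the parse."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


def version_below(installed: str, minimum: str) -> bool:
    """True if installed < minimum. The shorter tuple is right-padded
    with zeros so that '8.4' is not treated as below '8.4.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def evaluate(device: Device, installed_apps: List[str], session: Session) -> Decision:
    """Run on every access request: trust is dynamic, so a device allowed
    yesterday may be quarantined today after a new disclosure."""
    decision = Decision(Action.ALLOW)

    def escalate(action: Action, reason: str) -> None:
        decision.reasons.append(reason)
        decision.action = max(decision.action, action)

    # Device trust
    if device.jailbroken:
        escalate(Action.SELECTIVE_WIPE, "OS integrity compromised (jailbreak/root)")
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        escalate(Action.QUARANTINE, f"unsupported platform {device.os_name}")
    elif version_below(device.os_version, minimum):
        escalate(Action.QUARANTINE, f"{device.os_name} {device.os_version} below minimum {minimum}")
    if not device.encrypted:
        escalate(Action.LIMITED, "storage encryption not enforced")
    if not device.passcode_set:
        escalate(Action.LIMITED, "no passcode set")

    # App trust
    flagged = sorted(set(installed_apps) & COMPROMISED_APPS)
    if flagged:
        escalate(Action.QUARANTINE, "compromised apps installed: " + ", ".join(flagged))

    # Session trust
    if not session.cert_authenticated:
        escalate(Action.DENY_SESSION, "no EMM-issued certificate presented")
    if not session.via_gateway:
        escalate(Action.DENY_SESSION, "request bypassed the secure gateway")
    return decision


if __name__ == "__main__":
    trusted = Session(cert_authenticated=True, via_gateway=True)
    fleet = [  # constructed device records
        (Device("iOS", "9.0.2", False, True, True), ["com.example.mail"], trusted),
        (Device("Android", "5.0.2", False, True, True), [], trusted),
        (Device("iOS", "8.4", True, True, True), [], trusted),
        (Device("iOS", "9.0", False, True, True), ["com.example.flagged-notes"], Session(False, True)),
    ]
    for dev, apps, sess in fleet:
        result = evaluate(dev, apps, sess)
        print(f"{dev.os_name} {dev.os_version}: {result.action.name} {result.reasons}")
```

The ordering of `Action` carries the policy: an out-of-date OS and a compromised app both end in quarantine, a jailbreak escalates to a selective wipe of enterprise data only, and a missing certificate or a request that bypassed the gateway is refused without touching the device. Because `evaluate` is a pure function of the current posture, raising `MIN_OS_VERSION` after a disclosure is enough to move every affected device into quarantine on its next request, which is the "quarantine by OS version until upgraded" response from the breach slide.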

“By 2020, smartphone security and management architectures will dominate the endpoint computing environment, while traditional PC image management will decline except on dedicated appliance-style devices.”

Source: “Managing PCs, Smartphones and Tablets and the Future Ahead” by Ken Dulaney, Terrence Cosgrove, May 5, 2014


Windows 10 is a catalyst to rethink PC operations

MobileIron extends managed trust to the PC:
• Windows security will be more reliable
• Windows operations will be more agile
• Windows TCO will be less expensive

“EMM is critical to the success of our enterprise customers.” Microsoft keynote (2015 MobileIron user conference)


What to know about EMM? Recap

EMM makes it possible to establish managed trust and is the gatekeeper for enterprise data.
Without EMM, data will always be at increased risk of breach.
EMM will become the leading management platform for modern end-user computing.

Requirements for information security and business enablement, for both cloud and traditional data centers

1. Enablement: provisioning and configuration of connectivity and business services (apps)
2. Security: protection of data-at-rest on the endpoint
3. Security: protection of data-in-motion on the network
4. Security: authentication and conditional access to back-end business services
5. Analytics: collection and analysis of usage, operations, and security data spanning the user to the data center

MobileIron is the security and apps hub for modern end-user computing

Secure enterprise information wherever it lives: across apps, across networks, across clouds

A leader in Gartner Magic Quadrant for EMM past 5 years

Modern end-user computing: EMM is hub for information security and apps enablement

[Diagram: EMM as the single point of trust at the centre, surrounded by anti-virus, device VPN, content-aware DLP, PC management, encryption, VDI and remote access; the hub authenticates, monitors and grants access.]

Front-end: MobileIron is single point of trust. Back-end: MobileIron is gatekeeper and policy engine for all user-facing services.

Platform architecture

Layers: Enablement, Enforcement, Policy and Identity, Cloud Security, Access Control, Integration

Products:
• Apps@Work: enterprise app store
• Docs@Work: secure content
• Web@Work: secure browsing
• Help@Work: troubleshooting
• Tunnel: per-app VPN
• DataView: cost management
• Email+: secure email

Note: Some features will vary by device and deployment model

Q&A?

Thank you [email protected]