In this webinar we discussed the future of mobile application security in the enterprise.
Smart phones, tablets and even e-readers are now seen as security problems for an enterprise by some IT organizations. Applying MDM — aka mobile device management — has been the response of IT to handle devices, but this approach is lacking, especially as BYOD (bring your own device) has become the primary source of devices in companies. And, as “apps” have proliferated, the apps and data are becoming the engine of user empowerment and ROI — and risk.
Users are not accepting the restrictions MDM places on their use of the phone, especially when the user actually owns the device. And if the user leaves, IT may wipe the device, personal data and all. Mobile Application Management (MAM) promises a solution that keeps enterprise apps and data separate and secure. Other approaches are emerging as well. Virtualization promises that one phone can run two VMs, one personal and one business. There are containers and sandboxed apps. Ultimately, different approaches to application development and management could solve the puzzle of protecting confidential data while keeping individuals productive. What approach will win out?
Transcript
The information and images contained in this document are of a proprietary and confidential nature. The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than client evaluation without the written permission of Apperian, Inc. is strictly prohibited.
MDM focuses on device-based security, provisioning and control of mobile devices. Additional features may include TEMS, device inventory, and app lists (part of MAM).
• MDM is useful for organizations requiring a high level of control over Corporate Liable (CL) devices due to regulatory requirements, or where the risk of users accessing “non approved” information is high.
• Microsoft Exchange Server provides security with device management features via ActiveSync, including security profiles (e.g., requiring a PIN code of a specific type and length) and device “wipe” and “lock”.
• Apple iOS supports a protocol called “MDM” that allows iOS devices to register with a central server and thereafter receive specific commands to perform tasks, e.g., “device wipe”, install security profiles, or send back device status without user intervention.
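The register-then-receive-commands flow described above, simulated end to end as an added example (this is not Apperian's code, nor Apple's). The message shapes follow Apple's MDM protocol (plist bodies carrying CommandUUID, Command.RequestType and Status); the UDIDs, queued commands and device answers are constructed, and the HTTPS transport and push notification that trigger a check-in are left out. It also shows the part the slide does not: how the server must keep a command queued when the device answers NotNow (for example while it is locked) and drop it on Acknowledged or Error.

```python
"""Simulated Apple MDM command exchange (added example; not Apperian's code)."""
import plistlib
import uuid
from collections import deque

# Server-side state: commands waiting for each enrolled device, keyed by UDID.
PENDING = {}

def enqueue(udid, command):
    """Queue a command dict (must carry RequestType) for a device."""
    PENDING.setdefault(udid, deque()).append(command)

def pending_count(udid):
    return len(PENDING.get(udid, ()))

def make_report(udid, status, command_uuid=None):
    """Device side: the plist a device sends on check-in or after running a command."""
    report = {"UDID": udid, "Status": status}
    if command_uuid:
        report["CommandUUID"] = command_uuid
    return plistlib.dumps(report)

def next_command(udid):
    """Server side: plist for the head of the queue, or None when nothing is pending.

    The command stays queued until the device acknowledges it, so a device that
    answered NotNow gets the same command again on its next check-in.
    """
    queue = PENDING.get(udid)
    if not queue:
        return None
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": dict(queue[0])})

def handle_report(raw):
    """Server side: consume a device report, return (status, next_command_or_None).

    Idle          device has nothing to report; send the next command.
    Acknowledged  last command done; drop it from the queue, send the next.
    NotNow        device cannot act yet; keep the command queued, send nothing.
    Error         command failed; drop it and stop (a real server logs ErrorChain).
    """
    report = plistlib.loads(raw)
    udid, status = report["UDID"], report["Status"]
    queue = PENDING.setdefault(udid, deque())
    if status == "Acknowledged":
        if queue:
            queue.popleft()
    elif status == "Error":
        if queue:
            queue.popleft()
        return status, None
    elif status == "NotNow":
        return status, None
    elif status != "Idle":
        raise ValueError(f"unexpected device status {status!r}")
    return status, next_command(udid)

def request_type(command_bytes):
    return plistlib.loads(command_bytes)["Command"]["RequestType"]

def device_acknowledge(command_bytes, udid):
    """Device side (simulated): acknowledge the command, echoing its CommandUUID."""
    cmd = plistlib.loads(command_bytes)
    report = {"UDID": udid, "Status": "Acknowledged", "CommandUUID": cmd["CommandUUID"]}
    if cmd["Command"]["RequestType"] == "DeviceInformation":
        # Constructed answers to the Queries the server asked for.
        report["QueryResponses"] = {"OSVersion": "17.0", "ModelName": "iPhone"}
    return plistlib.dumps(report)

def run_exchange(udid):
    """Drive a device through its whole queue; returns the RequestTypes executed in order."""
    executed = []
    report = make_report(udid, "Idle")
    while True:
        status, cmd = handle_report(report)
        if cmd is None:
            return executed
        executed.append(request_type(cmd))
        report = device_acknowledge(cmd, udid)

if __name__ == "__main__":
    udid = "CONSTRUCTED-UDID-0001"
    enqueue(udid, {"RequestType": "DeviceInformation", "Queries": ["UDID", "OSVersion", "ModelName"]})
    enqueue(udid, {"RequestType": "DeviceLock", "Message": "Locked by IT; call the helpdesk"})
    print(run_exchange(udid))  # ['DeviceInformation', 'DeviceLock']
```

The queue-per-UDID design matters for the "without user intervention" property: the server never assumes a command ran, it only advances on an explicit Acknowledged from the device, which is what makes a later audit of which devices actually locked or reported status trustworthy.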
MEAPs provide “tools and client/server middleware for mobile (targeting any sort of mobile application) and multichannel (highly device/OS- and network-adaptive) thick (offline) enterprise application development”*
• MEAPs are used by some organizations that require an integrated development environment.
• MEAPs are attractive to companies that want to deploy an enterprise-wide solution across many different device types, using central logic for large, complex apps.
• MEAP sandboxes enable multiple applications within a single “native app” sandbox, thereby providing control over the applications from a single dashboard.
MAM focuses on the role-based security, provisioning and control of mobile apps in an organization, with capabilities that may include device inventory, reporting/tracking, and user compliance.
• MAM solutions are useful for organizations providing “in-house” apps to users on either corporate-liable (CL) or individual-liable (IL) devices. For example, if a user leaves an organization or group, apps and data belonging to the organization can be de-provisioned without resorting to a full “device wipe”.
• MAM solutions are typically used in mixed (CL/IL) environments or where BYOD policies are implemented.
• Apple and Android support over-the-air delivery that enables apps and profiles to be delivered from a server.
MSSS focuses on providing a complete “suite” of solutions that may include antivirus, personal firewall, VPN, encryption, anti-spam, and remote monitoring and control services.
• MSSS solutions extend traditional “enterprise” protections for the PC environment to mobility. Services can include remote backup and restore, lost and stolen device location, and data wipe.
• MSSS can also send an alert when “security” events occur, e.g., when a SIM card has been removed or replaced.
• MSSS capabilities are beginning to overlap with or be subsumed by MDM or built-in OS solutions (e.g., iCloud), and certain features, such as anti-virus, are not necessarily viewed as critical… yet.
• Virtualization allows a device to have different “partitions” or “personas” that provide two or more virtual device modes; apps built for these modes may require an SDK or wrapper.
• SDKs provide direct support to native app developers for authentication, authorization, reporting/tracking and other services that enforce app and data security.
• Wrappers offer the promise of “wrapping” an existing mobile app without the need to re-compile or change code; the resulting app can then be managed centrally.
• Sandboxes allow a single app or multiple apps to live within a “sandbox” and be logically separated from other apps but managed centrally.
Application developers may use one or more of these approaches to address security issues, or use “do it yourself” methods.
Security objective: Confidentiality. Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Unauthorized disclosure of information … to organizational operations, organizational assets, or individuals:
  Low: limited adverse effect
  Moderate: serious adverse effect
  High: severe or catastrophic adverse effect
Security objective: Integrity. Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Unauthorized modification or destruction of information … to operations, organizational assets, or individuals:
  Low: limited adverse effect
  Moderate: serious adverse effect
  High: severe or catastrophic adverse effect
Security objective: Availability. Ensuring timely and reliable access to and use of information.
Disruption of access to or use of information or an information system … on organizational operations, organizational assets, or individuals:
  Low: limited adverse effect
  Moderate: serious adverse effect
  High: severe or catastrophic adverse effect
Source: Adapted from “Standards for Security Categorization of Federal Information and Information Systems” (FIPS PUB 199)
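An added example (not part of the slides) that turns the FIPS 199 table above into the categorization step a practitioner actually performs before choosing MDM, MAM or a sandbox for an app: each information type the app handles gets an impact level per objective, the system inherits the highest level per objective, and the overall impact level is the high-water mark of the three. The information types and their ratings are constructed sample values; the rule that “not applicable” is allowed only for confidentiality, and that a system is rated at least LOW, comes from FIPS 199 itself.

```python
"""FIPS 199 security categorization (added example; not from the slides)."""

IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")   # FIPS 199 potential impact values, ordered
NOT_APPLICABLE = "N/A"
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Wording of each impact level as given in the table.
ADVERSE_EFFECT = {
    "LOW": "limited adverse effect",
    "MODERATE": "serious adverse effect",
    "HIGH": "severe or catastrophic adverse effect",
}

def _check(objective, level):
    """Reject values outside FIPS 199; N/A is permitted only for confidentiality."""
    if level in IMPACT_LEVELS:
        return level
    if level == NOT_APPLICABLE and objective == "confidentiality":
        return level
    raise ValueError(f"invalid impact {level!r} for {objective}")

def categorize_info_type(name, confidentiality, integrity, availability):
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    values = (confidentiality, integrity, availability)
    return {"name": name, **{o: _check(o, v) for o, v in zip(OBJECTIVES, values)}}

def categorize_system(info_types):
    """Security category of a system hosting several information types.

    Per objective, take the highest impact among the information types. A system
    cannot be rated N/A: FIPS 199 sets the floor at LOW, so N/A rolls up to LOW.
    """
    category = {}
    for objective in OBJECTIVES:
        levels = [it[objective] for it in info_types if it[objective] != NOT_APPLICABLE]
        category[objective] = max(levels, key=IMPACT_LEVELS.index) if levels else "LOW"
    return category

def high_water_mark(category):
    """Overall impact level of the system: the highest of the three objectives."""
    return max((category[o] for o in OBJECTIVES), key=IMPACT_LEVELS.index)

def format_sc(name, category):
    """Render the category in FIPS 199 notation."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

# Constructed sample: information types an enterprise mobile app might handle.
SAMPLE_INFO_TYPES = [
    categorize_info_type("employee directory", "LOW", "MODERATE", "LOW"),
    categorize_info_type("customer contracts", "HIGH", "HIGH", "MODERATE"),
    categorize_info_type("cafeteria menu", "N/A", "LOW", "LOW"),
]

if __name__ == "__main__":
    system = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc("mobile app backend", system))
    level = high_water_mark(system)
    print(f"Overall impact: {level} ({ADVERSE_EFFECT[level]})")
```

The point of the rollup for the BYOD discussion earlier on the page is that one HIGH-confidentiality information type (customer contracts here) drags the whole app to HIGH, regardless of how harmless the rest of its data is; that is the case where separating the sensitive data into a managed container or separate app keeps the rest of the device out of scope.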