With Pat Wardrop, lead architect, IBM Security access management development
© 2013 IBM Corporation
Mobile Security Identity & Access Maturity Model &
Real World Deployments and Architecture
Patrick R Wardrop
28 May 2013
Copenhagen, Denmark
Topics
IBM’s perspective
Identity & Access Mobile Security Maturity Model
Real World Use cases
Demo & Architecture Walk through
Enterprises face mobile security challenges
Enabling secure transactions to enterprise applications and data
Developing secure applications and ensuring assurance
Designing and instituting an adaptive security posture
Adapting to BYOD and the consumerization of IT
Managing and securing the mobile device, enterprise, and apps

Mobile BYOD (B2E)
  Device: Personal vs. corporate data. Document sync.
  Enterprise: Secure access. Easy authentication.
  Apps: Mobile-enabled IT & productivity apps.
Mobile Transactions (B2C)
  Device: No device control. Malware.
  Enterprise: Secure transactions. Threat protection. Network monitoring.
  Apps: Rapid application delivery, APIs. Security & monitoring.

Mobile adoption patterns point to focus areas around managing risk across device, network and applications.
Ensuring secure transactions spans an integrated approach across Device, Enterprise and Applications
Safe usage of smartphones and tablets in the enterprise
Secure transactions enabling customer confidence
Visibility and security of the enterprise mobile platform

IBM Mobile Security & Management Strategy

At the Device
  Manage Device: Register; set appropriate security policies; compliance; wipe; lock
  Persona Separation: Data separation; data leakage prevention
  Data Mgmt/Protection: Encryption; content (i.e. documents) management & protection; data sync
Over the Network & Enterprise (Internet)
  Secure Access: Properly identify mobile users & devices; allow or deny access
  Connectivity, Security Intelligence: Security intelligence, usage; logging events, anomalies
  Threat Protection: Identify & stop mobile threats; content/info; network; transactions
For the Mobile App
  App Assurance: Scanning, analysis, certification; identify application vulnerabilities
  App Management: App performance management; monitoring; app store, versioning, update apps
  App Security: API, SDK, application level controls
Current IBM capabilities: Securing the Mobile Enterprise
Mobile security intelligence provides deeper insights around the security and risk posture of an enterprise, in the context of mobile.
Mobile Security Intelligence
Intelligence around malware and advanced threats in the mobile-enabled enterprise
User identity and device identity correlation, leading to behavior analysis
Geo-fencing, anomaly detection based on device, user, location, and application characteristics
Topics
IBM’s perspective
Identity & Access Mobile Security Maturity Model
Real World Use cases
Demo & Architecture Walk through
Mobile Security: Identity & Access Maturity Model
Optimized
  Access monitoring & reporting
  Content filtering / server-side DLP
  Access governance / certification to mobile applications
  Integration with SaaS and BaaS
  Context / risk-based access
  Advanced authentication (biometrics, behavior, analytics, ...)
Proficient
  Application access management
  Device registration, authentication and revocation (i.e. OAuth)
  Strong authentication (OTP, device, ...)
  Application VPN
  Application threat protection (WAF)
  Connecting client's reputation
Basic
  Browser-based federated single sign-on
  Server-side single sign-on
  Server-side application protection (authentication, authorization and audit, session management)
Topics
IBM’s perspective
Identity & Access Mobile Security Maturity Model
Real World Use case
Architecture Walk through & Demo
An automobile company secures its cloud services access with IBM Security Access Manager & WebSphere DataPower
Business challenge:
• Automobile customers require secure, personalized access to vehicle information services on their mobile devices
• Customers require access to radio, internet and social network services from their telematics systems inside cars
Solution:
• Security Access Manager along with DataPower
• Authentication and authorization to back-end services
• Secure integration and federated single sign-on with third party service providers
Value:
• Fast time to value and quick integration with partner services
• Secure mobile access
[Architecture diagram: ISAM Proxy (WebSEAL), FIM and DataPower across Data Center 1 and Data Center 2, fronting Cloud Services; flow labels: Authorization Request, Token Request, Access Token, Access Token Granted]
Topics
IBM’s perspective
Identity & Access Mobile Security Maturity Model
Real World Use case
Architecture Walk through & Demo
Example Architecture
[Diagram: IBM Security Access Manager Web Gateway Appliance in the DMZ; IBM Security Federated Identity Manager and the Application behind it]
Example Architecture
[Diagram: IBM Security Access Manager Web Gateway Appliance in the DMZ, providing Reverse Proxy, WAF (PAM), OAuth, RBA (with an X marker); IBM Security Federated Identity Manager providing OTP, RBA, OAuth; the Application behind them]
Example Architecture
[Diagram: IBM Security Access Manager Web Gateway Appliance in the DMZ, providing Reverse Proxy, WAF (PAM), OAuth, RBA (with an X marker); IBM Security Federated Identity Manager providing OTP, RBA, OAuth; the Application behind them]
Value:
• Identity-aware mobile applications
• Non-intrusive user experience with reduced risk
• Using adaptive (risk-based access) security
• Strong authentication only when it's necessary, by using context-based access
• Reduce unnecessary barriers
• Revocable application instances
Identity-aware Mobile Application Demo: OAuth device registration, identity-aware application, context-aware access & application instance revocation
Scenario 1: OAuth device registration and identity-aware application launch
Scenario 2: Risk-based access decision that is transaction value aware, with strong authentication
Scenario 3: Mobile application instance revocation
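The three demo scenarios above, as an added example (not IBM's or the demo's own code): a minimal Python policy simulation of device registration with token issuance, a transaction-value and context-aware risk decision that steps up to OTP, and application instance revocation. The thresholds, score weights and the Grant/AccessManager names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

HIGH_VALUE_LIMIT = 1000   # assumed: transaction value above which risk rises sharply
STEP_UP_THRESHOLD = 50    # assumed: risk score at or above which OTP is demanded


@dataclass(frozen=True)
class Grant:
    user: str
    device_id: str       # the registered application instance
    home_country: str    # context captured at registration time


@dataclass
class AccessManager:
    grants: dict = field(default_factory=dict)   # access token -> Grant
    revoked: set = field(default_factory=set)    # revoked device_ids

    def register_device(self, user: str, device_id: str, country: str) -> str:
        """Scenario 1: register the app instance and issue it an access token."""
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(user, device_id, country)
        return token

    def revoke_instance(self, device_id: str) -> None:
        """Scenario 3: revoke the app instance; every token bound to it stops working."""
        self.revoked.add(device_id)

    def risk_score(self, grant: Grant, amount: int, context: dict) -> int:
        """Scenario 2: a transaction-value-aware and context-aware risk score."""
        score = 0
        if amount > HIGH_VALUE_LIMIT:
            score += 50                          # high-value transaction
        if context.get("country") != grant.home_country:
            score += 30                          # request from an unfamiliar country
        return score

    def decide(self, token: str, amount: int, context: dict, otp_ok: bool = False) -> str:
        """Return 'deny', 'step-up' (OTP required first) or 'permit'."""
        grant = self.grants.get(token)
        if grant is None or grant.device_id in self.revoked:
            return "deny"                        # unknown token or revoked instance
        if self.risk_score(grant, amount, context) >= STEP_UP_THRESHOLD and not otp_ok:
            return "step-up"                     # strong authentication only when needed
        return "permit"
```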
Identity-aware Mobile Application Demo Architecture
[Diagram: Mobile App with WL Runtime; IBM Security Access Manager Web Gateway Appliance in the DMZ (Reverse Proxy, WAF (PAM), OAuth, RBA); IBM Security Federated Identity Manager (OTP, RBA, OAuth); IBM Worklight Server]
THANK YOU!!!