Security at the "edge of the enterprise"
Vishwanath Narayan, IBM Distinguished Engineer – SWG & ISL, CTO Industry Solutions Architecture
© 2011 IBM Corporation, IBM Confidential



IBM Security Solutions

Mobile continues to drive explosive growth, creating new opportunity for IBM

[Chart] WW Mobile Applications Opportunity, 2010 to 2015, in billions of dollars (y-axis $0 to $50B): 66% CAGR. Annotations: Mobile Infrastructure Growth, Mobile Apps Growth, Mobile Devices Eclipse PCs, Mobile Apps Surpass Web. Source: IDC 2010.

[Chart] WW Mobile Infrastructure Opportunity, 2010 to 2015, in billions of dollars (y-axis $0 to $5B), segments Mobile Platform, Mobile Security and Device Management: 20% CAGR. Source: IDC 2010.

[Chart] US Mobile Commerce: Mobile Commerce Growth and Mobile Payments Growth (US, EU, China). Mobile payment transactions hit $670B by 2015. Source: Juniper Research 2011.


Our customers have identified mobile as a top priority for investment, innovation, and growth

Source: 2011 CIO Study, Q12: "Which visionary plans do you have to increase competitiveness over the next 3 to 5 years?" (n=3,018)

Most important visionary plan elements of the next 3 to 5 years (interviewed CIOs could select as many as they wanted):

Plan element                           2011   2009
Business Intelligence and analytics     83%    83%
Mobility solutions                      74%    68%
Virtualization                          68%    75%
Cloud computing                         60%    33%
Business process management             60%    64%
Risk management and compliance          58%    71%
Self-service portals                    57%    66%
Collaboration and Social Networking     55%    54%


Why is Security a Board Room discussion?

• Increased threat landscape
• Regulatory and compliance pressure
• Additional motivations
• Growing complexity of malware
• Consumerization of IT
• Business continuity / new business model risk

Top Priorities For Security And Risk Leaders 2011

• Priority No. 1: Securing mobile devices within the organization
• Priority No. 2: Managing third-party security risks
• Priority No. 3: Proactive security across the organization
• Priority No. 4: Building an IT risk management program
• Priority No. 5: Security strategy, maturity and roadmaps

Source: 2010 Q4 Global Security And Risk Council Challenge Assessment Online Survey, Forrester Research


Key Discussion Points around Mobile Security & Management

Bring-your-own
– Corporate data protection
– Policy
– Which platforms/variants
– Extend to desktop
– Employees, non-exempt employees, consumers

Management
– Lockdown, patch, update, ...
– Separation of employee/corporate data
– User experience

Application support
– Which apps/delivery
– Consumer
– Geo/mobility concerns
– Native/virtual

Additional complexities of:
– Identity, roles, multiple devices, content rights

Non-traditional endpoints


Motivation

Mobile Phones run both enterprise and personal apps concurrently

– Email client vs. Youtube

No guarantees on how enterprise data is used on the phone

– Could be leaked to personal apps which then send it out of the phone

– Enterprise data could be modified by arbitrary applications


Motivation

Enterprise Remote Management

– Enterprises need to measure the integrity of their end devices for a variety of operations

• Prevent rogue software from being installed

• Before sending sensitive data

• Ensuring remote management tasks such as remote wipe and remote lock are executed on the phone


Problem Statement

Develop a security framework that

– Prevents data leakage among enterprise and personal apps

– Is flexible enough to support different security policies

• Select available capabilities based on the current operating mode

– Enables remote measurement of platform integrity


Proposed Security Framework

Trusted Platform Module for Secure boot and Platform Integrity Attestation

Session Key for securing sensitive data

Privacy Enforcement Engine to prevent data leakage

Dynamic Policies for run time information flow control
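The Motivation, Problem Statement and Proposed Security Framework slides above describe two enforcement points: platform integrity is measured and attested before the enterprise releases sensitive data or trusts that a remote wipe ran, and a privacy enforcement engine applies run-time information flow control so enterprise data cannot reach personal apps or leave the phone over an uncontrolled channel. The Python simulation below is an added example, not code from the deck or from IBM; the TPM-style extend operation, the boot component images, the app names, the sink clearances, the operating modes and the policy rules are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# ---- 1. Platform integrity: measured boot and remote attestation -----------

def extend(accumulator: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the new value binds the previous value and the measurement."""
    return hashlib.sha256(accumulator + measurement).digest()

def measure_boot(components: list) -> bytes:
    """Measure each boot image in order into a single accumulator (like a PCR)."""
    acc = b"\x00" * 32
    for image in components:
        acc = extend(acc, hashlib.sha256(image).digest())
    return acc

# Constructed known-good boot chain for a managed phone (hypothetical images).
GOLDEN_COMPONENTS = [b"bootloader v1", b"kernel v1", b"mdm-agent v1"]
GOLDEN_VALUE = measure_boot(GOLDEN_COMPONENTS)

def attestation_ok(reported: bytes) -> bool:
    """Verifier side: compare the reported measurement with the known-good value."""
    return hmac.compare_digest(reported, GOLDEN_VALUE)

# ---- 2. Privacy enforcement engine: label-based information flow control ----

PERSONAL, ENTERPRISE = 0, 1            # two-level label lattice, PERSONAL < ENTERPRISE

@dataclass
class App:
    name: str
    domain: int                        # side of the phone the app belongs to
    label: int = PERSONAL              # rises to ENTERPRISE once enterprise data is read
    held: list = field(default_factory=list)

# Clearance of each outbound channel (constructed).
SINKS = {"corporate-vpn": ENTERPRISE, "internet": PERSONAL}

# Dynamic policy: which capabilities are available in each operating mode.
MODES = {"enterprise": {"enterprise_reads": True},
         "personal": {"enterprise_reads": False}}

class PrivacyEngine:
    def __init__(self, mode: str, reported_measurement: bytes):
        self.mode = mode
        self.attested = attestation_ok(reported_measurement)
        self.log = []

    def read(self, app: App, label: int, item: str) -> bool:
        """Apply the read rule, then taint the app with the label it read."""
        if label == ENTERPRISE:
            if not self.attested:
                return self._deny(app, "platform integrity not attested")
            if not MODES[self.mode]["enterprise_reads"]:
                return self._deny(app, f"enterprise data unavailable in {self.mode} mode")
            if app.domain != ENTERPRISE:
                return self._deny(app, "personal app may not read enterprise data")
        app.label = max(app.label, label)  # label join
        app.held.append(item)
        return True

    def send(self, app: App, sink: str) -> bool:
        """An app may only send to a sink whose clearance covers the app's label."""
        if app.label > SINKS[sink]:
            return self._deny(app, f"label exceeds clearance of {sink}")
        return True

    def _deny(self, app: App, reason: str) -> bool:
        self.log.append(f"DENY {app.name}: {reason}")
        return False

def demo() -> dict:
    """Run the scenarios from the Motivation slide; returns each decision."""
    engine = PrivacyEngine("enterprise", measure_boot(GOLDEN_COMPONENTS))
    mail, video = App("mail", ENTERPRISE), App("video", PERSONAL)
    results = {
        "mail reads enterprise doc": engine.read(mail, ENTERPRISE, "quarterly-results.pdf"),
        "mail sends over vpn": engine.send(mail, "corporate-vpn"),
        "mail sends to internet": engine.send(mail, "internet"),      # tainted, denied
        "video reads enterprise doc": engine.read(video, ENTERPRISE, "quarterly-results.pdf"),
        "video sends to internet": engine.send(video, "internet"),    # untainted, allowed
    }
    # A modified kernel changes the measurement: the enterprise withholds data.
    rooted = PrivacyEngine("enterprise", measure_boot([b"bootloader v1", b"kernel patched", b"mdm-agent v1"]))
    results["rooted phone reads enterprise doc"] = rooted.read(App("mail", ENTERPRISE), ENTERPRISE, "x")
    return results

if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {scenario}")
```

Two design points carry over to a real deployment. The accumulator only ever moves forward, so the verifier does not need to know which component was modified, only that the final value no longer matches the known-good one; and because an app's label is joined with everything it reads, a personal app that somehow obtained enterprise data would still be stopped at the network sink, which is the "leaked to personal apps which then send it out of the phone" case the Motivation slide raises. The mode table is where the "select available capabilities based on current operating mode" requirement lives.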


IBM Viewpoint - Mobile Security & Device Management

Device platforms (30 device manufacturers, 10 operating platforms): iOS, BlackBerry, Android, Windows Mobile, Symbian, others

Mobile applications: mobile web, native mobile, hybrid mobile

Platform extension (optional OS/application layer): virtualization, application container (sandboxing)

Mobile security segments (2011 projections*):

Mobile Identity & Access
• Authorize & authenticate
• Certificate mgmt
• Multi-factor

Mobile Threat Management
• Anti-malware
• Anti-spyware
• Anti-spam
• Firewall / IPS
• Web filtering & web reputation

Mobile IPC (Info Protection)
• Data encryption (device, file, app)
• Mobile DLP

Mobile VPN
• Virtual Private Network (VPN) secure communications

Mobile Device Security Management ($65.7M, 36.5% CAGR)
• Device wipe, lockdown
• Password mgmt
• Config policy & compliance

Segment sizes shown on the slide beside the four segments above: $179.2M (36.5% CAGR), $140.1M (42.5% CAGR), $190.2M (28.1% CAGR), $69.9M (38.8% CAGR)

Mobile Security total: $675M, 35.4% CAGR

Mobile Device Mgmt. lifecycle ($433M, 32% CAGR, enterprise segment)
Acquire/Deploy: register; device activation; configure to policy; app/content mgmt.; SW distribution
Manage/Monitor: self-service portal; usage & quality monitoring/reporting
Retire: migrate to new device; de-provision

Security is often the primary motivation for managing enterprise mobile devices.

Many key mobile security capabilities are an extension of endpoint management.

Secure Mobile App Dev. (App Test/Development)
• Vulnerability testing
• Mobile app testing
• Enforced by tools
• Enterprise policies enforced

* 2011 projections: IDC WW Mobile Security, March 2011; IDC WW Mobile Device Mgmt. 2010


Mobile Security & Mobile Device Management Priorities

Alignment with IBM Security Strategy

Vendor characteristics by mobile security sector:

Mobile Device Mgmt. (MDM): competitive, diverse set of vendors including pure plays and vendors from adjacent segments

Threat Mgmt.: dominated by major endpoint anti-malware vendors, plus some pure plays

Info/Data Protection: dominated by major encryption vendors, native platform encryption, or integrated in MDM

VPN: mobile VPN specialists, major network players, integrated in MDM

Identity & Access: fragmented multi-factor authentication vendors, plus some integrated in MDM


1. Mobile Device Management (MDM) is the top mobile security priority given client priorities and observed adoption models.

2. Focus on enterprise customer opportunities given IBM segment permission, capabilities and ecosystem.


IBM POV Discussion Point: Mobile Footprint

[Diagram] Enterprise Security Infrastructure & Management, across device platforms: mobile device security mgmt, mobile access mgmt, mobile threat mgmt, mobile data protection, secure mobile app dev. Securing mobile applications: the same capabilities applied inside a secured and constrained application container.

Client side container based approach
• Rich, granular security controls – app-specific wipe, encryption, etc.
• Can address all mobile platforms – iOS, Android, BB, etc.
• Strongly tied to a mobile application platform
• Works well for B2E, but likely an issue for B2C
• E.g., Good Technology

Client side configuration based approach
• Flexibility to work with many mobile app platforms
• Works for B2E and B2C scenarios
• Dependency on mobile platform capabilities – e.g., device wipe, encryption, etc.
• E.g., MobileIron


Platform diversity & impact - Understanding mobile platforms and associated challenges

Diverse platforms
Device platforms are very diverse in their native capabilities, and some are proprietary.

Strict licensing terms
Developing apps, or using the platforms' device management APIs, comes with severe licensing terms. These restrictions, such as application sandboxing and strict licensing terms (Apple in particular), cause challenges in building rich management/security applications.

Programming models
Proprietary programming models across platforms are barriers to building a cross-platform "container", and may be tied to a specific Mobile Application Platform (MAP).

Adoption motivation
Enterprise e-mail is still the main motivation for mobile adoption. Increasingly, enterprise mobile applications (web, native, hybrid) are being deployed.

Future?
Going forward, fragmented approaches will likely continue. For multi-vendor solutions, evolution of standards across key vendors (iOS, Android, BB, ...) would simplify management and security, but is not imminent and may be a long shot.

We need to prepare for working with multiple diverse platforms for the foreseeable future in mobile device management and mobile security.


Mobile Endpoint Management Strategy

Deliver a unified management solution for all IP-enabled enterprise devices

[Diagram] Enterprise device management: a TEM Management Server distributes Fixlets through TEM Relays to desktops / laptops / servers and mobile devices; purpose-specific devices and network devices are reached through a proxy agent.

Mobile Device Mgmt
Device wipe *
Location info *
Jailbreak/root detection *
Enterprise app store *
Self-service portal *
Device inventory *
Security policy mgmt *
Application mgmt *
Device config (VPN/Email/Wifi) *
Encryption mgmt *
Roaming device support *
Integration with internal systems *
Scalable/secure solution *
Easy-to-deploy *
Multiple OS support *
Consolidated infrastructure *

Traditional Endpoint Mgmt
OS provisioning
Patching
Power mgmt
Anti-virus mgmt

Legend: available in Tivoli Endpoint Manager today; iterative beta starting Q3 2011.

The technical strategy allows management of mobile device management use cases and purpose-specific endpoints. It also allows integration with 3rd-party technologies (e.g., MobileIron, VMware ESXi, iPhones).
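The Mobile Device Mgmt capability list above (jailbreak/root detection, device inventory, security policy mgmt, encryption mgmt, device wipe) only makes sense when a server-side step turns inventory into a compliance decision. The Python below is an added example of that step and is not Tivoli Endpoint Manager code; every inventory field, baseline value, rule name and action name is constructed for the example, and real products expose different attribute names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceRecord:
    """One device inventory report as a management server would hold it (constructed)."""
    device_id: str
    platform: str              # "ios" or "android"
    os_version: tuple          # e.g. (4, 3, 3)
    passcode_set: bool
    storage_encrypted: bool
    jailbroken_or_rooted: bool
    hours_since_checkin: int

# Constructed policy baseline: minimum OS per platform and check-in window.
MIN_OS_VERSION = {"ios": (4, 3), "android": (2, 3)}
MAX_CHECKIN_HOURS = 72

# Actions ordered from least to most severe; the worst finding wins.
ACTION_RANK = {
    "notify_owner": 0,
    "push_passcode_profile": 1,
    "block_corporate_access": 2,
    "enterprise_wipe": 3,      # selective wipe: remove corporate data/profiles only
}

def evaluate(rec: DeviceRecord) -> list:
    """Return (rule, action) pairs for every policy the device violates."""
    findings = []
    if rec.jailbroken_or_rooted:
        # Platform integrity is gone, so corporate data on it can no longer be protected.
        findings.append(("root_detected", "enterprise_wipe"))
    if rec.os_version < MIN_OS_VERSION.get(rec.platform, (0,)):
        findings.append(("os_below_baseline", "block_corporate_access"))
    if not rec.storage_encrypted:
        findings.append(("storage_unencrypted", "block_corporate_access"))
    if not rec.passcode_set:
        findings.append(("no_passcode", "push_passcode_profile"))
    if rec.hours_since_checkin > MAX_CHECKIN_HOURS:
        findings.append(("stale_checkin", "notify_owner"))
    return findings

def disposition(rec: DeviceRecord) -> str:
    """Collapse findings to the single most severe action, or 'compliant'."""
    findings = evaluate(rec)
    if not findings:
        return "compliant"
    return max((action for _, action in findings), key=ACTION_RANK.__getitem__)

def audit(fleet) -> dict:
    """Map each device id to its disposition, as a server-side report would."""
    return {rec.device_id: disposition(rec) for rec in fleet}

# Constructed inventory snapshot covering the compliant and each non-compliant case.
SAMPLE_FLEET = [
    DeviceRecord("dev-001", "ios", (4, 3, 3), True, True, False, 2),
    DeviceRecord("dev-002", "android", (2, 2), True, False, False, 5),
    DeviceRecord("dev-003", "ios", (4, 3, 3), False, True, False, 100),
    DeviceRecord("dev-004", "android", (2, 3, 4), True, True, True, 1),
]

if __name__ == "__main__":
    for device_id, action in audit(SAMPLE_FLEET).items():
        print(device_id, action)
```

Keeping `evaluate` separate from `disposition` matters operationally: the full list of findings is what the self-service portal shows the owner and what the audit log records, while the single escalated action is what the enforcement channel carries. Ranking the actions, rather than letting the last rule win, is what prevents a stale check-in from masking a rooted device.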


Technology of interest - Virtualization technology & mobile endpoints background

Virtualization for mobile devices is an enabling technology that offers a variety of potential benefits, if properly leveraged and integrated.

Effective leveraging of virtualization for mobile devices will require cooperation and support from multiple constituent groups

– Device manufacturers, chipset manufacturers, service providers, high level OS vendors, enterprises, end users

There are already at least four or five different virtualization techniques/approaches for mobile devices (phones, smartphones, tablets), with different benefits and challenges

– Hardware level virtualization, OS level virtualization, virtualized 'desktop'

Some circumstances in the mobile space are very different from the Intel PC/server market, and those differences should be explored and analyzed to fully understand whether there are similar opportunities for mobile devices.


Current IBM Mobile Security & Device Management - Actions

IBM Software capabilities in mobile security management
– Tivoli: Tivoli Endpoint Manager (BigFix) capabilities, using an iterative development approach, partnering with clients
– WebSphere: WAS Feature Pack for Web 2.0 and Mobile
– Tivoli + Lotus: prototypes with the Tivoli ISS Network Security appliance and mobile VPN to control device access to enterprises, and IBM Tivoli Access Manager to handle risk-based authentication

IBM CIO Office
– Objective: deliver endpoint security management across workstation and mobile endpoints in a comprehensive and cost-effective manner
– Policy changes to protect IBM data on mobile devices
– Piloting of security technology to enable w3/internal access for iOS devices
– Android pilot that meets all security requirements for IBM Confidential data underway

IBM Mobile Security Services Offerings
– An end-to-end mobile security solution designed to implement and maintain policy-based mobile security for both corporate-issued and end-user-procured mobile devices, to protect corporate assets from unauthorized access
– Offering: solution design and implementation; multi-tenant, cloud-based solution; 24x7 management and support at two service levels


Moving forward, IBM will leverage the breadth of our capabilities to deliver mobile infrastructure capabilities

[Diagram] Enterprise Mobile Infrastructure, from Devices to Back End: Mobile Device Mgmt; End to End Security & Privacy; SOA & Connectivity; Data Cache & Scale; Application Lifecycle Management; Enterprise Applications. Mobile Applications ($8.6B, 66% CAGR) sit on a Mobile Foundation Platform.

Gartner "Rule of 3": Mobile middleware delivers significant advantages when any of the following are true:
• There are 3 or more mobile applications
• There are 3 or more targeted operating systems or platforms
• They involve the integration of 3 or more back-end systems


Ongoing activities and offerings - overview

Mobile Device Security Management
• Extending Tivoli Endpoint Manager (TEM) to support mobile. Planned beta in Sept 2011, and GA in 1Q2012.
• Incubation project in progress to help explore an innovative approach to selective wipe, and to help accelerate product plans.

Mobile Threat Management
• GTS's Mobile Security Offerings include capabilities in this area, in partnership with Juniper.

Mobile Information Protection
• Selective data wipe and data segregation are key requirements. TEM efforts start to address this space; a data tagging and classification approach is being explored.
• Device level or mail encryption. Mail encryption using Lotus Traveler is in place. For other data, more work is to be done; potential to use MAP.

Mobile VPN
• Lotus Mobile Connect provides capability in this space, as part of Lotus.
• In the roadmap for Tivoli Next-Gen Firewall: integrating Mobile Connect into the appliance. Initial prototype implementation completed.

Mobile Identity & Access Management
• Current IAM portfolio applicable to the mobile context, and enforcement for HTTP traffic over mobile.
• Prototype efforts in progress to look at multi-factor authentication, and adjacency to risk-based authentication/authorization efforts as part of the Tivoli IAM portfolio and WebSphere's MAP efforts.
• Research and incubation projects in progress, working with clients.

Secure Mobile Application Development
• Adjacency to Rational's strategy around mobile application testing.

* Mobile Virtualization is an emerging area and is being explored.

Mobile Security WG in SAB – driving technical point of view and approach around Mobile Security


Thank you