Big Data Driven Security for BYOD - Workspot, Inc. · 2015-10-01 · Big Data Driven Security for...
Photo by Marc_Smith - Creative Commons Attribution License http://www.flickr.com/photos/49503165485@N01 (slides created with Haiku Deck)
Big Data Driven Security for BYOD
BYOD Success Kit
Table of Contents
• Securing Data in Motion
• Securing Data at Rest
• Big Data Driven Security
• Conclusion
Securing Data In Motion
Workspot leverages your Existing IT Infrastructure
• Workspot uses your existing VPN appliance (Cisco, Juniper, F5 and SonicWall are supported)
• Supports your existing authentication mechanism: Active Directory plus RSA tokens
• Supports internal SSO providers, including CA SiteMinder and Oracle IdP
• Supports cloud identity integration: Okta, Ping Identity and other SAML 2.0 vendors
Workspot is 100% Cloud
• No data center installation
• 100% cloud-controlled architecture
Control vs. Data Plane Separation
§ Workspot Control is architected as a control plane. When a user runs a workflow on the device through Workspot, all application data flows directly between the client and the business applications (e.g., Exchange, SharePoint, Salesforce.com). If an application sits behind the corporate firewall, that traffic goes to the corporate network; if the application is external, the traffic goes straight to the external application.
§ Separating the control plane from the data plane matters for several reasons:
• Security: application data flows directly between the client and the applications and never passes through the control service. (The control service does still receive configuration, performance and activity telemetry; see Data Retention Policy.)
• Availability: because Workspot is not in the data path, application availability is independent of the availability of the Workspot service.
• Performance: because Workspot is not in the data path, nothing sits between the end user and the application.
Workspot Client Architecture
[Diagram: Workspot Client architecture. Components: Device; Applications; User Experience; Data (Virtual File System, Viewers, Encryption); HTML(5) Engine and Collection Agent; Virtual Network (SSO, VPN)]
• Workspot Client is mobile virtualization technology
• The client includes a virtual file system and a virtual network stack
Workspot protects Data in Motion
• Full L4-7 control
• Custom HTTP stack built on OpenSSL; VPN termination to any SSL-VPN appliance
• Supported appliances: Cisco, Juniper, SonicWall and F5
• Workspot-level VPN: only the Workspot client is on the corporate network, not the rest of the device
• Control over URL blacklist/whitelist
Data Retention Policy
We store the following information in Workspot Control:
§ Configuration: configuration information about the VPN, e.g., its public URL and whether it uses RSA.
§ User Configuration: first name, last name, email address, etc.
§ Application Configuration: application URLs, whether an application is behind the firewall, etc.
§ Performance Data: for each network access, the time it took to fetch a response from the application (e.g., SharePoint), the device used (e.g., iPad 3), the network used (e.g., AT&T) and the location (e.g., California).
§ Activity Data: different kinds of activity on the device, e.g., open/close Workspot, open/close an application (e.g., SAP), open/close a document, and view/print a page of a document. All activity data is anonymized.
Our current policy is to retain this data for one year.
Workspot Policy Engine
Policies by App/User/Geo/Device, defined in Workspot Control
Network & Security Policies:
- Trusted WLAN networks
- Whitelisted and blacklisted addresses
- Single sign-on behavior
- Passcode length and complexity
- Offline data retention
- RSA token usage
- VPN configuration
Securing Data at Rest
Workspot protects Data at Rest
• Secure container on an unmanaged device
• All enterprise assets are encrypted in memory before they touch the file system
• Multi-level encryption:
- each file is encrypted with its own key
- each file key is encrypted with a master key
- the master key is encrypted under the user's PIN, which is never stored on the device
• FIPS-validated AES-256
Protection begins before Workspot is launched
Device Posture Check: As soon as the Workspot Client starts, it runs a posture check to determine whether the device has been jailbroken. An evolving set of checks verifies supported platforms and OS versions, and the Workspot Client is launched only when the device is determined to be secure.
Secure Offline Access with PIN: When a user taps the Workspot Client on their device, they are prompted for a PIN. The PIN is validated against the client master secret (CMS): if the CMS decrypts under the PIN, the PIN is valid; otherwise it is invalid. The Workspot Client allows up to 5 invalid PIN entries, after which it wipes the data inside the Workspot Client.
Protect in real-time
Remote Wipe: Workspot Control also gives IT the ability to remotely wipe any data inside the Workspot Client, including documents, cached objects and cookies. Data outside the Workspot Client is unaffected by the remote wipe.
Whitelist/Blacklist: IT can also control which sites users can and cannot visit from inside the Workspot Client by configuring a blacklist/whitelist. We also support dynamic blacklisting of known malicious URLs.
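The whitelist/blacklist and the "behind the firewall goes over the VPN, external goes direct" routing from the control-plane slide, as an added example. This is not Workspot's code: the `UrlPolicy` class, its method names, the precedence rules (deny wins over allow, an empty allowlist means "anything not denied") and the sample hosts are assumptions. It shows the two checks a URL filter most often gets wrong, the host-suffix match and the userinfo lookalike, which a plain substring comparison would pass.

```python
"""URL allowlist/denylist policy with VPN-vs-direct routing for a BYOD container.

Added example, not Workspot's code. The slides say IT configures a
blacklist/whitelist, that known-malicious URLs are added dynamically, and that
traffic for applications behind the firewall goes over the VPN while external
traffic goes direct. Class, method names and sample hosts are assumptions.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def normalize_host(url: str) -> Optional[str]:
    """Host the request will really go to, or None if the URL is unusable.

    urlsplit().hostname lowercases, strips the port, and takes the part after
    the LAST '@', so 'https://corp.example.com@attacker.net/' yields
    'attacker.net', not the lookalike sitting in the userinfo.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                      # javascript:, file:, data: never leave the container
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")              # 'example.com.' is the same zone as 'example.com'


def host_matches(host: str, pattern: str) -> bool:
    """'example.com' matches itself and its subdomains, never 'notexample.com'
    and never 'example.com.attacker.net' (a substring check would match both)."""
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


class UrlPolicy:
    def __init__(self, allow: List[str], deny: List[str], internal: List[str]) -> None:
        self.allow = list(allow)         # empty allowlist means "anything not denied"
        self.deny = list(deny)
        self.internal = list(internal)   # applications behind the corporate firewall

    def add_dynamic_block(self, host: str) -> None:
        """Threat-feed hit: the addition applies to the next request evaluated."""
        self.deny.append(host)

    def evaluate(self, url: str) -> Tuple[str, str]:
        """Returns ('block', reason) or ('allow', route) with route 'vpn' or 'direct'."""
        host = normalize_host(url)
        if host is None:
            return "block", "unsupported scheme or malformed URL"
        for pattern in self.deny:        # deny wins over allow, so a blocked subdomain
            if host_matches(host, pattern):   # of an allowed zone stays blocked
                return "block", f"denylisted by {pattern}"
        if self.allow and not any(host_matches(host, p) for p in self.allow):
            return "block", "not on allowlist"
        if any(host_matches(host, p) for p in self.internal):
            return "allow", "vpn"        # behind the firewall: through the Workspot-level VPN
        return "allow", "direct"         # external SaaS: straight to the application


if __name__ == "__main__":
    policy = UrlPolicy(allow=["example.com", "salesforce.com"],
                       deny=["malware.example.com"],
                       internal=["corp.example.com"])            # constructed sample policy
    for url in ("https://sharepoint.corp.example.com/sites/finance",
                "https://login.salesforce.com/",
                "https://example.com.attacker.net/",
                "https://corp.example.com@attacker.net/"):
        print(url, "->", policy.evaluate(url))
```

The routing decision is made per host, not per URL path, because the VPN is a network-layer choice; the denylist is still consulted first so that a malicious host inside an allowed zone is blocked before any routing happens.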
Embedded Document Viewers
§ When an end user downloads a document inside the Workspot application, it is encrypted as it is received, before it is written to the file system.
§ The file system remains encrypted even while the end user is inside the container.
§ Only when the end user opens a document, for example a PDF, does the Workspot Client decrypt that document and present it in a viewer embedded within Workspot.
§ The embedded viewers are tuned for the best possible rendering. Documents are more secure because they never leave the Workspot Client; as soon as the end user closes the viewer, the document is returned to its encrypted state on the device.
§ For large documents, only the pages currently being viewed are decrypted.
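The key hierarchy from the "Workspot protects Data at Rest" slide (per-file key, master key, PIN), the "PIN is valid iff the client master secret decrypts" check with its five-attempt wipe from "Protection begins before Workspot is launched", and the per-page decryption above, as one added example. This is not Workspot's code. The slides say AES-256 (FIPS validated); to run on the Python standard library alone this version substitutes an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, and the PBKDF2 cost, the 16-byte nonce, the `Container` layout and all function names are assumptions.

```python
"""Envelope-encrypted container with a PIN-wrapped master key and a wipe counter.

Added example, not Workspot's code. The slides say files are AES-256 encrypted
(FIPS validated); to stay on the standard library this substitutes an
HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag. The key
hierarchy (page -> file key -> master key -> PIN-derived key), the "PIN is
valid iff the master secret decrypts" check, the attempt counter and per-page
decryption are the point, not the cipher.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KDF_ITERATIONS = 100_000    # assumption: the slides name no KDF or work factor
MAX_PIN_ATTEMPTS = 5        # from the slides: wipe after 5 invalid PIN entries
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


@dataclass
class Container:
    """Everything that touches the file system: no PIN, no master key, no plaintext."""
    salt: bytes
    wrapped_master: bytes                      # master key sealed under the PIN-derived key
    files: Dict[str, Tuple[bytes, List[bytes]]] = field(default_factory=dict)  # name -> (wrapped file key, sealed pages)
    failed_attempts: int = 0
    wiped: bool = False


def create_container(pin: str) -> Container:
    salt = os.urandom(16)
    master = os.urandom(32)
    return Container(salt=salt, wrapped_master=seal(_pin_key(pin, salt), master))


def unlock(container: Container, pin: str) -> Optional[bytes]:
    """The PIN check: a PIN is valid iff it decrypts the client master secret."""
    if container.wiped:
        return None
    master = unseal(_pin_key(pin, container.salt), container.wrapped_master)
    if master is None:
        container.failed_attempts += 1
        if container.failed_attempts >= MAX_PIN_ATTEMPTS:   # fifth bad PIN wipes the container
            container.files.clear()
            container.wrapped_master = b""
            container.wiped = True
        return None
    container.failed_attempts = 0
    return master


def store_document(container: Container, master: bytes, name: str, pages: List[bytes]) -> None:
    """Each file gets its own key; each page gets its own nonce under that key."""
    file_key = os.urandom(32)
    container.files[name] = (seal(master, file_key), [seal(file_key, page) for page in pages])


def read_page(container: Container, master: bytes, name: str, index: int) -> Optional[bytes]:
    """Decrypts only the requested page; the other pages stay sealed on disk."""
    wrapped_key, pages = container.files[name]
    file_key = unseal(master, wrapped_key)
    if file_key is None or not 0 <= index < len(pages):
        return None
    return unseal(file_key, pages[index])
```

Two things to check before trusting a design like this. First, the attempt counter and the wipe are enforced by the client only: anyone who copies the container files off the device can try every PIN offline against `wrapped_master`, paying one PBKDF2 derivation per guess, and no work factor rescues a four-digit PIN from ten thousand guesses. In practice the PIN-derived key has to be combined with a secret the device keychain or hardware keystore will not release to a copied file. Second, the authenticated decryption is what makes the PIN check sound: with an unauthenticated cipher, a wrong PIN would "decrypt" the CMS into garbage rather than fail, and the client would have nothing to count.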
Big Data Driven Security
Mobile Security Needs Risk Management
§ Security must be comprehensive to meet IT requirements: device, network, application and data, all of them
§ Security must be balanced with convenience to keep end users productive
§ Big-data, context-driven risk management can achieve that balance, as it already does for credit cards
Key to Risk Management is Context
What is context? Context is who is doing what, when, and from where. For example, user Adam downloaded a document at 9:00 PM from California, or Adam took 12 seconds to reach the SharePoint application from an iPhone in Chicago. Context helps you secure your data and understand and improve the real user experience of your employees.
Context enables compliance, discoverability and auditability. Look for a solution that helps you prove you know what end users are doing with corporate data on the device: which files they are downloading, and which apps they are accessing from where.
Cloud Architecture enables Context
[Diagram: the Workspot Client architecture shown earlier, including the Collection Agent]
• The container is highly instrumented
• It collects context (who/what/when/where/how fast) in real time
• Context is uploaded to Workspot Control when network conditions permit
Workspot Collects Granular Context
§ Business Benefits: Discoverability, Compliance, and Auditing
§ Can be integrated with existing SIEM systems, e.g., Splunk
Integration with Splunk
§ Download the Splunk application from Workspot Control
§ Simple integration between Splunk and Workspot, authenticated with security keys
Why Adaptive Auth?
Today IT and InfoSec teams cannot balance the need for convenient access from mobile devices against the requirements of information security. Workspot has granular contextual data that can balance convenience with security:
§ Not all applications are equally sensitive: the directory application is less sensitive than the financials application.
§ Not all users are equally trusted: the CEO is more trusted than a contractor.
§ Not all locations are equally trusted: a user connected to the corporate WLAN and sitting in an office is more trusted than somebody accessing enterprise assets from a remote location.
Workspot can use this data to change the authentication required, keeping it simple when the access is trusted and adding challenges when it is less trusted.
Context can be used for Adaptive Auth
§ Context also informs us about the typical behavior of an end user – how many applications they access, where they access it from, and other information.
§ Context can be used to detect abnormal access patterns and potentially deny access to end users if we detect abnormal behavior.
§ A good analogy is a credit card swipe. Every transaction is examined for risk, and most of the time the risk threshold is low, so the end user is allowed to transact. Occasionally a higher risk is determined and the end user is then challenged or informed of potentially fraudulent activity.
Adaptive Auth Examples
• High trust context => aggressive single sign-on
- CFO accessing the intranet from HQ
• Medium trust context => require RSA token
- CFO accessing Financials from a new location
• Low trust context => deny access
- CFO downloading many documents while in China
Big Data Driven Adaptive Auth
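The three-tier decision described on the "Why Adaptive Auth?" and "Context can be used for Adaptive Auth" slides, run over the three CFO examples above as constructed events. This is an added example, not Workspot's engine: the slides only say "more" or "less" trusted and sensitive, so the numeric weights, the score thresholds, the mean-plus-three-sigma download baseline and the names `Access`, `Baseline` and `assess` are assumptions chosen so that the slides' three examples land in the three tiers. It goes slightly beyond the slides in keeping a reasons list per decision, which is what the audit and discoverability slides ask a solution to prove.

```python
"""Context-driven adaptive authentication, run over constructed access events.

Added example, not Workspot's engine. The slides give three tiers (aggressive
single sign-on / require RSA token / deny) and three inputs (application
sensitivity, user trust, location trust), plus "abnormal access patterns"
judged against a user's typical behaviour. The weights, thresholds and the
baseline test are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

# Assumed policy inputs; the slides only say "more" or "less" trusted/sensitive.
APP_SENSITIVITY = {"directory": 1, "intranet": 1, "sharepoint": 2, "financials": 3}
USER_TRUST = {"cfo": 3, "employee": 2, "contractor": 1}
LOCATION_TRUST = {"hq-wlan": 3, "known-remote": 2, "new": 1}

ALLOW_SSO = "allow-sso"              # high trust: aggressive single sign-on
REQUIRE_TOKEN = "require-rsa-token"  # medium trust: step up with the RSA token
DENY = "deny"                        # low trust: block the access


@dataclass(frozen=True)
class Access:
    user: str
    app: str
    location: str           # "hq-wlan", "known-remote" or "new"
    country: str
    downloads_last_hour: int


@dataclass
class Baseline:
    """Per-user history the control plane has accumulated (constructed here)."""
    hourly_downloads: List[int]   # documents per active hour in past sessions
    countries: List[str]          # countries this user has accessed from before

    def download_anomaly(self, count: int) -> bool:
        mu, sigma = mean(self.hourly_downloads), pstdev(self.hourly_downloads)
        # Floor sigma at 1 so a flat history still tolerates a few extra downloads.
        return count > mu + 3 * max(sigma, 1.0)


def assess(access: Access, baseline: Baseline) -> Tuple[str, int, List[str]]:
    """Returns (decision, risk score, reasons); reasons are kept for the audit trail."""
    reasons: List[str] = []
    score = APP_SENSITIVITY.get(access.app, 3)          # unknown apps are treated as sensitive
    reasons.append(f"app {access.app}: sensitivity {score}")

    user_penalty = 4 - USER_TRUST.get(access.user, 1)   # unknown users are least trusted
    score += user_penalty
    reasons.append(f"user {access.user}: trust penalty {user_penalty}")

    loc_penalty = 4 - LOCATION_TRUST.get(access.location, 1)
    score += loc_penalty
    reasons.append(f"location {access.location}: trust penalty {loc_penalty}")

    if access.country not in baseline.countries:
        score += 2
        reasons.append(f"first access from {access.country}")
    if baseline.download_anomaly(access.downloads_last_hour):
        score += 3
        reasons.append(f"{access.downloads_last_hour} downloads in the last hour, "
                       f"typical {mean(baseline.hourly_downloads):.1f}")

    if score <= 4:
        decision = ALLOW_SSO
    elif score <= 9:
        decision = REQUIRE_TOKEN
    else:
        decision = DENY
    return decision, score, reasons


if __name__ == "__main__":
    cfo = Baseline(hourly_downloads=[2, 3, 1, 4, 2, 3], countries=["US"])  # constructed history
    for event in (Access("cfo", "intranet", "hq-wlan", "US", 3),
                  Access("cfo", "financials", "new", "US", 3),
                  Access("cfo", "sharepoint", "new", "CN", 40)):
        decision, score, reasons = assess(event, cfo)
        print(decision, score, "; ".join(reasons))
```

The credit-card analogy holds here in one specific way: the static inputs (app, user, location) set a floor, and only the behavioural terms (new country, download volume against the user's own baseline) can push a trusted user into the deny tier, so a CFO at HQ is never challenged for routine work while the same CFO bulk-downloading from a new country is stopped.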
Decision Makers Criteria
Criteria (stakeholders: Mobile User, CIO, Network Manager, Security Manager, LOB, CFO, Legal)
Manage device (email, wireless settings, etc.) ✔
Deliver apps and data ✔
End-user experience: integrated business workflows ✔ ✔
Security: leverage existing VPN and AAA ✔ ✔ ✔ ✔
Risk management: audit and discoverability ✔ ✔ ✔
Risk management: adaptive authorization ✔ ✔ ✔
Performance: understand the real end-user experience ✔ ✔ ✔
Lowest TCO: 100% cloud, delivered as a service ✔