Meeting Mobile and BYOD Security Challenges with Digital Certificates
Who should read this paper
This white paper is written for enterprise executives who wish to understand what digital certificates are and why they are invaluable for mobile and Bring Your Own Device (BYOD) security on wired and wireless networks. The paper also illustrates the benefits of adopting Symantec™ Managed PKI Service and provides real-world use cases.
Contents
Safeguarding Networks in an Increasingly Mobile World
Digital Certificates Address Today’s Business Security Needs
The Challenge of Digital Certificates – Managing the “I” in PKI
Symantec Managed PKI Service: A Proven, Scalable, Cost-Effective Solution
Symantec Managed PKI Service Use Cases
Next Steps
Safeguarding Networks in an Increasingly Mobile World
Today, businesses and their IT managers must balance the desire to give employees the freedom to use a range of devices, including ones
they own (BYOD), to access company network resources against the very real threats those devices pose to the health and safety of the
network and its data assets.
The huge growth of wireless and mobile devices such as tablets and smart phones in business communications poses a significant challenge
because these devices are easily lost, stolen or compromised. Only by implementing a solution that can identify and monitor them as trusted
components can IT managers allow wireless and mobile devices to access network resources.
But there is no going back. Today, 75 percent of North and South American employees and 1.0 billion workers worldwide routinely work
outside traditional office environments and need to access a corporate network using mobile devices. The worldwide number is expected to
jump to 1.3 billion by 2015, accounting for an eye-opening 37.2 percent of the total workforce. (“Worldwide Mobile Worker Population
2011-2015 Forecast,” IDC, December 2011)
Digital Certificates Address Today’s Business Security Needs
Best practice security requires IT to verify that users and devices can be trusted to access the company network and its applications and
data. Even if IT strictly limits the applications available to users, authenticating users is still a priority.
Digital certificates offer a much stronger form of authentication than employing shared secret passwords or access control lists (ACLs). In
fact, global enterprises, government organizations, and digitally connected communities recognize digital certificates as the gold standard
for highly secure and trusted authentication, digital signatures and encryption.
Digital certificates provide a stable, scalable, and highly secure method of authenticating devices and users. They not only verify the identity
of the individual, they can also verify the legitimacy of the device and secure the transport of information across a LAN, wireless LAN (WLAN),
public WAN like the Internet, or a mobile cellular network.
Digital certificates protect information assets in the following ways:
• Authentication – Validates the identity of machines and users.
• Encryption – Encodes data to ensure that unauthorized users or machines cannot read transmitted content.
• Digital signing – Provides the electronic equivalent of a hand-written signature; also enables organizations to verify the integrity of data and determine whether it has been tampered with in transit.
• Access control – Works with third-party applications to determine what type of information a user or application can access and what operations can be performed upon access; also called authorization.
• Non-repudiation – Ensures that transactions, communications and data exchanges are legally valid and irrevocable.
Digital certificates easily integrate into existing environments, readily interoperating with virtual
private networks (VPNs), virtual desktop integration (VDI), policy control platforms, email
software, web browsers, wireless access points, and Mobile Device Management (MDM)
platforms. MDMs are used by many organizations to manage mobile devices accessing their
networks. Although MDMs are not required components of a mobile device strategy, they do offer
certain advantages such as onboarding and offboarding capabilities, device and application
security, digital certificate delivery, and full and selective remote wipe capabilities.
The Challenge of Digital Certificates – Managing the “I” in PKI
Taking advantage of the many benefits of digital certificates requires a Public Key Infrastructure
(PKI). Common misconceptions are that a PKI is made up solely of certificate enrollment software
and hardware, and that all PKIs (free, open source, and commercially available) are equally
suited to meet the modern enterprise’s needs. In reality, the software can provide the underlying
platform and tools, but it takes significantly more to build a stable, scalable and secure
Infrastructure.
Single-purpose PKI solutions are typically deployed using open source programs or what many believe to be “free” programs included in
larger server software packages. The most common occurrence of a single-purpose PKI in an organization is what is referred to as a “Project
PKI.” This is not a true enterprise PKI, but a collection of public key cryptography tools used together to meet a project’s deadlines and
operational constraints. More often than not, the “I” in PKI is not treated as a fundamental design requirement, so as to avoid its costly
impact on the project. Such practices lead to the creation of multiple Project PKIs, each with its own set of unique requirements.
The most well-known, and purportedly easy to deploy, example of a single-purpose PKI solution is Microsoft® Active Directory™ Certificate
Services. It is more sophisticated than a loose collection of tools, including such basic certificate lifecycle management capabilities as
auto-enrollment, but beneath the veneer of simplicity lie a number of hidden weaknesses. Platform-specific software such as Microsoft Active
Directory Certificate Services provides a basic platform and set of tools that can perform basic PKI functions, but the reality is there are many
critical PKI aspects that cannot be addressed without complex supporting infrastructure:
• Single-purpose PKI solutions generally have either limited or single platform support. This ignores the reality that the modern enterprise
network is an increasingly heterogeneous and mobile environment that must support a variety of devices and operating systems.
• Single-purpose solutions lack the automation and full lifecycle management features of purchased enterprise solutions. In addition, most
single-purpose solutions lack the self-service options that allow select employees to request and manage certificates for unique needs.
• Furthermore, although small-scale PKI solutions can easily provide certificates for their own employees, they are usually not in a position
to issue certificates that are automatically trusted outside the organization. This lack of external trust is a serious obstacle for applications
such as secure email or digital document signing, which depend on it.
• Without proper planning, a single-purpose PKI lacks the ability to deliver the reliability required across mission-critical security
applications.
• Finally, as a company grows, it is forced to deploy multiple single-purpose PKIs. The resulting expense and overhead makes it a costly
choice in the long run.
A secure, enterprise-scale PKI is a combination of hardware, software, facilities, people, policies, and processes employed to create, manage,
store, distribute, and revoke digital certificates. Building an on-premise PKI requires managing the purchase, deployment, expiration and
renewal of digital certificates for multiple servers, email systems, other purposes and users, often in many different locations and from many
different vendors, which can lead to critical application outages if reliability is not rock solid.
The following figure illustrates the various aspects of building a PKI infrastructure:
Implementing all the components that make up a robust, secure PKI is time-consuming and costly and requires that the organization accept a
certain amount of risk in the event there is a breach or the root certificate is compromised. Managing internal digital certificates for
identities, devices and machines can further compound the challenge.
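The protections listed earlier (authentication, signing and integrity checking) and the lifecycle the previous paragraphs describe (create, distribute and revoke certificates, including for a device that is lost or stolen) can be seen end to end in a small program. The following is an added example written for this page using Go's standard library; it is not Symantec's code and uses no Managed PKI Service API. It builds a toy in-memory CA as a constructed stand-in for a managed CA, issues a client certificate to a user on a device, checks the chain the way a network gateway would, signs and verifies a message, and publishes a CRL that revokes the certificate of a lost device. The CA name, user names and device classes are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup failures (key generation, encoding) are fatal
	if err != nil {
		panic(err)
	}
	return v
}

// EnterprisePKI is a toy in-memory CA constructed for this example; a real
// CA keeps its key in an HSM and publishes CRLs (or OCSP) on a schedule.
type EnterprisePKI struct {
	key     *ecdsa.PrivateKey
	Root    *x509.Certificate
	revoked []pkix.RevokedCertificate
}

// NewPKI creates a self-signed root allowed to sign certificates and CRLs.
func NewPKI(name string) *EnterprisePKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &EnterprisePKI{key: key, Root: must(x509.ParseCertificate(der))}
}

// Issue enrolls a user on a device: the device generates and keeps its own key;
// the CA signs a one-year client certificate binding it to user (CN) and device (OU).
func (p *EnterprisePKI) Issue(user, deviceClass string) (*x509.Certificate, *ecdsa.PrivateKey) {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), // random, as CAs should use
		Subject:      pkix.Name{CommonName: user, OrganizationalUnit: []string{deviceClass}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, p.Root, &devKey.PublicKey, p.key))
	return must(x509.ParseCertificate(der)), devKey
}

// PublishCRL re-signs the revocation list; pass the certificates of lost or
// stolen devices to revoke them first (no arguments: re-sign the list as is).
func (p *EnterprisePKI) PublishCRL(revoke ...*x509.Certificate) []byte {
	for _, c := range revoke {
		p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(time.Now().UnixNano()), RevokedCertificates: p.revoked,
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.key))
}

// Authenticate is the gateway-side check: chain the certificate to the trusted
// root for client auth, then reject any serial listed on a CRL that root signed.
func Authenticate(root, cert *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate for %s is revoked", cert.Subject.CommonName)
		}
	}
	return nil
}

// SignMessage and VerifyMessage show signing and integrity: the device signs; any holder of its certificate verifies.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

func VerifyMessage(cert *x509.Certificate, msg, sig []byte) error { return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) }
```

Authenticate is the decision a VPN gateway or wireless controller makes at connection time: an untrusted issuer, an expired certificate, a missing client-auth usage or a serial on the CRL all produce an error, while a valid certificate on another device keeps working after one device is revoked. Drive it from a small main or a Go test: NewPKI, Issue, then Authenticate with PublishCRL() before and PublishCRL(cert) after the device is reported lost.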
Symantec Managed PKI Service: A Proven, Scalable, Cost-Effective Solution
Symantec Managed PKI Service enables organizations of any size to cost effectively deploy and control certificate lifecycle processes for all
devices, from desktops to cell phones, and from fully owned and managed devices to wide open BYOD situations, with a level of security that
other PKI solutions, especially in-house PKI solutions, cannot begin to match.
Because it is cloud-based, Symantec Managed PKI Service economically fits a range of business needs, from tens to tens of thousands of
devices. The figure below shows how the service handles multiple network security applications.
Convenient for Users No Matter What Device They Choose
Mobility and BYOD offer companies the opportunity to improve efficiency, increase workplace effectiveness and accomplish things faster.
However, these trends pose very real dangers in lost or stolen devices, data loss and malware infecting the corporate network. The challenge
is to balance the multiple lines of defense IT understandably erects to safeguard the company network with user demands for more
convenience.
Fortunately, Symantec’s digital certificates can be used to securely authenticate users and their devices without the need for hardware
tokens, additional programming, or an MDM, because the service includes automated enrollment capabilities. In addition, once the digital
certificate is installed, the second factor of the authentication process is completely transparent to users. Unlike “free” single-purpose
solutions, Symantec Managed PKI does not require laptop users to configure usage by application or by browser, and client software
automatically stays current through Symantec’s Live Update™ feature.
Symantec Managed PKI Service also works with industry-leading MDM products from MobileIron®, AirWatch®, and Fiberlink as well as
Symantec™ Mobile Management to seamlessly handle content security on mobile devices. With or without an MDM, enrollment is essentially
the same for laptop, desktop and mobile users. Symantec Managed PKI Service provides special localizable and custom branded enrollment
pages for end-user registration and certificate renewal.
One commonly overlooked security benefit of the Symantec Managed PKI Service is that because it is a cloud-based service, the validation
server is hosted outside the firewall; this means there is no need for security compromises, such as firewall holes that in-house solutions
require to authenticate mobile devices. With Symantec Managed PKI Service the organization is not required to accept any additional security
risks to support mobile devices; and suppliers, partners, contractors, visitors, and temporary employees can be given access to defined areas
of the network to perform their jobs without compromising the corporate core.
Delivering Non-Stop, Trusted Security
Another compelling reason to consider Symantec Managed PKI Service is Symantec’s worldwide reputation. The company is a global leader
in providing security, storage and systems management solutions for small businesses all the way to large global enterprises.
It is Symantec’s mission to secure and manage information against more risks at more points, more completely and efficiently than any other
company. Symantec leverages over 15 years of security expertise and over 300 million issued credentials to anticipate and respond to the
evolving threat landscape and to technology advances.
The multiple accreditations Symantec has earned from internationally recognized standards bodies such as WebTrust, International
Organization for Standardization (ISO), Federal Information Security Management Act (FISMA), and National Institute of Standards and
Technology (NIST) attest to its high security standards. Trying to duplicate the global reach, high availability and disaster recovery
infrastructure of Symantec Managed PKI Service would be prohibitively expensive for any organization for several reasons:[1]
• Symantec’s cloud infrastructure is operated from multiple ANSI/TIA-942 Tier 4 data centers, the most stringent level of data center,
which are physically and logically separated from its corporate network.
• Fully redundant fault-tolerant subsystems and compartmentalized security zones are controlled by biometric access restriction methods.
All IT equipment is dual-powered and served by multiple independent distribution paths. Cooling and power infrastructures are
independently dual-powered.
• Cryptographic keys are generated on dedicated Federal Information Processing Standard (FIPS) 140-2 compliant hardware security
modules and stored in an encrypted format.
• Symantec employs an independent external global service to monitor its critical services and perform daily vulnerability scans. The
infrastructure undergoes multiple audits by WebTrust and PCI, among others, on an annual basis. Business continuity and disaster
recovery plans are also tested on a regular basis.
It is easy to understand why Symantec Managed PKI Service can offer a binding SLA with a 99.95 percent uptime guarantee.
Reducing Complexity while Providing Scalability and Flexibility
Symantec Managed PKI Service’s competitive edge arises from its flexibility to scale incrementally as an organization’s needs grow. Its PKI
infrastructure is designed to handle more than 100 million certificates per year, but it is also designed to meet individual customer needs;
companies can add or delete certificates as needed.
Another key competitive factor is Symantec’s ability to eliminate risks to information, technology and processes independent of the device,
platform, interaction or location. For example, as a recognized industry Certificate Authority (CA), Symantec issues X.509 certificates that
support a wide range of operating systems, devices, VPN, email, web browsers, and ecosystems. Certificate profiles inherently cover common
applications such as email encryption and signing, Adobe® PDF signing, and Microsoft Exchange/ActiveSync.
Cloud-based Authentication – a Cost-Effective Solution
One of the most compelling reasons to consider Symantec Managed PKI Service is the financial one. Compared to in-house PKI functions, the
managed service is very scalable and cost effective and grows more so over time. One cost analysis demonstrated that over three years, total
acquisition and recurring costs for an on-premise solution for 1,000 users was more than $500,000. That is 2.5 times more than the total
cost for Symantec Managed PKI Service over that same three year period.[2]
[1] Fact Sheet: Symantec User Authentication Solutions Infrastructure Security
Symantec Managed PKI Service achieves these impressive cost savings in several ways:
• By eliminating costly hardware and software purchase and maintenance expenses.
• By eliminating labor costs associated with the planning, building, and maintaining of a certificate management infrastructure.
• By reducing labor costs through the automation of certificate provisioning and application configuration tasks. A single staff member can
administer a managed solution.
• By minimizing operation costs. A Symantec Managed PKI Service user seat (certificate) covers all of a user’s devices, a potential savings of
three to four times the cost of competitive solutions that charge for each device.
Symantec Managed PKI Service Use Cases
This section of the paper takes a closer look at four customer successes with Symantec Managed PKI Service. These use cases exemplify how
Symantec’s experience and knowledge can significantly transform the way organizations secure their business.
Use Case 1: Company-Owned Mobile Device Authentication
A global Internet service provider came to Symantec with an initial need to manage 12,000 company-owned mobile devices and meet an
extremely aggressive deployment timetable.
Challenge:
• Need to authenticate company-owned Apple® iOS iPads® and iPhones®.
• Top executives pushing IT staff to deploy a solution in less than one month.
Mobile Authentication Solution:
• Symantec Managed PKI Service provides a flexible platform to issue and manage certificates for all employee mobile devices. It works with
the company’s MDM MobileIron, which provisions iOS devices, treating the Symantec digital certificates as an application or secure data
to be managed on the device.
• Mobile users are not charged for airtime during the authentication process or anytime they are on the company’s wireless network.
[2] Comparing Cost of Ownership: Symantec™ Managed PKI Service vs. On-Premise Software, April 2012
Benefits:
• Symantec met the aggressive deadline with a flawless deployment. A quick and easy deployment reduces disruption to the organization,
and choosing a managed service allows the company to focus on the business problem rather than on building out a PKI infrastructure.
• With automated certificate provisioning and application configuration, a single administrator can handle the entire enterprise network.
Next Steps:
• Thanks to the success of the mobile device implementation, the company plans to use Symantec Managed PKI Service to authenticate its
company-owned laptops. These laptops do not require additional certificates because they use the same user certificates, adding to the
cost savings.
Use Case 2: Company-Owned Mixed Device Authentication
A Fortune 500 manufacturing conglomerate that recently changed its network architecture to support anywhere access needed a flexible,
all-in-one solution to manage the authentication of tens of thousands of company-owned laptops and mobile devices.
Challenge:
• Need to authenticate Apple iOS iPads and iPhones and Windows laptops connecting over Internet VPNs or over onsite wired or wireless
networks.
• Company cannot afford the risk of a trusted root certificate being compromised.
Mixed Authentication Solution:
• Mobile users: Symantec Managed PKI Service works with the company’s MDM, AirWatch, to manage certificate deployment, installation,
configuration and renewal on iOS devices.
• Laptop users: Symantec Managed PKI Client manages certificate deployment, installation, configuration and renewal on Windows-based
laptops.
• Email: Digital IDs for Secure Email, also included in Symantec Managed PKI Service, sign and encrypt communications in email
applications such as Outlook and Mozilla Thunderbird using Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates bound to
validated email addresses. The service also provides certificates that can represent an entire department or business unit.
Benefits:
• Authentication is fully automated and completely transparent to both laptop and mobile users; client software automatically keeps
current through Symantec’s Live Update™ technology.
• Recipients of emails from this company can trust their origin and trust that content has not been tampered with during transit.
• Symantec’s per-user seat covers all devices for each user, a potential savings of two to three times the cost of competitive solutions that
charge for each device.
Next Steps:
• The solution has been so successful that the manufacturer is looking to add digital certificates managed by Symantec Managed PKI
Service for machine-to-machine (M2M) communications in durable goods to reduce operating costs, increase revenue, and streamline
production and delivery processes.
Use Case 3: Mobile BYOD Authentication for Wireless Network Access
A Fortune 500 pharmaceutical company was implementing a new wireless network on a tight schedule and needed a solid, quickly implementable
solution to manage the authentication of tens of thousands of BYOD mobile devices. The company recognized that Microsoft Active Directory
Certificate Services was not really a free solution, requiring in-house expertise to deploy, monitor and manage PKI processes successfully.
Challenge:
• Authenticate any BYOD mobile device transparently to users.
• Deploy the solution for 32,000 BlackBerrys, iPads, and iPhones in six weeks.
• Meet stringent Federal government security regulations.
Mobile BYOD Authentication Solution:
• Symantec Managed PKI Service works with the company’s MDM, MobileIron, which manages certificate deployment, installation,
configuration and renewal on iOS devices.
• Symantec Managed PKI Service works with the auto-enrollment server to deploy certificates to all Windows laptop users.
Benefits:
• Symantec Professional Services had the knowledge and expertise to meet the aggressive deadline, deploying the solution flawlessly in less
than one month.
• Users noticed no change in connectivity or response time. Outsourcing eliminated the need to hire six to ten full-time temporary PKI
engineers to develop the solution in-house.
• Authentication is fully automated and completely transparent to both laptop and mobile users; client software automatically keeps
current through Symantec’s Live Update™ technology.
• Symantec Managed PKI Service meets top federal regulations, including NIST SP 800-53, which specifies security controls for information
systems in U.S. federal government executive agencies. It is also FIPS 201 cross-certified with the U.S. Federal Bridge Certification
Authority for personal identity verification (PIV) for smart cards.
Next Steps:
• Thanks to the success of the BYOD mobile device implementation, the company is considering Symantec Managed PKI Service for
authenticating BYOD PCs. The PCs will use the same user certificates, adding to the cost savings.
Use Case 4: Bring Your Own Everything (BYOE) Authentication
A Fortune 500 insurance company decided to allow users to access its network with whichever devices they choose. The long-time
Symantec customer needed to meet an extremely aggressive deadline to deploy the authentication solution.
Challenge:
• Need to authenticate a range of devices for 15,000 users.
• Need to ensure that no data or resources leave the corporate network.
• Company cannot afford the risk of a trusted root certificate being compromised.
• Executives pushing IT staff to deploy a solution in less than 6 weeks.
All-in-One Authentication Solution:
• Symantec Managed PKI Service integrates with the company’s VLAN web page to manage the certificate enrollment process. Users
requesting network access are directed to the web page to request and receive certificates.
• Symantec PKI Client handles certificate installation and configuration for laptops, notepads and non-iOS mobile devices. Symantec
Managed PKI Service uses the native iOS protocols Over-the-Air (OTA) and Simple Certificate Enrollment Protocol (SCEP) to provision Apple
devices such as iMac® laptops, iPads and iPhones.
Benefits:
• Symantec met the aggressive deadline with a flawless deployment. The company can continue to rely on Symantec’s over 15 years of
certificate security expertise and ongoing leadership to protect their data and resources.
• Users determine which devices they prefer to use without corporate constraints, improving productivity. After initial enrollment, the
certification process is seamless and transparent for all users, which significantly reduces IT time.
• VDI separates and secures network applications and resources so no data leaves the corporate environment.
Next Steps
More information about Symantec Managed PKI Service can be found on the web: http://www.symantec.com/business/verisign/managed-pki-service
A free trial of Symantec Managed PKI Service is also available: http://www.symantec.com/business/theme.jsp?themeid=free-trial
The full-featured trial includes all the Symantec Managed PKI deployment options, ranging from a fully cloud-based deployment to a hybrid
Enterprise Gateway deployment. The trial is limited to 90 days and up to 100 users.
About Symantec
Symantec protects the world’s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.
For specific country offices and contact numbers, please visit our website.
Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 7/2013 21307003