White Paper on Enterprise Mobility
Enterprise mobility promises to make employees more productive, empowering them to address business issues in a timely, untethered manner. But for security-minded organizations, those using strong methods (smart cards, or Kerberos with PKI certificates) to authenticate users who try to access confidential information and data, numerous security concerns emerge when enterprise access is extended to and from smartphones and tablets.

The primary issue is this: how to replicate the "trust" that exists inside a corporate network and extend it to a "foreign device" (i.e., a device that is employee-owned and runs one of the many available mobile operating systems).
Existing Solutions Fall Short
Historically, companies have used a device-level mobile VPN to extend remote access to mobile devices. While some mobile VPNs support X.509 certificates, traditional mobile VPN solutions are problematic:
• Open Tunnel: a device-level VPN carries traffic from every app on the device, so it exposes the corporate network to nefarious apps, malware, and viruses that the user may have downloaded;
• Man-in-the-Middle: with Kerberos constrained delegation in the demilitarized zone (DMZ), the gateway authenticates the user and then obtains service tickets to internal servers on the user's behalf, placing a proverbial "Man-in-the-Middle" between the mobile device and the trusted Active Directory in the enterprise;
• No PIN Protection: PKI certificates stored in the device keychain are usable by whoever holds the device; without a separate PIN protecting the certificate there is no "two-factor" authentication.
Moreover, mobile devices do not natively support Kerberos, and each mobile OS has its own peculiarities about security and authentication, making the consistent deployment of security standards nearly impossible. It is no surprise, then, that these issues give CIOs cause for concern about allowing Bring Your Own Device (BYOD) programs inside a security-minded enterprise.
There has to be a better way...
CONTENTS:
• Existing Solutions Fall Short
• Why Should Enterprises Care About Strong Authentication & Secure Remote Access
• Security in a BYOD World Has New Rules
Authentication Challenges in a Mobile World
A new option for securing intranet access from mobile devices using Kerberos/PKI
© 2012 Bitzer Mobile
Bringing personal devices to work is an unstoppable trend. As workers embrace the benefits of BYOD and consumerization of the enterprise becomes a generally accepted practice, enterprises must address security issues such as remote control of corporate data and enterprise data-leakage prevention (DLP). Security vigilance is all the more important given that users can offload or transfer data from a mobile device to removable media such as a microSD card placed in the device, a USB-connected PC or hard drive, or a remote storage service such as iCloud, Dropbox, Box.net, or SkyDrive.
Many enterprises address data leakage by prohibiting attachments in email as a best practice and providing links to internal SharePoint- or Documentum-hosted documents instead. This document-access scheme requires that the mobile client (e.g., a smartphone or tablet) be properly authenticated before the link in the secure email can actually access and serve the secure document to the specific validated mobile device.
Bitzer Mobile’s BMAX-SA Addresses the Problem
Bitzer's Mobile Access Xcelerator with Strong Authentication (BMAX-SA) solution provides a secure container on your employee's mobile device. The Bitzer Mobile secure container acts as a virtual smart card for authentication purposes. BMAX-SA enables three major differentiators that set its functionality and flexibility far beyond current mobile VPN solutions:
1. Device trust vs. gateway trust; device trust is more secure and easier to maintain;
2. PIN-protected certificates vs. device password; PIN protection preserves the consumer user experience;
3. AppTunnel™ vs. device-level VPN, preventing rogue apps on devices from gaining direct access to your enterprise.
Figure 1: Complicated and insecure solution with mobile VPN and MDM. 1. Gateway trust, 2. Device password, 3. Device-level VPN
Figure 2: BMAX security through simplicity. 1. Device trust, 2. PIN protection, 3. AppTunnel™
Why Should Enterprises Care About Strong Authentication & Secure Remote Access
1. Device Trust vs. Gateway Trust
BMAX extends your network's Kerberos authentication trust directly to the user's device instead of stopping at a gateway server sitting in the DMZ.* Bitzer's patent-pending technology is significantly more efficient and secure than implementing the constrained delegation offered by VPN providers. This differentiation is critical: a constrained delegation solution is not only less secure but also more cumbersome to set up and maintain.

If the insecurity of a constrained delegation solution doesn't offer reason enough to pause and consider alternatives, keep in mind that, to enable gateway trust, your enterprise must configure and maintain long lists of all the internal servers that accept this trust. In a large organization, the list could contain hundreds of continually and dynamically changing servers. Configuration and maintenance can represent an administrative nightmare of significant proportions. Bitzer's device-trust approach eliminates the need to maintain additional lists of internal servers; administrators continue to authorize users and servers only in Active Directory, as they do today.
2. PIN-Protected Certificate vs. Device Password
The continual battle between IT and end users over the tradeoff between usability and security is magnified when dealing with consumer devices and BYOD** programs. Corporate IT requires strong PINs to protect the certificate and corporate data on BYOD devices; conversely, users want simple PINs, or preferably no PIN at all, so they can easily access Facebook® and other consumer apps.

Requiring a device password is frustrating for users, as they are constantly using the device for non-enterprise purposes that don't require enterprise authentication. As a compromise for executive BYOD users (the people who access the organization's most confidential IP and data), IT loosens password requirements for mobile devices, resulting in a lowest-common-denominator security solution.

Unfortunately, mobile devices are the most vulnerable devices: they are more subject to loss and theft and more exposed to interception on wireless networks (CDMA/GSM/LTE/WiMAX). These devices should, therefore, use your strongest authentication solution, not your weakest. Bitzer's solution provides the necessary balance between security and usability when dealing with BYOD programs.
Bitzer's Solution Solves the Certificate-Security Problem
By holding the certificate inside a secure container app, Bitzer enforces PIN protection only when the user is trying to access corporate resources. The Bitzer secure container eliminates the battle between usability and security. Users can still access their consumer apps without any device password, and enterprises can enforce PIN policies that apply only when enterprise authentication is required.
* Demilitarized Zone — DMZ
** Bring Your Own Device — BYOD
Bitzer's solution also includes a remote Mobile Container Management (MCM) component that can enforce policy and remotely lock or wipe the secure container on the employee's mobile device instantaneously. Policies can include authentication and access to certain resources. Access can be restricted to certain locations or time windows, affording the enterprise control over intranet access by whom, with what, from when, and from where.
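The two mechanisms described above, a certificate that is unusable without the container PIN and a container that can be wiped locally or by the MCM component, can be illustrated with a small example. The following Python is an added example for this page, not Bitzer's code and not a description of how BMAX-SA is implemented: it wraps a client certificate's private key under a key derived from the container PIN (scrypt), authenticates the wrapped blob with an HMAC so a wrong PIN is detected without leaking anything, counts failed attempts, and destroys the key material on a wipe. The attempt limit, the sample key bytes and the HMAC-counter-mode cipher (a stdlib-only stand-in for an authenticated cipher such as AES-GCM from a real crypto library) are assumptions for the example. The point it demonstrates is the one the text makes: the device password never enters into it, so possession of an unlocked device does not yield the enterprise credential.

```python
"""PIN-wrapped client certificate key for a secure-container app (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed policy value; the paper gives no number


@dataclass
class WrappedKey:
    """Private key at rest: ciphertext plus the data needed to re-derive the wrap key.

    The PIN itself is never stored; only the salt is, so the key can only be
    recovered by someone who knows the PIN.
    """
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes
    failed_attempts: int = 0
    wiped: bool = False


def _derive_keys(pin, salt):
    """Stretch the PIN with scrypt so that guessing a short PIN offline is slow.

    Returns (encryption key, MAC key) as two independent 32-byte halves.
    """
    material = hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 run in counter mode; stands in for a real stream/AEAD cipher."""
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def wrap_private_key(pin, private_key):
    """Encrypt-then-MAC the private key under keys derived from the PIN."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(pin, salt)
    ks = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return WrappedKey(salt, nonce, ciphertext, tag)


def wipe_container(wrapped):
    """Local or MCM-initiated wipe: destroy ciphertext and salt, so the key
    cannot be recovered even if the correct PIN is supplied later."""
    wrapped.ciphertext = b""
    wrapped.tag = b""
    wrapped.salt = b""
    wrapped.wiped = True


def unwrap_private_key(pin, wrapped):
    """Return the private key for the correct PIN; raise PermissionError otherwise.

    A wrong PIN is detected through the MAC (constant-time compare), counted,
    and after MAX_FAILED_ATTEMPTS the container wipes itself.
    """
    if wrapped.wiped:
        raise PermissionError("container has been wiped; the device must re-enrol")
    enc_key, mac_key = _derive_keys(pin, wrapped.salt)
    expected = hmac.new(mac_key, wrapped.nonce + wrapped.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped.tag):
        wrapped.failed_attempts += 1
        if wrapped.failed_attempts >= MAX_FAILED_ATTEMPTS:
            wipe_container(wrapped)
        raise PermissionError("wrong PIN")
    wrapped.failed_attempts = 0
    ks = _keystream(enc_key, wrapped.nonce, len(wrapped.ciphertext))
    return bytes(c ^ k for c, k in zip(wrapped.ciphertext, ks))
```

In a real container the unwrapped key would live only in process memory for the duration of the TLS handshake or Kerberos PKINIT exchange, and the attempt counter and wipe flag would themselves be stored where a rogue app cannot reset them; the example keeps them in the same object only to show the control flow.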
3. AppTunnel™ vs. Device VPN
Device-level VPNs provide a trusted, secure tunnel between a user's device and a corporation's network. Yet device-level VPN solutions are problematic: they are more appropriate for corporate-owned and secured endpoint devices such as laptops than for consumer mobile devices. The stark reality is that once a mobile-device VPN tunnel is open to your network, any app on that device has access to this secure tunnel. This is a huge security hole and a pathway to danger.

With the near-exponential rise in mobile application malware, spyware, viruses, and general nefarious code, can any enterprise ensure that consumer-focused BYOD users have not unintentionally or intentionally downloaded a rogue app onto their devices? Does your organization really need the additional overwhelming, if not impossible, task of monitoring and managing all the content on all your employees' mobile devices?
Secure AppTunnel™ Talks Only to the Secure Container
With Bitzer's secure AppTunnel™, the connection from the mobile device to the enterprise intranet exists only between the secure container and enterprise servers. The solution redefines enterprise mobility.
Security in a BYOD World Has New Rules
Your organization has invested significantly in implementing secure Kerberos/X.509 authentication, both inside your enterprise and for laptop remote access; however, the complexity of authentication challenges is exacerbated with mobility, consumer devices, and especially BYOD programs. Security-conscious IT professionals must look beyond current solutions to ones designed for the new challenges that accompany changing realities.

Create a far more secure solution while simplifying deployment and preserving the user experience. Bitzer can make the difference for your organization.
BITZER MOBILE
440 N. Wolfe Road
Sunnyvale, CA 94085, USA
www.bitzermobile.com
1-(866) 603-8392
Follow us on @bitzermobile