Monday Jun 16, 2014

It’s Time for Businesses to get Serious about BYOD

Klaus Bergius, Director of Technology Marketing EMEA at Oracle

Bring Your Own Device (BYOD) is a corporate reality that is already affecting virtually every business operating today. In some ways BYOD is inevitable, with businesses having little choice but to adapt to it. Consumer smartphones, tablets and laptops may eventually end the corporate mandating of employee devices. But currently, there is widespread concern and even denial in enterprises, while embracing BYOD could create new opportunities. This is what the Oracle European BYOD Index Report, based on research carried out in January and February 2014, reveals.

This Index assesses the opinions of Chief Security Officers, Chief Information Security Officers and other personnel responsible for information security at 700 businesses in the Nordics, Germany and Switzerland (DCH), Benelux, the UK, France, Italy and Iberia (Portugal and Spain), across all major industry verticals. It seeks to understand how far European businesses have come in deploying key BYOD technologies and processes, and what their opinions are regarding the future of BYOD.

Barriers to Adoption
The latest research from Oracle suggests that few businesses in Europe have fully warmed to BYOD, with 44 per cent of businesses stating that they dislike BYOD and only allow it in exceptional circumstances. A further 22 per cent have a complete ban on data or information residing on a BYOD device and, perhaps most worrying, 20 per cent have no rules in place at all. Half of organizations are not managing smartphones as part of BYOD, and there seem to be big concerns around security. Device security (45 per cent), application security (53 per cent) and data security (63 per cent) were all listed as areas of concern.

The Awareness Gap
This issue, however, is not a technological or process one; it is an educational one. For me, the main thing hindering further adoption of BYOD across Europe is a lack of awareness of what exactly it is and what can be done to secure it. Fortunately the technology already exists to deliver secure BYOD cost-effectively. Containerization, or sand-boxing as it is sometimes called, illustrates this point perfectly. But in our survey the majority (37 per cent) of the IT professionals we asked had never even heard of it, let alone deployed it (only 8 per cent reported that they have deployed containerization).

Device vs. Application Management
Functions such as locking the device, remotely wiping its content or performing firmware upgrades are the domain of Mobile Device Management (MDM). Managing applications on devices typically falls under Mobile Application Management (MAM). But why should we continue to separate the two, fragmenting the overall solution into small pieces addressed by multiple vendors? Why shouldn’t we view MDM and MAM as overlapping areas and, moreover, treat them as ‘just’ an extension of corporate Identity and Access Management, by simply extending that solution to include device and application management features? This is exactly what Oracle Mobile Security Suite does.

Outlook
In an attempt to widen this research and find out what the readiness and opinion towards BYOD is in other parts of the world, Oracle is currently preparing a second version which shall cover North America, South America, Eastern Europe, Middle East and Africa as well as Asia Pacific countries. And in addition to the aspects of data security, device security and application security, we will also include cloud security as an additional aspect. It will be extremely interesting to compare results, so stay tuned for an update!


Thursday Jun 12, 2014

BYOD is not a fashion statement; it’s an architectural shift - by Indus Khaitan

Ten years ago, if you asked a CIO “how mobile is your enterprise?”, the answer would have been “100%, we give a BlackBerry to all our employees.”

A few things have changed since then:

1. Smartphone form factors have matured, especially after the launch of the iPhone.
2. Rapid growth of productivity applications and services that enable creation and consumption of digital content.
3. Pervasive mobile data connectivity.

There are two threads emerging from this change. The first is that users are rapidly merging their two personas, individual and employee: in one moment posting a picture of a fancy dinner on Facebook, in the next creating an expense report for the same meal on the same mobile device.

Irrespective of the dual persona, a user’s personal and corporate lives intermingle freely on a single piece of hardware, and more often than not it is an employee’s personal smartphone being used for everything.
A BYOD program enables IT to “control” an employee-owned device while enabling productivity. More often than not the objective of BYOD programs is financial: instead of the organization, the employee pays for the device. More than a fancy device, BYOD initiatives have become a sort of fashion statement: of corporate productivity, of letting employees be in charge, and a show of corporate empathy in not forcing an archaic form factor on people in a world of new device launches every month.

BYOD is no longer merely a means of shifting expense dollars and support costs. It does not matter who owns the device; it has to be protected. BYOD brings an architectural shift. BYOD is an architecture that assumes every device is vulnerable, not just the ones your employees have brought but also the ones organizations have purchased for their employees. It is an architecture that forces us to rethink how to provide productivity without compromising security.

Why assume that every device is vulnerable?

Mobile operating systems are evolving rapidly, with major upgrade announcements every other month. It is impossible for IT to catch up. More than that, users are savvier than before. While IT could install locks on the doors to keep intruders out, doing so may degrade productivity, which incentivizes users to bypass the restrictions. A rapidly evolving mobile ecosystem has many moving parts, and those parts are vulnerable.

Hence, creating a mobile security platform, which uses the fundamental blocks of BYOD architecture such as identity defragmentation, IT control and data isolation, ensures that the sprawl of corporate data is contained.

In the next post, we’ll dig deeper into the BYOD architecture.

Friday May 09, 2014

Three User Friendly Strategies for BYOD Security

For most CIOs, securing corporate data on mobile devices is top of mind. With enterprises producing more data than ever before in human history, much of that data will be accessible via mobile devices and mobile applications. In fact, studies suggest that 80% of enterprise access will be via mobile devices by 2020, versus just 5% today. Amit Jasuja's recent article on Forbes Oracle Voice discusses three strategies for CIOs that can reduce the risk and simplify the user experience.

Wednesday Apr 30, 2014

Identity Enabling Mobile Security - by Suresh Sridharan

Smart Connected Device Growth: The growth of smartphones and tablet devices has been phenomenal over the past 4 years. Global smartphone shipments have grown extensively from approximately 100m units in 2010 to 725m units in 2012, reaching 1b devices in January 2014. Simultaneously, tablet shipments have grown from 5m units in 2010 to approximately 125m units in 2012. Tablet numbers are likely to touch 400m units by 2017.

This explosion in the shipment of smart connected devices has also led to a significant change in users’ behavior and expectations.

In a corporate environment, the phenomenon of Bring Your Own Device (BYOD) is gaining momentum. Gartner predicts that 38% of all organizations will have an “all BYOD” policy by 2016, up from 6% today (2014). If the same device is being used for both personal and work purposes, users will expect the same experience across corporate and personal apps. Further, employees regularly use the same apps for both business and personal purposes; examples include WhatsApp, Skype and Facebook.

Mobile devices present benefits both for organizations and for individuals. Surveys show that a BYOD policy helps employees gain an extra 37 minutes of productive time every week. To increase sales productivity, some of our customers are mobile-enabling sales teams to ensure that they have access to the latest information when they meet with customers.

Security is one of the most significant mobile device challenges both for consumers and for enterprises. Although mobile commerce is growing rapidly (to $25b in the US alone), 60% of all retail transactions that reach the checkout stage are abandoned, with security as one of the main causes, according to recent data.

As corporate data on the device co-mingles with user data on a personal device, it becomes challenging for enterprises to impose restrictions on the use of devices. About 40% of adults do not protect their smartphones with a passcode, and among married adults that number rises to 45%.
In order to address security challenges, IT should be able to define and enforce policies that meet security and privacy standards to protect intellectual property, other corporate assets and optionally, personal employee data.

There are three things to consider while implementing security in the new mobile age:

  1. Implement a strong identity management system that allows one to manage users and ensure that they are able to access information based on the principle of least privilege to carry out the necessary tasks.
  2. Implement an access management solution to secure data based on who is accessing it and the risk profile of that specific transaction.
  3. Implement a mobile security solution that will help secure data on the device and ensure corporate security policies are enforced on the device from which assets are being accessed.

In essence, organizations need to ensure that application data is secured based on the user accessing it and the device and location from which it is being accessed. Securing the device and the user identity in isolation is not sufficient.

Monday Nov 18, 2013

The Technology Stack of Mobile Device Enablement - Simeio Solutions

Introduction
Mobile computing has proven to be a game changer, revolutionizing the way we work, communicate and connect. Arguably, this revolution can trace its roots back to the ‘Personal Computer’, which freed individuals and organizations from the centralized mainframe operating model, and we haven’t looked back since. But what’s remarkable about mobile computing is the unprecedented pace of change and innovation it has brought about. Mobile devices are penetrating and transforming businesses today far faster than any previous generation of computing technology, including laptops and desktops.


Current landscape
Today, "going mobile" means a lot more than just modifying the content to fit a browser on a small screen size. Infrastructures can no longer afford to limit remote or mobile access to browser-based functionality. Users need access to more applications and data, from a wider variety of mobile and wireless devices.
Mobile device capabilities have reached new heights, which in turn has spurred demand for rich mobile applications that require access to private enterprise data in order to deliver functionality. These applications have become indispensable tools for end users. They are being inextricably woven into day-to-day business operations in an effort to improve productivity. In spite of the complexity, these devices are becoming a critical component of the computing environment because of their versatility.


Enter BYOD
Perhaps the single biggest driver of the mobile revolution has been the widespread adoption of “Bring Your Own Device” or “BYOD.” BYOD is the policy of permitting – or even encouraging – employees to bring personally owned mobile devices (laptops, tablets and smart phones) to their workplace, and to use those devices to access privileged company information and applications. Seemingly overnight, BYOD has supplanted the traditional policy of permitting only “corporate-liable” or “CL” devices, those that are owned and issued by the company.


The Benefits of BYOD
BYOD fosters business process efficiency by allowing employees to complete their tasks at any time and from anywhere – whether they are sales representatives, technical analysts in the field, customer-facing employees, manufacturing reps and the like. Every one of these employees needs access to data, which can enable them to make the right decisions, answer queries, come up with proposals, close deals and execute other vital tasks.
The benefits of BYOD include:

  • Improved workplace flexibility and productivity with secure "anytime, anywhere" access for employees. It promotes employee satisfaction. It also increases effective employee work hours in small increments per week, which in turn translates to a greater throughput from the workforce.
  • Increased sales revenues from quick, reliable access to business-generating applications on employee-owned devices.
  • Competitive appeal for market leadership and recruiting. Adopting innovative technology solutions such as mobility is valued by organizations for maintaining competitive positioning in their respective marketplaces.
  • Reduced costs for acquiring, distributing and replacing corporate-liable (CL) devices.
  • Reduced complexity and costs from internally maintaining the mobility infrastructure.
  • Decreased help desk support with a reduction in the number of inbound calls for CL devices.

This is definitely not an exhaustive list, but it covers the common factors fueling BYOD adoption.


Imminent Challenges and Risks
It is not difficult to lose a smartphone or tablet, resulting in confidential data being exposed to untrusted entities. Thus, accessing and storing corporate data on private devices presents unique security challenges to the enterprise. The IT security team and the CIO office are now dealing with questions such as:

  • Do our enterprise applications qualify as “secure” and “cloud ready”?
  • How do we manage security of the enterprise applications in a scenario where a plethora of mobile devices connect to them for accessing sensitive data?
  • How can my company enable social trust as a means of connecting to customers and employees?
  • What about securing the digital and intellectual property which has been exposed as a result of the BYOD scheme?

Some of the inevitable challenges for organizations adopting BYOD include:

  • Handling the deluge of BYOD demand (tablets, smart phones, smart watches and more)
  • Adapting to costs and risk that are no longer "per user" but rather "per device"
  • Avoiding the risk of revolt when applying corporate lock-downs and restrictions on devices owned by the employee
  • Addressing the increased threats associated with mobile
  • Obtaining increased budget to address the risk of mobile
  • Adopting configuration management to reduce vulnerability exposure
  • Managing what apps are allowed
  • Determining how to track and manage a personal device the same way as a CL device without violating personal privacy
  • Using mobile as an "enabling" component to the business instead of a roadblock

There are four primary areas that are putting consumers and enterprises at risk on mobile platforms:

  • Access based attacks – Privileged users who have access to more data than they should, or are using legitimate access to steal confidential data, and share or use it in ways that negatively affect the organization.
  • Device Loss – The loss of a corporate or personal device that contains confidential data on the device, or within secondary memory, due to loss or theft of the device.
  • Rogue malicious apps – Applications that have been compromised by attackers and posted on various app stores that contain hidden payloads that steal data, initiate connections, commit outbound toll-fraud or are used as a launching point for attacks inside a trusted corporate network.
  • SMS Attacks – Unwanted inbound SMS messages from attackers that trick users to take actions that can lead to installation of code or to increased carrier based charges.


Identity and Access Management to the Rescue
Luckily, corporations facing these risks and challenges don’t have to go it alone. The field of Identity and Access Management (IAM) has evolved just as rapidly with solutions designed to address key aspects of BYOD adoption:

  • Mobile Device Management (MDM)
  • Mobile Identity Management (MIM)
  • Mobile Application Management (MAM)

IAM solution providers, including our company, Simeio Solutions, have seen tremendous growth in these areas, with new tools, technologies, methodologies and best practices designed to help organizations adopt BYOD securely and effectively.

The need of the hour is seamless and secure digital connectivity for cloud and mobile integration in order for BYOD to prosper.
Here is where a product like Oracle Mobile and Social Access Management comes into the picture. It is a solution that enables an organization to secure mobile access to its enterprise applications. It includes a server that acts as a “secure wall” between external mobile client applications and the enterprise applications and data stores (which the mobile applications eventually access), leveraging the existing back-end identity infrastructure services to regulate the interaction between the two.

Oracle Mobile and Social Access Management Offerings


The Oracle Mobile and Social Access Management solution includes features in each of the following key areas: MDM, MIM and MAM.


Mobile Device Management

  • Device Enrollment – Oracle Mobile and Social Service components enforce device registration as a prerequisite to granting access to sensitive enterprise applications/data. A “Client Registration Handle” is used to process first-time device registration post user authentication via the Mobile and Social server.
  • Device Fingerprinting – Mobile and Social Access Server leverages the service from Oracle Adaptive Access Manager (OAAM) in order to deliver functionality such as Device Fingerprinting. OAAM provides capabilities such as One Time Password (OTP) and Knowledge Based Authentication (KBA) based on policies and risk assessments.
  • Device Blacklisting – Oracle Mobile and Social Access Services address the inherent risk of smartphone theft. They provide capabilities to blacklist/block insecure devices and/or wipe sensitive security information from the device according to the threat level.

Mobile Identity Management

  • Mobile User Authentication – Oracle Mobile and Social Services facilitate delegation of mobile user authentication to existing and trusted components such as Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM, for strong authentication).
  • Mobile User Authorization – Oracle Entitlements Server (OES), a fine-grained authorization server, is leveraged to provide authorization services for mobile users based on its policy-driven decision engine, in order to enforce appropriate access for mobile users to backend enterprise applications.
  • Social Identity support – Oracle Mobile and Social Services facilitate the usage of social internet identities such as Facebook, Twitter, Google, LinkedIn, etc., for signing on users to less sensitive applications. Many of these providers are based on open standards such as OpenID and OAuth, and this in turn can be leveraged to provide rich user experiences.


Leveraging Social Identities


Mobile Application Management

  • Mobile Apps Single Sign-On (SSO) – A mobile user can run many mobile applications on the same device without having to authenticate to each application individually. The out-of-the-box software development kit (SDK) shipped as a part of Oracle Mobile and Social can be used to build and configure Mobile SSO agents, which serve as a centralized point from which authentication and SSO can be managed. SSO functionality is also available to web-based applications in addition to inter-application SSO.
  • Application Registration – In order to strengthen mobile application security, Oracle Mobile and Social services ensure application registration before allowing access to sensitive data housed within enterprise applications.

Oracle Mobile and Social Access: The Big Picture


Conclusion
Mobile computing is here to stay. Along with its many luxuries, its penetration has introduced new complexities and challenges to organizations. They cannot afford to fall back on user awareness and user agreements to provide security. The question is no longer about allowing or denying mobile access. The question for today is about effective management.
This post is just the first in a 4-part blog series. In our next post, we’ll have in-depth coverage of Mobile Device Management (MDM).

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.

Tuesday Jun 25, 2013

It's not just “Single Sign-on” by Steve Knott (aurionPro SENA)

It is true that Oracle Enterprise Single Sign-on (Oracle ESSO) started out as purely an application single sign-on tool, but as we have seen in the previous articles in this series, the product has matured into a suite of tools that can do more than just automated single sign-on, and can also provide a rapidly deployed, cost-effective solution to many demanding password management problems.

In the last article of this series I would like to discuss three cases where customers faced password scenarios that required more than just single sign-on and how some of the less well known tools in the Oracle ESSO suite “kitbag” helped solve these challenges.

Case #1

One of the issues often faced by our customers is how to keep their applications compliant. I had a client who liked the idea of automated single sign-on for most of his applications but had a key requirement to actually increase the security for one specific SOX application. For the SOX application he wanted to secure access by using two-factor authentication with a smartcard. The problem was that the application did not support two-factor authentication. The solution was to use a feature of the Oracle ESSO suite called authentication manager. This feature enables you to have multiple authentication methods for the same user, which in this case were a smartcard and the Windows password. Within authentication manager each authenticator can be configured with a security grade, so we gave the smartcard a high grade and the Windows password a normal grade. Security grading in Oracle ESSO can be configured on a per-application basis, so we set the SOX application to require the higher-grade smartcard authenticator.

The end result for the user was that they enjoyed automated single sign-on for most of the applications apart from the SOX application. When the SOX application was launched, the user was required by ESSO to present their smartcard before being given access to the application.
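The grading logic from Case #1 as an added example, not Oracle ESSO code: the authenticator and application names, the NONE/NORMAL/HIGH scale and the session model are assumptions, but the per-application step-up decision is the one the post describes.

```python
from enum import IntEnum


class Grade(IntEnum):
    """Security grade an authenticator earns; a higher grade satisfies a lower requirement."""
    NONE = 0
    NORMAL = 1
    HIGH = 2


# Administrator-assigned grade per authenticator, mirroring the post:
# smartcard = high grade, Windows password = normal grade (names are assumed).
AUTHENTICATOR_GRADES = {
    "windows_password": Grade.NORMAL,
    "smartcard": Grade.HIGH,
}

# Per-application required grade; applications not listed need only NORMAL.
# "sox_app" stands in for the client's SOX application (assumed name).
APP_REQUIRED_GRADE = {
    "sox_app": Grade.HIGH,
}


class Session:
    """Tracks which authenticators the user has successfully presented."""

    def __init__(self) -> None:
        self.presented: dict[str, Grade] = {}

    def authenticate(self, name: str, verified: bool) -> Grade:
        """Record a verified authenticator and return the session's current grade."""
        if name not in AUTHENTICATOR_GRADES:
            raise KeyError(f"unknown authenticator: {name}")
        if verified:
            self.presented[name] = AUTHENTICATOR_GRADES[name]
        return self.grade

    @property
    def grade(self) -> Grade:
        # The session is as strong as the best authenticator presented so far.
        return max(self.presented.values(), default=Grade.NONE)


def launch(session: Session, app: str) -> dict:
    """Decide what the agent does when `app` is launched.

    'sso'     -> the session grade is sufficient, inject credentials automatically
    'step_up' -> prompt for one of the listed authenticators that meets the grade first
    """
    required = APP_REQUIRED_GRADE.get(app, Grade.NORMAL)
    if session.grade >= required:
        return {"action": "sso", "app": app}
    acceptable = sorted(n for n, g in AUTHENTICATOR_GRADES.items() if g >= required)
    return {"action": "step_up", "app": app, "acceptable": acceptable}


def case1_walkthrough() -> list[dict]:
    """Replay the scenario from the post and return each decision in order."""
    s = Session()
    s.authenticate("windows_password", verified=True)  # normal Windows logon
    decisions = [
        launch(s, "email"),    # ordinary app: SSO with the normal grade
        launch(s, "sox_app"),  # SOX app needs HIGH, so the agent asks for the smartcard
    ]
    s.authenticate("smartcard", verified=True)         # user presents the card
    decisions.append(launch(s, "sox_app"))             # now SSO proceeds
    return decisions


if __name__ == "__main__":
    for d in case1_walkthrough():
        print(d)
```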

Case #2

Another example of solving compliance issues was the case of a large energy company that had a number of core billing applications. New regulations required that users change their password regularly and use a complex password. The problem facing the customer was that the core billing applications did not have any native user password change functionality. The customer could not replace the core applications because of the cost and time required to re-develop them. With a reputation for innovation, aurionPro SENA were approached to provide a solution to this problem using Oracle ESSO.

Oracle ESSO has a password expiry feature that can be triggered periodically based on the timestamp of the user’s last password creation, so our strategy was to leverage this feature to provide the password change experience. The trigger can launch an application’s change password event; however, in this scenario there was no native change password feature that could be launched, so a “dummy” change password screen was created that imitated the missing change password function and connected to the application database on behalf of the user.

Oracle ESSO was configured to trigger a change password event every 60 days. After this period, if the user launched the application, Oracle ESSO would detect the logon screen and invoke the password expiry feature. Oracle ESSO would trigger the “dummy screen,” detect it automatically as the application’s change password screen and insert a complex password on behalf of the user. After the password event had completed, the user was logged on to the application with their new password. All this was provided at a fraction of the cost of re-developing the core applications.
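The expiry-driven rotation from Case #2 as an added example, not Oracle ESSO code: the 60-day trigger is from the post, while the 16-character complexity rule, the CSPRNG-backed generator and the credential record layout are assumptions. Writing the new password into the application database (the “dummy screen”) is outside what the block models.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Trigger period from the post; the complexity policy below is an assumption.
EXPIRY_PERIOD = timedelta(days=60)
PASSWORD_LENGTH = 16
# One character from each class is required; visually ambiguous characters are left out.
CHAR_CLASSES = {
    "lower": sorted(set(string.ascii_lowercase) - set("l")),
    "upper": sorted(set(string.ascii_uppercase) - set("IO")),
    "digit": sorted(set(string.digits) - set("01")),
    "symbol": sorted("!#$%&*+-=?@^_~"),
}
_rng = secrets.SystemRandom()  # OS CSPRNG; never use random.Random for credentials


def password_expired(last_change: datetime, now: datetime) -> bool:
    """True once the credential is at least EXPIRY_PERIOD old (the agent's trigger test)."""
    return now - last_change >= EXPIRY_PERIOD


def meets_policy(password: str) -> bool:
    """Minimum length and at least one character from every class."""
    if len(password) < PASSWORD_LENGTH:
        return False
    present = set(password)
    return all(present & set(cls) for cls in CHAR_CLASSES.values())


def generate_password() -> str:
    """Build a compliant password by construction: one character from each class,
    the rest from the full alphabet, then a CSPRNG shuffle so the guaranteed
    characters do not sit at predictable positions."""
    chars = [_rng.choice(cls) for cls in CHAR_CLASSES.values()]
    alphabet = [c for cls in CHAR_CLASSES.values() for c in cls]
    chars += [_rng.choice(alphabet) for _ in range(PASSWORD_LENGTH - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


def rotate_if_expired(record: dict, now: datetime) -> tuple:
    """Emulate the logon-time check: when the stored credential has expired,
    generate a new password and stamp the change time. `record` is the agent's
    stored credential {"user", "password", "changed_at"} and is not mutated."""
    if not password_expired(record["changed_at"], now):
        return False, record
    new_record = dict(record, password=generate_password(), changed_at=now)
    return True, new_record


# Constructed sample data: a fixed "now" and a credential of a chosen age.
NOW = datetime(2014, 6, 25, 9, 0, tzinfo=timezone.utc)


def sample_record(age_days: int) -> dict:
    """Constructed credential record whose password is `age_days` old relative to NOW."""
    return {
        "user": "billing.clerk",
        "password": "Old-Pass-2014!",
        "changed_at": NOW - timedelta(days=age_days),
    }


if __name__ == "__main__":
    rotated, rec = rotate_if_expired(sample_record(61), NOW)
    print(rotated, rec["password"], meets_policy(rec["password"]))
```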

Case #3

Recent popular initiatives such as the BYOD and working from home schemes bring with them many challenges in administering “unmanaged machines” and sometimes “unmanageable users.”

In a recent case, a client had a dispersed community of casual contractors who worked for the business using their own laptops to access applications. To improve security around password management, the goal was to provision the passwords directly to these contractors. In a previous article we saw how Oracle ESSO can provision passwords through Provisioning Gateway, but the challenge in this scenario was how to get the Oracle ESSO agent onto the casual contractor’s unmanaged machine.

The answer was to use another tool in the suite, Oracle ESSO Anywhere. This component can compile the normal Oracle ESSO functionality into a deployment package that can be made available from a website, in a similar way to a streamed application. The ESSO Anywhere agent does not actually install into the registry or Program Files but runs from a folder within the user’s profile, so no local administrator rights are required for installation. The ESSO Anywhere package can also be configured to stay persistent or to disable itself at the end of the user’s session.

In this case the user just needed to be told where the website package was located and download the package. Once the download was complete the agent started automatically and the user was provided with single sign-on to their applications without ever knowing the application passwords.

Finally, as we have seen in this series, Oracle ESSO not only has great utilities in its own tool box but also has direct integration with Oracle Privileged Account Manager, Oracle Identity Manager and Oracle Access Manager. Integrated with these tools, it provides a complete and complementary platform to address even the most complex identity and access management requirements.

So what next for Oracle ESSO?

“Agentless ESSO available in the cloud” – but that will be a subject for a future Oracle ESSO series!

                                                                                                                              

Monday Mar 18, 2013

Do You Trust Social, Mobile and Cloud?

Over the last decade or so there has been a complete transformation in the way we work and how we consume information. Work is no longer about geography; it is an activity. “Company resources” are not just servers and systems in your server room; they could be in a data center, in the cloud or even on employees’ smartphones, iPads, tablets and more. Users of these “company resources” could be employees with physical badges, vendors, partners or customers connecting through social media channels such as Facebook, Twitter or Pinterest. Work can happen anywhere, via any device, through any network (intranet/social media channels/internet) leveraging company resources.

And why are organizations adopting this “work anywhere, anytime” model? The reasons are plenty: to improve efficiency, bring agility, build user productivity, offer a seamless user experience to customers or simply establish a trust relationship with the customer. Social, Mobile and Cloud (SoMoClo) together are a business opportunity, a competitive advantage that organizations are seeking. And security is the lynchpin in this new work order. Without a secure, seamless digital experience, it all falls apart.

With each new experience, the security risk increases. Each channel presents its own security points of failure. How can my company enable social trust as a means of connecting to customers & employees? How do I accommodate dynamic workgroups and teams of people around the globe that need to be part of my value chain? Is the Bring Your Own Device (BYOD) threatening the security of my digital and intellectual property? How can I securely connect mobile devices to my enterprise without compromising security? Are my applications secure enough to be cloud ready?

The security solution, thus, needs to scale and span across all the channels, encompass the growing breadth of both the “company resources” and the user population. The solution needs to provide the foundation (a platform) that feeds uniform security policies and extends identity context to the complete digital experience.

Naresh Persaud, Director, Security and Identity Management at Oracle, discusses the IT transformation driven by SoMoClo and underscores the need for a sound security solution. Catch this brief screencast on Securing the New Digital Experience to learn how the latest advances in Oracle Identity Management and Oracle Fusion Middleware solutions are fueling the transformation that is driving innovation in IT today.

For more information on Oracle Identity Management, visit us or join the conversation on our blog, Facebook page or catch us on Twitter.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide: why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware, and they will likely only intensify as the number of mobile devices and operating systems proliferates. Another option is that the employer can provide employees with a mobile device, hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the pros and cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles: Bring Your Own vs. Corporate Provided

Pros, Bring Your Own:
  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Pros, Corporate Provided:
  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons, Bring Your Own:
  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Cons, Corporate Provided:
  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee-owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device connects to the network and what it can access, prevent downloading, and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before a device is allowed to connect, keeping the network safe from viruses and malware that could be present on an employee-owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine whether the primary objectives of its BYOD program, from a mobile security perspective, are device-centric, data-centric, or a combination of both.

Device Centric
  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric
  • Minimal device data footprint
  • Communications encryption
  • Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls
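The NAC “health-check” described earlier, combined with the device-centric controls listed above (MDM enrollment, policy enforcement, local data encryption), as an added example that is not part of the Deloitte post. The posture attributes, the 30-day patch threshold and the four network tiers are assumptions chosen for illustration.

```python
# Added example (not from the Deloitte post): a simplified NAC health-check that
# inspects a device's reported posture and maps it to a network tier. Attribute
# names, the patch-age threshold and the tier names are assumptions.
from dataclasses import dataclass


@dataclass
class DevicePosture:
    owner: str               # "byod" or "corporate"
    os_patch_age_days: int   # days since the last OS security update
    disk_encrypted: bool     # local data encryption (device-centric control)
    mdm_enrolled: bool       # MDM enrollment (device-centric control)
    jailbroken: bool         # rooted/jailbroken devices cannot report honestly
    screen_lock: bool        # basic policy requirement


FULL, RESTRICTED, QUARANTINE, DENY = "full", "restricted", "quarantine", "deny"


def health_check(p: DevicePosture, max_patch_age: int = 30):
    """Return (tier, reasons) for the connecting device.

    full        - normal access to internal resources
    restricted  - unmanaged device: web/virtual-desktop access, no local download
    quarantine  - remediation network only (update, enroll), no corporate data
    deny        - not allowed to connect at all
    """
    if p.jailbroken:
        return DENY, ["device is jailbroken/rooted"]

    blocking, limiting = [], []
    if not p.disk_encrypted:
        blocking.append("local storage not encrypted")
    if not p.screen_lock:
        blocking.append("no screen lock configured")
    if p.os_patch_age_days > max_patch_age:
        blocking.append(f"OS patches older than {max_patch_age} days")
    if not p.mdm_enrolled:
        # A corporate-provided device must be enrolled; an unenrolled BYOD
        # device is only limited to data-centric (no local footprint) access.
        (blocking if p.owner == "corporate" else limiting).append("not enrolled in MDM")

    if blocking:
        return QUARANTINE, blocking + limiting
    if limiting:
        return RESTRICTED, limiting
    return FULL, []
```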

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Thursday Dec 20, 2012

Webcast Replay Now Available: Developing and Enforcing a BYOD Policy

Mobile Device Policy is a hot topic for IT - everyone knows they need a policy and enforcement tools, but few companies have actually created a formal policy covering employee owned devices.

Oracle and SANS teamed up to present a comprehensive look at mobile device policy: in the first segment, security expert Tony DeLaGrange presents current trends in mobile device policy based on a recent SANS survey. In the second segment, SANS legal expert Ben Wright discusses the pros and cons of various BYOD policies from a legal perspective. And in the third segment, Oracle's own Lee Howarth presents the technology and software necessary to enforce mobile device and application access policies.

Click this link to register and listen to the replay: Webcast Registration

The presentation for this webcast is posted below.

Thursday Sep 01, 2011

Access Management Sessions at Oracle OpenWorld

Oracle OpenWorld 2011

If you are a security professional, we are giving you a lot of reasons to be excited about this year’s Oracle OpenWorld. Every year Oracle OpenWorld brings together some of the most celebrated subject matter experts in the identity management and security industry. That naturally leads to an exchange of some brilliant and thought-provoking ideas. Our Oracle Access Management team has worked hard this year to put together a set of interesting topics that should give you a lot of food for thought. Whether you are interested in securing your online or cloud applications, whether you are thinking about securing access from those quickly proliferating unmanaged mobile devices, or even if you are just thinking about securing access to your enterprise’s on-premise applications, Oracle Access Management has the answers you need.

Here is a list of Access Management sessions that you just don’t wanna miss. Feel free to use OpenWorld's Schedule Builder to pre-register for these and map out your own personal conference agenda. Over the next few weeks, I will be previewing some of these topics in more detail.

Time: Tuesday Oct 4, 10:15 am - 11:15 am
Title: Mobile Security Trade-offs: Balancing Strength and Usability
Speakers: Mark Karlstrand, Senior Product Management, Oracle; Joshua Walderbach, Information Security Analyst, Principal Financial Group
Location: Moscone West, Room 3022

Time: Tuesday Oct 4, 10:15 am - 11:15 am
Title: BYODW (Bring Your Own Device to Work): Securing the Mobile Enterprise
Speakers: Clayton Donley, Sr. Director Development, Oracle; Daniel Killmer, Principal Product Manager, Oracle
Location: Moscone West, Room 3020

Time: Tuesday Oct 4, 1:15 pm - 2:15 pm
Title: Applying Authorization to Solve the Right Problems
Speakers: Roger Wigenstam, Senior Director Product Management, Oracle; Subbu Devulapalli, Principal Product Management, Oracle
Location: Moscone West, Room 3022

Time: Wednesday Oct 5, 11:30 am - 12:30 pm
Title: Single Thread of Identity: Freddie Mac Case Study
Speakers: Kavya Muthanna, Principal Product Manager, Oracle; Luke Paris, Director, Information Security, Freddie Mac
Location: Moscone West, Room 3022

Time: Thursday Oct 6, 12:00 pm - 1:00 pm
Title: Implementing Oracle Access Manager 11g: Oracle Case Study
Speakers: Eric Leach, Director Product Management, Oracle; Chirag Andani, Architect, Oracle
Location: Moscone West, Room 3022


For a complete listing of all Identity Management sessions, hands-on labs, demos and more, download the Identity Management FocusOn now. Join the discussion on OracleIDM blog here, twitter and Facebook or visit www.oracle.com/identity.  #OracleIDM

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
