Wednesday Apr 16, 2014

Management and Provisioning of Mobile Devices - Dave Smith

Today we will explore provisioning and device management. These weren’t always considered to be related topics, but in a bring-your-own-device (BYOD) world, there are new relationships to consider…!

 So what is a device…? In the context of the Internet of Things, it potentially refers to anything having an IP Address, such as an automobile, refrigerator, etc. In the context of mobile security, it refers to smartphones and tablets. The mobile device is the new channel to access corporate content, applications and systems, breaking free from the traditional model of using a desktop computer or laptop to access these assets.

It should be no surprise that from the perspective of enterprise security, “device management” means controlling the device or, better yet, controlling what corporate assets can be accessed from this device. In a BYOD world, employees bring their personal mobile devices into the workplace in order to more flexibly access corporate assets. The BYOD phenomenon defines not only an architecture, but also a cultural shift and, quite frankly, an expectation of users that their personal devices will continue to provide the experience they are accustomed to for other mobile apps. Device management, therefore, must be carefully deployed: it has to provide easy and familiar access for employees’ devices without sacrificing corporate security by providing limitless access to corporate assets. While on the surface device management seems to be a device-centric approach, it actually needs to be user-centric.

 So what does provisioning mean to mobile devices? Provisioning means managing access. Often this is associated with managing access to application accounts – e.g. create, update, retrieve or delete of accounts or managing the privileges or entitlements granted through these accounts. However, when considering mobile devices and device management, provisioning must also refer to managing access from the user’s device to corporate assets (content, files/shares, applications, services). So, provisioning includes both digital (e.g. accounts and access) as well as physical access (e.g. enabling network access to corporate assets). Managing someone’s access by group or role (e.g. role-based access control, RBAC) is much more scalable and less brittle than managing access on an individual user-by-user basis.

 Provisioning access can be triggered by a number of factors. One is “birth right” access, based on a new hire event. Another is driven by requests for new access (e.g. similar to online shopping, but where the cart holds new entitlements). With the introduction of mobile devices, a third example describes managing the available catalog of mobile apps that a particular person can download to his/her device, ideally based upon his/her job and role within the company.

 Closely related to provisioning is de-provisioning, which is the removal of access. Historically, de-provisioning occurs when the person leaves the company or when they change jobs and no longer need access. In a BYOD world, de-provisioning must extend to the mobile apps running on the person’s enabled devices. Furthermore, given the fact that mobile devices can be more easily lost or stolen, mobile device management dictates that access has to be de-provisioned or blocked from the device, when the device itself has been compromised.
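The provisioning triggers and the de-provisioning cases described above can be modeled in a few lines. This is an added example, not code from Oracle or from the post's author; the role names, entitlement names and the `Provisioner` class are hypothetical and constructed for illustration.

```python
# Constructed role model; role, entitlement and app names are hypothetical.
ROLE_ENTITLEMENTS = {
    "employee": {"email", "intranet"},   # "birth right" access every hire receives
    "sales": {"crm"},
    "finance": {"ledger", "expense-approval"},
}
ROLE_APP_CATALOG = {
    "employee": {"mail-app"},
    "sales": {"crm-app"},
    "finance": {"ledger-app"},
}


class Provisioner:
    def __init__(self):
        self.roles = {}     # user -> set of role names
        self.devices = {}   # user -> {device_id: "active" or "blocked"}

    def entitlements(self, user):
        """Account-level access is derived from roles, never stored per user."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles.get(user, ())))

    def app_catalog(self, user, device_id):
        """Apps this user may install on this device; empty once the device is blocked."""
        if self.devices.get(user, {}).get(device_id) != "active":
            return set()
        return set().union(*(ROLE_APP_CATALOG[r] for r in self.roles.get(user, ())))

    def _set_roles(self, user, new_roles):
        # Return the delta so the caller can push grants and revocations downstream.
        before = self.entitlements(user)
        self.roles[user] = set(new_roles)
        after = self.entitlements(user)
        return {"grant": sorted(after - before), "revoke": sorted(before - after)}

    def hire(self, user, job_roles):
        self.devices.setdefault(user, {})
        return self._set_roles(user, {"employee", *job_roles})

    def transfer(self, user, job_roles):
        """Job change: access that the new roles do not justify is revoked."""
        return self._set_roles(user, {"employee", *job_roles})

    def enroll_device(self, user, device_id):
        self.devices[user][device_id] = "active"

    def device_compromised(self, user, device_id):
        """Lost or stolen device: block that device only; the account keeps its roles."""
        self.devices[user][device_id] = "blocked"

    def terminate(self, user):
        for device_id in self.devices.get(user, {}):
            self.devices[user][device_id] = "blocked"
        return self._set_roles(user, set())
```

Because access is computed from roles, a job change produces an explicit revoke list instead of leaving stale entitlements behind, and a compromised device is cut off without touching the user's other enrolled devices.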

 In the next blog, we will take a look into the concept of “secure containers”, which are provisioned to the device as a key component to a successful BYOD strategy.

Wednesday Apr 02, 2014

Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements - by Matt Flynn

Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.

Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

In the MDM model, employees relinquished control of their devices to their employer. Big brother knew what was installed, how the devices were used, what data was on the device, and MDM gave organizations full control to wipe device data at will. As a result, many people chose to carry two devices: one for personal use and the other for work. As device manufacturers dramatically improved products every six months, people quickly began using personal devices as the primary communication mechanism and work devices as needed to perform certain tasks. It also drove people to insecurely send work data to personal devices for convenience, increasing the risk of data loss. For these reasons and with the upswing of BYOD, MDM has been relegated to playing a supporting role in Enterprise Mobile Security.

Mobile Application Management (MAM) has emerged as a better alternative to MDM in the world of BYOD. MAM solutions create a secure mechanism for employees to interact with corporate data and apps without infringing upon personal apps and data. With MAM, organizations can control application and data access, control how data is used on mobile devices, and enable new mobile access scenarios without compromising security. MAM embraces the BYOD movement and encourages employee mobility while also locking down data, reducing exposure, and responding more efficiently to compliance mandates about how data is used. But MAM isn’t the end of the story.

Mobile access isn’t much different than other types of access. It’s just another access point that should be part of an Enterprise Access Management approach. Securing access via mobile devices shouldn’t require an entirely separate technology silo, another set of management interfaces, and yet another point of integration for corporate Access Governance. Also, most MAM solutions fall short on a variety of use-cases. By rationalizing MAM into an enterprise Access Management approach, organizations gain extremely valuable capabilities that are otherwise unavailable in MAM solutions alone.

For example, MAM-type on-device virtual workspace approaches don’t work very well in B2C scenarios where apps are delivered via well-known public app stores. Nor do they make sense from a user experience perspective in those scenarios. Also, for advanced Access Management scenarios such as risk-based transaction authorization, integrating basic app security with back-end adaptive access solutions provides extremely compelling benefits. With apps looking to leverage modern protocols such as REST to access legacy system data, there are benefits from Access Management infrastructure such as API Gateways that provide those services. Providing support for these advanced scenarios in a solution that provides a single point of management, single infrastructure, and unified audit trail is where Mobile security is heading.

Next generation mobile security solutions will see MDM and MAM features integrated into more traditional and enterprise-centric Access Management solutions. This single platform approach simplifies management, reduces cost, and enables an improved user experience. But more importantly, incorporating the capabilities of a robust Access Management platform opens new avenues through which to do business and engage with customers, partners, and the extended community. Oracle has a focus on providing exactly this kind of integrated and consolidated approach to securing the mobile platform through securing the device, applications and the access with the Oracle Mobile Security Suite.

In our next post in this series, we’ll look at the various deployment phases through which cloud technologies are being adopted by increasingly mobile workforces starting with cloud-based file sharing services.

Wednesday Mar 26, 2014

Multi Channel Architecture & Securing The Mobile Channel - by Ricardo Diaz

This brand NEW series from Oracle's Global Sales Support team will dive into mobile security risks, dissect MDM, MAM and changes in the wind, device management, fraud, secure containers, extending IdM to mobile, application development and much more.

Multi-Channel Architecture (MCA) projects are transformative business trends brought on by I.T. modernization initiatives across industries. As the technology of these customer, partner, vendor or employee channels evolves to meet today's new business opportunities, security and privacy risks have never been greater. Especially, the Mobile Channel.

Let's look at one of my favorite industry's multi-channel architectures, BANKING, and why securing the mobile channel is quickly becoming a priority for businesses globally.

A bank's channels, ATM, Branches, Online, IVR, POS, PSE and Mobile, all need airtight information protection policy and rock-solid security/privacy controls. The Mobile channel, on the surface, looms as the 800-pound gorilla in the room with many bank enterprise security architects because mobile security, to many, is so new. In reality, with the right technology partner it doesn’t have to be.

One interesting and risky trend I noticed working with Colombia, Mexico and Australia banks and their MCA projects is where the mobile application development group sits in the enterprise org. These critical development teams were sitting outside of I.T.! NO governance. Weak security. They did this to speed the development process of their apps. I get it, but this is a good example of what probably is more common than you'd think when it comes to the risks of mobile application development. So is bringing these development teams under the I.T. umbrella going to secure their apps? Not necessarily, but this type of security challenge highlights the need for not just a good mobile security solution but one that isn't bound by organizational or political barriers. All these MCA Banking projects had this challenge as a key business driver for a robust secure mobile channel. Take a look INSIDE your organization. Is security ubiquitous within your mobile business channel? Are short cuts being taken to speed up development and meet business demand? Can you extend your enterprise security policy to these mobile devices if these apps were not built to your corporate enterprise architecture or security standard?

In the next GSS blog, we will highlight how the MDM/MAM space has evolved and why these technologies are part of the mobile security answer but not the final answer.

Wednesday Feb 26, 2014

Announcing Oracle Mobile Security Suite: Secure Deployment of Applications and Access for Mobile

Today, Oracle has announced a new offering, Oracle Mobile Security Suite, which will provide access to sensitive applications and data on personal or corporate owned devices.  This new offering will give enterprises unparalleled capabilities in how they contain, control and enhance the mobile experience.


A great deal of effort has been placed into analyzing how corporations are leveraging the mobile platform today, as well as how they will use this platform in the future. Corporate IT has spoken loud and clear of the challenges they face around lengthy provisioning times for access to applications and services, as well as the need for managing the increased usage of applications. Recent industry reports show how significant the risks can be. [1] A detailed assessment of one of the most popular application marketplaces shows that 100% of the top 100 paid apps have some form of rogue variant posted within the same marketplace. Credential theft is on the rise, and one of the places it is being achieved is the mobile device, through rogue apps or malware with embedded keystroke recorders or collection tools that send back other critical data from the device.

One of the great new features of the Oracle Mobile Security Suite (OMSS) is the use of containers. Containers allow OMSS to create a secure workspace within the device, where corporate applications, email, data and more can reside. This workspace utilizes its own secure communications back to the back-end cloud or corporate systems, independent of VPN. This means that corporate information is maintained and managed separately from the personal content on the device, giving end users the added flexibility of using personal devices without impacting the corporate workspace. Remote wipe of data now doesn't impact the entire device; rather, it affects only the contents of the corporate workspace. New policies and changes in access and applications can be applied whenever a user authenticates into their workspace, without having to rebuild or re-wrap any applications in the process, unlike other offerings. This is a very unique approach for Oracle.

More details on this new release at  http://www.oracle.com/us/corporate/press/2157116

Rounding out this offering, are capabilities that enable the complete end to end provisioning of access, Single Sign-on within the container, enterprise app store and much more.  

Technical Whitepaper: Extending Enterprise Access and Governance with Oracle Mobile Security

For the latest information on Oracle's Mobile Strategy, please visit the Oracle Mobile Security Suite product page, or check back for upcoming Mobile Security postings on the Oracle IDM blog page this March. 

[1] 2013 X-Force Internet Threat Report


Wednesday Dec 11, 2013

Facilitating Secure BYOD: Deep Dive - Simeio Solutions

In our first post, we explored BYOD, its imminent challenges and tool sets which one can employ to overcome these hurdles. The second post gave you a peek into Mobile Device Management (MDM) and the set of problems it alleviates.

In this post, I will briefly introduce you to a relatively lesser-known Mobile Security term known as 'App Containerization'. Then we will continue to explore the Oracle Access Mobile and Social product offerings. This time, the emphasis will be on 'How' OAMMS facilitates a secure mobile experience, to help you gain insight into what really happens behind the scenes.

Mobile Application Containerization: What does it really mean?
As the name clearly indicates, it is a mobile 'application' level security mechanism as opposed to 'device' level protection with an emphasis on providing finer-grained application-level controls, not just device-level controls. Application Containerization can allow organizations to protect their data on any mobile device by ensuring that security restrictions are applicable only when the user interacts with the enterprise/official business applications.

How is it different from Mobile Device Management?
Mobile Device Management (MDM) empowers IT with device-level controls such as executing remote data wipe, enforcing device password policy etc. It is an indispensable tool for corporations. However, from an end user perspective, MDM brings to the fore concerns such as:

  • Employee privacy invasion - Why should the organization have ACCESS to my personal photos, emails etc?
  • Employee personal data sustainability concerns - What if my company wipes out ALL of my personal data on my device in order to reduce risk for a couple of corporate applications?

All that matters is to keep enterprise data secure, not to intrude on the user's privacy.

'Containerization' is a technique which can help organizations combine the best of both worlds. It is categorized under the 'Mobile Application Management' (MAM) domain. This is a new-generation mobile security technology which ensures a tight rein over corporate data on mobile devices without being too intrusive for the end user. Personal and containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container'. Communication to corporate servers or other 'containerized' applications is completely 'secure'.

App Containerization Fundamentals and Strategies

  • Works on the concept of 'Sand-boxing' the application execution.
  • Provides a secure run-time container for each managed application and its data.
  • Clearly segregates personal and corporate applications and associated data irrespective of the device.

A few of the techniques which are employed for application containerization are listed below.

Application Wrapping
This strategy involves processing the application via the 'App Wrapping' tool and creating a security wrapper around it. This process does not require any additional 'coding'.

Customized Code Based Integration
Specific Software Development Kits (SDKs) can be leveraged in order to 'code' the functionalities which cannot be delivered via 'Application Wrapping'. Mobile application developers can use APIs in the SDK to weave the capabilities of the mobile security platform into the applications.

Dual Persona
This is a containerization technique wherein corporate and personal applications are installed under separate areas which are abstracted as 'personas'

Encrypted Space
Applications and data may be kept within the confines of an encrypted space, or folder.

A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.

Where does Oracle come into the picture?
Through its recent acquisition of Bitzer Mobile, Oracle's rich portfolio of mobile security offerings has been further strengthened.  Oracle can help organizations with comprehensive solutions in order to manage the security of enterprise data held on employee's mobile devices.

Why Containerize Your Apps?
Containerization improves user experience and productivity as well as ensures enterprise safety and compliance by:

  • Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or other workflows that require multiple applications to work in coherence with each other.
  • Restricting a user’s ability to access, copy, paste or edit data held within the application container.
  • Enforcing security policies that govern access to the containerized data
  • Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.


Let us pick up the thread from the very first post of this series, and take a deep dive into the Oracle Access Manager Mobile and Social product offerings.

Oracle Mobile and Social Feature Set

OAMMS features can be broadly categorized into the following

Mobile Services
The Mobile Services segment of OAMMS connects mobile devices and applications to existing IDAM services and components and enables organizations to reap the full benefit of their existing IAM investments.
Salient features of 'Mobile Services' are as follows

Authentication
Under the hood, the basic Authentication process is powered by Oracle Access Manager.  A typical use case encapsulates the following set of events

  • The user launches the mobile application on his device, which redirects him to the Mobile SSO Agent.
  • Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.
  • The Mobile and Social server responds with a User Token as a result of the above process, and this token is further utilized by the calling mobile application to request an Access Token.
  • After the Mobile and Social server has issued the Access Token, the business mobile application can leverage this token to make calls to the resources/enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.


OAMMS Authentication Process
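The token chain in the steps above, as an added example that is not Oracle's code or API: a toy in-memory server issues a User Token against credentials plus a Client Registration Handle, then Access Tokens against that User Token. The class and method names, the per-application scoping of Access Tokens, the token lifetime and the plain denial of a device tagged lost are assumptions made for illustration.

```python
import hmac
import secrets
import time


class AuthError(Exception):
    """Raised when the toy server refuses a request."""


class MobileAndSocialServer:
    """Toy model of the server side of the flow (hypothetical, not Oracle's API)."""

    def __init__(self, users, ttl=300):
        self.users = users          # username -> password, constructed demo data
        self.devices = {}           # client registration handle -> {"lost": bool}
        self.user_tokens = {}       # user token -> (username, handle, expiry)
        self.access_tokens = {}     # access token -> (username, handle, app, expiry)
        self.ttl = ttl

    def register_device(self):
        handle = secrets.token_urlsafe(16)
        self.devices[handle] = {"lost": False}
        return handle

    def mark_lost(self, handle):
        self.devices[handle]["lost"] = True

    def require_trusted(self, handle):
        device = self.devices.get(handle)
        if device is None:
            raise AuthError("unregistered device")
        if device["lost"]:
            raise AuthError("device reported lost or stolen")

    def issue_user_token(self, username, password, handle, now=None):
        """Step 2: credentials are accepted only together with a registered handle."""
        now = time.time() if now is None else now
        self.require_trusted(handle)
        expected = self.users.get(username, "")
        # Constant-time comparison; unknown users fail the same way as bad passwords.
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(24)
        self.user_tokens[token] = (username, handle, now + self.ttl)
        return token

    def issue_access_token(self, user_token, app_id, now=None):
        """Step 3: a business app trades the User Token for its own Access Token."""
        now = time.time() if now is None else now
        entry = self.user_tokens.get(user_token)
        if entry is None or entry[2] < now:
            raise AuthError("invalid or expired user token")
        username, handle, _ = entry
        self.require_trusted(handle)
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = (username, handle, app_id, now + self.ttl)
        return token

    def check_access(self, access_token, app_id, now=None):
        """Step 4: a protected resource asks who the caller is; None means deny."""
        now = time.time() if now is None else now
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[3] < now or entry[2] != app_id:
            return None
        if self.devices[entry[1]]["lost"]:
            return None   # tokens die with the device, not only at expiry
        return entry[0]


def demo():
    server = MobileAndSocialServer({"alice": "correct horse"})   # constructed account
    handle = server.register_device()
    # Only the SSO agent handles the password; apps see tokens, never credentials.
    user_token = server.issue_user_token("alice", "correct horse", handle)
    expenses = server.issue_access_token(user_token, "expenses")
    crm = server.issue_access_token(user_token, "crm")   # second app, no new prompt
    before = (server.check_access(expenses, "expenses"),
              server.check_access(crm, "expenses"))      # crm token is not valid here
    server.mark_lost(handle)
    after = server.check_access(expenses, "expenses")
    return before, after


if __name__ == "__main__":
    print(demo())
```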

Authorization
Authorization is taken care of by Oracle Entitlements Server (OES), which is driven by policy-based configurations. OES manages authorization for mobile devices and applications with the help of 'mobile device context', which is nothing but a type of 'Identity Context' attribute.

Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction and it is shared across Oracle’s identity and access management components

Single Sign On
With SSO in place, a user can run multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the mobile device needs to be designated as a mobile SSO agent in order for mobile-based SSO to work.

  • The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.
  • It orchestrates and manages device registration, risk based authentication.
  • Ensures that the user credentials are never exposed to the mobile business application.
  • It can time-out idle sessions, manage global logout for all applications, and help in selective device wipe outs.

Device Registration
Oracle Adaptive Access Manager (OAAM) policies are executed by the OAAM Mobile Security Handler Plug-in.

  • The OAAM Security Handler Plug-in creates two security handles
    • oaam.device handle, which represents the mobile device
    • oaam.session handle, which represents an OAAM login session for a client application
  • The above mentioned 'handles' drive the 'device registration' process
  • OAAM policies can be configured to force the device registration process to require Knowledge Based Authentication (KBA) or One Time Password (OTP)

Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM)

Lost or Stolen Device Management
The Mobile and Social service works hand in hand with OAAM and counters these risks by providing a way to tag a device as lost or stolen and then implement policies that are designed to be invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.

  • If the device has been reported lost or stolen, OAAM can be configured to challenge a user before providing access to the mobile applications and its associated data.
  • OAAM policies can also be designed to wipe out the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.
  • OAAM policies can be configured to protect against 'Jailbroken' devices and wipe out the data. Mobile and Social service needs to be configured with jailbreak detection on.

Internet Identity Services
Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverage authentication and authorization services from cloud providers. Mobile applications can consume Social Identities securely, and customers can federate easily with social networking sites.

These services benefit the end users as well as the developers

User centric - The users are presented with convenient multiple log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.

Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live

Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.



Oracle Mobile and Social services can be easily extended to support other service providers, thanks to its flexible architecture based on 'Open' standards such as OAuth and OpenID

End to end flow wherein Identity Services are used in conjunction with OAM (for authentication)
  • A protected application is accessed by the user, and the request is intercepted by the WebGate.
  • The Mobile and Social server presents a login page to the user after OAM analyses the authentication policies applicable to the resource.
  • The login page presents a menu of Social Identity Providers (e.g. Facebook) and the user is redirected to the login page for the selected Social Identity Provider.
  • The user types a user name and password into the Social Identity Provider's login page; the Identity Provider validates them and redirects control back to the Mobile and Social server.
  • The Mobile and Social server further processes the Identity assertions supplied by the Identity Provider and after retrieving user identity information, redirects the user's browser to Access Manager. This time HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.
  • Access Manager creates a user session and redirects the user to the protected resource


User Profile Services
User Profile Services allows mobile applications to perform a variety of LDAP compliant directory server tasks.

  • Directory administrative tools can be created wherein an authorized administrator can invoke CRUD operations on users and groups, manage passwords and entities like managers etc.
  • Corporate or community white pages are another common application using User Profile services.
  • These services are inherently secure and protected by either an OAM token or a JSON Web Token (JWT), and they can also require device and application registration
  • OOTB support for seamless integration with popular LDAP compliant directory servers such as Oracle Directory Server, Oracle Internet Directory, Oracle Virtual Directory, Active Directory etc

SDKs and REST APIs
SDKs help developers embed identity security features into mobile applications and promote usage of existing identity infrastructure services.

  • They promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.
  • The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.
  • OAMMS provides dedicated APIs for each of its feature categories, namely, Mobile, Internet Identity and User Profile services

Oracle Mobile and Social Services provides separate client software development kits (SDKs) for Apple’s iOS and Google’s Android.

The SDK functionalities are segregated into four distinct modules

  • Authentication Module - Processes authentication requests on behalf of users, devices, and applications.
  • User Role Module - Provides User Profile Services that allow users and applications to get User and Group details from a configured Identity store.
  • REST Handler Module - Provides access to REST web services and automatic injection of tokens for Access Manager protected REST web services.
  • Cryptography Module - Provides simplified APIs to perform cryptography tasks like hashing, encryption, and decryption.
  • Secure Storage Module - Provides APIs to store and retrieve sensitive data using the preferences storage of Android.


Generic REST API
Oracle Mobile and Social Services exposes its functionality through a consistent REST interface, thus enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These can be leveraged when it is not possible to utilize the SDKs directly for communicating with the Mobile and Social backend components.

API Security
Oracle API Gateway (OAG) acts as a filtration layer for inbound REST calls into the Mobile and Social server. It integrates seamlessly with OAM and OES to provide authentication and access control.

In the Mobile and Social solution context, OAG provides services such as

  • Validating JSON Web Tokens (JWT) embedded within REST calls
  • Mapping of XML to JSON for consumption by mobile devices
  • Validation of HTTP parameters, REST query and POST parameters, XML and JSON schemas
  • Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.
  • Auditing and logging web API usage tracking for each mobile client.

OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload.
Sequence of steps involved in OES powered authorization and 'redaction' process

  • OAG intercepts a mobile application request and delegates authentication to OAM.
  • OAG leverages an integration adapter called OES Java Security Service Module (SSM) to interact with OES to authorize the request.
  • After successful authentication and authorization, the user  is granted access to requested resource (business application).
  • Further authorization is driven by OES based on configured policies and it might end up in 'redaction' of some confidential information from the response.
  • OES thus provides the 'redacted' response to OAG which further propagates it back to the requester

OAG and OES working in tandem
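An added example (not OAG or OES code) of two of the duties described above: validating a JSON Web Token carried by a REST call, then redacting governed fields from the response according to the caller's roles. The HS256 algorithm, the `hr-api` audience, the `roles` claim, the field policy, the key and the sample record are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key-not-a-real-secret"
RECORD = {"name": "Alice Example", "phone": "555-0100",
          "salary": 90000, "national_id": "000-00-0000"}   # constructed backend response

# Hypothetical policy: response field -> roles allowed to see it in clear.
FIELD_POLICY = {"salary": {"hr"}, "national_id": {"hr"}, "phone": {"hr", "manager"}}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Build an HS256 token; used here only to construct sample input."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token, key, audience, now=None):
    """Return the claims of a valid token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")   # ValueError unless 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # trusted only after the MAC check
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def redact(record, roles):
    """Mask every governed field that none of the caller's roles may see."""
    return {k: v if k not in FIELD_POLICY or FIELD_POLICY[k] & roles else "[REDACTED]"
            for k, v in record.items()}


def handle_request(token, key, record, now=None):
    """Gateway path: authenticate the call, then return the policy-filtered payload."""
    claims = verify_jwt(token, key, audience="hr-api", now=now)
    return redact(record, set(claims.get("roles", [])))
```

Redaction happens after authentication and on the response path, so a caller with a valid token still receives only the fields the policy grants to its roles.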

Conclusion
I hope you have gained a fair idea of the challenges which enterprise mobility requirements pose and the various options which the Oracle FMW product suite has to offer modern-day organizations to empower and enable them to overcome these hurdles and successfully mobilize their workforce. Customers who are already utilizing products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications. Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating a secure BYOD programme in the 'Cloud'.

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.


About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
