1 Enterprise Mobile Security - A Roadmap
©GreyHeller 2012
Mobile Security for PeopleSoft
A Roadmap
Table of Contents
Overview ........................................................ 3
Authentication .................................................. 4-6
Managing Identities on Corporate Systems ........................ 7
Controlling Mobile Access to Data & Processes ................... 8
Protecting Application Data Stored on Devices ................... 9-10
Device Loss or Theft ............................................ 11
Logging & Auditing .............................................. 12
Overview

The rapid adoption of mobile technologies is both a boon to corporate productivity and end-user
engagement and a nightmare as organizations try to keep up with the security/infrastructure
requirements. According to Forrester Research, in 2016 350 million employees will use smartphones,
200 million of which will bring their own devices to use against corporate systems.

In addition, Forrester Research contends that mobile is the flash point for a much more holistic,
far-reaching change. This means that organizations will:

- Empower people by focusing on their tasks and context in their moments of decision.
- Protect business value by provisioning partners with tools in their daily workflow and context.
- Accelerate business decisions by putting data dashboards into executives’ hands.
- Control smart products from mobile devices and extend the value of products with an app ecosystem.

In order to achieve these benefits, organizations must provide mobile access to their systems, data, and
processes while managing the security risks inherent in mobile technology:

- Security/infrastructure tools to help organizations manage and administer mobile security risks are
  being developed and perfected.
- With the advent of Bring Your Own Device (BYOD) in the enterprise, standardization on mobile
  devices is much more problematic than for desktops or laptops.
- Because mobile devices aggregate personal, business, and collaboration information, security risks
  are high.
- Implementing physical security policies with mobile devices is problematic.

This white paper will examine the risks and solutions for providing mobile access to enterprise systems.
We will cover the following topics:

- Authenticating users from mobile devices
- Managing the user’s identity to corporate systems
- Controlling mobile access to data and processes
- Protecting application data
- Protecting your corporate network
- Dealing with the loss or theft of devices
- Analyzing system activity
Authentication

GreyHeller’s Single Signon product, used by 50+ organizations to externalize authentication credentials
from PeopleSoft, is foundational to our mobile solution, PeopleMobile™.

The first step to using any corporate system is authenticating the user. The authentication process
generally involves a user providing identification as well as one or more correct responses to a system
authentication challenge. Once the user has been authenticated, the system grants access to its data
and business processes based on the user’s identity/role.

When looking at the authentication process, organizations should consider the following:

- Is there a consistent identity for the user across all applications he/she accesses?
- Is there a need to protect against password fatigue?
- Is there a need to protect against user id / password theft?
Externalizing the authentication process

The best way to protect against authentication risks is to externalize the authentication credentials from
each application accessed by an end-user. Implementing a common infrastructure for authentication
across all corporate systems allows the following:

- Providing a single set of credentials that a user can remember for all corporate resources
- Providing a single choke-point for shutting down access when a user is terminated
- Ensuring that password controls are consistently enforced across all corporate systems

Probably the most common means of accomplishing this is to leverage the protocols in place for
managing a user’s identity on an organization’s network and to use a single signon solution that allows
each system to leverage those protocols. These solutions generally leverage Active Directory (LDAP) for
the credentials, and utilize protocols such as NTLM, Kerberos, and WML for securely authenticating
users with those credentials. GreyHeller believes this is best practice regardless of whether a user is
accessing from a desktop machine or a mobile device.

What about authenticating from outside the corporate network?

Obviously, one of the most important benefits of mobile access to corporate systems is allowing users to
perform tasks regardless of their location. However, allowing users to authenticate remotely raises the
following considerations:

1. If you’re leveraging your network for validating a user’s credentials, how do you authenticate
   when the user is external to the network?
2. How can you protect against unauthorized use of somebody else’s credentials?
External Network Validation

GreyHeller Single Signon works with Web VPN Proxy solutions for authentication outside a
corporation’s network. PeopleMobile™ works with the leading enterprise Browser/Email applications.
Historically, organizations have utilized VPN (Virtual Private Network) tunneling to allow users to
authenticate themselves to networks and access network resources. This technique works well for
workstations that need full access to all network resources. However, mobile devices do not access
network resources in the same manner as workstations. In addition, VPN clients must be specially
installed and configured for use.
Therefore, the following techniques are generally used for mobile device authentication:

- Web VPN Proxies
- Special-purpose Browser / Email client applications

It’s important to note that both techniques leverage server-side components that utilize common
networking protocols for authentication (NTLM, Kerberos, and WML) and can leverage single signon
solutions that utilize these protocols.
Web VPN Proxies

A web VPN proxy allows a user to authenticate through a web browser. The server performs the
validation and passes credentials to other systems such as a proxy server. Because the server is
configured to communicate with these other services and manage the process, the device does not
require software to be installed or configured. Common VPN proxies include Microsoft UAG and Cisco
Web VPN.
Special-purpose Browser/Email client application

Another option is to utilize a special-purpose mobile application that isolates access from other
resources on the mobile device. These applications have special logic for calling corporate servers for
authentication and managing access to corporate resources. The application would authenticate itself
to its server component, and the server would grant access to the servers and services that have been
configured. Probably the most common solution in this category is Good Technologies’ Enterprise
Server.

From an authentication perspective, the servers would be configured to leverage common networking
protocols, allowing single signon solutions to provide access to those systems.
Two-Factor Authentication

GreyHeller’s ERP Firewall software product is embedded into PeopleMobile™. It enforces two-factor
authentication based on location and/or content requested.
One technique for protecting mobile users from unauthorized use of their credentials is to require
additional authentication when accessing information from an insecure location or when accessing
sensitive information or processes. For example, it is common practice today for banks to require
additional authentication.

There are a number of ways that the additional authentication can be implemented:

- Prompting for and sending a PIN for the user to enter. The PIN can be sent through a number of
  channels:
  o SMS message
  o Telephone call
  o Email
- Pre-defining a one-time password the user can provide
- Tying access to device identification
- Utilizing a token, such as a SecurID token

Although this additional validation can be prompted upon initial access to the system, it is best practice
to prompt for the additional validation at the point in time when the user is accessing sensitive data or
processes.
Managing User Identity on Corporate Systems

With PeopleMobile™ and embedded ERP Firewall, users have the same identity, rights, and privileges
as on non-mobile systems without the need for synchronization between mobile and non-mobile
systems.

What does it mean to be a given user on a given system? This is an important question, because the
rights and privileges granted to that user on that system are driven by this answer. Organizations
typically spend significant time and effort defining, testing, and auditing this access.

When looking at the architectures that drive mobile access, organizations must also look at the risks
related to managing users’ identities on their corporate systems:
- Do users have consistent privileges across mobile and non-mobile systems?
- How are changes in privileges propagated across mobile and non-mobile systems?
- How do organizations prove to auditors that sufficient controls are enforced across mobile and
  non-mobile systems?

As such, organizations must develop a comprehensive strategy for managing the identity of users
across mobile and non-mobile systems.
Controlling Mobile Access to Data and Processes

PeopleMobile™ with embedded ERP Firewall meets all requirements for controlling remote access to
data and processes.

In order to realize the benefits of utilizing mobile technologies, organizations must allow access to the
data and systems that drive those processes. This doesn’t mean, however, that organizations should
provide unfettered access to all parts of these systems under all conditions.

As part of providing remote access to data and processes, organizations should consider the following
threats:

- Lack of oversight of employees utilizing corporate systems. How do you protect your organization
  against unauthorized use by employees when they are remote? Should users have mobile access to
  transactions such as entering grades or administering payroll?
- Risks related to compromised system credentials. How do you protect your organization against
  remote, unauthorized external parties using compromised system credentials?
- Risks related to lost or stolen mobile devices. How do you protect against unauthorized use of
  compromised mobile devices that contain system credentials?

In order to protect against these threats, organizations should adopt the following techniques:

- Enforcement of location-based control over access to system content
- Adoption of 2-factor authentication challenges when the access location is questionable and/or the
  content accessed is sensitive
- Implementation of user, location, process, and data access logging
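As an added illustration of the location- and content-based controls listed above, together with the point-of-access two-factor challenge described under Two-Factor Authentication (example code written for this edition, not GreyHeller's ERP Firewall or PeopleMobile™ code), the following Python policy check classifies each request by source network and requested content, returns allow, step-up or deny, and records the decision in an audit trail. The corporate address ranges, the component names and the content classification are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: address ranges treated as the corporate network.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical content classification keyed by the requested PeopleSoft
# component or process. Sensitive content always triggers a second-factor
# challenge; MOBILE_BLOCKED content is never served to a mobile device.
SENSITIVE_CONTENT = {"PAYROLL_ADMIN", "GRADE_ENTRY", "SSN_VIEW"}
MOBILE_BLOCKED = {"PAYROLL_ADMIN"}

# In-memory audit trail: one record per decision with user, location,
# device, content and outcome, the fields the paper says must be logged.
AUDIT_LOG = []

@dataclass
class Request:
    user: str
    source_ip: str
    device_type: str                # "desktop" or "mobile"
    content: str                    # requested component or process
    second_factor_ok: bool = False  # True once the step-up challenge passed

def classify_location(ip: str) -> str:
    """Internal if the source address is inside a corporate range."""
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in CORPORATE_NETWORKS) else "external"

def decide(req: Request) -> str:
    """Evaluate one request at the point of access and return
    'allow', 'step_up' (second factor required) or 'deny'."""
    location = classify_location(req.source_ip)
    if req.device_type == "mobile" and req.content in MOBILE_BLOCKED:
        decision = "deny"
    elif (location == "external" or req.content in SENSITIVE_CONTENT) \
            and not req.second_factor_ok:
        decision = "step_up"
    else:
        decision = "allow"
    AUDIT_LOG.append(f"user={req.user} location={location} device={req.device_type} "
                     f"content={req.content} decision={decision}")
    return decision

if __name__ == "__main__":
    print(decide(Request("jsmith", "10.1.2.3", "desktop", "TIMESHEET")))            # allow
    print(decide(Request("jsmith", "203.0.113.7", "mobile", "TIMESHEET")))          # step_up
    print(decide(Request("jsmith", "203.0.113.7", "mobile", "GRADE_ENTRY", True)))  # allow
    print(decide(Request("jsmith", "10.1.2.3", "mobile", "PAYROLL_ADMIN", True)))   # deny
```

The challenge is raised on the request that touches sensitive content, not at login, which is the practice the paper recommends; a passed challenge is carried in the request so the same check allows the follow-up access.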
Protecting Application Data Stored on Devices

PeopleMobile™ protects application data by not storing it on the device. PeopleMobile™ controls access
to sensitive documents.

As part of utilizing enterprise systems, users access data that is sensitive, confidential, and/or regulated,
including:

- Financial data
- Data regulated under HIPAA and FERPA
- SSNs
- Compensation and benefits
- Pricing
- Supplier contracts

This information is provided and managed on devices in various ways, each of which requires
protection:

Delivery of data over networks
  Implement and enforce SSL encryption of all traffic to an organization’s servers.

Caching of application data for performance purposes or disconnected access
  Utilize HTML5 browser-based applications for access to sensitive data. Alternatively, enforce data
  encryption for all data that is stored on mobile devices.

Storing of documents, such as PDF, Word, and Excel files
  Restrict the ability to download documents containing sensitive data. Alternatively, implement
  device-level capabilities for remotely wiping or firewalling files on mobile devices.
Network Security

Mobile devices access corporate systems from the public internet or through corporate wireless
networks. As with any computing device, organizations must protect their networks against viruses and
other malware that may be resident on mobile devices.

Accessing from the public internet
  Proper implementation of physical and application firewalls protects your internal network and
  servers.

Accessing through WIFI – Guest Access
  One technique is to provide WIFI for guest access to mobile devices. Mobile devices connecting to this
  network would only have access to the servers that are firewalled off from the rest of your network.

Accessing through WIFI – Internal Access
  As with any device connecting to an internal network, enforcement of virus and malware protection
  tools is critical for protecting the network and servers.

Supporting Mobile Devices on your internal network

It is imperative to define the policy by which you will support these devices connecting to your network,
including:

- Enforcing use of antivirus software
- Not allowing access by rooted devices
- Enforcing that updates on devices are consistently applied
Loss or Theft of Device

PeopleMobile™ with embedded ERP Firewall enables a tiered strategy for supporting mobile device
access.

Due to the portability of mobile devices, the loss or theft of a device merits special consideration. In
addition to the obvious risks related to corporate use of these devices, there are legal barriers related to
a corporation’s allowable actions with an employee-owned device. While it is perfectly acceptable for
an organization to wipe the memory of a device it owns, this is not the case in a “bring your own device”
scenario.

It is imperative to adopt a comprehensive strategy toward handling of mobile devices:

No access by employee-owned devices
  Usually, this consists of providing employees with mobile devices that are completely controlled by
  the organization.

Restricted access by employee-owned devices
  Organizations can restrict access to mobile devices by location and/or type of device to mitigate
  risks related to lost or stolen devices.

Tiered access by employee-owned devices
  Organizations can grant different levels of security depending on whether employees opt in to
  allowing the organization to wipe the device of its data.
Logging and Auditing

Capturing and analyzing system activity is a critical aspect of any mobile security strategy. This includes
capturing information about who is accessing what content, from what location, and the data and
processes being performed. This allows organizations to:

Proactively administer system security
  - Analyze all attempts to access system resources, enabling organizations to find and counter
    penetration attempts.
  - Analyze system use for patterns that indicate unauthorized use and adherence to policies.

Gather information needed to take action
  - Identify data to support disciplinary action for employees.
  - Gather information to support legal proceedings.

Support audit and controls
  - Prove system integrity and adherence to policies and controls.
  - Document and understand the scope of breaches.
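To show the kind of pattern analysis this section calls for, here is an added Python example (written for this edition, not from the paper or from PeopleMobile™) that scans constructed audit records carrying the user, location, device, content and decision fields and flags users whose repeated external step-up challenges were never followed by a successful access, plus any attempts that were denied outright. The record format, the sample lines and the challenge threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of an access audit trail: one record per decision,
# with the fields the paper says must be captured.
SAMPLE_LOG = """\
user=jsmith location=internal device=desktop content=TIMESHEET decision=allow
user=jsmith location=external device=mobile content=SSN_VIEW decision=step_up
user=jsmith location=external device=mobile content=SSN_VIEW decision=step_up
user=jsmith location=external device=mobile content=SSN_VIEW decision=step_up
user=jsmith location=external device=mobile content=SSN_VIEW decision=step_up
user=akim location=external device=mobile content=GRADE_ENTRY decision=step_up
user=akim location=external device=mobile content=GRADE_ENTRY decision=allow
user=rlee location=internal device=mobile content=PAYROLL_ADMIN decision=deny
"""

def parse_line(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())

def find_suspicious(log_text: str, challenge_threshold: int = 3) -> dict:
    """Return two findings worth an administrator's attention:
    - unresolved_challenges: users who were challenged for a second factor
      from an external location at least `challenge_threshold` times and
      never gained access externally (a pattern consistent with someone
      holding the password but not the second factor);
    - denied: (user, content) pairs for requests refused outright, such as
      mobile access to content withheld from mobile devices."""
    challenges = defaultdict(int)
    passed_externally = set()
    denied = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["location"] == "external":
            if rec["decision"] == "step_up":
                challenges[rec["user"]] += 1
            elif rec["decision"] == "allow":
                passed_externally.add(rec["user"])
        if rec["decision"] == "deny":
            denied.append((rec["user"], rec["content"]))
    unresolved = {user: count for user, count in challenges.items()
                  if count >= challenge_threshold and user not in passed_externally}
    return {"unresolved_challenges": unresolved, "denied": denied}

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

In the sample, akim is challenged once and then succeeds, so only jsmith's four unanswered external challenges and rlee's denied payroll request are reported.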
PeopleMobile™ with embedded ERP Firewall captures all information needed to comply with logging and
auditing requirements.