
Enterprise Mobile Security for PeopleSoft

Mobile Security for PeopleSoft: A Roadmap

©GreyHeller 2012


Table of Contents

- Overview
- Authentication
- Managing Identities on Corporate Systems
- Controlling Mobile Access to Data & Processes
- Protecting Application Data Stored on Devices
- Network Security
- Device Loss or Theft
- Logging & Auditing


Overview

The rapid adoption of mobile technologies is both a boon to corporate productivity and end-user engagement and a nightmare for organizations trying to keep up with the security and infrastructure requirements. According to Forrester Research, in 2016 350 million employees will use smartphones, 200 million of whom will bring their own devices to use against corporate systems.

In addition, Forrester Research contends that mobile is the flash point for a much more holistic, far-reaching change. This means that organizations will:

- Empower people by focusing on their tasks and context in their moments of decision.
- Protect business value by provisioning partners with tools in their daily workflow and context.
- Accelerate business decisions by putting data dashboards into executives' hands.
- Control smart products from mobile devices and extend the value of products with an app ecosystem.

In order to achieve these benefits, organizations must provide mobile access to their systems, data, and processes while managing the security risks inherent in mobile technology:

- Security and infrastructure tools that help organizations manage and administer mobile security risks are still being developed and perfected.
- With the advent of Bring Your Own Device (BYOD) in the enterprise, standardizing on mobile devices is much more problematic than for desktops or laptops.
- Because mobile devices aggregate personal, business, and collaboration information, the security risks are high.
- Implementing physical security policies for mobile devices is problematic.

This white paper examines the risks and solutions for providing mobile access to enterprise systems. We will cover the following topics:

- Authenticating users from mobile devices
- Managing the user's identity on corporate systems
- Controlling mobile access to data and processes
- Protecting application data
- Protecting your corporate network
- Dealing with the loss or theft of devices
- Analyzing system activity


Authentication

GreyHeller's Single Signon product, used by 50+ organizations to externalize authentication credentials from PeopleSoft, is foundational to our mobile solution, PeopleMobile™.

The first step to using any corporate system is authenticating the user. The authentication process generally involves a user providing identification as well as one or more correct responses to a system authentication challenge. Once the user has been authenticated, the system grants access to its data and business processes based on the user's identity and roles.

When looking at the authentication process, organizations should consider the following:

- Is there a consistent identity for the user across all applications he or she accesses?
- Is there a need to protect against password fatigue?
- Is there a need to protect against user id / password theft?

Externalizing the authentication process

The best way to protect against authentication risks is to externalize the authentication credentials from each application accessed by an end user. Implementing a common infrastructure for authentication across all corporate systems allows the following:

- A single set of credentials that a user can remember for all corporate resources
- A single choke-point for shutting down access when a user is terminated
- Consistent enforcement of password controls across all corporate systems

Probably the most common means of accomplishing this is to leverage the protocols already in place for managing a user's identity on the organization's network, and to use a single signon solution that lets each system leverage those protocols. These solutions generally use Active Directory (accessed via LDAP) as the credential store, and use protocols such as NTLM and Kerberos (or, for federated web single signon, SAML) to authenticate users with those credentials. Externalizing the credentials means the application itself never sees or stores the user's password; it receives only an authenticated identity from the single signon layer.

GreyHeller believes this is best practice regardless of whether a user is accessing from a desktop machine or a mobile device.

What about authenticating from outside the corporate network?

Obviously, one of the most important benefits of mobile access to corporate systems is allowing users to perform tasks regardless of their location. However, allowing users to authenticate remotely raises the following considerations:

1. If you are leveraging your network for validating a user's credentials, how do you authenticate when the user is external to the network?
2. How can you protect against unauthorized use of somebody else's credentials?


External Network Validation

GreyHeller Single Signon works with Web VPN Proxy solutions for authentication outside a corporation's network. PeopleMobile™ works with the leading enterprise Browser/Email applications.

Historically, organizations have utilized VPN (Virtual Private Network) tunneling to allow users to authenticate themselves to networks and access network resources. This technique works well for workstations that need full access to all network resources. However, mobile devices do not access network resources in the same manner as workstations. In addition, VPN clients must be specially installed and configured for use.

Therefore, the following techniques are generally used for mobile device authentication:

- Web VPN proxies
- Special-purpose browser / email client applications

It is important to note that both techniques rely on server-side components that use common networking protocols for authentication (NTLM and Kerberos, or SAML for federated web single signon), and can therefore leverage single signon solutions that use these protocols.

Web VPN Proxies

A web VPN proxy allows a user to authenticate through a web browser. The proxy server performs the validation and passes the user's authenticated identity (or credentials) on to other systems, such as the application's own web server. Because the proxy is configured to communicate with these other services and manage the process, the device does not require software to be installed or configured. Common web VPN proxies include Microsoft UAG and Cisco Web VPN.

Special-purpose Browser/Email client application

Another option is to utilize a special-purpose mobile application that isolates corporate access from other resources on the mobile device. These applications have special logic for calling corporate servers for authentication and managing access to corporate resources. The application authenticates itself to its server component, and the server grants access to the servers and services that have been configured for it. Probably the most common solution in this category is Good Technology's Enterprise Server.

From an authentication perspective, the servers are configured to leverage common networking protocols, allowing single signon solutions to provide access to those systems.
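Both techniques above end the same way: a server-side component (the web VPN proxy, or the server half of the special-purpose client) authenticates the user and then asserts that identity to the application tier. The check the application tier must perform on such an assertion is shown here as an added example; it is not code from this paper, from GreyHeller, or from any proxy vendor. The header name X-Proxy-User, the assertion format, the shared secret and the user ids are assumptions. The naive version, which trusts whatever the header says, is spoofable by anyone who can reach the application tier without passing through the proxy; the signed version is not.

```python
"""Verifying a proxy-asserted identity at the application tier.

Added example, not code from the original page or from GreyHeller.  It assumes
a web VPN proxy (or the server half of a special-purpose client) authenticates
the user and forwards the user id in an HTTP header; the header name
X-Proxy-User, the assertion format, the shared secret and the user ids are
all hypothetical.
"""
import base64
import hashlib
import hmac
from typing import Optional

HEADER = "X-Proxy-User"        # hypothetical header carrying the assertion
SHARED_SECRET = b"rotate-me"   # constructed; provision per proxy, out of band
MAX_AGE = 300                  # seconds an assertion stays valid
CLOCK_SKEW = 60                # seconds of clock drift tolerated


def naive_user(headers: dict) -> Optional[str]:
    """Vulnerable: trusts the header as sent.  Anyone who can reach the
    application tier directly (bypassing the proxy) can claim any identity."""
    return headers.get(HEADER)


def make_assertion(user_id: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """Proxy side: 'user|issued_at|base64(HMAC-SHA256(user|issued_at))'."""
    payload = f"{user_id}|{now}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return payload.decode() + "|" + base64.urlsafe_b64encode(tag).decode()


def verify_assertion(value: str, now: int, secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Application side: return the user id only if the tag is valid and fresh."""
    try:
        user_id, issued, tag_b64 = value.split("|")
        issued_at = int(issued)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None                                # malformed assertion
    expected = hmac.new(secret, f"{user_id}|{issued_at}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None                                # forged or tampered
    if not (now - MAX_AGE <= issued_at <= now + CLOCK_SKEW):
        return None                                # stale or from the future
    return user_id


def verified_user(headers: dict, now: int) -> Optional[str]:
    """Hardened: the header is an identity only if the proxy signed it."""
    value = headers.get(HEADER)
    if value is None:
        return None
    return verify_assertion(value, now)


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_assertion("jdoe", now)
    forged = good.replace("jdoe", "admin")
    print("naive accepts a bare forged header:", naive_user({HEADER: "admin"}))
    print("verified accepts the genuine assertion:", verified_user({HEADER: good}, now))
    print("verified rejects the tampered one:", verified_user({HEADER: forged}, now))
```

The signature is necessary but not sufficient: the application tier should also accept connections only from the proxy's addresses, the proxy-to-application hop should itself be TLS, and the short lifetime limits (but does not eliminate) replay of a captured assertion. In PeopleSoft terms, the place for this check is the signon code that accepts an externally authenticated identity, before any user id is taken on trust.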


Two Factor Authentication

GreyHeller's ERP Firewall software product is embedded into PeopleMobile™. It enforces two-factor authentication based on location and/or content requested.

One technique for protecting mobile users from unauthorized use of their credentials is to require additional authentication when accessing information from an insecure location or when accessing sensitive information or processes. For example, it is common practice today for banks to require additional authentication for sensitive transactions.

There are a number of ways that the additional authentication can be implemented:

- Prompting for a one-time PIN that is sent to the user, who then enters it. The PIN can be sent through a number of channels:
  o SMS message
  o Telephone call
  o Email
  Of these, SMS and email are the weakest: a PIN sent over either can be read by whoever controls the phone number or the mailbox, so prefer an authenticator app or a hardware token where the data warrants it.
- Pre-defining a one-time password the user can provide
- Tying access to device identification
- Utilizing a token, such as an RSA SecurID token

Although this additional validation can be prompted upon initial access to the system, it is best practice to prompt for it at the point in time when the user is accessing sensitive data or processes. The timing matters: a challenge at login protects against a stolen password, but a challenge at the sensitive transaction also protects a session that is already open on a lost or stolen device.


Managing User Identity on Corporate Systems

With PeopleMobile™ and embedded ERP Firewall, users have the same identity, rights, and privileges as on non-mobile systems, without the need for synchronization between mobile and non-mobile systems.

What does it mean to be a given user on a given system? This is an important question, because the rights and privileges granted to that user on that system are driven by the answer. Organizations typically spend significant time and effort defining, testing, and auditing this access.

When looking at the architectures that drive mobile access, organizations must also look at the risks related to managing users' identities on their corporate systems:

- Do users have consistent privileges across mobile and non-mobile systems?
- How are changes in privileges propagated across mobile and non-mobile systems?
- How do organizations prove to auditors that sufficient controls are enforced across mobile and non-mobile systems?

As such, organizations must develop a comprehensive strategy for managing the identity of users across mobile and non-mobile systems. A mobile front end that keeps its own copy of users and roles is a second authorization system to keep in sync and to audit; the safer design is for the mobile path to resolve to the same user and the same roles as the core system, so that a change made once applies everywhere.


Controlling Mobile Access to Data and Processes

PeopleMobile™ with embedded ERP Firewall meets all requirements for controlling remote access to data and processes.

In order to realize the benefits of mobile technologies, organizations must allow access to the data and systems that drive their processes. This does not mean, however, that organizations should provide unfettered access to all parts of these systems under all conditions.

As part of providing remote access to data and processes, organizations should consider the following threats:

- Lack of oversight of employees utilizing corporate systems. How do you protect your organization against unauthorized use by employees when they are remote? Should users have mobile access to transactions such as entering grades or administering payroll?
- Risks related to compromised system credentials. How do you protect your organization against remote, unauthorized external parties using compromised system credentials?
- Risks related to lost or stolen mobile devices. How do you protect against unauthorized use of compromised mobile devices that contain system credentials or an open session?

In order to protect against these threats, organizations should adopt the following techniques:

- Enforcement of location-based control over access to system content
- Adoption of two-factor authentication challenges when the access location is questionable and/or the content accessed is sensitive
- Implementation of user, location, process, and data access logging
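The three techniques above, and the Two Factor Authentication section's advice to challenge at the point of sensitive access, combine into one decision per request. The following is an added example of that decision, not GreyHeller's ERP Firewall and not code from this paper: it classifies the source address as internal or questionable, requires a second factor for sensitive content or an external location, refuses a few transactions remotely regardless of the second factor, verifies the second factor with a standard RFC 6238 TOTP code, and emits an audit record for every decision. The network ranges, the content paths, the TOTP secret and the audit record layout are assumptions.

```python
"""Location- and content-aware step-up authentication with audit logging.

Added example, not the page's or GreyHeller's code.  The internal network
ranges, the sensitive/blocked path lists, the TOTP secret and the audit
record layout are constructed assumptions; the TOTP algorithm is RFC 6238
(HMAC-SHA1), which the common authenticator apps and tokens implement.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict

# Assumed: addresses in these ranges are the corporate network; anything else
# (including an unparsable address) is treated as a questionable location.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Assumed content classification: payroll, grades and bank details are sensitive.
SENSITIVE_PREFIXES = ("/psp/hr/payroll/", "/psp/sa/grades/", "/psp/hr/direct_deposit/")
# Assumed: transactions never permitted from outside, even with a second factor.
BLOCKED_REMOTELY = ("/psp/hr/payroll/run",)


def is_internal(source_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def decide(path: str, source_ip: str, second_factor_done: bool) -> str:
    """Return 'allow', 'step_up' (challenge before serving) or 'deny'."""
    internal = is_internal(source_ip)
    if not internal and path.startswith(BLOCKED_REMOTELY):
        return "deny"
    if is_sensitive(path) or not internal:
        return "allow" if second_factor_done else "step_up"
    return "allow"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))


def audit_record(user: str, path: str, source_ip: str, decision: str,
                 unix_time: int) -> Dict[str, str]:
    """Who, what, from where, and the outcome: one record per request."""
    return {"ts": str(unix_time), "user": user, "ip": source_ip,
            "location": "internal" if is_internal(source_ip) else "external",
            "path": path, "decision": decision}


def handle_request(user: str, path: str, source_ip: str, unix_time: int,
                   totp_secret: bytes, submitted_code: str = "") -> Dict[str, str]:
    """Full flow: verify a submitted code if any, decide, and log the result."""
    done = bool(submitted_code) and verify_totp(totp_secret, submitted_code, unix_time)
    decision = decide(path, source_ip, done)
    if submitted_code and not done and decision == "step_up":
        decision = "step_up_failed"                       # wrong code: log it as such
    return audit_record(user, path, source_ip, decision, unix_time)
```

Two design points: the deny list is checked before anything else, so a valid second factor never unlocks a transaction the policy says should not happen from outside at all; and a wrong code is logged as its own outcome rather than as a generic step-up, because a run of step_up_failed records against one account is exactly the pattern the Logging and Auditing section wants to find.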


Protecting Application Data Stored on Devices

PeopleMobile™ protects application data by not storing it on the device. PeopleMobile™ controls access to sensitive documents.

As part of utilizing enterprise systems, users access data that is sensitive, confidential, and/or regulated, including:

- Financial data
- Data regulated under HIPAA and FERPA
- Social Security numbers (SSN)
- Compensation and benefits
- Pricing
- Supplier contracts

This information is delivered to and managed on devices in various ways, each of which requires protection:

- Delivery of data over networks: implement and enforce TLS (still commonly called SSL) encryption of all traffic to the organization's servers. Enforcement means redirecting or refusing plain HTTP, not merely offering HTTPS, and the mobile client must validate the server certificate; an app that accepts any certificate is protected only against passive observers.
- Caching of application data for performance or disconnected access: use HTML5 browser-based applications for access to sensitive data, so that nothing is stored on the device. Alternatively, enforce encryption of all data that is stored on mobile devices. Note that a browser-based application only avoids storing data if its responses are marked as not cacheable and it does not place sensitive data in the browser's local storage.
- Storing of documents, such as PDF, Word, and Excel files: restrict the ability to download documents containing sensitive data. Alternatively, implement device-level capabilities for remotely wiping or firewalling files on mobile devices.
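Whether a browser-delivered page actually leaves nothing on the device, and whether TLS is actually enforced, is decided by the response headers the server sends. The following added example (not the paper's or GreyHeller's code) audits a response against those two controls and returns a corrected header set; the sample header set, the cookie name and the finding texts are constructed.

```python
"""Checking that a browser-delivered (HTML5) application really leaves no
data on the device and really enforces TLS.

Added example, not the page's or GreyHeller's code.  It audits a set of HTTP
response headers against the two controls above (TLS enforcement, no caching
of sensitive responses) and returns a hardened copy.  The sample response and
the cookie name are constructed.
"""
from typing import Dict, List

SECURE_CACHE = "no-store, no-cache, must-revalidate, private"
HSTS = "max-age=31536000; includeSubDomains"


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _cookie_attrs(cookie: str) -> set:
    """Attribute names of a Set-Cookie value, lowercased (name=value excluded)."""
    return {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}


def audit_headers(headers: Dict[str, str], served_over_tls: bool) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    if not served_over_tls:
        findings.append("served over plain HTTP; redirect to or refuse non-TLS")
    if "max-age" not in _get(headers, "Strict-Transport-Security"):
        findings.append("missing Strict-Transport-Security; browsers may fall back to HTTP")
    if "no-store" not in _get(headers, "Cache-Control").lower():
        findings.append("Cache-Control lacks no-store; the page will be written to the device's browser cache")
    cookie = _get(headers, "Set-Cookie")
    if cookie:
        attrs = _cookie_attrs(cookie)
        if "secure" not in attrs:
            findings.append("session cookie lacks Secure; it will be sent over HTTP")
        if "httponly" not in attrs:
            findings.append("session cookie lacks HttpOnly; script on the page can read it")
    return findings


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the weak settings corrected."""
    replaced = ("cache-control", "pragma", "expires",
                "strict-transport-security", "set-cookie")
    fixed = {k: v for k, v in headers.items() if k.lower() not in replaced}
    fixed["Cache-Control"] = SECURE_CACHE
    fixed["Pragma"] = "no-cache"          # for HTTP/1.0 intermediaries
    fixed["Expires"] = "0"
    fixed["Strict-Transport-Security"] = HSTS
    cookie = _get(headers, "Set-Cookie")
    if cookie:
        parts = [p.strip() for p in cookie.split(";")]
        attrs = _cookie_attrs(cookie)
        if "secure" not in attrs:
            parts.append("Secure")
        if "httponly" not in attrs:
            parts.append("HttpOnly")
        fixed["Set-Cookie"] = "; ".join(parts)
    return fixed


# Constructed: what a default-configured application server might send for an
# employee's pay statement page.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "private, max-age=600",
    "Set-Cookie": "SESSIONID=abc123; Path=/",
}
```

The cache headers only govern what the browser's HTTP cache keeps. They say nothing about data the application itself writes into localStorage, IndexedDB or an application-cache manifest, so "nothing stored on the device" also requires that the application code never put sensitive values there.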


Network Security

Mobile devices access corporate systems from the public internet or through corporate wireless networks. As with any computing device, organizations must protect their networks against viruses and other malware that may be resident on mobile devices.

Accessing from the public internet: proper implementation of network and application firewalls protects your internal network and servers.

Accessing through Wi-Fi, guest access: one technique is to provide a guest Wi-Fi network for mobile devices. Devices connecting to this network have access only to the servers that are firewalled off from the rest of your network; treat the guest network as untrusted, exactly like the public internet.

Accessing through Wi-Fi, internal access: as with any device connecting to an internal network, enforcement of virus and malware protection tools is critical for protecting the network and servers.

Supporting mobile devices on your internal network

It is imperative to define the policy by which you will support these devices connecting to your network, including:

- Enforcing use of antivirus software
- Not allowing access by rooted or jailbroken devices
- Enforcing that updates on devices are consistently applied


Loss or Theft of Device

PeopleMobile™ with embedded ERP Firewall enables a tiered strategy for supporting mobile device access.

Due to the portability of mobile devices, the loss or theft of a device merits special consideration. In addition to the obvious risks related to corporate use of these devices, there are legal barriers related to a corporation's allowable actions with an employee-owned device. While it is perfectly acceptable for an organization to wipe the memory of a device it owns, this is not the case in a "bring your own device" scenario.

It is imperative to adopt a comprehensive strategy toward handling of mobile devices:

- No access by employee-owned devices: usually, this consists of providing employees with mobile devices that are completely controlled by the organization.
- Restricted access by employee-owned devices: organizations can restrict access by mobile devices by location and/or type of device to mitigate risks related to lost or stolen devices.
- Tiered access by employee-owned devices: organizations can grant different levels of access depending on whether employees opt in to allowing the organization to wipe the device of its data.

Whatever the tier, the server-side response to a reported loss does not depend on reaching the device: revoke the device's sessions and tokens at the single signon layer so that whoever holds the device cannot continue an open session.


Logging and Auditing

Capturing and analyzing system activity is a critical aspect of any mobile security strategy. This includes capturing who is accessing what content, from what location, and the data and processes being performed. This allows organizations to:

- Proactively administer system security: analyze all attempts to access system resources, enabling organizations to find and counter penetration attempts, and analyze system use for patterns that indicate unauthorized use or non-adherence to policies.
- Gather information needed to take action: identify data to support disciplinary action for employees, and gather information to support legal proceedings.
- Support audit and controls: prove system integrity and adherence to policies and controls, and document and understand the scope of breaches.

For the log to serve these purposes, each record needs at least a timestamp, the user id, the source address (and whether it is internal or external), the resource or transaction requested, and the outcome (allowed, denied, or step-up required). Logs that will support disciplinary or legal action must also be protected from modification by the users they describe.

PeopleMobile™ with embedded ERP Firewall captures all information needed to comply with logging and auditing requirements.
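The patterns this section names (penetration attempts, unauthorized use, adherence to the location and step-up policies) are concrete once the records carry the fields above. The following is an added example, not the paper's or GreyHeller's code, of three such detections run over a constructed access log: a password-guessing run from one address, sensitive content served to an external address without a step-up challenge, and one account active from two addresses within minutes. The log line format, the internal address range, the sensitive path list and the sample log are all assumptions.

```python
"""Finding penetration attempts, unauthorized use and policy violations in
access logs.

Added example, not the page's or GreyHeller's code.  The log line format, the
internal network range, the sensitive path list and the sample log are all
constructed; a real deployment maps the same checks onto whatever its web
server or single signon layer actually records.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")                  # assumed corporate range
SENSITIVE_PREFIXES = ("/psp/hr/payroll/", "/psp/sa/grades/")   # assumed classification

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                    r"path=(?P<path>\S+) result=(?P<result>\S+)$")

# Constructed sample: one shared or stolen credential, one password-guessing
# run, and one correctly challenged internal user.
SAMPLE_LOG = """\
2012-05-01T08:00:01Z user=jdoe ip=10.1.4.7 path=/psp/hr/benefits/summary result=ALLOWED
2012-05-01T08:02:10Z user=jdoe ip=203.0.113.5 path=/psp/hr/payroll/view result=ALLOWED
2012-05-01T08:10:00Z user=asmith ip=198.51.100.9 path=/psp/signon result=LOGIN_FAILED
2012-05-01T08:10:20Z user=asmith ip=198.51.100.9 path=/psp/signon result=LOGIN_FAILED
2012-05-01T08:11:05Z user=asmith ip=198.51.100.9 path=/psp/signon result=LOGIN_FAILED
2012-05-01T08:11:40Z user=asmith ip=198.51.100.9 path=/psp/signon result=LOGIN_FAILED
2012-05-01T09:30:00Z user=bchen ip=10.2.2.2 path=/psp/sa/grades/entry result=STEP_UP_PASSED
"""


def parse(line: str) -> Optional[Dict]:
    """One log line to a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_internal(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in INTERNAL
    except ValueError:
        return False


def brute_force_sources(events, threshold=3, window=timedelta(minutes=5)) -> List[str]:
    """Addresses with `threshold` or more failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "LOGIN_FAILED":
            failures[e["ip"]].append(e["ts"])
    flagged = []
    for ip, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)


def unchallenged_external_sensitive(events) -> List[tuple]:
    """Sensitive content served to an external address without a step-up:
    a policy violation, or a sign the control is not actually deployed."""
    return sorted((e["user"], e["ip"], e["path"]) for e in events
                  if e["result"] == "ALLOWED" and not is_internal(e["ip"])
                  and e["path"].startswith(SENSITIVE_PREFIXES))


def users_on_multiple_addresses(events, window=timedelta(minutes=10)) -> List[str]:
    """Same account active from two addresses within `window`: a shared or
    stolen credential, or a device in two places at once."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((e["ts"], e["ip"]))
    flagged = set()
    for user, seen in by_user.items():
        seen.sort()
        for i in range(len(seen)):
            for j in range(i + 1, len(seen)):
                if seen[j][0] - seen[i][0] > window:
                    break
                if seen[j][1] != seen[i][1]:
                    flagged.add(user)
    return sorted(flagged)


def analyze(log_text: str) -> Dict[str, list]:
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    return {"brute_force": brute_force_sources(events),
            "external_sensitive": unchallenged_external_sensitive(events),
            "multi_ip_users": users_on_multiple_addresses(events)}
```

Each detection answers one of the section's purposes: the failed-login cluster is the penetration attempt to counter, the unchallenged external access proves (or disproves) that the step-up control is enforced, and the two-address account is the record that supports a conversation with the employee. None of them works if the log lacks the source address or the outcome.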