Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authentication

Jason Hardy, WW Market Segment Manager, Mobile Security; Jason Keenaghan, Program Director, Access Management & Cloud IAM. IBM Mobile Security, © 2015 IBM Corporation.

Transcript of Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authentication

Page 1: Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authentication

© 2015 IBM Corporation

Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authentication

Jason Hardy

WW Market Segment Manager, Mobile Security

Jason Keenaghan

Program Director, Access Management & Cloud IAM

IBM Mobile Security

Page 2: Enterprise mobile trends

“Enterprise mobility will continue to be one of the hottest topics in IT, and high on the list of priorities for all CIOs.” (Ovum)

“IT organizations will dedicate at least 25% of their software budget to mobile application development, deployment, and management by 2017.” (IDC)

The number of smartphone users worldwide will surpass 2 billion in 2016. (eMarketer)

Mobile downloads will increase to 268 billion by 2017. (Gartner)

Page 3: As mobile grows, so do security threats

“With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner)

“Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)

Top mobile devices and apps hacked: 97% Android, 87% iOS. (Arxan)

38 new threats every minute and six every second. (McAfee)

Page 4: What concerns does this create for the enterprise?

Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”

• 32% are concerned about fraudulent transactions

• Only 18% can detect malware / jailbreaks

• 50% say content and data leakage are their top security concern

• 60% use secure containers for data security

• 57% say a lost or stolen device is a top concern

• 60% use passcodes for device security

• 52% worry about application vulnerabilities

• Only 23% have tamper-proofing capabilities

Page 5: IBM Mobile Security Framework

Protect Devices (IBM MobileFirst Protect / MaaS360)

• Manage multi-OS BYOD environment

• Mitigate risks of lost and compromised devices

Secure Content and Collaboration

• Separate enterprise and personal data

• Enforce compliance with security policies

Safeguard Applications and Data (AppScan, Arxan, Trusteer Mobile SDK)

• Distribute and control enterprise apps

• Build and secure apps and protect them “in the wild”

Manage Access and Fraud

• Provide secure web, mobile, API access and identify device risk

• Meet authentication ease-of-use expectation

Extend Security Intelligence

• Extend security information and event management (SIEM) to mobile platform

• Incorporate mobile log management, anomaly detection, configuration and vulnerability management

Third-party products shown alongside the framework: AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana; HP Fortify, Veracode, Proguard; CA, Oracle, RSA.

Page 6: Executing a strategy with IBM Mobile Security

Products in the portfolio:

• IBM Security Access Manager

• IBM DataPower Gateway

• IBM BigFix

• IBM MobileFirst Platform

• IBM MobileFirst Protect (MaaS360)

• IBM Security AppScan

• Arxan Application Protection for IBM Solutions

• IBM QRadar Security Intelligence Platform

• IBM Security Trusteer

• IBM Mobile Security Services

Page 7: Securing mobile access with risk-based authentication

Page 8: IBM Identity and Access Management helps secure the digital identities for an open enterprise

Threat-aware Identity and Access Management

Identity Management

• Identity Governance and Intelligence

• Identity Lifecycle Management

• Privileged Identity Control

Access Management

• Adaptive Access Control and Federation

• Application Content Protection

• Authentication and Single Sign On

Directory Services

Channels: Datacenter, Web, Social, Mobile, Cloud

Delivery models: Software-as-a-Service, On Premise, Appliances, Cloud Managed / Hosted Services, Platform-as-a-Service

Page 9: Take back control of Access Management

Users: Consumers, Employees, Partners & Contractors

Targets: Enterprise Applications, Cloud Workloads, SaaS Applications

ISAM (IBM Security Access Manager) brokers access between the two.

Page 10: Adopt a graded trust posture to help achieve secure transactions & risk-based enforcement

[Diagram: Consumers and Employees (BYOD) reach on/off-premise resources (data, applications, cloud, mobile) over the Internet through Access Management; the Security Team and Application Team manage consistent security policies for consumer/employee applications.]

• Fraud & threat-aware application access across multiple channels

• Strong authentication, SSO, session management for secure B2E, B2B and B2C use cases

• Context-based access and stronger assurance for transactions from partners and consumers

• Transparently enforce security access policies for web and mobile applications

• Enforce security access policies without modifying the applications

Page 11: Enforce risk-based access and strong authentication for transactions

Reduce risk associated with mobile user and service transactions.

Example: transactions performed in the user's state of residence can proceed with normal authentication. If the user attempts to transfer funds from another state or another country, the policy requires an OTP for stronger authentication and additional identity assurance.

Flow: user attempts a transaction from an unexpected location → strong authentication challenge → transaction completes.

Page 12: IBM Security Access Manager supports five main context domains for adaptive access control

• Identity: groups, roles, credential attributes, organization

• Endpoints: unique device attributes (device fingerprint): screen depth/resolution, fonts, OS, browser, browser plug-ins, device model & UUID

• Environment: geographic location, network, local time, etc.

• Resource / Action: the application being requested and what is being done

• Behavior: analytics of the user's historical and current resource usage; user activity monitoring, specific business activity monitoring

Page 13: Common requirements for strong authentication and context-aware access from mobile customers

Improved end user experience:

– Eliminate usernames and passwords for mobile device users

– Situation awareness and graded trust

Step-up authentication for additional identity assurance:

– Unknown device

– High-risk or infected device

– High-value transactions

Risk-elevation factors:

– IP reputation

– Geo-political location

– Behavioral anomalies (e.g., time of day)

Continuous authentication:

– Soft biometrics

– User presence detection (e.g., motion, WiFi networks, Bluetooth devices)

Page 14: Additional sources of context appear as policy information points

[Diagram: users reach servers, databases, applications and APIs through IBM Security Access Manager, which pulls context over policy information point connections from:]

• Fiberlink MaaS360: managed mobile device context

• Trusteer Mobile & Pinpoint Malware Detection Server: malware / fraud indicators

• LDAP Server: user attributes

• Generic Policy Information Point connection: context from an external DB or service

Page 15: Simplify fraud protection

Automatically protect users and organizations from fraud with strong authentication.

Risk-based access controls built around the malware and fraud risk score from Trusteer:

– High-risk transactions can be prompted to change behavior (e.g., open a secure browser) or perform step-up authentication

ISAM adds Trusteer fraud protection to applications without requiring any code changes on the protected applications themselves.

[Diagram: users reach protected applications through ISAM; Trusteer supplies fraud context and a risk score to ISAM, which forwards fraud and access context to QRadar Security Intelligence.]
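The decision logic behind pages 11 to 15 (out-of-state transfer triggers an OTP; unknown, jailbroken or non-compliant device, bad IP reputation, off-hours activity and high-value transfers raise the risk; an external fraud score from a policy information point is folded in) can be written as a small risk engine. The block below is an added example, not ISAM, MaaS360 or Trusteer code: the weights, the two thresholds, the attribute names and the 0..100 fraud-score scale are assumptions, and `sample_request` builds constructed context values.

```python
# Added example, not ISAM or IBM code: a minimal risk engine that scores one
# request across the five context domains of page 12 and applies the step-up
# rules of pages 11 and 13. Weights, thresholds, attribute names and the way
# the MaaS360/Trusteer policy-information-point values are folded in are all
# assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Set

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class AccessContext:
    user: str                    # identity domain
    home_state: str
    home_country: str
    device_id: Optional[str]     # endpoint domain: fingerprint, None if absent
    known_devices: Set[str]
    jailbroken: bool             # from an MDM PIP such as MaaS360 (assumed)
    mdm_compliant: bool
    state: str                   # environment domain
    country: str
    local_hour: int
    ip_reputation_bad: bool
    action: str                  # resource/action domain
    amount: float
    usual_hours: range           # behavior domain
    fraud_score: int             # fraud PIP such as Trusteer, 0..100 (assumed scale)


@dataclass
class Decision:
    outcome: str
    score: int
    reasons: List[str] = field(default_factory=list)


# Assumed weights; in production they are tuned against fraud and false-challenge rates.
WEIGHTS = {"unknown_device": 30, "jailbroken": 50, "noncompliant_mdm": 25,
           "other_state": 20, "other_country": 40, "bad_ip_reputation": 35,
           "off_hours": 10, "high_value_transfer": 30}
STEP_UP_AT = 20   # an out-of-state transfer alone must trigger the OTP (page 11)
DENY_AT = 100


def score_context(ctx: AccessContext):
    """Return (risk score, triggered factors) for one request."""
    score, reasons = 0, []

    def hit(name: str) -> None:
        nonlocal score
        score += WEIGHTS[name]
        reasons.append(name)

    # Endpoint: unknown, infected or non-compliant device (page 13)
    if ctx.device_id is None or ctx.device_id not in ctx.known_devices:
        hit("unknown_device")
    if ctx.jailbroken:
        hit("jailbroken")
    if not ctx.mdm_compliant:
        hit("noncompliant_mdm")
    # Environment: residence vs. transaction location (page 11), IP reputation
    if ctx.country != ctx.home_country:
        hit("other_country")
    elif ctx.state != ctx.home_state:
        hit("other_state")
    if ctx.ip_reputation_bad:
        hit("bad_ip_reputation")
    # Behavior: time-of-day anomaly
    if ctx.local_hour not in ctx.usual_hours:
        hit("off_hours")
    # Resource / action: high-value transfer
    if ctx.action == "transfer" and ctx.amount >= 5000:
        hit("high_value_transfer")
    # Fraud PIP: external malware/fraud score folded in at half weight
    if ctx.fraud_score >= 50:
        reasons.append("fraud_indicator")
    score += ctx.fraud_score // 2
    return score, reasons


def decide(ctx: AccessContext) -> Decision:
    """Map the score to allow / step-up (OTP) / deny."""
    score, reasons = score_context(ctx)
    if score >= DENY_AT:
        return Decision(DENY, score, reasons)
    if score >= STEP_UP_AT:
        return Decision(STEP_UP, score, reasons)
    return Decision(ALLOW, score, reasons)


def sample_request(**overrides) -> AccessContext:
    """Constructed sample: known compliant device, in the home state, small transfer."""
    base = dict(user="alice", home_state="NY", home_country="US",
                device_id="fp-1a2b", known_devices={"fp-1a2b"},
                jailbroken=False, mdm_compliant=True,
                state="NY", country="US", local_hour=14, ip_reputation_bad=False,
                action="transfer", amount=200.0,
                usual_hours=range(7, 23), fraud_score=5)
    base.update(overrides)
    return AccessContext(**base)
```

With these assumed weights `decide(sample_request())` allows the in-state transfer, `decide(sample_request(state="CA"))` returns a step-up with `other_state` as the only reason (the page 11 scenario), and a transfer from abroad on an unknown device with a bad IP reputation is denied outright. Keeping the reasons list alongside the score is what makes the decision auditable and lets a fraud team tune one factor without re-deriving the whole policy.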

Page 16: Remove barriers to mobile productivity

Enable more convenient and secure access to enterprise resources from mobile.

[Diagram: the user authenticates to the MaaS360 app (username, password, sign in); MaaS360-enabled enterprise mobile apps then get single sign-on through ISAM to enterprise web applications and SaaS applications.]

• Allows users to easily access enterprise resources with minimal authentication friction

• Utilizes existing access management infrastructure to prevent the need for application changes while enabling access from mobile devices

• Risk-based access controls can utilize context from MaaS360 in the access decision (e.g., compliance state, jailbroken status, ownership status, etc.)

Page 17: Implementation pattern for providing advanced API security

• IBM API Management provides developer portal, API analytics, and development acceleration for ISAM integration on DataPower Gateway appliances

• IBM DataPower Gateway provides the API runtime policy enforcement point and integration to other dynamic decision engines (e.g., ISAM)

• IBM Security Access Manager provides advanced mobile/API security capabilities for enhanced protection of API resources

• DataPower is the API Gateway for IBM API Management to secure & integrate API traffic

[Diagram: an IBM MobileFirst mobile application on the Internet calls the DataPower “API Gateway” in the DMZ; the gateway carries an ISAM module and is managed by APIm; ISAM and the backend services sit in the trusted zone.]

1. Define policies

2. Invoke API

3. Consult decision engine

4. Invoke backend service

Page 18: IBM architecture for risk-based access with strong authentication

Easy to deploy, easy to manage, and highly scalable virtual and physical appliances.

[Diagram: a user on mobile or desktop (mobile client) reaches applications and data through the ISAM proxy or DataPower acting as the policy enforcement point (PEP). ISAM provides the Policy Server (PAP) for access policy authoring and the Runtime Services (PDP), which contain the risk engine and the authentication framework with extensible authentication & verification methods and extensible context.]

• PEP: SSO / FSSO / context-based access

• PAP: access policy authoring

• PDP: risk engine and authentication framework; extensible multi-modal authentication; extensible context
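The four-step API flow on page 17 and the PAP / PDP / PEP split on page 18 fit in one short program: policies are authored in one place, the gateway intercepts each API call, asks the decision point whether the session's assurance level is enough, and either forwards to the backend or returns an OTP challenge from the authentication framework. This is an added example, not ISAM or DataPower code: the policy shape, the two assurance levels, the URLs, the in-process OTP delivery and the stub backend are all assumptions, and `run_flow` is a constructed walk-through.

```python
# Added example, not ISAM or DataPower code: the PAP / PDP / PEP split of
# page 18 and the four-step API flow of page 17 (define policies, invoke API,
# consult decision engine, invoke backend) with an OTP step-up from the
# authentication framework. Policy shape, authentication levels, URLs and the
# OTP delivery are assumptions; the backend is a stub.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- PAP: policies authored centrally (step 1, "define policies") ----------
# Assumed levels: 1 = password / SSO session, 2 = session that passed an OTP.
POLICIES: List[Dict] = [
    {"resource": "/api/accounts", "action": "GET", "required_level": 1},
    {"resource": "/api/transfers", "action": "POST", "required_level": 2},
]
DEFAULT_LEVEL = 1


@dataclass
class Session:
    user: str
    auth_level: int = 1
    pending_otp: Optional[str] = None


# --- PDP: runtime services evaluate policy against the request context ------
def required_level(resource: str, action: str) -> int:
    for rule in POLICIES:
        if resource.startswith(rule["resource"]) and rule["action"] == action:
            return rule["required_level"]
    return DEFAULT_LEVEL


def pdp_decide(session: Session, resource: str, action: str) -> Dict:
    need = required_level(resource, action)
    if session.auth_level >= need:
        return {"decision": "permit"}
    return {"decision": "step_up", "required_level": need}


# --- Authentication framework: OTP step-up ---------------------------------
def issue_otp(session: Session) -> str:
    """Generate a 6-digit OTP; a real deployment delivers it out of band."""
    session.pending_otp = f"{secrets.randbelow(10**6):06d}"
    return session.pending_otp


def verify_otp(session: Session, submitted: str) -> bool:
    ok = session.pending_otp is not None and hmac.compare_digest(
        session.pending_otp, submitted)
    if ok:                       # raise assurance only after a good answer
        session.auth_level = 2
    session.pending_otp = None   # single use, whether the answer was right or not
    return ok


# --- PEP: the gateway in front of the backend (steps 2 to 4) ---------------
def backend(resource: str, action: str, body: Optional[Dict]) -> Dict:
    return {"status": 200, "body": f"{action} {resource} ok"}   # stub


def pep_handle(session: Session, resource: str, action: str,
               body: Optional[Dict] = None) -> Dict:
    decision = pdp_decide(session, resource, action)             # step 3
    if decision["decision"] == "permit":
        return backend(resource, action, body)                   # step 4
    issue_otp(session)
    return {"status": 401, "challenge": "otp",
            "required_level": decision["required_level"]}


def run_flow() -> List[int]:
    """Constructed walk-through; returns the HTTP status of each call."""
    s = Session(user="alice")
    statuses = [pep_handle(s, "/api/accounts/1", "GET")["status"]]             # 200
    statuses.append(pep_handle(s, "/api/transfers", "POST", {"amt": 9000})["status"])  # 401
    wrong = "000000" if s.pending_otp != "000000" else "111111"
    verify_otp(s, wrong)                                                       # rejected
    statuses.append(pep_handle(s, "/api/transfers", "POST", {"amt": 9000})["status"])  # 401 again
    verify_otp(s, s.pending_otp)                                               # accepted
    statuses.append(pep_handle(s, "/api/transfers", "POST", {"amt": 9000})["status"])  # 200
    return statuses
```

`run_flow()` returns `[200, 401, 401, 200]`: the read passes at level 1, the transfer is challenged, a wrong OTP leaves the session at level 1 (and burns the code, so the gateway issues a fresh one), and only after a correct OTP does the PEP call the backend. The backend never sees the challenge; that is the "no application changes" property the deck keeps returning to, and it holds because the PEP and PDP, not the service, own the assurance state.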

Page 19: Q&A

Page 20: Learn more about IBM Security

• 133 countries where IBM delivers managed security services

• 20 industry analyst reports rank IBM Security as a LEADER

• TOP 3 enterprise security software vendor in total revenue

• 10K clients protected including… 24 of the top 33 banks in Japan, North America, and Australia

Visit our web page: IBM.com/Security

Watch our videos: IBM Security YouTube Channel

Read new blog posts: SecurityIntelligence.com

Follow us on Twitter: @ibmsecurity

Page 21

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security