SOLUTION BRIEF MOBILE SECURITY
Securely Accelerate Your Mobile Business
CA Technologies allows you to accelerate mobile innovation for customers and employees without risking your enterprise data or applications.
3 | SOLUTION BRIEF: MOBILE SECURITY
ca.com
Executive Summary
Challenge
As consumers expect a better mobile engagement experience, teams look to improve employee productivity, and BYOD takes hold within the enterprise, the business must deal with a consistent dilemma: accelerating business initiatives while mitigating risk. A device-only security solution is no longer adequate, and it often compromises the privacy of users. But, of course, lack of visibility and control on the mobile device is no solution at all. Organizations need to take a comprehensive device, app and data-centric approach to mobile security – a solution that balances business enablement with protection while maintaining the privacy of the users and convenience of using the mobile device.
Opportunity
CA Technologies enables organizations to securely deliver mobile initiatives faster while helping to solve the security and privacy implications of BYOD, all without compromising convenience. By taking an identity-centric approach to mobile security, CA Technologies delivers solutions across the following three areas:
• Mobile Device Security
• Mobile App Security
• Mobile Data Security
Benefits
CA Technologies delivers a mobile security solution that enables enterprises to securely deliver new mobile services for consumers and employees alike. Organizations are able to securely accelerate mobile app development and market reach, support multi-channel engagement, reduce fraud to enterprise and third-party mobile apps and enable employee collaboration, improving business productivity. This comprehensive approach to mobile security enables organizations to unlock the value of their business through the mobile channel while mitigating enterprise security and compliance risks.
Section 1: Challenge
Balancing the Mobile Business with Mobile Protection
As organizations look to accelerate mobile innovation and business initiatives to drive business forward, IT and security can no longer afford to be inhibitors to the overall goals of the business. Mobility offers tremendous opportunity to the business and an opportunity for IT and security to contribute to business success. No longer is blocking and preventing access acceptable. Instead, IT and security must balance growing the business with protecting the business as cost efficiently as possible.
Extending Web Investments for New Mobile Development Initiatives
To deliver new mobile apps and services, organizations will need a way to open up enterprise data and applications to both mobile developers and apps. For most organizations this represents conceptually a similar undertaking to previous efforts to open up data and applications to end-users via the Web. But a combination of existing and legacy web application infrastructures, mobile development resource constraints and mobile security risks prevent them from meeting their mobile business goals. Existing web application environments often don’t seamlessly integrate with mobile applications such as REST-style architectures. This may require organizations to develop new or rip and replace existing web environments to engage with their mobile customers, resulting in significant cost implications and duplication of efforts. And, as organizations discover ways to expose services and data to mobile channels through APIs, the threat of critical business services being compromised is a real risk.
Not Just Securing the Mobile Device but the Mobile App End-to-End
As customers demand access to products and services via the mobile platform and employees require the usage of their personal device to access enterprise applications anywhere and anytime, mobile security solutions must evolve. No longer is protection at the device level sufficient, given consumer and employee privacy and potential legal implications. When securing the device, organizations can often have unsuitable control over a broad set of device features, giving them access to personal employee apps and data. Liability issues can arise if personal data is viewed or removed from the device. Instead, organizations must expand beyond a device-only security approach to an application and data-centric approach. This will provide organizations flexible and precise control, help maintain privacy of the user and mitigate additional liability risk.
Supporting IT Consumerization Without Compromising Security
As employees adopt cloud and mobile services, organizations can realize tremendous business productivity gains but at the potential cost of information leakage. As sensitive information is shared outside the organization across cloud services and public, mobile apps, businesses are put at risk of data compromise and regulatory non-compliance. Organizations are put in a difficult situation. Do they completely block access to mitigate risk but inhibit business, or open up access to enable business but incur risk? Businesses need a way to improve collaboration but in a secure manner. CA Technologies provides the security tools to support IT consumerization trends without compromising security.
Section 2: Opportunity
Mobile Security Solutions
CA Technologies provides organizations the right balance of mobile business enablement and business protection. CA Technologies takes a comprehensive identity-centric approach to enabling BYOD, accelerating mobile app development, managing and securing mobile apps, and protecting mobile data.
Figure A. Secure the mobile device, app and data through identity. [Diagram labels: Mobile Device Security, Mobile App Security, Mobile Content Security, Identity]
Mobile Device Security
CA Mobile Device Manager (CA MDM) provides comprehensive capabilities to manage the configuration and availability of mobile devices, whether personally or corporate owned. CA MDM provides comprehensive device lifecycle management, from device enrollment to user device de-registering.
On-boarding
Users have the ability to enroll their own devices via a self-service portal. During on-boarding the user authenticates to prove their identity and to enable the system to record the user’s custody of the device. Policies may be applied on a per user or group basis.
Configuration Management
CA MDM provides rich and granular configuration policies, which enables the enterprise to control the operation of individual devices. During the device enrollment process, the system applies the configuration policy associated with that user and/or their device type. Besides configuring security settings, a configuration policy can also automatically provision the user’s corporate VPN access, email account and other corporate-specific information such as user credentials. These configurations are automatically removed when the user removes the device from management. This means the user can become immediately productive with their device without having to follow a complicated “how-to-configure-your-email” guide. Everything is provisioned for them automatically and securely.
Self-Service
Mobile devices are pervasive, with many users owning multiple devices. Therefore, a solution that relied on central administration for every intervention on a user’s device would not scale. To further complicate things, users are generally not willing to part with a mobile device even for a few minutes. Self-service is therefore imperative and is a core component of the mobility solution.
• Enrolling and de-enrolling devices. With mobile devices, device refresh and upgrade cycles are much more rapid than with traditional desktop and laptop PCs. When users upgrade or replace their devices, they can remove their old device from management, removing all corporate data and applications while leaving the user’s own data and apps untouched.
• Handling “lost device” scenarios. Users with mobile devices could be operating in almost any geography or time zone. Therefore, in the event of a lost or stolen device a dependency on central corporate administrator availability would be very unwelcome. Via the self-service portal, users can locate the last known position of their mobile device and send instructions to remotely lock and, if necessary, remotely wipe their device.
• End of service. When the time comes for the user’s device to be removed from device management, the user can unregister the device themselves via the self-service portal. This removes all corporate configuration data, application data, applications, user credentials, etc. while leaving the user’s own data untouched. The administrator also has the ability to unregister the device from the user.
Monitoring, Reporting and Analytics
CA MDM enables the administrator to monitor the detailed hardware and software configuration of each device, as well as information about the device’s environment such as the mobile network it is registered to, its use of roaming, and whether the device has registered to any WiFi access points. This level of reporting is essential for monitoring the compliance status of devices, including whether devices have been “rooted” or “jailbroken.” There is also a fully customizable analytics capability, enabling customized reports to be executed against the central CA MDM database repository. In particular, the analytics module provides extensive options for data visualization, which is essential for understanding trend data, especially for a large number of mobile devices.
Mobile App Security
The lean, restricted functionality of mobile apps makes them both convenient and task-oriented – and a major reason why they’re so attractive to consumers and employees. This experience demanded by users has elevated the development and delivery of mobile apps to a top priority for any organization looking to improve consumer engagement, employee productivity and business growth. But this comes at a cost. The ease with which sensitive information can be shared, processed and stored outside the traditional enterprise boundary has increased while raising the bar for security. Security must adapt to this new open enterprise that’s enabling business innovation and agility, while mitigating the new risks the mobile channel exposes.
CA Technologies delivers an identity-centric mobile app solution that unifies security across the Web and API channels to meet the needs of the business and security. CA Single Sign-On (previously CA SiteMinder) controls access to the Web while CA Mobile Application Management (CA MAM) and CA’s API security solution help secure the mobile app. This comprehensive solution delivers a seamless yet secure user experience from Web to mobile, protects a wide range of app types from the mobile client to the backend of the enterprise, and securely accelerates mobile app development and delivery while improving operational performance and availability.
Figure B. Secure all app types across both the Web and mobile channel.
Take a Blended Approach
Depending on the business objective, customer lifecycle or employee enablement plan, organizations will no doubt adopt different mobile app strategies. Whether the plan is to extend existing application environments to mobile platforms, develop new native mobile apps or partner with 3rd-party providers like Salesforce.com, a blended mobile app security approach is usually best. That’s why as new mobile app projects are taken on, the existing Web engagement channel should not be left out. Both should be managed together to deliver a seamless experience to the user.
Multi-Device Universe
Today, consumers and employees access data from multiple devices and locations. An employee may log into an enterprise application using their laptop, then moments later, access this same resource from their personal tablet or smartphone via a native app. The user expectation for seamless app access and transition across environments is high as organizations begin to expand from web only engagement to mobile app engagement. The combination of CA Single Sign-On and CA API Gateway delivers a unified access solution across Web, APIs and mobile, improving administration as well as the user’s experience when moving across device channels. Users are able to move between native apps effortlessly without having to log in again while social login is supported to simplify the login and registration process for mobile prospects.
• Multi-Channel Authentication. Through the usage of the mobile SDK that is available with the CA Mobile API Gateway, Web SSO credentials are shared with native mobile apps. This allows users to experience a very smooth transition as they move from browser-based login to native mobile app login. This integration between SiteMinder session cookies and the Mobile SDK enables convenient authentication across mobile app types.
• Mobile SSO. The mobile form factor was not built with username and password entry in mind. The process is often time consuming and error-prone, causing tremendous frustration. Mobile SSO removes these inhibitors, enabling a convenient mobile app experience. Users no longer have to remember a unique username and password for each mobile app. Instead users are delivered a secure, convenient and seamless experience when working between apps, never having to enter a second username and password, thereby improving productivity and business engagement.
• Mobile Social Login. Signing into a small mobile screen can be a frustrating experience for consumers. Mobile social login can eliminate this time consuming registration process by enabling users to gain access through social networking credentials such as Facebook, LinkedIn, Salesforce and Gmail. Social login not only reduces registration process time but has been shown to improve prospect conversion rates while providing insight into new users.
• Composite API. Once the app is accessed, the user is provided with an engaging experience. Composite APIs enable mobile apps to aggregate data from disparate internal and external sources, such as Google Maps, into a dynamic environment providing the user with an optimal experience.
• Central Web & API Administration. Administrators are able to centrally manage policy across Web, API and Mobile environments, improving efficiency and reducing the risk of human error.
Convenient security enabling the multi-device universe.
End-to-End Mobile Security
As users transition from the web to the mobile app, the business requires assurance that security is persistently carried across channels while maintaining usability and user convenience. The CA Mobile Application Management and CA Mobile API Gateway together deliver an end-to-end mobile security solution that controls access to the app through policy-based access controls. Mobile app security can be implemented in the form of app wrapping from CA MAM or an SDK from the CA Mobile API Gateway. Then once users gain access to the mobile app and begin usage, all content communicated to and from the enterprise is secured through SSL encryption while the backend is protected through fine-grained API access controls and threat protection.
• Two-Factor Authentication. When accessing the mobile app, two factors of authentication are required to prove the identity of the user and grant access to the mobile app. Additional security is delivered with the storage of credentials in a local, persistent format to avoid inadvertent removal. The software credential can also be locked to the device in order to prevent the reuse of a stolen credential by another device. In addition, the mobile device may be used to verify transaction details, such as a financial transaction amount or payee, as part of an out-of-band authentication process, to help reduce the risk of fraud in online transactions.
• Geolocation Access. The risk level of a mobile user accessing enterprise information can change rapidly based on the user and location. In order to mitigate this risk, CA Technologies delivers risk-based mobile access control taking into account various contextual factors such as user identity and location to determine if access should be granted. Either client GPS coordinates, geolocation aggregators or carriers can provide context variables for use in access policies.
• Mutual SSL. SSL is a cryptographic protocol designed to provide secure communication from the app to the API. As sensitive content is passed from the mobile app to the API, it is secured through SSL encryption. During mutual SSL both the client and server are authenticated.
• Fine-grained API Access Control. API access policies control access from each mobile app to each API based on three attributes: user, app and device. This implementation of OAuth, OpenID Connect and PKI delivers fine-grained access control to sensitive resources based on pre-defined policies.
• Threat Protection. Each externalized API is protected from threats including SQL injection, cross-site scripting and DDoS attacks.
Figure C. End-to-end security from the mobile client to the backend API.
Not Just Run But Build
The DevOps focused enterprise is consistently focused on accelerating mobile app release cycles while improving performance, availability and service levels. To meet these demands, organizations must adopt a set of development and operational practices that reduce build and test time while supporting the volume and scale of mobile app transactions at runtime.
• Developer Management. In order to create truly valuable apps, the API publisher must be able to attract talented developers and provide them with the tools to take full advantage of APIs. The CA API Developer Portal makes it simple for developers to register for APIs and access interactive documentation, sample code, testing tools and discussion forums.
• Open Security Standards. Secure coding and testing can add significant time to a development cycle. The CA Mobile API Gateway offers a mobile app security SDK that includes authentication standards such as OAuth and OpenID Connect that not only enable secure access within the mobile app but accelerate release time by reducing development and testing time.
• iOS, Android and PhoneGap Development Framework Support. The mobile SDK supports a broad set of mobile development frameworks including iOS, Android and PhoneGap. Mobile SDK delivers standards-based security and user convenience to mobile apps.
• Protocol Adaptation and Orchestration. Existing application environments often are not constructed in a modern and mobile friendly format. The CA Mobile API Gateway allows organizations to leverage existing application investment through the adaptation of services into modern mobile RESTful APIs.
• Caching and Performance Optimization. The high volume of mobile apps and backend system access can result in performance and service availability issues. Traffic must be dealt with efficiently to ensure applications built against APIs work consistently and the performance of backend systems is not compromised. The CA Layer 7 Mobile Access Gateway recomposes small backend calls into efficient aggregated mobile requests in order to reduce bandwidth costs and improve user experience.
Figure D. Securely accelerate app delivery while optimizing overall performance.
Mobile Identity & Access Management (IAM) Apps
As mobile users drive demand for anywhere/anytime access and a more convenient software usage experience in the workplace, the enterprise is pressured to respond. CA Technologies enables a more productive Identity & Access Management (IAM) experience with its software through the delivery of IAM software in the form of mobile apps. Each IAM app is developed with the premise of improving daily work activities for IAM users through a better user interface and workflow process via the mobile phone.
CA Identity Manager Mobile App
The CA Identity Manager (previously CA IdentityMinder) mobile app includes identity management functionality such as the ability to update profiles, reset passwords, change passwords, and approve requests. The app will also support on-premises as well as CA Secure Cloud (previously CA CloudMinder) deployments. Organizations will benefit from improved user productivity to perform identity management tasks wherever they are and through a streamlined workflow process.
Improve productivity with mobile IAM apps.
Mobile Content Security
As organizations attempt to improve productivity through on-premise, cloud and mobile forms of collaboration, sensitive information is often shared, putting the business at risk of data compromise and non-compliance. CA Technologies helps control the dissemination of sensitive information shared and communicated over email or through files whether on-premise, in the cloud or through the mobile platform.
Secure Mobile Message Control
Email remains the most used mode of communication in the workplace and a critical tool for organizations when communicating with customers. But quite often sensitive customer or company information is purposely, mistakenly or maliciously sent out of the organization over email with little to no control. CA Data Protection (previously CA DataMinder), with partnerships through encryption vendors such as Voltage Security, enables organizations to classify sensitive content and then control the email all based on the content and identity of the user. As an employee attempts to send an email to a mobile device, the content is classified and then controlled in the form of a warning, block or encryption. This enables organizations to not solely rely on the policy knowledge of employees, in order to reduce the risk of human error and non-compliance.
Secure Mobile File Sync and Sharing Control
The advent of cloud models, such as Dropbox, box and SkyDrive, that enable the sharing and collaboration of files has had a significant impact on consumers and enterprises. As consumers uncover the value of using the cloud to share personal content to their mobile device, they immediately attempt to apply the same model to work environments as the opportunity arises. But organizations, as a matter of policy, either block access completely, limiting productivity, or allow access and sharing without control, exposing the business to enormous risk. It is a continuing battle - users finding ways to share their files, and IT trying to manage the risk to the enterprise. CA Data Protection solves this problem by applying intelligent control to the sharing of sensitive content in files. As a user attempts to copy or move a file to a folder such as Dropbox, the data is classified and controlled, either warning the user that the action is against policy, blocking the content from being shared or encrypting the file so that it’s protected whether in transit, stored in the cloud or sync’d to the mobile device.
Figure E. Intelligent data-centric security of files and emails.
Section 3: Benefits
Securely Grow Mobile Business and Improve Employee Productivity
CA Technologies enables organizations to leverage the mobile platform to securely grow their business and improve employee productivity.
Grow the Business and Enable Innovation
The mobile app initiatives are fast becoming the focus of organizations to drive business forward. The emphasis of organizations to identify solutions that enable business growth and innovation could not be greater. With CA Technologies solutions, organizations will be able to accelerate app delivery and improve customer engagement while mitigating the risk of the mobile channel.
Securely Accelerate App Delivery
As organizations investigate the mobile business opportunity, there are often barriers preventing them from reaching their markets in a timely fashion. CA Technologies securely accelerates the delivery of mobile apps enabling organizations to reach their markets faster. Organizations are able to adapt existing web environments to mobile architectures avoiding having to rip and replace, deliver tools to mobile app developers improving the development and testing of apps, and then secure and govern all mobile transactions at the perimeter avoiding having to build security into the development process. The result is a faster, higher quality and more secure process of releasing mobile apps.
Securely Improve User Engagement
Customers want to engage the business through the channel that suits them best, whether it’s through the web or a mobile app. CA Technologies allows organizations to engage their customers through their channel of choice, and provides a consistent and convenient user experience across all channels.
Improve Mobile Employee Productivity
The mobile device has quickly become the communication method of choice to enable better employee and partner collaboration. But the uncontrolled sharing of sensitive content has inhibited organizations from realizing the full potential of the mobile platform. CA Technologies enables enterprises to securely collaborate through the mobile platform while also providing anytime/anyplace access.
Enable Secure Collaboration
Whether it’s SharePoint, Dropbox or email, users often share dynamic forms of content unknown to the business. CA Technologies allows organizations to continue sharing sensitive information but in a controlled manner that mitigates risk to the business. Through intelligent data-centric security, organizations are able to balance business enablement with business protection.
Empower CA Technologies Users
CA Technologies enables users to improve their productivity through the usage of CA IAM software on the mobile platform. The convenience of the mobile platform and workflow usability of the mobile app improves the productivity of IAM administrators and other functional groups that work within the IAM workflow process on a daily basis.
Section 4
The CA Technologies advantage
CA Technologies allows organizations to balance enabling the mobile business with securing it. CA leverages identity to securely accelerate mobile app delivery, improve engagement through secure mobile apps, protect mobile data through intelligent data-centric security and empower mobile IAM users.
The CA Technologies mobile security solution is core to any mobility initiative. As organizations evaluate mobility management and service offerings, security should be considered a core component to an overall and comprehensive solution. CA Technologies has been a leader in IT management for over 30 years, has over 1500 security customers, and is committed to continuing to bring innovative management and security capabilities to the marketplace. We have a large and dedicated group of security experts who know how to make security deployments successful, and to help our customers achieve accelerated time-to-value.
Connect with CA Technologies at ca.com
CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate – across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.
Copyright © 2014 CA. All rights reserved. SkyDrive and SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, “Laws”)) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. CS200-87154_0914