Executive Summary

Mobility has forever transformed the way we work, communicate and socialize. Personal devices brought employees and all their social connections into corporate networks, compelling organizations to rapidly embrace mobility practices as a way to boost employee productivity and customer engagement.

This was no orderly process. Employees have forced IT’s hand, starting at the C-suite, to allow unmanaged devices into corporate networks. Consumers rapidly adopted mobile applications as a preferred way to access personal, health and financial information. IT security and mobility teams had to play catchup. They had to provide what the business needed but to also manage a new set of threats: Lost/stolen devices, malware targeting vulnerable applications and new social engineering tactics increased the risk of a data breach and the use of mobile devices for criminal and fraudulent activity.

Applying enterprise controls to employee owned devices was a necessary first step. Securing enterprise data followed, as data loss presented a big risk to the business. As enterprises explore the use of mobile applications for employees, partners and customers, new processes had to be built to secure these applications against compromise. Finally, mobile access to enterprise resources had to be managed as part of an overall breach prevention strategy.

Point products address specific mobile security needs and require enterprises to integrate them into a coherent solution. Many IT organizations are challenged by this complex and multifaceted endeavor, and a holistic, integrated and scalable solution is sorely needed.

This paper discusses the unique risks associated with mobile devices and the capabilities enterprises should consider when building their roadmap to a secure mobile enterprise. We introduce the IBM® Mobile Security Framework, an end-to-end strategy and solution that addresses mobile security requirements across the device, the content developed on and transferred between devices, the mobile application, mobile transactions, and mobile identity and access management. Built on IBM’s unique threat intelligence platform, the Mobile Security Framework automatically fuses context and risk awareness into each component of mobile security to maximize mobility management and security effectiveness.

Opportunities and Threats to the Mobile Enterprise

Mobility is driving a deep change in the way consumers interact with their social circles, shop and access information. Organizations tap the benefits of mobility for business by enabling employees to access work resources such as email, calendar and contacts on the road. Extending mobile access to enterprise content, applications and services further boosts employee productivity, increasing overall competitiveness and improving customer service. Customers are looking to engage businesses through the mobile channel because it provides a convenient way to get things done. For example, mobile banking has seen early success in enabling anytime, anywhere access to financial data and transactions.

Both employees and customers share the expectation of an excellent, frictionless user experience. In fact, mobile adoption by consumers has raised the bar for employee-facing applications. The so-called “IT consumerization” became the driving force behind the emergence of Bring Your Own Device (BYOD) programs and the pursuit of a better user experience for enterprise applications.¹

Opportunities

Mobility in business represents a new paradigm, not merely a new access device. It has these unique characteristics:

  • Mobile devices easily travel distances: Mobile devices travel quickly and are always within reach.² We can’t expect usage to follow rigid patterns relative to location or time of day, as was the case with desktops and even laptops.
  • Mobile devices have a flexible usage model: The traditional separation between work and personal devices is rapidly disappearing. Users expect to use a single device for the full range of activities throughout the day. For example, employees want to blend their favorite social apps with access to work-related business content. Customers want to use a smartphone or a tablet for mobile banking, stock trading and setting doctor appointments as well as online gaming and content consumption.
  • Mobile devices are difficult to secure: Businesses are facing an increasing loss of control over mobile endpoints. Users can compromise device security by installing malicious apps and then still expect to use the device to conduct sensitive business transactions. Matters are even more complicated because Android and iOS mobile operating systems are built and maintained in a way that minimizes visibility and control over device state and security risks.

Threats

These characteristics present organizations with a new and heightened set of risks:

  • Data breach via compromised devices: Users can compromise device security through the process of jailbreaking or rooting a device. These compromised devices are then susceptible to infection via advanced malware that is packaged into fake games, security, banking or other seemingly benign applications. Such malware can tamper with device communications and enable attackers to gain remote access and control of the device.³
  • Data loss via stolen devices: Mobile devices, as many of us know from personal experience, are easily forgotten and/or stolen. While our kids’ photos are critically important to us, loss of business-sensitive information on customers, competitors or sales figures can expose our companies to brand, regulatory and financial risks. For example, losing patient records stored on a tablet used during clinical trials may violate a healthcare organization’s HIPAA compliance.
  • Data leak via unauthorized or inadvertent sharing: With data stored on the mobile device, sharing is easier than ever. However, organizations are legitimately concerned about the flow of enterprise data and have gone to great lengths to control usage of such data on legacy endpoints. Mobile devices offer more limited control over data sharing, which creates a new set of business risks. Imagine an employee mistakenly sharing a draft SEC filing via a public email service or posting internal documents to a social network as part of a dispute with the employer.
  • Loss of intellectual property and application-level attacks: The primary way of delivering and consuming new mobile capabilities is through mobile applications. Enterprises spend a lot of money developing these apps and offer them via public app stores to customers and enterprise app stores to employees. However, software vulnerabilities expose them to malware attacks. Reverse engineering can extract valuable intellectual property and be the basis for repackaging apps with malware. These now-malicious apps are offered via 3rd party app stores or packaged with malware and introduced to victims via SMS messages.⁴ Upon installation they steal credentials and other data used in account takeover.
  • Criminal access and transaction fraud: Mobile devices extend the long-standing challenge of authenticating customers and employees. As criminals steal credentials via phishing and malware attacks, they use mobile devices to access sensitive applications because these devices are harder to uniquely “fingerprint”.⁵ Enterprises must determine whether the “user at the door” is the genuine employee, partner or customer, or a criminal pretending to be one. Especially for customers, and increasingly for employees, this assessment of authenticity must be minimally intrusive to preserve the user experience.

A Holistic Approach to Mobile Security: Required Capabilities

Mobile security risks are present at all stages of the lifecycle of our mobile experiences. These risks span the mobile device, the content that is stored on it, the applications used to access that content, mobile access to the enterprise network and the transactions initiated from the mobile device.

A holistic approach to mobile security should tackle all of these risks and address the unique interdependencies between them (for example, how device risks impact content and application risks). Below we discuss the key capabilities required to manage and secure the different pillars of the mobile enterprise.

Protect the Device

The first imperative that must be addressed is the mobile device itself. Enterprises should enforce basic controls on any mobile device connecting to their networks. Devices that are out of compliance will be restricted from accessing some or all enterprise data and services. For example:

  • Secure device registration: Ensures that only devices that were configured for business use, authenticated with enterprise credentials and registered to a valid user are eligible to use enterprise content and services such as email.
  • Optimal device security posture: Ensures the device security posture meets enterprise criteria, for example the existence of a complex passcode (or fingerprint-based authentication), specific OS-level security and privacy settings, and device data encryption.

While these steps are valid solutions for employee devices, none of these steps is possible for customer devices. This is why other imperatives (specifically, the safeguard applications and data imperative and the manage access and fraud imperative) are needed to address customer device risks.

Secure Content and Collaboration

The second imperative is to secure the enterprise content accessed from and stored on employees’ mobile devices. Enterprise content includes work email and associated attachments. It also encompasses unstructured data from enterprise content repositories such as SharePoint, Documentum and FileNet⁶ as well as cloud storage services like Dropbox. Once on the device, this content must be secured against unintended exposure.

Content and collaboration security includes these core capabilities:

  • Selective enterprise content wipe: If a device is lost or stolen, it is essential that enterprises can remove any business content and profile settings on that device. This requires the ability to isolate business content on the device (containerization) so personal content is not affected in case the device is eventually found.
  • Restricted enterprise content sharing: Applications are the primary way to access mobile content. Based on specific enterprise risk analysis, restrictions should be applied to sharing of business content with non-enterprise applications (such as consumer email or social networking apps). Content sharing control can be applied to enterprise data as a whole or within a specific application context.

Safeguard Applications and Data

The third imperative is safeguarding the mobile applications and data. Mobile applications are the primary way for users to access content and enterprise services. Mail, contacts and calendar enable basic, yet sensitive communication with colleagues, partners and customers. Custom and 3rd party applications handle access to CRM and ERP systems as well as collaboration on content from document management systems. Mobile applications, therefore, represent a key target for criminals and hackers.

Application security includes the following capabilities:

  • Secure coding and vulnerability detection: As with any enterprise application, mobile developers must follow secure coding methodologies and best practices.⁷ The source code should be checked during the development stage for vulnerabilities,⁸ which expand the attack surface for malware. 3rd party applications, often available only as an executable, should be vetted as well. Remediation would ideally occur before a production rollout.
  • Application hardening: Applications placed in public app stores (such as banking and ecommerce apps) are at risk of reverse engineering. Hackers can extract the application source code, recompile the app with new code designed to capture user credentials and other personal information, and redeploy the malicious app on a 3rd party app store. This is not a theoretical problem: popular apps, including top iOS apps, have been hacked.⁹ Enterprises should consider hardening apps against reverse engineering to reduce exposure to account takeover attacks.

Manage Access and Fraud

The fourth imperative is managing mobile access from the device to enterprise resources and fraud detection. Mobile authentication is a common requirement that must tackle the volatile nature of mobile devices (location, time of access) and the need to reduce friction in the login process. Beyond authentication, and specifically for customers, transactional activity must be viewed in context of the user’s historical activity to detect criminal and fraudulent activity.

This imperative includes the following capabilities:

  • Risk-based authentication: Mobile authentication must be context and risk aware in order to reduce friction. Strong authentication measures (like one-time passwords) should be initiated only when the access context (new device, new location, odd time of day, concurrent logins from locations that are far apart) suggests a heightened risk profile, in order to preserve the user experience.
  • Mobile single sign-on: Because login operations on a mobile device are even more cumbersome than on a full-size PC keyboard, users will benefit from logging into an enterprise service once and then seamlessly accessing any other service for which they are authorized.
  • Transaction fraud risk detection: Within the context of a specific user account, analyzing incoming transactions against the account history and the presence of account risk indicators (like malware and phishing attacks) can help detect criminal access and protect the enterprise and its customers against account takeover and fraudulent activity.

A Robust Platform for Secure Enterprise Mobility

In the previous sections we discussed the four imperatives that must be addressed to have a truly secure mobile enterprise. However, for maximum and sustained effectiveness, these capabilities must be powered by context and risk awareness as well as global security and threat intelligence.

Integrating context and risk awareness into the mobile enterprise infrastructure

As enterprises empower employees with mobile access to enterprise content and apps it is critical to gauge the risk of the underlying device and apply appropriate controls. For example, enterprises may want to prevent the delivery of enterprise content to high-risk devices, remove content from devices that fall out of compliance and limit access to enterprise resources based on risk profile.

Determining if a device is “high risk” depends on the following considerations:

  • Is the device jailbroken or rooted? Users who are looking to install apps that have not been vetted by Apple or Google often run a process known as jailbreaking (for iOS) or rooting (for Android) on their devices. This process is developed by hackers and is updated as new OS versions are introduced. While it enables users to install any app they like, it breaks the device security model and makes the device highly susceptible to malware attacks. We strongly advise businesses to prevent such devices from entering their enterprise network.
  • Is the device infected with mobile malware? A device may already be infected with malware when enterprise access is requested, or may become infected over time. Malware can tamper with critical services such as SMS, contacts and email and capture personal information including credentials, call records and photos. Detecting the presence of malware, in real time, is critical to assessing device risk and enforcing the relevant enterprise policies on the device.
  • Is the device using the latest software and all security patches? Similar to other enterprise platforms, users should have the latest security patches (packaged with the latest OS build) on their devices. Especially with Android OS, some devices never get updated or fall behind with critical unpatched vulnerabilities present.
  • Is the device used in a suspicious context? Suspicious usage can be derived from context: where and when the device is used, and whether this is a new device or one that has been registered before. For example, accessing the account from a foreign country when previous access always occurred from the United States west coast.

Once these risks can be detected and analyzed, various remediation steps can be taken. For example, an enterprise mobility management system can erase any enterprise content from compromised devices, prevent the delivery of new content and remove malicious apps. Access to enterprise resources can be restricted until the device risk is remediated. Mobile applications can disable or restrict sensitive functions based on device risk. The access control layer can restrict vulnerable device access with risk-based authentication (so strong authentication is only used in truly high-risk situations).
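The following is an added illustration, not code from the paper or from any IBM product, of how the four device-risk considerations above and the remediation steps can be combined into one access decision; it also implements the risk-based authentication rule from the earlier "Manage Access and Fraud" section (step-up only when context is suspicious). All field names, thresholds and action names are assumptions, and the device reports are constructed samples.

```python
"""Risk-based access decision for a mobile device requesting enterprise resources.

Added example (not the paper's or any product's code). Inputs model the four
device-risk considerations: jailbreak/root, malware, outdated OS, and suspicious
context. Outputs model the remediation steps: wipe enterprise content, suspend
content delivery, remove malicious apps, restrict access, or step up
authentication. Thresholds and names below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Assumed minimum patched OS versions per platform (constructed sample values).
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {"ios": (8, 3), "android": (5, 1)}
IMPOSSIBLE_TRAVEL_KM_PER_H = 900.0  # assumed: faster than a commercial flight


@dataclass
class LoginEvent:
    when: datetime   # UTC, naive for brevity
    lat: float
    lon: float
    country: str


@dataclass
class DeviceReport:
    device_id: str               # strong device ID supplied by a device-risk agent
    platform: str                # "ios" or "android"
    os_version: Tuple[int, int]
    jailbroken: bool             # jailbroken (iOS) or rooted (Android)
    malware_found: List[str]     # app identifiers flagged by a malware scan
    registered: bool             # device is enrolled to this user
    login: LoginEvent
    history: List[LoginEvent] = field(default_factory=list)


@dataclass
class Decision:
    access: str                  # "allow" | "step_up" | "restrict" | "block"
    reasons: List[str]
    actions: List[str]


def haversine_km(a: LoginEvent, b: LoginEvent) -> float:
    """Great-circle distance between two login locations, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def context_reasons(r: DeviceReport) -> List[str]:
    """Consideration 4: is the device used in a suspicious context?"""
    reasons: List[str] = []
    if not r.registered:
        reasons.append("device not registered to this user")
    if not r.history:
        return reasons
    if r.login.country not in {h.country for h in r.history}:
        reasons.append(f"first access from {r.login.country}")
    hours = [h.when.hour for h in r.history]
    if not (min(hours) - 1 <= r.login.when.hour <= max(hours) + 1):
        reasons.append("access outside usual hours")
    for h in r.history:
        gap_h = abs((r.login.when - h.when).total_seconds()) / 3600.0
        dist = haversine_km(r.login, h)
        # Two logins too far apart for the elapsed time to be the same traveller.
        if gap_h < 24 and dist > IMPOSSIBLE_TRAVEL_KM_PER_H * max(gap_h, 0.1):
            reasons.append(f"impossible travel: {dist:.0f} km in {gap_h:.1f} h")
            break
    return reasons


def assess(r: DeviceReport) -> Decision:
    """Combine the four considerations into one access decision with actions."""
    reasons: List[str] = []
    actions: List[str] = []
    compromised = False
    if r.jailbroken:                                   # consideration 1
        compromised = True
        reasons.append("device is jailbroken/rooted")
    if r.malware_found:                                # consideration 2
        compromised = True
        reasons.append("malware detected: " + ", ".join(r.malware_found))
        actions += [f"remove_app:{pkg}" for pkg in r.malware_found]
    outdated = r.os_version < MIN_OS_VERSION.get(r.platform, (0, 0))
    if outdated:                                       # consideration 3
        reasons.append(f"{r.platform} {r.os_version[0]}.{r.os_version[1]} below minimum")
    ctx = context_reasons(r)                           # consideration 4
    reasons += ctx
    if compromised:   # EMM remediation, then block until the device is clean
        actions += ["selective_wipe_enterprise_content", "suspend_content_delivery"]
        return Decision("block", reasons, actions)
    if outdated:      # limited resources only until patched
        actions.append("require_os_update")
        return Decision("restrict", reasons, actions)
    if ctx:           # strong authentication only on heightened risk
        actions.append("require_one_time_password")
        return Decision("step_up", reasons, actions)
    return Decision("allow", reasons, actions)


def sample_reports() -> Dict[str, DeviceReport]:
    """Constructed reports (not real telemetry) covering each decision tier."""
    sf = LoginEvent(datetime(2015, 3, 2, 16, 0), 37.77, -122.42, "US")
    la = LoginEvent(datetime(2015, 3, 3, 9, 30), 34.05, -118.24, "US")
    sf_again = LoginEvent(datetime(2015, 3, 3, 14, 0), 37.77, -122.42, "US")
    kyiv = LoginEvent(datetime(2015, 3, 3, 11, 0), 50.45, 30.52, "UA")
    hist = [sf, la]
    return {
        "clean": DeviceReport("dev-A", "ios", (8, 3), False, [], True, sf_again, hist),
        "foreign": DeviceReport("dev-A", "ios", (8, 3), False, [], True, kyiv, hist),
        "infected": DeviceReport("dev-B", "android", (5, 1), False,
                                 ["com.example.fakebank"], True, sf_again, hist),
        "outdated": DeviceReport("dev-C", "android", (4, 4), False, [], True, sf_again, hist),
    }
```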

By making the mobile security framework context and risk aware, organizations adopt a smarter way of addressing the unique risks of the mobile channel.

Sustain mobile security controls with expert research and threat intelligence

One of the challenges facing security controls is continuous adaptation to emerging threats. Mobile security controls are no different. For example, jailbreak detection logic must address the evolution of jailbreak hiders¹⁰ that are designed to conceal the fact that a device is jailbroken so it is not flagged as a high-risk device. Similarly, as more behavioral and contextual controls are created, hackers are looking to closely imitate their victims to evade detection.

Overall, keeping mobile security controls viable requires dedicated research teams and a credible source of real-time, global threat intelligence.

Integrate mobile security into the broader enterprise security context

Mobile devices create a new enterprise access channel. Mobile security events should therefore be managed as part of the overall enterprise security context. By feeding mobile security events into an enterprise security information and event management system (SIEM), mobile-centric threats and attack vectors can be incorporated into the enterprise incident response processes.

The IBM Mobile Security Framework

The IBM Mobile Security Framework is IBM’s holistic solution for securing the mobile enterprise across all imperatives. It brings together best-of-breed products for specific secure mobility needs and integrates them to maximize impact and reduce time to value. The IBM foundation for mobile security makes our overall solution stronger and more effective.

We will present the framework components by walking through two common mobility initiatives.

Securing the Mobile Workforce and Enabling a BYOD Program (B2E)

Organizations want to provide their employees with secure mobile access to enterprise resources. With BYOD programs becoming table stakes in mobility projects, there is a need to manage and secure devices that are outside IT control. Beyond device risk, the coexistence of personal and business data introduces additional complexity for IT security and mobility teams.

Securing the employee device and critical business content

IBM’s MaaS360 Protect enables customers to quickly enroll devices and enforce granular policies on corporate-owned and managed employee-owned devices over the air. These policies ensure proper device security posture and secure device registration.

IBM MobileFirst Protect uses containerization and application wrapping technologies to isolate and control corporate data on the mobile device. This enables selective wipe of business data without impacting personal information such as photos. To ensure content does not leak, MobileFirst Protect delivers a separate workspace with secure productivity apps that include email, contacts, calendar and content editors, as well as a secure browser and gateway for secure connectivity to corporate networks. This ensures enterprise assets are only accessed in a controlled manner and content sharing is restricted based on business risk and enterprise policies.

IBM MobileFirst Protect Threat Management, powered by IBM Security Trusteer, adds a unique risk awareness capability and enables enterprises to dynamically enforce policies based on device risk. This is especially important for a BYOD program, as employees may introduce vulnerable or compromised devices into the enterprise environment. For example, enterprises may restrict access to internal web applications or content repositories for malware infected devices to mitigate the risk of data exposure and network breach.

IBM MobileFirst Platform Foundation (also known as Worklight) provides an integrated development and runtime environment for native and hybrid mobile applications. IBM MobileFirst Platform includes a security engine that can enforce application-specific rules to control application usage and functionality based on underlying device risks and other context parameters. This is useful when mobile security requirements are tied to specific applications and should be weighed against the more comprehensive infrastructure we discuss in this paper. IBM MobileFirst Platform Application Scanning seamlessly augments this environment with source code vulnerability scanning. It enables a secure development life cycle and reduces the risk from malware attacks. Applications available from 3rd parties as an executable can be analyzed using IBM Security AppScan Mobile Analyzer, a cloud-based mobile application security service. Mobile Analyzer scans apps and reports on potential code vulnerabilities such as cross-site scripting and broken cryptography. IT security can authorize or prohibit adding mobile apps to internal app stores based on security risk.

Organizations can also make their applications risk aware via the use of the IBM Trusteer® Mobile SDK. The Trusteer Mobile SDK is pre-integrated with IBM MobileFirst Platform Foundation and enables runtime enforcement of application security policies when applications execute on compromised or vulnerable devices. The same risk awareness can also be embedded directly into any mobile app and utilize device risk data to adapt the application business logic based on device risk. For example, a mobile ERP app could disable purchase order approvals on high-risk devices.

When employees connect to the enterprise network and resources from a mobile device, IBM Security Access Manager (ISAM) analyzes the connection request. It utilizes context awareness across many domains (time of access, device location, device identification and device risk factors) to apply access control policies to the connection.

ISAM is integrated with IBM MobileFirst Platform, IBM MobileFirst Protect and Trusteer Mobile Browser to inform its policy engine with specific device risk and contextual indicators. For example, it can prevent malware infected devices from connecting to the network, initiate the use of two-factor authentication for access via new device or a new location, or enforce the use of a secure browser to access specific resources.

In addition, ISAM integrates with IBM MobileFirst Protect to offer Single Sign-On from the mobile devices into enterprise applications.

Securing mobile customers represents a different set of challenges than addressing mobile workforce security. In the case of mobile customers and partners, enterprises have no control over these devices (“unmanaged devices”) and these users are unlikely to agree to grant such control over their devices. Enterprises must therefore assume the unmanaged device could be compromised and that no sensitive enterprise content should be deployed onto the device. The touch points that need to be secured are the customer facing applications as well as the customer’s login and transactions.

Enterprises engage their customers and partners through publicly available mobile applications. These applications should be vetted for vulnerabilities, either during source code development or as an executable (as we previously discussed). However, because these applications are publicly available, enterprises should also consider application hardening with solutions like Arxan Application Protection for IBM Solutions. Application hardening prevents hackers from reverse engineering mobile apps, incorporating malicious code into them and then redeploying them on 3rd party app stores to lure unsuspecting customers. Once installed and launched, these apps often capture customer credentials or initiate fraud schemes.

Furthermore, as unmanaged device security posture is often weak, organizations should embed Trusteer Mobile SDK into their externally facing apps to dynamically assess the risk of the underlying device. For example, mobile banking apps may disable transactional activity on vulnerable devices.

Customers use mobile applications and browsers to access services such as mobile banking and mobile commerce. Often, customers’ credentials are exposed via phishing and malware attacks on either mobile devices or personal computers. Criminals use these credentials to take over customer accounts from their own mobile devices, and the security and fraud teams have the difficult task of identifying such incidents. IBM Security Trusteer Pinpoint Criminal Detection correlates a large number of risk factors associated with account logins and transactional activity to accurately flag high-risk access. Among the risk factors, it considers strong device identification, device usage patterns and past account compromise incidents by malware and phishing attacks across all channels (desktops, laptops and mobile). By relying on proprietary, dynamic and real-time risk data it can enable rapid response to criminal activity and minimize false positives.

The Trusteer Mobile SDK accurately detects compromised and vulnerable devices including:

  • Rooted and jailbroken devices, including devices that were jailbroken in a way designed to hide the fact that they are no longer secure
  • Malware-infected devices, covering both financially focused threats and general enterprise threats
  • Outdated mobile OSes and missing security patches

In addition, the Trusteer Mobile SDK provides a strong device ID to uniquely identify each device.

Trusteer Mobile SDK is pre-integrated with multiple IBM offerings to provide risk awareness to inform smarter policy enforcement:

  • IBM MobileFirst Protect Threat Management (MaaS360): this integration allows organizations to take specific mitigating actions, such as removal of enterprise content, on malware-compromised devices until the device risk is eliminated.
  • IBM MobileFirst Platform (Worklight): the integration with the application development and runtime platform allows developers to incorporate risk awareness directly into their applications without any coding. The application runtime engine enforces security policies to restrict usage of the applications depending on the type and scope of the underlying device risk.
  • IBM Security Access Manager: ISAM consumes device risk attributes relayed by MobileFirst Platform, MobileFirst Protect Threat Management and the Trusteer Mobile Browser. Its rule-based policy engine can enforce access control to enterprise resources based on these dynamic, real-time attributes.

In addition to these pre-built integrations, application developers can embed the Trusteer Mobile SDK into any application. By invoking the SDK, real time device risks are detected and delivered to the app code. For example, mobile banking apps can restrict money transfers based on underlying device risk such as malware infection and associate a strong device ID with each transaction generated through the app.

The threat landscape is constantly shifting as attackers look for new ways to go through and around security controls. IBM X-Force uses global research operations to keep track of the threat landscape and adapt security defenses with the latest techniques and counter-measures.

IBM X-Force tracks evolving mobile malware, new techniques to root and jailbreak devices and new tactics used by criminals to penetrate customers’ and employees’ accounts. Research findings are applied as policy rules and code enhancements across the mobile security controls to maintain accurate detection and prevention of mobile threats.¹¹

The various mobile security products are integrated, when applicable, with IBM Security QRadar. IBM Security QRadar consolidates and correlates all security related events across the enterprise. By incorporating mobile security events, an appropriate enterprise response can be developed against sophisticated attacks that use the mobile channel.

The Path to Mobile Security Maturity

In late 2014 IBM launched a survey to explore what capabilities enterprises are currently deploying vis-à-vis the IBM Security Framework imperatives. We also looked at the short-to-medium term plans to extend these capabilities in what we called the “path to mobile security maturity”.

What we found indicates that enterprises are “halfway there”. Naturally, there is a continuous focus on the basic imperatives of device and content security. Enterprises are still facing the risk of data loss from a stolen device, and the use of enterprise mobility management (EMM) suites helps to address that scenario. We expect that in the foreseeable future virtually all enterprises will have some form of EMM deployed to ensure mobile devices conform to their policies before allowing access to enterprise resources, and that enterprise content can be selectively wiped or protected if a device is lost or stolen.

The next big challenge for enterprises is the development of secure enterprise applications. Here, the need to establish a secure application development lifecycle has been inherited from the existing paradigm of secure Web development. A subset of the respondents are using vulnerability scanning tools for their app source code, while a smaller subset does so for binaries (3rd party or even public apps). Ensuring these business applications are vulnerability free is a critical capability for any enterprise that wants to realize the benefits of mobility while reducing exposure to malware and other attacks.

Finally, managing access and transaction fraud risk is an emerging capability. Transaction risk is related to all interactions between the mobile device and the backend system: Accessing the network, login and access of data and services. To effectively protect transactions, enterprises will have to consider underlying device risk and user access patterns to determine the business exposure associated with specific sessions and interactions. This can help detect account takeover and fraudulent transactions before the enterprise data and customer assets are exposed.

The IBM Mobile Security Framework offers a holistic solution and a comprehensive roadmap for securing your mobile enterprise. You can now help the business embrace the benefits of mobility for both employees and customers while minimizing risk and reducing cost and complexity.

¹ IBM/Apple mobile enterprise alliance is responding to this heightened level of expectation of how vertical mobile applications should be built and delivered.

² https://www.cmocouncil.org/facts-stats-categories.php?view=all&category=mobile-marketing

³ https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/

⁴ https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html

⁵ http://securityintelligence.com/can-you-trust-it-mobile-authentication-must-become-context-and-risk-aware

⁶ For IBM enterprise content management solutions visit http://www-03.ibm.com/software/products/en/category/enterprise-content-management

⁷ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Home

⁸ Gartner Hype Cycle for Enterprise Mobile Security 2014 indicates that: “…With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory precautions against attacks…”

⁹ https://www.arxan.com/arxan-annual-report-state-of-mobile-app-security-reveals-an-increase-in-app-hacks-for-top-100-mobile-apps/

¹⁰ http://lifehacker.com/5864300/xcon-unblocks-iphone-apps-with-jailbreak-detection

¹¹ IBM X-Force releases thought leadership reports that summarize key developments in the global cybercrime threat landscape. For the latest report please visit http://www.ibm.com/security/xforce