Zenprise ctia 10-11-2011_v02
•
2 j'aime•817 vues
From Mobile Device Management to Entperise
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (18)
Similaire à Zenprise ctia 10-11-2011_v02
Similaire à Zenprise ctia 10-11-2011_v02 (20)
Dernier
Dernier (20)
Zenprise ctia 10-11-2011_v02
- 1. Zenprise Protect the Enterprise In Your Pocket Shafaq Abdullah Principal/Architect, Software Twitter:@shafaq110 : shafaq.abdullah@zenprise.com © 2011 Zenprise, Inc. All rights reserved. 0
- 2. Mobile Is A Top Priority Across The Board 69% higher than $6,600 their prediction earlier this year $3,400 $1,800 $300 $700 $200 2010 2011 2012 2013 2014 2015 Forrester 59% 3x 17,000 Forrester Aberdeen Research2Guidance 1 | © 2011 Zenprise, Inc. All rights reserved. © 2011 Zenprise, Inc. All rights reserved. 1
- 3. The Problem: The Mobile Blind Spot © 2011 Zenprise, Inc. All rights reserved. 2
- 4. Three Enterprise Mobility Use Cases CEO at Starbucks Employee at Office VP Lands in China Viewing Corporate Data Loading Photos to Accessing M&A on Personal iPad via Facebook on Corporate Documents from Dropbox Unrestricted WiFi Android on Personal iPhone On Any Device Are your data Which apps Is the connection protected? are safe? secure? © 2011 Zenprise, Inc. All rights reserved. 3
- 5. Zenprise Offerings Complete Management Solution ZENPRISE Industry’s Only Solution for All Devices MOBILEMANAGER™ With Security At All iPhone, iPad, Android, Software Solution Layers Windows Mobile, Blackberry, Symbian…. ZENCLOUD™ Public, Private, Hybrid Cloud-based Offering 100% SLA © 2011 Zenprise, Inc. All rights reserved. 4
- 6. Zenprise Differentiated Value: Protection At All Layers CEO Employee Board of Directors DEVICES APPLICATIONS NETWORK DATA + + + Any Connection Repository Any and All Ever Increasing to Enterprise Integration DATA (IP, non-public financial, BI, customer data, employee data) Real-Time Security At All Layers © 2011 Zenprise, Inc. All rights reserved. 5
- 7. Differentiated Value At The Device Layer Dynamic Defense Dynamic Defense • Dynamic, context-aware policies for device resource or app usage based on time of day or location • Granular device and data governance and control reduces risk and enables compliance © 2011 Zenprise, Inc. All rights reserved. 6
- 8. Differentiated Value At The App Layer Mobile App Tunnels Mobile App Tunnels • Secure, dedicated, VPN-like connection from user to app • Granular access vs. all-or-nothing with VPN • Segregate critical business apps • Better performance, reliability, and cost through data compression and continuity even with poor connectivity © 2011 Zenprise, Inc. All rights reserved. 7
- 9. Differentiated Value At The Network Layer Mobile Security Intelligence Mobile Network Intelligence • Visibility into mobile network traffic and behavior by device, user, system, or application • Identifies unauthorized access, insider threats, leakage of sensitive corporate data, and compliance violations • SIEM integration © 2011 Zenprise, Inc. All rights reserved. 8
- 10. Differentiated Value At The Data Layer • The industry’s first mobile DLP solution that addresses sensitive data • Secure file synch in document container • Provides context- and content-aware mobile DLP • Leverages SharePoint – the primary enterprise collaboration tool © 2011 Zenprise, Inc. All rights reserved. 9
- 11. Secure Data Container on Android • (app + ciphering) + sqlite = encrypted data container • app + (sqlite (with ciphering)) = encrypted data container © 2011 Zenprise, Inc. All rights reserved. 10
- 12. Enterprise Virtual Machine on Mobile Devices Office Phone, Personal Phone paradox! Isolating Personal Content from Enterprise one © 2011 Zenprise, Inc. All rights reserved. 11
- 13. Enterprise-Grade Architecture • Proven in production Number of Devices Managed deployments with 10s of 1,000s of users and devices Fortune 500 Tech 25K • Managing 65,000 devices on Fortune 500 Manufacturing 30K a single Zenprise server Government Agency 30K • Six years of technology development in scalability and Global Carrier 28K service management Fortune 500 Conglomerate 65K • High availability at web, app, and data tiers • 100% uptime SLA with cloud Proven to Meet Needs of Any Size Organization © 2011 Zenprise, Inc. All rights reserved. 12
- 14. Recognized As The Leader By Gartner Zenprise © 2011 Zenprise, Inc. All rights reserved. 13
- 15. How It Works: Full Lifecycle Management Configure Decom- Provision mission Monitor Support and report © 2011 Zenprise, Inc. All rights reserved. 14
- 16. How It Works: Configure, Set Policies, Define Apps © 2011 Zenprise, Inc. All rights reserved. 15
- 17. How It Works: Users Self-Enroll In Minutes 1 2 3 4 Begin Enter Install cert Download enterprise enrollment credentials and profile recommended apps © 2011 Zenprise, Inc. All rights reserved. 16
- 18. How It Works: Enterprise-Grade Architecture © 2011 Zenprise, Inc. All rights reserved. 17
- 19. How It Works: Enterprise-Grade Architecture © 2011 Zenprise, Inc. All rights reserved. 18
- 20. ZencloudTM: Flexible Deployment Options © 2011 Zenprise, Inc. All rights reserved. 19
- 21. Customer Case Study: Aerospace • Fortune 100 aerospace company • Challenges - Management Dozens of devices types, operating systems, applications, carrier and support plans - Security Lost or stolen devices exposing data, mobile threats via browser - Visibility Installed applications, user activity • Chose Zenprise over MobileIron because - Best fit with security and technical requirements - Actionable intelligence about carrier expenses and service • Foundational to multi-thousand device global roll-out © 2011 Zenprise, Inc. All rights reserved. 20
- 22. Customer Case Study: Telecommunications • Fortune 100 global telecommunications company • Challenges • Scalability Centrally manage tens of thousands of employees around the world • Management Diverse array of operating systems (iOS, Android, BlackBerry, WinMo, and Symbian) • Enterprise integration Active Directory, integration with business process management system, single sign-on • Chose Zenprise over MobileIron, AirWatch, BoxTone, and Good because • Simple, well-supported integration and configuration • Strong match with current and future requirements (roadmap) • Result: 30%+ reduction in device-enablement service requests © 2011 Zenprise, Inc. All rights reserved. 21
- 23. The Top Five Win Customers While Planting Competitive Landmines Protection across ALL LAYERS: 1 device, app, network, data 2 Security ARCHITECTED in; no data exposed in the DMZ The most SCALABLE cloud and on-prem solution in the 3 market; proven in production 4 …with the HIGHEST AVAILABILITY (fully-redundant at all levels) 5 The LEADER in Critical Capabilities, per Gartner © 2011 Zenprise, Inc. All rights reserved. 22
- 24. Android Security and best Practices © 2011 Zenprise, Inc. All rights reserved. 23
- 25. Android Apps SECURITY • UIDs • Application Sandbox with distinct permission • Application signing using self-signing certificates • Permissions on Manifest © 2011 Zenprise, Inc. All rights reserved. 24
- 26. Levels of Permission • Normal • Dangerous • Signature • SignatureOrSystem © 2011 Zenprise, Inc. All rights reserved. 25
- 27. Intent Filter • IntentFilters are not a security boundary they cannot be associated with permissions • Categories when added to Intent, help to avoid unintented consequences • android:permission attribute in an <activity> • When are Activities Private • Intent arugments: Command-line © 2011 Zenprise, Inc. All rights reserved. 26
- 28. Broadcast Listener • Securing BroadcastReceivers with permissions © 2011 Zenprise, Inc. All rights reserved. 27
- 29. Questions? © 2011 Zenprise, Inc. All rights reserved. 28
- 30. © 2011 Zenprise, Inc. All rights reserved. 29
Notes de l'éditeur
- Slide 1. Enterprise mobility is a top 1 or 2 initiative across virtually every industry, size of company, and around the world. The market has blown estimates and forecasts out of the water as companies seize the business opportunity mobile devices bring. Please indulge me for a few data points that hopefully illustrate this point. Forrester revised its estimate from earlier this year upward by nearly 70%, predicting this will be a $6.6B market by 2015. 59% - the number of organizations, according to Forrester, who are employing a “bring your own device” program at work. BYOD is the big driver that everyone talks about but beyond that, and where it starts to get interesting, is that businesses around the globe are pursuing mobile strategies to gain business advantage anddrive top line growth. 3x – In a recent report about Mobility and ERP, Aberdeen noted that best in class enterprises are 3 times more likely than other enterprises to have business process workflow tied to employees’ mobile devices. And finally, 17,000 – diving into one vertical alone, this is the number of healthcare applications in major app stores today. It’s an example of one industry putting its money where its mouth is and representative of the business opportunity in that vertical alone. ? $6.6M market Chart: Forrester’s new projection for the Mobile Management Services market, up 69% from the prior projection earlier this year59%: The percent of companies now supporting BYOD, per Forrester via GigaOM (http://gigaom.com/mobile/forrester-more-than-half-of-enterprises-support-consumer-phones/). This is here and now. Companies don’t have a choice.3x: The greater likelihood than all others of “best in class” enterprises, per Aberdeen’s framework, to have business process workflow tied to their mobile device, per Aberdeen report, “Mobility in ERP 2011”, May 2011. Mobility is also a business opportunity that executives recognize and want to seize on.17,000: Diving into one vertical, the number of healthcare applications in major app stores today. An example of the business opportunity in one vertical alone.
- Slide 2. 2010. The problem we’re addressing is the mobile blindspot. Organizations have spent the last ten years or so – not to mention billions of dollars – securing the information in their businesses with technologies like firewalls and anti-malware…but then mobile devices come along and threaten all that because they’re coming into enterprise networks, IT can’t see them, can’t audit them, can’t control what they’re accessing, and can’t claw back sensitive data once it’s been downloaded onto a device.
- Slide 3. Here’s a look into three specific use cases we address: 1. Dealing with users accessing important business apps and data over insecure networks; 2. Employees using non-compliant apps or apps that could put their business at risk, especially during the workday. Think about the trader whose investment bank was fined $6B for an insider tip that he sent via the Facebook IM function while on the trading floor during market hours; and 3. Employee access to sensitive business data with no ability for the enterprise to lock down that data.
- Slide 7. We have two mobile device management offerings that address management and security of mobile devices across their lifecycle: ZenpriseMobileManager, our on-premise offering, and Zencloud, our cloud-based offering available as public, private, or hybrid cloud.
- Need to make sure the layers are mapped to correct entiities, data is not a layerSlide 8. Our customers’ primary requirement – and the vision we’re delivering on – is what we’re calling real-time security at all layers of the mobile enterprise. Zenprise has unique differentiators at each of the mobile device, application, network, and data layer.
- Slide 3. First, tackling the device. At the device we offer table stakes functionality like lock and wipe, selective wipe, configuration, device inventory, continuous compliance, integration with enterprise resources like AD, PKI, WiFi, VPN, etc…as well as the broadest and deepest device support in the market. But beyond these minimum requirements, and where we’re unique, is we also bring dynamic, context-aware policies based on role, device type, location, time of day, and whether the device is company-issued or personally-owned. An example is the ability to limit the camera function for government employees with a certain clearance level who are working in a certain location, or as is the use case here, in blocking a specific application, in this case, Facebook, for traders during market hours. We call this Dynamic Defense, it’s one of our key features, and it’s unique to usFlexibility in the policy
- Slide 4. Next, the app layer. At the app layer it’s about enabling secure access to applications, granular app features, BL, WL, enterprise app store, app inventory, the ability to do a number of things including not just block the device from entering the network, but also shutting an app down…A lot of the leading MDM providers offer these features. But where we’re unique is that Zenprise provides something we call Mobile App Tunnels, which are like VPNs, dedicated encrypted connections between a user and an app regardless of VPN connectivity. So it can work if the device is connected via VPN or not. The value of this is it solves the all-or-nothing issue that we see with VPNs – where a user who has VPN access for one app can fairly easily access any corporate app to which he has desktop access but may or may not have permission on a mobile device. App tunnels put the control and governance into the hands of IT, so they can granularly offer secure app access by role on a per app basis. It also solves the app segregation issue. You don’t want to be exposing your sensitive business apps to the rest of the apps on a device, especially a personally-owned device. This protects the rest of your corporate network if something bad like malware infects one device. Finally, a non-security benefit of app tunnels is that they maintain state in the case of spotty networks or dead zones. So if I’m on one network and need to change, I don’t need to start a new session; the solution will maintain state and then resume the connection when I have better network connectivity. Nobody else does this; it’s unique to Zenprise.
- Slide 5. Next, the network layer. The network layer is where our Secure Mobile Gateway does heavy lifting enforcing policies such as blocking of blacklisted apps and proxying ActiveSync traffic. What’s unique to us, though, is it’s where administrators have visibility into devices and user behavior, such as whether mobile users are accessing secure content on their mobile devices. It lets our customers protect the corporate network from mobile and insider threats and provides log intelligence to SIEM tools for correlation, alerting, reporting, and forensics. In fact, we were just recognized as the top new security vendor at the HP Protect show for our solution, and our Mobile Security Intelligence had a lot to do with it. It is unique to Zenprise – nobody else provides this.SIEM app; SplunkOnly integration with Splunk
- Slide 6. Finally, the data layer. This is our new Enterprise Mobile DLP solution. It’s the first in the industry to address sensitive data at the data layer. Mobile data leakage has been an issue for years, but the industry has tried to solve it by securing proxies for the data – like securing the device (which is necessary but doesn’t go far enough), or like building coarse-grained email sandboxes, which are cumbersome and don’t really protect data because users can bypass them. What we’ve built is a secure document container that uses mobile-to-enterprise connectivity and lets users do secure document synchronization, but lets the enterprise govern the data through context- and content-aware policies, and integrates with Microsoft Sharepoint.
- . Another differentiator is that Zenprise is enterprise-grade, meeting the requirements of large enterprises or enterprises that have high availability service levels. We have proven ourselves in multi-tens of thousands of device production deployments in the Fortune 100. We have high availability throughout – at the web, app, and data tiers, and in the case of our cloud offering, at the datacenter level. We feature active-to-active clustering so that failover and failback are seamless events for your users. In fact, we’re so committed to our highly-available architecture that we’re offering a 100% uptime guarantee as part of our Zencloud PREMIUM offering
- This is one of the reasons Gartner has recognized us as #1 in their Critical Capabilities report.
- Slide 9. How does it work? A core capability of mobile device management is support for the entire device lifecycle. Zenprise supports the device from cradle to grave in a seamless way. This includes: 1. Configuring devices by type, role, or group; setting up access to corporate resources such as VPN and Wi-Fi; setting security policies such as passcode enforcement, restricting access to content and resources, application blacklisting and whitelisting, and specifying application packages for users; 2. Provisioning devices by enabling fast and simple user self-service enrollment, and delivering configurations, policies, packages, and files in a secure, automated way over-the-air; 3. Providing remote support and helpdesk functions, such as remote lock, wipe, selective-wipe, and locate, or troubleshooting service or access problems. Also, enabling some basic user self-service support; 4. Monitoring and reporting on devices, device details, compliance, and user behavior; and 5. Decommissioning devices upon employee departure. Since we have visibility into which devices are company-issued vs. user-owned, we can enable your customer to choose different decommissioning techniques (e.g., full wipe vs. selective wipe) for each type of device.
- Slide 10. How does configuration and provisioning work? Once Zenprise is installed, deployment of configurations and policies is simple and efficient. It’s a question of walking through an easy-to-understand, yet fully-featured set of configuration screens. Set configuration parameters, policies, and specify application packages.
- Slide 11. Let users self-service enroll in minutes with this easy four step process, including starting enrollment, entering in their credentials, installing their certificate and profile, and downloading enterprise-recommended applications and files. The result will be a customized mobile device appropriate for the user’s role and device.
- Slide 12. What does it look like behind the scenes? Zenprise uses a highly available, redundant, scale-out architecture that has allowed us to support some of the world’s largest mobile device deployments, but do so in a way that employs security best practices.
- Slide 12. What does it look like behind the scenes? Zenprise uses a highly available, redundant, scale-out architecture that has allowed us to support some of the world’s largest mobile device deployments, but do so in a way that employs security best practices.
- Slide 14. The solution is available as on-premise or as a public or hybrid cloud offering. Our cloud offering features a 100% uptime service level agreement.
- Slide 14. Don’t just take our word for it. Talk to our customers, like this aerospace company and one of the biggest companies in the world. They needed a solution that was scalable enough to meet their needs, as well as could support all the different device types they were rolling out. But even more importantly, and really the tipping point for their decision to go with Zenprise over MobileIron, was they needed a highly available solution, so when they did something in their Exchange environment, their mobile users didn’t experience downtime, or when there was a failure, the failover and failback process were seamless. An added benefit for them was visibility on carrier expenses, and the ability to use that intelligence to make decisions.
- Slide 15. Same with this global telecommunications company. They chose us over MobileIron, AirWatch, BoxTone, and Good to secure and manage tens of thousands of their devices because of our simple, well-supported integration and configuration as well as strong match with their requirements. We were able to help them reduce device-enablement service requests by 30%.
- Slide 18: As you position Zenprise with your prospects and customers, if you remember these five points, you’ll be set. 1. Zenprise is the ONLY MDM vendor to protect across all layers of the mobile enterprise – the mobile device, app, network, and data; 2. Our offering was architected with security in mind from the get-go. Versus top competitors in the field, who may expose data in the DMZ or have insecure connections to sensitive business data, Zenprise protects your data and is the chosen vendor of some of the most security conscious enterprises and government organizations today; 3. We are the most scalable solution in the market, proven in many production deployments in the tens of thousands of devices; 4. With the highest availability, with full redundancy at all tiers and active-active clustering meaning that technology failures needn’t mean downtime for users or insecurity for your enterprise. We’re so confident in the availability of our offering that we’re the only vendor to offer 100% uptime guarantee in our cloud offering; and 5. Industry analyst Gartner has recognized us as #1 in their recent critical capabilities report.
- All the IPC communicaiton require the same permission. Starting Activities, starting or connecting to Services, accessing ContentProviders, sending and receiving broadcast Intents, and invoking Binder interfaces can all require the same permission. Therefore users don’t need to understand more than “My new contact manager needs to read contacts : e.g. for READ_CONTACTS application.
- Adding category to intent restricts to what it can do. Future categories could (for example) indicate an Intent was from a remote machine or un-trusted source but because this category won’t match the IntentFilters we put on our applications today, the system won’t deliver them to our programs. android:permission attribute in an <activity> declaration will prevent programs lacking the specified permission from directly starting that ActivityWhen defining Activities, those defined without an intent-filter or an android:exported attribute are not Developers need to be careful not just when implementing Activities but when starting them too. Avoid putting data into Intents used to start Activities that would be of interest to an attacker. A password, sensitive Binder or message contents would be prime examples of data not to include
- because Activities can ask the user before acting. However, it is easier to secure sending a broadcast than starting an Activity because broadcasts can assert a manifest permission the receiver must have.
- because Activities can ask the user before acting. However, it is easier to secure sending a broadcast than starting an Activity because broadcasts can assert a manifest permission the receiver must have.