1. Endpoint Evolution
Mobile Device Management – Protecting Sensitive Data
Kawika Takayama
Public Sector – Endpoint Management and Mobility
Mobility, Virtualization and the Emerging Workspace 1
2. Consumerization is Changing the Face of IT
Consumer-owned devices in the workplace (source: Forrester Research):
• 1 billion consumer-owned smartphones or tablets by 2016
• 365M will own a smartphone or tablet

Device population, 2011 (traditional device focus: corporate-owned, managed) vs. 2014 (evolving user-focused management: personally-owned, unmanaged in the workplace):

Device              2011    2014
Corporate PCs       177M    246M
Personal PCs        -       293M
Smartphones         300M    819M
Tablets             15M     116M
Virtual desktops    13M     70M

The focus of management shifts from the device to apps, information and access; the "relevant devices today" give way to "future devices".
3. Mobility, Cloud and I.T. Mega-Pains
Mobile: must support it to enhance employee productivity.
Cloud (including private cloud): must embrace it to drive business agility and lower costs.
The frustration: "I do not have the means to control security, risk, and compliance across all of these new I.T. platforms."
4. Operating System Diversity Skyrocketing
Corporate desktops, 2009 to 2011 (Windows / Mac / Linux share): Mac 8% and Linux 1.3% in the earlier chart; Windows 87.3%, Mac 11% and Linux 1.7% in the later one.
"First quarter PC forecast: Windows down 2%, Mac+iPad up 250%" - asymco, April 2011
"Android devices outsold the iPhone 2-to-1 in the past three months" - PCWorld, September 2011
5. Stimulating an Evolution in Systems Management
Device centric (today): the device is the unit of management; software, patches and data are tied to it.
User centric (emerging): the user is the unit of management; cloud, services, location, mobile devices, virtual desktops and apps follow the user.
6. Symantec’s HoneyNet Project – March 8, 2012
The Set Up
Before the 50 smartphones were "lost," a collection of simulated corporate and personal data was placed on them to make each look like a real phone. While these apps had no actual functionality, they transmitted data back to us that logged which apps were activated and when; the phone finder was presented with an error message or other plausible reason for the app not working.
The phones were then dropped in high-traffic areas such as elevators, malls, and office food courts, in New
York, Washington D.C., Los Angeles, the Bay Area, and Ottawa, Canada. As people found the smartphones
and attempted to access apps and data, details were anonymously logged to track the “human threat” of a lost
phone.
What to Expect When You Lose Your Phone
• 96% of lost smartphones were accessed by their finders
• 89% of devices were accessed for personal-related apps and information
• 83% of devices were accessed for corporate-related apps and information
• 50% of smartphone finders notified the owner and gave contact information to return the device; however, almost all of these people (86%) attempted to access information on the devices.
http://www.msnbc.msn.com/id/46665467
How safe is your smartphone's data?
7. The Importance of Patching 3rd Party Applications
Internet Security Threat Report (April 2011): more than ⅔ of all endpoint vulnerabilities are found in 3rd party desktop applications.
Top 5 vulnerable applications: Apple Safari | Mozilla Firefox | Google Chrome | Microsoft Internet Explorer | Adobe Flash Player
National Vulnerability Database:
• 30% increase in the overall number of vulnerabilities in 2010 (6,253)
• 161% increase in new vendors affected by vulnerabilities in 2010
• Chrome and Safari vulnerabilities on the rise
• 346 vulnerabilities affecting browser plug-ins
8. Mobile Marketplace
Of the 1 billion consumer smartphones and tablets, Apple, Google, and Microsoft control 90% of the marketplace*
9. Endpoint Management Building Blocks
From the foundation up:
Layer 1: Consistent Tool Sets
• Reduce errors and training costs
• Fewer steps for routine tasks
• Reduce IT silos
Layer 2: Cross Platform Patch Management
• Greater threats to other platforms
• Third party applications
Layer 3: Unified Application Management
• More application types to manage
• Faster delivery of service
• Greater need to enforce compliance
Mobile
• Enterprise enablement
• Greater need for data security
• Central enterprise app store
10. Use Symantec Mobile Management to enforce policy
and compliance controls
Secure
Protect enterprise data and
infrastructure from attack and theft
Enable
Activate enterprise access, apps and
data easily and automatically
Manage
Control inventory and configuration
with massive scalability
Redefining Mobile Protection 10
11. Now Selling!
Odyssey Athena/Mobile Management for SCCM
• Managed through the Microsoft SCCM platform
• Provides a similar feature set to Symantec Mobile Management
12. Mobile Platform Enhancements
Console-agnostic platform: one set of Symantec services behind multiple consoles and multiple OSs; enables "Powered by Symantec".
Symantec Services: Global Policy Editor, Configuration Profile Service, Tenant Administration Service, Device Notification Service, Device Enrollment Service, Notification Feedback Service, Device Provisioning Service, Console Integrator, Device Inventory Service, Certificate Management.
Core products: Symantec Mobile Management (existing product); Symantec Mobile Management for SCCM (new product).
Add-ons: Symantec DLP for Tablets (existing product); Symantec Managed PKI (existing product).
Symantec Advances Enterprise Mobility Strategy 12
13. Symantec Mobile Superiority
• Symantec IS Security
– Secure architecture satisfies DOD requirements
– More than just MDM – DLP, SEP Mobile
• Scalability/Robustness
– Most clients per server (40,000+)
– Proven platform (can’t be built overnight)
• Unified Management
– Any MDM will solve today’s tactical issues (executive iPads)
– As mobile becomes mainstream, a silo solution is the wrong answer
• Future Proofing
– MDM is commoditizing, converging with security and PCLCM solutions.
Where will “pure play” vendors be a year from now? We are already
there.
14. Symantec Mobile Management
Robust mobile policy and compliance
• Enterprise Enablement
  – Activation of devices across platforms
  – Software delivery via Mobile App Store & Mobile Library
  – Configuration & policy management
• Mobile Security
  – Security configuration, alerts, jailbreak protection
  – Corporate / personal separation, remote wipe
  – Identity and certificate management
• Enterprise Management
  – Asset reporting
  – Single infrastructure console
  – Scalable architecture
15. Actual Customer Challenges
Banking & Finance (VP of Desktop Operations)
• Cost containment for over 4,000 applications
• Support brick-and-mortar reduction initiative
• Pressure to support personal devices
"Streaming is a stepping stone to any device anywhere"
Healthcare & Pharmaceuticals (VP of Client Architecture), key challenges:
• 75% of current workforce is mobile
• Self service permeates all IT projects
"Any app, any device, anytime in a secure fashion"
Entertainment & Gaming (VP of Desktop Operations)
• Creative atmosphere driven towards Mac
• Enable end user choice in hardware & devices
• Consistent software management across platforms
"Self Service across devices is key to our IT business model"
16. Symantec Mobile Device Solutions Today
Mobile Device Security
• Threat Protection (SEP Mobile Edition)
• Network Access Control (SNAC Mobile Edition)
Mobile Device Management (Symantec MMS)
• Inventory
• Configuration
• Intelligent Software Management
• Remote Assistance
17. Symantec Mobile Management 7.1
Advanced iPhone/iPad/iOS Management
• Key Requirements/Features
– Native iOS integration
• Native agent for iPads and iPhones
– Removal of dependency on MS Exchange
• Easy device enrollment
– User authentication
– Automatic download of a device certificate
– Automatic initial download of all security and management policies, including the Apple Configuration Utility settings
– Identify and block jailbroken phones and other non-compliant devices (minimum OS version, hardware type, etc.)
• Collection of detailed asset inventory, e.g. device is jailbroken, what apps are installed, etc.
• Confirms security and management policies have been applied to the device
– Apple Configuration in Mobile Management 7.1 Console
• Support for all of the native MDM features in iOS 4.0 and 5.0
• Define and deploy settings from the Mobile Management 7.1/SMP console
– VPN/Wireless settings, Proxy settings, Control iTunes, Safari and other features, etc.
– Automatic download and application of new policies
• Enterprise app store (“library”)
– Enables delivery of in-house apps and content to device
– Supports links to Third party apps in Apple App Store
18. Apple Configuration Profiles (Policies)
• Passcode Profile
  – Require passcode
  – Allow simple value
  – Require alphanumeric value
  – Passcode length
  – Number of complex characters
  – Maximum passcode age
  – Time before auto-lock
  – Number of unique passcodes before reuse
  – Grace period for device lock
  – Number of failed attempts before wipe
  – Control Configuration Profile removal by user
• Certificates and identities
  – Credentials
  – SCEP
• Exchange ActiveSync
• Email (IMAP / POP)
• VPN (L2TP, PPTP, IPSec, Cisco, Juniper, F5, custom)
• Wi-Fi (Open, WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise, etc.)
• Advanced – APN, Proxy settings
• Restrictions
  – App installation
  – Camera
  – Screen capture
  – Automatic sync of mail accounts while roaming
  – Voice dialing when locked
  – In-application purchasing
  – Require encrypted backups to iTunes
  – Explicit music & podcasts in iTunes
  – Allowed content ratings for movies, TV shows, apps
  – Safari security preferences
  – YouTube
  – iTunes Store
  – App Store
  – Safari
• LDAP
• CalDAV
• CardDAV
• Subscribed calendars
• Web Clips
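The passcode and restrictions settings above map onto two payloads of an Apple configuration profile. The following added example (not Symantec's code and not from the slides) builds such a profile with Python's plistlib, using the payload types and keys documented in Apple's Configuration Profile Reference (com.apple.mobiledevice.passwordpolicy and com.apple.applicationaccess), serialises it as a .mobileconfig, and parses it back to check the security-relevant values. The identifier prefix com.example.mdm, the organization name and the chosen values are assumptions for this illustration.

```python
"""Build an Apple configuration profile (.mobileconfig) carrying the passcode
and restrictions payloads listed on the slide, then parse it back and check it.

Added example: this is not Symantec's code. Payload types and key names follow
Apple's Configuration Profile Reference; identifiers and values are constructed.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"   # constructed identifier prefix (assumption)


def _payload(payload_type: str, name: str, content: dict) -> dict:
    """Wrap payload-specific keys with the common header every payload needs."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **content,
    }


def passcode_payload() -> dict:
    """Passcode policy: the slide's 'Passcode Profile' settings."""
    return _payload("com.apple.mobiledevice.passwordpolicy", "Passcode Policy", {
        "forcePIN": True,              # require passcode
        "allowSimple": False,          # no simple values (1234, aaaa)
        "requireAlphanumeric": True,   # require letters and digits
        "minLength": 8,                # passcode length
        "minComplexChars": 1,          # number of complex (non-alphanumeric) chars
        "maxPINAgeInDays": 90,         # maximum passcode age
        "maxInactivity": 5,            # minutes before auto-lock
        "pinHistory": 5,               # unique passcodes before reuse
        "maxGracePeriod": 0,           # grace period for device lock (none)
        "maxFailedAttempts": 10,       # failed attempts before wipe
    })


def restrictions_payload() -> dict:
    """Device restrictions: a subset of the slide's 'Restrictions' column."""
    return _payload("com.apple.applicationaccess", "Restrictions", {
        "allowAppInstallation": False,
        "allowCamera": False,
        "allowScreenShot": False,
        "allowGlobalBackgroundFetchWhenRoaming": False,  # no mail sync while roaming
        "allowVoiceDialing": False,
        "allowInAppPurchases": False,
        "forceEncryptedBackup": True,
        "allowExplicitContent": False,
        "allowYouTube": False,
        "allowiTunes": False,
        "allowSafari": False,
    })


def build_profile(removal_disallowed: bool = True) -> bytes:
    """Assemble the top-level profile and serialise it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate iOS Baseline",
        "PayloadOrganization": "Example Corp",           # constructed
        "PayloadRemovalDisallowed": removal_disallowed,  # 'control profile removal by user'
        "PayloadContent": [passcode_payload(), restrictions_payload()],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profile_summary(data: bytes) -> dict:
    """Parse a profile back and return the security-relevant settings by payload type."""
    profile = plistlib.loads(data)
    by_type = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    pw = by_type["com.apple.mobiledevice.passwordpolicy"]
    rs = by_type["com.apple.applicationaccess"]
    return {
        "locked": profile["PayloadRemovalDisallowed"],
        "min_length": pw["minLength"],
        "wipe_after": pw["maxFailedAttempts"],
        "camera_allowed": rs["allowCamera"],
        "encrypted_backup": rs["forceEncryptedBackup"],
        "payload_count": len(profile["PayloadContent"]),
    }


if __name__ == "__main__":
    blob = build_profile()
    with open("baseline.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(profile_summary(blob))
```

The profile is unsigned here; an MDM server normally signs it (CMS) and pushes it over the MDM channel, and iOS marks a hand-installed unsigned profile as unverified. PayloadRemovalDisallowed is the "control Configuration Profile removal by user" setting; it stops the user removing the profile, while the MDM that installed it can still remove it.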
19. Apple iOS 4 and 5 MDM Actions and Asset Info
• Management Console Actions
  – Remote wipe
  – Remote lock
  – Reset passcode
  – Update policies
    • Updates configuration and provisioning profiles over the air
    • Performs selective wipe of specific settings/email when selected policies are removed
  – Send inventory
  – Remove MDM and reset agent
    • Provides full selective wipe by removal of all profiles and content
  – Configuration profile targeting
    • Based on standard policy targeting
    • Admin-defined list of policies
• Inventory Data
  – Device information
    • Unique Device Identifier (UDID)
    • Device name
    • iOS and build version
    • Model name and number
    • Serial number
    • Capacity and space available
    • IMEI
    • Modem firmware
    • Location (lat./long.)
  – Network information
    • ICCID
    • Bluetooth® and Wi-Fi MAC addresses
    • Current carrier network
    • SIM carrier network
    • Carrier settings version
    • Phone number
    • Data roaming setting (on/off)
  – Compliance and security information
    • Configuration profiles installed
    • Certificates installed, with expiry dates
    • List of all restrictions enforced
    • Hardware encryption capability
    • Passcode present
  – Applications
    • Applications installed (app ID, name, version, size, and app data size)
    • Provisioning profiles installed, with expiry dates
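The inventory fields above are what a compliance decision is made from. As an added example, not Symantec's code, the script below evaluates constructed inventory records against a minimum-OS, hardware-type, jailbreak, passcode, hardware-encryption and required-profile policy, flags expired certificates, and returns allow or block, which is the "identify and block non-compliant devices" step of slide 17. The field names, policy values and the profile identifier com.example.mdm.baseline are assumptions for this illustration.

```python
"""Evaluate iOS device inventory (the fields an MDM collects, per the slide)
against a compliance policy and decide whether the device may stay enrolled.

Added example, not Symantec's code. The inventory records and the policy
values are constructed; field names are chosen for this example and do not
mirror any product schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List


def parse_version(v: str) -> tuple:
    """'5.0.1' -> (5, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Policy:
    min_os: str = "4.3"
    allowed_models: tuple = ("iPhone", "iPad")
    required_profiles: tuple = ("com.example.mdm.baseline",)   # constructed
    require_passcode: bool = True
    require_hw_encryption: bool = True
    today: date = date(2012, 3, 8)   # fixed 'now' so the example is deterministic


@dataclass
class Finding:
    check: str
    severity: str   # 'critical' blocks the device; 'warning' only reports
    detail: str


def evaluate(device: Dict[str, Any], policy: Policy) -> List[Finding]:
    """Run every check and return the findings (empty list = compliant)."""
    findings: List[Finding] = []

    if device.get("jailbroken"):
        findings.append(Finding("jailbreak", "critical", "device reports jailbroken"))

    if parse_version(device["os_version"]) < parse_version(policy.min_os):
        findings.append(Finding("min_os", "critical",
                                f"iOS {device['os_version']} < {policy.min_os}"))

    if not any(device["model"].startswith(m) for m in policy.allowed_models):
        findings.append(Finding("hardware", "critical",
                                f"model {device['model']} not permitted"))

    if policy.require_passcode and not device.get("passcode_present"):
        findings.append(Finding("passcode", "critical", "no passcode set"))

    if policy.require_hw_encryption and not device.get("hw_encryption"):
        findings.append(Finding("encryption", "critical",
                                "hardware encryption not available"))

    installed = {p["identifier"] for p in device.get("profiles", [])}
    for req in policy.required_profiles:
        if req not in installed:
            findings.append(Finding("profile", "critical", f"{req} not installed"))

    for cert in device.get("certificates", []):
        if cert["expires"] < policy.today:
            findings.append(Finding("certificate", "warning",
                                    f"{cert['name']} expired {cert['expires']}"))
    return findings


def decide(device: Dict[str, Any], policy: Policy) -> str:
    """'allow' when there is no critical finding, otherwise 'block'."""
    severities = {f.severity for f in evaluate(device, policy)}
    return "block" if "critical" in severities else "allow"


# Constructed sample inventory: one compliant device, one jailbroken and out of date.
DEVICES = [
    {"udid": "A" * 40, "model": "iPad2,1", "os_version": "5.0.1", "jailbroken": False,
     "passcode_present": True, "hw_encryption": True,
     "profiles": [{"identifier": "com.example.mdm.baseline"}],
     "certificates": [{"name": "mdm-identity", "expires": date(2013, 1, 1)}]},
    {"udid": "B" * 40, "model": "iPhone3,1", "os_version": "4.2.1", "jailbroken": True,
     "passcode_present": False, "hw_encryption": True,
     "profiles": [],
     "certificates": [{"name": "mdm-identity", "expires": date(2011, 12, 31)}]},
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d["udid"][:8], decide(d, Policy()))
        for f in evaluate(d, Policy()):
            print("  ", f.severity, f.check, f.detail)
```

The jailbreak flag is only as trustworthy as the agent that reports it; a rooted device can lie to the agent, which is why the check sits alongside server-side evidence such as missing profiles and the device certificate rather than standing alone.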
20. Athena MDM Agent for Android
• Policies
  – Wipe data¹
  – Lock now
  – Reset password
  – Password enabled
  – Set maximum failed passwords for wipe
  – Set maximum inactivity time to lock
  – Set password minimum length
  – Alphanumeric password required
  – Minimum letters required in password²
  – Minimum lowercase letters required in password²
  – Minimum non-letter characters required in password²
  – Minimum symbols required in password²
  – Minimum numerical digits required in password²
  – Minimum uppercase letters required in password²
  – Password expiration (number of days)²
  – Password history (max number of past passwords stored)²
  – Password complex characters required²
  – Data encryption²
  – Camera disable³
¹ Wipes user data on the device; does not wipe the memory (SD) card
² Android 3.x+ required
³ Android 4.x+ required
21. Athena MDM Agent for BlackBerry®
• Premium support for BlackBerry smartphones
– Simplified enrollment with AD authentication
– Extended hardware and software inventory
– Zero-touch management
– Live remote assistance – remote control, etc.
22. Enterprise Mobility Roadmap
Advancing our mobility strategy
Sept 2011
• Comprehensive iOS support: public and enterprise apps
• iOS Document Library & Enterprise Appstore
Q1 2012
• DLP for Tablets & SMM DLP enhancements (Jan)
• Mobile Security - Android agent
• VeriSign MPKI integration (Feb)
March 2012
• Single Sign-On for Cloud/Web Services (O3)
• Symantec Mobile Management for SCCM (Odyssey Athena)
June 2012
• SMM - Advanced Android Management
Summer/Fall 2012*
• Advancing MDM support (iOS, Android, WP7/8)
• IT Analytics for Mobile
• Secure Sync & Share Collaboration
Symantec Confidential and Proprietary 22
*Disclaimer - Roadmap contents and timing subject to change without notice
23. Introducing DLP for Tablets
New Technology = New Challenges (introduced Nov 2011)
• Execs pushing adoption: how do you say "Yes"?
• Access to corporate email and network, with no control off-network: how do you demonstrate compliance?
• All the access, few of the controls: how do you secure IP?
24. Why use Symantec DLP for Tablets?
Comprehensive coverage
• Corporate email, personal email, social media, cloud apps
• Works over Wi-Fi and 3G
Most user friendly
• Enables full use and productivity of the device. Our approach does NOT
  – require a restrictive "sandbox" approach, or
  – break business processes by restricting what data can go to the iPad
Lowest TCO
• Symantec DLP for Tablets™ is tightly integrated with the Symantec DLP Suite:
  – Common, advanced technologies for detecting confidential information
  – Consistent application of DLP policy
  – Seamless, integrated reporting & analytics
25. Symantec™ Data Loss Prevention for Tablets
• Extends DLP to the newest endpoint
– Bridges the BYOD gap
• Prevents IP and PII data loss
– Corporate and Web email
– Web uploads and postings
– Popular Apps
• Demonstrate compliance to auditors
• Educate your users
• Standalone or as part of the Symantec™ Data Loss Prevention
Suite
26. Data Loss Prevention for Tablets – Sample Use Case
Similar to the Data Loss Prevention for Endpoint capability
Problem:      Users send sensitive data via email
DLP Policy:   DLP inspects all outbound email
DLP Actions:  Monitor only, notify, block, or remove sensitive data
Results:      User behavioral change; automated compliance; risk reduced
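The Problem, Policy, Actions, Results flow above, as an added example that is not Symantec DLP's detection engine: a described-content style detector (a regex plus Luhn check for payment card numbers, and a pattern match for US SSNs) runs over a constructed outbound message body, and the policy's response rule decides whether to monitor, notify, block or remove the matched content. The detectors, sample messages and user-facing wording are constructed for this illustration.

```python
"""Inspect an outbound message for sensitive data and apply a DLP response rule
(monitor, notify, block, or remove).

Added example, not Symantec DLP code. Detectors are a described-content style
regex + Luhn check written here; the sample messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# A run of 13-16 digits, optionally separated by spaces or hyphens, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check so a 16-digit order number is not flagged as a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Match:
    kind: str
    span: tuple  # (start, end) offsets in the body


def detect(body: str) -> List[Match]:
    """Return every card number (Luhn-valid) and SSN pattern found in the body."""
    matches = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            matches.append(Match("credit_card", m.span()))
    for m in SSN_RE.finditer(body):
        matches.append(Match("us_ssn", m.span()))
    return matches


def redact(body: str, matches: List[Match]) -> str:
    """Replace each match right-to-left so earlier offsets stay valid."""
    out = body
    for m in sorted(matches, key=lambda x: x.span[0], reverse=True):
        s, e = m.span
        out = out[:s] + "[REMOVED:" + m.kind + "]" + out[e:]
    return out


@dataclass
class Verdict:
    action: str          # allow | monitor | notify | block | remove
    matches: List[Match]
    body: str            # body as it will leave (empty when blocked)
    user_message: str


def apply_policy(body: str, response_rule: str) -> Verdict:
    """response_rule is what the DLP policy says to do when content matches."""
    matches = detect(body)
    if not matches:
        return Verdict("allow", [], body, "")
    kinds = ", ".join(sorted({m.kind for m in matches}))
    if response_rule == "monitor":
        return Verdict("monitor", matches, body, "")
    if response_rule == "notify":
        return Verdict("notify", matches, body,
                       f"Warning: this message contains {kinds}. It was sent and logged.")
    if response_rule == "block":
        return Verdict("block", matches, "",
                       f"Blocked: message contains {kinds}. Contact the helpdesk.")
    if response_rule == "remove":
        return Verdict("remove", matches, redact(body, matches),
                       f"Sensitive content ({kinds}) was removed before sending.")
    raise ValueError(f"unknown response rule {response_rule!r}")


# Constructed sample messages. 4111 1111 1111 1111 is a well-known test PAN that
# passes Luhn; 4111 1111 1111 1112 does not and must not be flagged.
SAMPLE_SENSITIVE = ("Hi, the card is 4111 1111 1111 1111 and my SSN is 123-45-6789. "
                    "Order ref 4111 1111 1111 1112.")
SAMPLE_CLEAN = "Lunch at noon? Order ref 1234567890123."   # 13 digits, fails Luhn

if __name__ == "__main__":
    for rule in ("monitor", "notify", "block", "remove"):
        v = apply_policy(SAMPLE_SENSITIVE, rule)
        print(rule, "->", v.action, len(v.matches), "match(es)", v.user_message)
        if rule == "remove":
            print("   ", v.body)
```

The "user behavioral change" result in the table comes from the notify and remove paths: the sender sees what was caught and why. The Luhn check is what keeps those notifications credible; a bare digit pattern would flag order numbers and train users to ignore the warnings.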
27. Cross Platform Asset Lifecycle Management
New Applications (purchased software) -> Update Applications (version control) -> Retire Applications (recover licenses)
Policy management issues at every stage: visibility, control, effort.
28. Altiris Client Management Suite for Mac
Discovery and
Inventory
Intelligent Software &
Patch Management
Remote
Assistance
Imaging and
Deployment
29. Application Streaming and Virtualization
Separating the things that matter
Traditionally installed: applications live inside the operating system image on each endpoint.
Streamed and virtualized: applications are held on a streaming server and delivered to the operating system on demand, kept separate from it.
30. Securely Deliver and Manage Any Service to Any User in Any Location
Support any device regardless of ownership: laptops, desktops & thin clients, tablets
Manage applications regardless of type: SaaS, social & cloud apps, physical delivery, virtual apps & desktops, app store delivery models
Enable services regardless of location
31. Introducing Symantec O3
A New Cloud Information Protection Platform
Symantec O3™ spans public and private cloud with three layers:
• Access Control (control)
• Information Security (protection)
• Cloud Compliance (visibility)
32. How Symantec O3 Works – User View
End user on any device -> Symantec O3™ Gateway -> cloud, SaaS and web applications (public cloud services, datacenter / private cloud)
Symantec O3 Gateway
• Identity and Access Broker
• Information Gateway
• Layered Protection: 2F authentication, DLP, encryption
Symantec O3 Intelligence Center
• Context-based policies
• Status monitoring
• Log and audit services
33. Symantec Service Offering
Accelerated Adoption Program: a free 2-day workshop that supports customer migrations from 6.x to 7.1
Distance Learning Assessment: a free service offering for education accounts, providing insight on how to establish a world-class distance learning program
Mobile Security Assessment: a 5-week evaluation to identify the risk inherent in the enterprise from the use of iPhones, iPads, and Android devices
Malicious Activity Assessment: a free, non-intrusive evaluation of network traffic on a customer's entire network or a specific network segment
34. EMM Partner Solution Integrators
• ITS Partners: Privilege Management and Lockdown; Mobile Management-as-a-Service; Device Lockdown
• Intuitive Network Mgmt: Network Resource Management; Endpoint Management-as-a-Service; Cloud Services ITMS
• eiPower: Green Energy Power Management and Control
• Service Catalog: Request Fulfillment and Service Catalog
• Mobile Deployment / App Package: Mobile Solutions & Support for SCCM (now a part of Symantec)
• DeployExpert and HiiS: Install, License Entitlement, App Delivery
Public Sector SE Management Team 35
According to the research firm Strategy Analytics, 66.9 million tablets shipped worldwide in 2011, up a staggering 260 percent from the previous year. In 2010, Apple's iPad controlled nearly 70 percent of the tablet market, but just one year later Android-based tablets had secured just under 40 percent of the market. NFC (Near Field Communication) is forecast to generate $74B in transactions by 2015 (Juniper Research: http://www.mobilemarketingwatch.com/juniper-says-nfc-will-drive-74-billion-in-transactions-by-2015-21588/).
Odyssey's Athena mobile management product shares considerable code with Symantec Mobile Management, but is integrated with Microsoft System Center Configuration Manager. While there are some differences due to the use of SCCM instead of the Symantec Management Platform, most features are similar or the same (e.g. Mobile Library, configuration editing, legacy Windows Mobile software delivery, etc.). The Odyssey product will be renamed "Symantec Mobile Management for SCCM" mid-year.
Console-agnostic, cloud and mobile platform: this shows how Symantec's platform approach to mobility can greatly simplify an enterprise's ability to integrate with and leverage existing and future consoles and devices, in a seamless and agnostic way.
Extended iOS 5 MDM features:
• Enhanced email configuration: enable S/MIME encryption; prevent sending email via third-party applications and moving messages across different email accounts; prevent apps from sending email so that corporate email addresses don't inadvertently leak; turn off e-mail forwarding so that corporate email cannot be forwarded through a personal account.
• Enhanced Wi-Fi configuration: configure Wi-Fi proxy settings; enable automatic joins to Wi-Fi networks.
• Manage roaming configuration: enable/disable voice roaming features; enable/disable data roaming features.
• iCloud configuration: enable/disable iCloud back-up, document sync and Photo Stream.
• Utilize the iOS 5 layer to report additional device details: battery life status; wireless carrier information.
• Manage iTunes password entry: require an iTunes password to make iTunes access more secure.
• Manage certificates from non-trusted sources: set whether or not an end user can accept a certificate from a non-trusted source; prevent certificates from being accepted from a non-trusted source.
Monitor, block, and remove content from outbound iPad traffic.
• Protects HTTP/HTTPS, including: general web traffic (including webmail); ActiveSync; the most common iPad applications (Dropbox, Facebook, & Twitter); FTP.
• Supports: iPad 1 & 2 (iOS 4.2.1 and higher); 3G and Wi-Fi, on and off network; standard DLP detection methods (DCM, EDM, IDM, VML); general and specialized response rules (including block & remove content).
• Provides: flexibility to create tablet-specific policies; a separate tablet incident type.
As of February 28th, Symantec made the first release of Symantec O3 generally available. The molecular symbol O3 stands for ozone. Ozone provides a layer of protection for living things on earth by filtering out dangerous ultraviolet radiation. Symantec O3 similarly protects IT and users "above the cloud" when they access cloud applications and services, even from mobile devices.
Let's take a look now at how Symantec O3 works, first from the perspective of the user, then from the perspective of IT, particularly operations and security.
1. The user experience for Symantec O3 is exceedingly easy to grasp. First the user, on any device he or she might be using, accesses the Symantec O3 gateway through a URL; it is just like going to Google Maps.
2. Next the user is prompted for one userid/password credential, just as if he or she were logging onto your corporate network.
3. Symantec O3 federates the passwords and, based on access policy, creates a simple portal of icons showing the cloud apps and services the user has access to. After that the user never needs to enter another credential; he or she has single sign-on to the cloud, except in the cases where
3b. policy dictates the need for a second factor. The user runs an app, typically on a mobile device, that generates the OTP (one-time password), and enters that second factor, enabling access to the app. Note that with Symantec O3 we bypass the need for the app itself to support two-factor authentication; the strong authentication is handled entirely by Symantec O3.
That is it. The simple portal listing the apps the user has access to remains open if they want, and they can click and launch without entering further credentials. The portal works on mobile devices, PCs, and any client device that supports HTTP through a browser interface of some type.