Title: OneBridge Mobile Secure
1 OneBridge Mobile Secure: Overview on Security, 25th February 2005
2 Agenda
- Overview of Market
- Product Offering
- Upcoming Releases
- OBMS 1.5
- OBMS 2.0
- OBMS 2.5
- Credant Relationship
- Competitive Differentiators
3 Device trends
- Stand alone devices
- The GPS market is powering standalone PDA sales in Europe, and it's a market that is driven by price. Medion has been very successful in this arena, and it's now joined by Mitac and, more recently, Yakumo and Anubis. PalmOne is attempting to fight back with Zire 72- and Zire 31-based GPS bundles. The latest devices from PalmOne are the Treo 650 and T5 - smart phones.
- Shipments totalled 1.85m units during the same period, up 38 per cent on Q3 2003's 1.34m total, info from IDC
- RIM's Blackberry managed to grab almost seven per cent of the smart phone market; this is up by 300 percent due to an order in the UK from Vodafone.
- Applications
- More than email: Service management, Sales management, Bespoke Healthcare etc
4 Why do Organisations protect data?
Can you keep a Secret?
5 @RISK: The Consensus Security Vulnerability Alert, February 24, 2005, Vol. 4, Week 8
- -- Third Party Windows Apps
- 05.8.1 - fallback-reboot Remote Denial of Service
- 05.8.2 - WebConnect Multiple Remote Vulnerabilities
- 05.8.3 - SD Server Directory Traversal Vulnerability
- 05.8.4 - Bontago Game Server Remote Nickname Buffer Overrun
- 05.8.5 - Xinkaa WEB Station Directory Traversal
- 05.8.6 - Arkeia Network Backup Agent Remote Unauthorized Access
- 05.8.7 - PuTTY, PSFTP and PSCP Multiple Remote Integer Overflow Vulnerabilities
- 05.8.8 - TrackerCam Multiple Remote Vulnerabilities
- -- Linux
- 05.8.9 - OpenLDAP SlapD Remote Denial of Service
- -- Unix
- 05.8.10 - Information Resource Manager Authentication Unspecified Vulnerability
- 05.8.11 - Arkeia Type 77 Request Remote Buffer Overrun
- 05.8.12 - GProFTPD GProstats Remote Format String Vulnerability
- 05.8.13 - glFTPD ZIP Plugins Directory Traversal
- -- Cross Platform
- 05.8.14 - UnAce Archive Directory Traversal
- 05.8.15 - Mono Multiple Cross-Site Scripting Vulnerabilities
6 Why we use security!!!!!!!
--University of California at San Diego Computers Compromised Again (18 January 2005) For the third time in one year, computers containing information belonging to University of California at San Diego students and alumni have been breached. The university has been phasing out the use of Social Security numbers as identifiers, but these computers were among the last that still contained this data. While there is no evidence that the data has been used to steal identities, those whose personal information was compromised have been informed in compliance with California law. The intruder used the servers to store music and video files. http://www.nbcsandiego.com/education/4103051/detail.html
SANS NewsBites Vol. 7 Num. 4
7 eBay - in the news again
--eBay Sellers Offering eMail Addresses, Spam Tools (20 January 2005) Despite eBay's recent effort to protect its customers from spam, sellers on the auction site are offering millions of email addresses and spamming tools. Certain lots have been removed from the site, but Steve Linford of anti-spam organization Spamhaus believes eBay should pay closer attention to what is sold on its site and be a leader in the fight against spam.
SANS NewsBites Vol. 7 Num. 4
8 USA rules OK!
--US Considers Reviewing IBM/Lenovo Deal for National Security Risks (25 January 2005) The Committee on Foreign Investments in the United States is considering launching an investigation into whether IBM's proposed sale of IBM's PC business to Chinese computer manufacturer Lenovo Group Ltd. poses a threat to national security. Some have expressed concern that Chinese computer experts could use an IBM facility to conduct industrial espionage.
SANS NewsBites Vol. 7 Num. 4
9 Stolen?
- Somebody placed an advertisement on eBay that advertised a Blackberry RIM "sold as is." A Seattle computer consultant sent in a bid of US$15.50. His bid was accepted, making him the new owner of the pager-size wireless pocket communicator with 4 MB of memory.
- He soon discovered that he was the owner of a Merchant Bank Senior Vice President's Blackberry. It contained a hoard of corporate data, names, addresses, phone numbers, and other very confidential information.
- It was then auctioned on eBay for a serious amount of cash.
10 Security Policies: the Options!
- Trust Everyone all of the Time
- Easiest to enforce but impractical
- One bad apple can ruin the whole barrel
- Trust No One at Any Time
- Most restrictive, but also impractical
- Difficult for staff positions
- Trust some of the people some of the time!
- Exercise caution on the amount of trust given
- Access is given out as needed
- Technical controls need to ensure trust is not violated
11 The need for a Win-Win policy
- People view policies as:
- An impediment to productivity
- Measures to control behaviour
- People have different views about needs for security controls
- People fear policies will be difficult to follow and implement
- Policies will affect everyone within the organisation
- Tension!!!
- Users: it's stopping me working!
- Systems support: how do the controls work, will we be affected?
- Management: concerned about costs v protection!
12 what customers are experiencing
- Explosive growth of mobile computing has increased productivity and introduced new opportunities for business
- New threats and management issues abound: lack of tools to manage and secure
- Difficult to determine who is using mobile devices
- Priceless enterprise data is being synchronized and stored on devices
- Data travels well beyond the safety of the firewall
- Sensitive information travels over public networks
- Mobile devices are too easily lost or stolen
13 why be concerned about data security?
- PDAs are very prone to loss and theft. Gartner estimates more than 250,000 cell phones and PDAs were lost at airports alone last year.
- SANS Institute reports studies show up to 30% loss rate for PDAs.
- Tom Walsh of Enterprise Security says, "Robbers net about 85 per holdup and are caught 80% of the time. Information thefts average 800,000 in value and are caught 2% of the time."
- Information on employee PDAs can often provide access to your network, customers and confidential information.
- Company reputation and responsibility to customers/clients.
14 1995 EU Data Protection Act Directive 95/46/EC
- Multinationals operating across the EU cannot assume that an individual country's native Data Protection laws will be mirrored across Europe.
- Not all fifteen Member States (for example Belgium) have instated a "Data Protection Officer / Commissioner" to help ensure data protection law compliance.
- One theme consistent throughout the survey was that all countries have the capability to impose sanctions for non-compliance.
- Germany and Italy (started Jan 2004), stricter than the main directive.
- Initial requirement: all fifteen member states to implement by 25th October 1998
15 what kind of data are your employees likely to keep on their devices?
- Enterprises cannot control what data the users can sync onto their device
- According to a recent PDA usage survey on mobile technologies:
- 85% Business Calendar
- 80% Business Contacts
- 35% Documents
- 33% Passwords
- 32% E-mail
16 Addressing Business Mandates
Business Mandates: Benefits
- Enable secure access anytime, anywhere: Maximizes the protection of mobile information and limits legal exposure
- Limit risk from device loss, theft or attack: Reduces threat of unauthorized access to business information
- Control mobile device usage and synchronization: Easily detects and governs diverse mobile devices
- Secure priceless enterprise mobile data: Protects the enterprise, wireless access and mobile devices
- Meet regulatory and audit requirements: Maximizes the protection of mobile information and limits legal exposure
- Deploy new solutions that address mobile device disconnected mode: Architected to address the unique requirements of mobile computing
- Deliver cost-effective solution to deploy, support and manage diverse types of mobile devices: Reduces cost of ownership by securing the mobile enterprise with centrally managed, policy-based security
17 business imperative: secure the mobile ecosystem
Protect Wireless Access
Protect Mobile Devices
Protect the Enterprise
Limit risk from loss, theft and attack
Take control of mobile device usage
Enable productivity from anywhere
18 Why do customers choose to encrypt?
- To gain a benefit
- Faster and more confident technology deployment
- Compliance with legislation or tendering requirement
- To win customer confidence and maintain privacy
- Or to mitigate a risk
- Commercial risk from theft of proprietary information
- Reputation risk from bad publicity
- Legal risk from litigation and compliance failure
19 OneBridge Security Evolution
- Multi-tier Public Keys to authenticate users
- Power-On Password to provide basic security to devices
- Over-the-Air Security to protect data transmission, enabled via RSA
- On-Device Encryption to lock down data, enabled via Credant
20 Architecture: OneBridge Mobile Secure
Security Policy Editor
Tablet PC with CMG Shield OneBridge Client
OneBridge Helpdesk Console
OneBridge Admin Console
SQL or Advantage Server
SSL
Wired or Wireless connection (128 Bit RSA Encryption)
OneBridge Server
LDAP, AD, NT, DB, Lotus, Radius, RSA
On WAN or LAN
Palm with CMG Shield OneBridge Client
PPC with CMG Shield OneBridge Client
Sync Cradle (USB, Serial, etc.)
OneBridge Desktop Connector (PC)
128 Bit RSA Encryption
21 Architecture: OneBridge Mobile Secure
- OBMS Shield
- Provides robust on-device policy enforcement - access control, data encryption and user authorizations.
- Maximizes the protection of mobile business information.
- OBMS Administration
- Centralized specification of policy for your PDAs
- Save and load different policy sets for different groups within your organization
- Create installable Shield images for PPC, Palm, Smartphone or Symbian
- Integrated in OneBridge Software Deployment functionality
- Designate corporate security policy for mobile Devices
LAN/WAN
22 OneBridge Mobile Secure overview
- Robust on-device encryption of corporate data on the device
- Centralized management of devices and data security policies
- Ability to receive updated email and data even while device is locked via our LiveConnect functionality
- Self-service and administrator-assisted password recovery options available
23 What is OBMS?
- Protects mobile devices and applications
- Authentication required to access data on device
- data encryption
- on-device restrictions
- administrator device and data recovery
- Broad platform support for diverse mobile hardware and operating systems for PDAs and smartphones
- Easy to administer centrally-defined security policies for consistency across all mobile users
- Shield provides industry-leading depth of security policies
- Flexible and cost-effective implementation with upgrade paths to enterprise-wide solutions
- Ease of implementation
- Multiple deployment options
24 OneBridge Mobile Secure Features
- Centrally-defined user authentication provides
- Pin, Password and Question/Answer - length, strength, number of retries, expiry, history
- Timeouts - inactivity
- Self-service password reset via question/answer
- Administrator recovery - different between Group and Enterprise
- Fail-safe action if under attack - extend retry timeout or wipe device (remove all data)
- On-device data encryption
- Built in PIM applications - email (including attachments), calendar, contacts
- Other applications, including custom applications
- Blowfish 128, 3DES, AES128, AES256 (notebook/tablet)
- Port Controls
- Infrared
- Bluetooth
- External Storage
- Network
- Application Controls
- Any application can be disabled, including cameras
- Useful for customizing devices for specific business applications
25 OneBridge Mobile Secure key differentiators
- Ease of implementation and support
- Easily map security, management and control to meet diverse IT and regulatory compliance requirements
- Minimize costs and maximize existing investments by integrating with existing enterprise directories
- Over-the-air distribution of shield and policies for mobile devices
- Reduced cost of ownership
- Single administrative package to centrally manage all mobile devices
- Self-service password reset
- Best of breed solution
- Ability to push data to the device even when locked
- Leverages Credant Mobile Security Platform
- Robust security
- Policy-based on-device security enforcement
- Mutually authenticated synchronization
- Automatic fail-safe action if mobile device is lost or stolen ensures valuable information is protected
26 OneBridge Mobile Secure Specifications
- Shield Platforms
- Pocket PC 2000 with ARM processor, Pocket PC 2002, Windows Mobile 2003 and Windows Mobile 2003 Second Edition with 2MB free memory
- Palm OS 3.5 through 5.x with at least 4MB RAM and 1.5 MB free storage
- Smartphone 2003 with 1MB free main memory
- Policy Editor Platforms
- Windows 2000 Professional SP3
- Windows XP Professional SP1
- Encryption Algorithms
- AES 128, Triple DES, Blowfish 128, Lite
- Certifications
- FIPS 140-2
27 OBMS Version 1.5 New Key Features
- Features
- Windows Mobile 2003 (Smartphone) Shield
- Samsung i600
- Motorola MPx 220
- Full Encryption on Palm Shield
- New Devices
- PalmOne Treo 650 Support
- Port and Application Blocking
- SD Card Encryption
- French, Italian, German, and Spanish Language Support
- Hotfix for OBMG to provide full functionality on Software Distribution.
- Availability
- Mid March GA
28 OBMS Version 2.0 Key Features
- Features
- Fully integrated into OneBridge Admin Console (part of OneBridge Mobile Groupware 4.5)
- Ability to create Temporary Admin Passwords for Support
- Symbian Shield (Authentication) UIQ and Series 80 Devices
- Availability
- May 2005
29 OBMS Version 2.5 Key Features
- Features
- Full Encryption on Symbian
- Windows 32 Client
- Availability
- Summer 2005
30 Device Validation Process
31 Development Details
32 Device Certification Queue
33 Who is Credant?
- The emergence of a highly competitive new vendor, CREDANT Technologies, has raised the threshold at which other vendors can pursue leadership.
- CREDANT went furthest by offering the most features in the fewest number of products.
- CREDANT's comprehensiveness of vision forced a lower comparative ranking of many incumbent vendors.
- CREDANT's strong first-year sales are a prelude to leadership.
34 Relationship Overview
- Sales model
- Territory - Global
- OEM Shield provides on-device core of Mobile Secure solution
- Ability to Resell any Credant products
- Upgrade pricing available between shield versions (e.g. Group Edition to Enterprise Edition)
- Maintenance Support
- ESI provides level 1 and 2 to customers
- Credant provides level 3 to ESI
- Sales Support
- Credant reps are compensated for partner sales
35 Sales Process
- Credant is already working on a number of sales opportunities with ESI
- Rules of engagement under discussion
- Goal is for ESI to take the lead with joint customers, Credant provide support to close deals
- Credant will support ESI with prospects, pricing information, sales strategies, Webex presentations and demos, technical support, training, joint marketing, collateral development, etc
- Paul Huntingdon (phuntingdon_at_credant.com) is the prime AE contact for ESI EMEA
- Sean Towns (stowns_at_credant.com) is the prime SE contact for ESI EMEA
- Kevin Burchett (kburchett_at_credant.com) is the prime BD contact for ESI EMEA
36 Competitive Comparison
37 Competitive Comparison
38 Mobile Device Check list
- Security Policy
- Use Policy
- Awareness Training
- Device registration
- Initial Checklist
- Employee Termination Procedure
- Device Authentication
- Anti Virus Software
- Theft protection
- File Encryption
- Device Firewall
- Device Integrity
- Device Management
- Network Connections
- Expansion Slots
39 HP raising security profile with HP ProtectTools
- On a number of new devices HP is supplying, as part of the on-ROM security, a replacement for the Microsoft logon password solution.
- It is also supplied by Credant.
- It's a personal version only, i.e. no central policy management
- It can be turned off, and replaced by OBMSecure.
- This is a big opportunity: HP are doing all the work, so sell OBMSecure to these users. See the following screens.