
Chapter 1. Overview of IBM MobileFirst and its security offerings

1.5 IBM MobileFirst Security solution outline

To understand how IBM Worklight helps organizations to integrate security into the overall mobile app lifecycle, this section provides details about the different components of IBM Worklight. Additionally, this section introduces the IBM security products that ensure security on mobile devices, over the network, in the enterprise, and within the mobile app itself.

1.5.1 IBM Worklight platform as the basis for mobile security

As shown in Figure 1-4 on page 15, the platform consists of five main components, providing a robust solution for mobile app security:

• IBM Worklight Studio is an Eclipse-based integrated development environment (IDE) that enables you to perform the coding and integration that is required to develop apps for various mobile operating systems.

• IBM Worklight Application Center is a web-based, internal enterprise application store for centralized application distribution, installation, and feedback. Using the application catalog service and application install service, internal users can download apps, track installed apps, and provide feedback by rating the app versions. During the development lifecycle, Worklight Application Center can also be used to streamline new app versions from development to test.

• IBM Worklight device runtime components consist of runtime client application programming interfaces (APIs). These are essential libraries complementing the server by exposing APIs to access server functionality, implement client-side portions of security features, use JavaScript and HTML for cross-platform development, and facilitate the interaction between, for example, JavaScript and native code.

• IBM Worklight server is a Java-based server that works as a security-rich and scalable gateway between applications, external services, and the enterprise back-end infrastructure. This server facilitates secure connectivity, multi-source data extraction and manipulation, authentication, direct updates of web and hybrid applications, analytics, and operational management functions.

• IBM Worklight console is a web-based administrative console supporting the ongoing monitoring and administration of the Worklight Server and its deployed apps, adapters, and push notifications. Additionally, based on configurable preset rules of the app version and device type, it helps to control and manage the access of apps to the enterprise network.

Comparison of mobile app types (table fragment):

                                   Mobile web apps   Native apps   Hybrid apps
Offline mode usage capability      No                Yes           Yes
Cost to implement and maintain     Low               High          Low

In a typical Worklight platform setup, the Worklight Server is installed behind a firewall or web reverse proxy, such as IBM Security Access Manager or WebSphere DataPower, and the mobile apps are installed and run on mobile devices, which at least partly exist outside the enterprise network. The Worklight Server acts as a gateway, mediating the communication and access of mobile apps to back-end systems. It can be further secured using IBM Security Access Manager or WebSphere DataPower.

Figure 1-4 shows the five main components of the IBM Worklight platform.

Figure 1-4 IBM Worklight platform components

To provide secure transactions with employees using their own mobile devices, accessing corporate resources from around the world, your IT team needs to gain close control over those devices to keep your networks safe and efficient. In the following sections, you can see an overview of what the IBM security products and appliances are able to accomplish.

1.5.2 User protection with IBM Security Access Manager

IBM Security Access Manager for Cloud and Mobile extends user access protection to mobile and cloud environments using federated single sign-on (SSO), user authentication, and risk scoring. IBM Security Access Manager includes the following features:

• Context-based access management for mobile endpoints, such as smartphones and tablets, to avoid inadvertent exposure of sensitive IT assets in an insecure environment

• Authentication and authorization of mobile app users and devices, with advanced session management and supported integration with IBM Worklight

• Centralized user access management to private and public cloud applications and services

• Risk-based access as a pluggable and configurable component

• Advanced web application protection from mobile devices

• A fast time-to-value and low total cost of ownership solution that makes minimal demands on the organization's IT staff

• Enhanced user productivity, better user experience, and reduced administration costs

For more information, see the following website:

http://www-03.ibm.com/software/products/us/en/samcm

Chapter 6, “Integration with IBM Security Access Manager” on page 101, provides information about IBM Security Access Manager and its integration with IBM Worklight.
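The "risk-based access" and "context-based access" features listed above come down to one mechanism: the gateway scores each request from its context (device, location, app version, resource sensitivity) and maps the score to allow, step-up authentication, or deny. The following added example, written for this page and not taken from IBM Security Access Manager or IBM Worklight, shows that mechanism with a small rule set. The attribute names, rule weights, and thresholds are assumptions chosen for illustration; a real deployment would tune them against its own risk appetite.

```python
"""Illustrative risk-based access policy (added example, not ISAM code).

Each rule inspects the request context and contributes risk points; the
total is mapped to an access decision. Weights and thresholds are assumed."""

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Attributes a gateway could derive from a mobile request (assumed names)."""
    user: str
    device_id: str
    device_known: bool         # device already registered to this user
    country: str               # geolocation of this request
    last_country: str          # geolocation of the user's previous session
    minutes_since_last: int    # time since that previous session
    app_version: str
    min_app_version: str       # lowest app version the policy still accepts
    resource_sensitivity: int  # 1 (public) .. 3 (highly sensitive)


def _version_tuple(v: str) -> Tuple[int, ...]:
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


Rule = Callable[[AccessContext], Optional[Tuple[int, str]]]


def rule_unknown_device(ctx: AccessContext):
    return (30, "unregistered device") if not ctx.device_known else None


def rule_impossible_travel(ctx: AccessContext):
    # Country changed within two hours of the last session (assumed threshold).
    if ctx.country != ctx.last_country and ctx.minutes_since_last < 120:
        return 40, "country changed within 2h of previous session"
    return None


def rule_outdated_app(ctx: AccessContext):
    if _version_tuple(ctx.app_version) < _version_tuple(ctx.min_app_version):
        return 25, "app version below policy minimum"
    return None


def rule_sensitive_resource(ctx: AccessContext):
    return (15, "highly sensitive resource") if ctx.resource_sensitivity >= 3 else None


RULES: List[Rule] = [rule_unknown_device, rule_impossible_travel,
                     rule_outdated_app, rule_sensitive_resource]


def score_request(ctx: AccessContext) -> Tuple[int, List[str]]:
    """Sum the points of every rule that fires; keep the reasons for audit logs."""
    score, reasons = 0, []
    for rule in RULES:
        hit = rule(ctx)
        if hit:
            score += hit[0]
            reasons.append(hit[1])
    return score, reasons


def decide(ctx: AccessContext, step_up_at: int = 30, deny_at: int = 60):
    """Return (decision, score, reasons). Thresholds are assumptions."""
    score, reasons = score_request(ctx)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return "step-up", score, reasons
    return "allow", score, reasons


# Constructed sample contexts.
TRUSTED = AccessContext("alice", "d1", True, "US", "US", 30, "2.1.0", "2.0.0", 2)
NEW_DEVICE_SENSITIVE = AccessContext("alice", "d9", False, "US", "US", 30, "2.1.0", "2.0.0", 3)
SUSPICIOUS = AccessContext("alice", "d9", False, "BR", "US", 20, "1.9.0", "2.0.0", 3)

if __name__ == "__main__":
    for ctx in (TRUSTED, NEW_DEVICE_SENSITIVE, SUSPICIOUS):
        print(ctx.device_id, decide(ctx))
```

The reasons list is as important as the decision: a step-up or deny that cannot be explained to the user or to an auditor is hard to operate, and the same reasons feed the session-management and reporting features described for the product.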

1.5.3 Application security testing with IBM Security AppScan

IBM Security AppScan is designed to manage vulnerability testing throughout your company's software development lifecycle. It scans and tests for common web application vulnerabilities, including:

• SQL injection

• Cross-site scripting

• Buffer overflow

• Flash and Flex applications

• Web 2.0 exposure scans

In addition, IBM Security AppScan V8.7 features a next-generation dynamic application security scanning engine and the innovative, all-new XSS-Analyzer. It provides the ability to identify and remediate code vulnerabilities by taking advantage of security insights from over 40,000 analyzed iOS and Android APIs.

IBM Security AppScan Enterprise provides the following functionality:

򐂰 A strategic approach to web application security

򐂰 Broad scanning capabilities to scan and test hundreds of applications simultaneously, and then retest them frequently

򐂰 Enterprise-level reporting that facilitates communication of security status and issues

򐂰 Remediation features that issue advisories to help guide developers in effective remediation

For more information, see the following website:

ftp://public.dhe.ibm.com/common/ssi/ecm/en/rab14001usen/RAB14001USEN.PDF

1.5.4 Delivery of services and applications with IBM WebSphere DataPower

WebSphere DataPower Appliances simplify, govern, and optimize the delivery of services and applications, and enhance the security of XML and IT services. They extend the capabilities of an infrastructure by providing a multitude of functions.

As IBM has grown its line of WebSphere DataPower Appliances, the capabilities have expanded from the core business of service-oriented architecture (SOA) connectivity.

WebSphere DataPower Appliances now serve areas of business-to-business (B2B) connectivity and web application proxying.

These appliances also support Web 2.0 integration with JavaScript Object Notation (JSON) and Representational State Transfer (REST), advanced application caching, rapid integration with cloud-based systems, and more.

For more information about the WebSphere DataPower Appliances including core functions and add-ons see IBM WebSphere DataPower SOA Appliances Part I: Overview and Getting Started, REDP-4327.

Chapter 7, “Integration with IBM WebSphere DataPower” on page 139, provides information about the integration of WebSphere DataPower with IBM Worklight.

1.5.5 Security intelligence with IBM Security QRadar SIEM

IBM Security QRadar security information and event management (SIEM) consolidates log source event data from thousands of devices, endpoints, and applications distributed throughout a network. It performs immediate normalization and correlation activities on raw data to distinguish real threats from false positives.

As an option, this software incorporates IBM Security X-Force® Threat Intelligence, which supplies a list of potentially malicious IP addresses, including malware hosts, spam sources, and other threats. IBM Security QRadar SIEM can also correlate system vulnerabilities with event and network data, helping to prioritize security incidents.

IBM Security QRadar SIEM performs the following functions:

• Provides near real-time visibility for threat detection and prioritization, delivering surveillance throughout the entire IT infrastructure

• Reduces and prioritizes alerts to focus investigations on a list of suspected incidents on which you can act

• Enables more effective threat management

• Supports easier, faster installation, and includes time-saving tools and features

• Produces detailed data access and user activity reports to help manage compliance

For more information, see the following website:

http://public.dhe.ibm.com/common/ssi/ecm/en/wgd03021usen/WGD03021USEN.PDF
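The description above names three steps a SIEM performs on raw log data: normalizing events from different sources into one schema, correlating them (including against a threat-intelligence IP list), and reducing the result to a short list of offenses. The following added example, written for this page and not taken from IBM Security QRadar, runs those three steps over constructed sshd and HTTP access-log lines. The log lines, the threat-intelligence list, the rule names, and the failure threshold are all assumptions made for illustration.

```python
"""Illustrative SIEM-style pipeline (added example, not QRadar code):
normalize heterogeneous log lines, correlate them, emit deduplicated offenses."""

import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log lines from two different sources (not real traffic).
SAMPLE_LOGS = [
    "Mar 10 09:01:02 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:01:04 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "Mar 10 09:01:06 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Mar 10 09:01:09 gw sshd[2211]: Accepted password for admin from 203.0.113.7 port 51025 ssh2",
    '198.51.100.4 - - [10/Mar/2014:09:02:11 +0000] "POST /worklight/invoke HTTP/1.1" 200 512',
    '192.0.2.55 - - [10/Mar/2014:09:02:15 +0000] "GET /worklight/apps/services HTTP/1.1" 401 0',
    "this line is not in any known format",
]

# Constructed threat-intelligence feed, standing in for an X-Force style IP list.
THREAT_IPS = {"198.51.100.4": "malware host"}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")
HTTP_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def normalize(line: str) -> Optional[Dict[str, str]]:
    """Map a raw line onto one common schema; return None for unparsed lines."""
    m = SSHD_RE.match(line)
    if m:
        return {"source": "sshd", "ts": m["ts"], "src_ip": m["src"], "user": m["user"],
                "category": "auth",
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = HTTP_RE.match(line)
    if m:
        return {"source": "http", "ts": m["ts"], "src_ip": m["src"], "user": "-",
                "category": "web", "path": m["path"],
                "outcome": "success" if int(m["status"]) < 400 else "failure"}
    return None


def correlate(events: List[Dict[str, str]], failure_threshold: int = 3) -> List[Dict[str, str]]:
    """Two rules: threat-intel match on source IP, and N auth failures followed
    by a success from the same IP. Offenses are deduplicated by (rule, ip)."""
    offenses, seen = [], set()
    failures = defaultdict(int)

    def raise_offense(rule: str, ip: str, detail: str) -> None:
        if (rule, ip) not in seen:          # alert reduction: one offense per rule and IP
            seen.add((rule, ip))
            offenses.append({"rule": rule, "src_ip": ip, "detail": detail})

    for ev in events:
        ip = ev["src_ip"]
        if ip in THREAT_IPS:
            raise_offense("threat_intel_match", ip, THREAT_IPS[ip])
        if ev["category"] == "auth":
            if ev["outcome"] == "failure":
                failures[ip] += 1
            elif failures[ip] >= failure_threshold:
                raise_offense("brute_force_then_success", ip,
                              f"{failures[ip]} failures before success for {ev['user']}")
    return offenses


def run(lines: List[str] = SAMPLE_LOGS):
    """Return (normalized events, unparsed count, offenses)."""
    parsed = [normalize(l) for l in lines]
    events = [e for e in parsed if e]
    return events, parsed.count(None), correlate(events)


if __name__ == "__main__":
    events, unparsed, offenses = run()
    print(f"{len(events)} events, {unparsed} unparsed")
    for o in offenses:
        print(o)
```

Counting unparsed lines matters operationally: a source whose format changes silently drops out of correlation, and the gap shows up only if the pipeline reports what it could not normalize.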

1.5.6 VPN software with IBM Mobile Connect

IBM Mobile Connect provides a full-featured, wireless virtual private network (VPN). This software employs data encryption to deliver security-rich access to enterprise applications over wireless and wired networks. IBM Mobile Connect enables access to enterprise applications and data from virtually any location, while protecting an organization's sensitive information.

IBM Mobile Connect (formerly IBM Lotus® Mobile Connect) provides the following features:

• Rich security features to protect transmission of sensitive data delivered through client or clientless access

• Fast, continuous network connectivity for uninterrupted access to enterprise information and applications

• Built-in controls that can help reduce costs through lower connection charges and transmission fees

• Simple maintenance for administrative ease and control

• Support for a variety of operating systems, mobile devices, and networks to help satisfy the varying needs of remote users

For more information, see the following website:

http://www-03.ibm.com/software/products/us/en/mobile-connect/
