of your mobile
business intelligence
Contents
• Executive summary
• Securing BI on mobile devices
• Apple iPad native application and device security
• BlackBerry native application and device security
• Web application security
• Conclusion
• About IBM Business Analytics
• For more information
Executive summary
The number of mobile devices has now surpassed personal computers in sales. They are increasingly being used for business, which means that users expect to access all the applications they need to do their jobs, including business intelligence (BI), on these devices. Because BI can be sensitive and confidential, they also want to be sure it is protected from unauthorized users such as hackers and that it can’t be accessed if the device is lost or stolen.
IBM® Cognos® Mobile software has been delivering relevant information to smart phones such as the BlackBerry for some time. However, enhancements to Cognos Mobile now make it possible for users to interact with trusted BI content on their Apple iPad, BlackBerry PlayBook and Android 3.0 tablet computers, for a rich and visual experience that enables uninterrupted productivity. Making Cognos Business Intelligence available to more mobile device users invariably raises questions about the security of the BI they view and work with.
IBM is aware of these concerns and has gone to significant lengths to ensure the security of IBM Cognos Mobile operating on smart phones and tablet devices. Cognos Mobile security is derived from a combination of sources. From IBM, you get the same security provided to all IBM Cognos Business Intelligence 10.1.1 environments through the Cognos platform, along with other security features specific to Cognos Mobile. Other features are provided from device vendors or your IT department. This paper describes how IBM Cognos Mobile is secured.
Securing BI on mobile devices
One of the biggest concerns organizations have when it comes to adopting mobile business intelligence (BI) is security. This is hardly surprising, given that the term “mobile” conjures up an image of important data being transmitted over unsecured networks, increasing fears of unauthorized access to or loss of sensitive corporate data.
Mobile security can be broken down into several areas:
• Data access, or providing users with only the data they are authorized to see
• Data transmission, or securing communication channels
• Data storage, or protecting data stored on the device
• Device security, or protecting the device from unauthorized usage
• Deployment security, or configuring, provisioning, implementing or monitoring the mobile solution safely
To ensure the security of Cognos Mobile, IBM addressed these areas as they relate to the ways that users access BI on their devices:
• The Apple iPad native application (available for download from the Apple iTunes app store)
• The BlackBerry smart phone native application
• The web application, which can be used on your Apple iPhone, BlackBerry PlayBook and tablets that use the Android 3.0 operating system.
In addition, no matter how you access Cognos Mobile—from a native application or the web—your underlying security base will be the Cognos platform. The Cognos platform provides integration with enterprise authentication and a central place to control access and authorization for all Cognos Business Intelligence objects, capabilities and data. This integration makes single sign-on for authentication possible, simplifying the login process and restricting access to data according to business requirements.
In addition, the Cognos platform supports LDAP, NTLM, Microsoft Active Directory, Netegrity and SAP Business Information Warehouse, among others. In essence, it makes the most of your existing enterprise security deployments and includes the ability to link to one or more security systems simultaneously, as you require.
Apple iPad native application and device security
The Cognos Mobile native application for the Apple iPad uses a combination of Cognos platform, IT and device (or Apple iOS) enabled security (Figure 1) to address the five areas of security mentioned in the previous section.
Securing data access on the Apple iPad
For secure data access on the iPad, Cognos Mobile uses Cognos platform authentication and role-based security.
A device lease key prevents access to disconnected Cognos content when a timeout period elapses. A good analogy of the lease key functionality is the concept of a hotel key. The key is enabled for the duration (lease) of your stay. Then, at the checkout time on the last day of your stay, your key is disabled (your lease has expired) and you are unable to access the room. The room is still there, but you will not be able to gain access until you make appropriate arrangements.
Figure 1: Cognos Mobile native iPad application security (diagram; not reproduced). The diagram shows the architecture (Mobile Device Management Solution, IBM Cognos Platform with IBM Cognos BI and IBM Cognos Mobile Service, VPN and corporate firewall, IBM Cognos Content Store and report data source) with the security controls grouped as Cognos Enabled Security, IT Enabled Security and MDM/iOS Enabled Security: OTA iPad configuration (device-level security policies, VPN settings, passcodes, etc.), platform and role-based security, application sandboxing, device wipe, local encryption, BI server authentication and the device lease key.
In the case of IBM Cognos Mobile, upon expiration of the lease key, content is not accessible until the user authenticates and a new key is granted. This ensures that disconnected content is inaccessible without wiping the entire device.
Securing Apple iPad data transmission
Cognos Mobile takes advantage of standard VPN protocols or an SSL connection to ensure a secure communication channel.
Support for your enterprise network Wi-Fi enables secure access to your corporate network when you are on premises.
This secure access can be enabled with the VPN client that is part of the Apple iPad operating system or with third-party applications from Juniper, Cisco and F5 Networks. Your iPad comes with support for Cisco IPSec, Layer 2 Tunneling Protocol (L2TP) over IPSec and Point-to-Point Tunneling Protocol (PPTP). If your company supports one of these protocols, you do not have to make any additional configurations to connect your iPad to your VPN. Applications from Juniper and Cisco are also available for enabling SSL VPN. You can configure these connections manually or use the Apple Configuration Profile.
Your iPad also supports IPv6, proxy servers, split tunneling and other industry standards to ensure you have a rich VPN experience when connecting to your network. It also works with a number of authentication methods, such as passwords, two-factor tokens and digital certificates. VPN On Demand, which initiates a VPN session dynamically when connecting to specific domains, is also available to streamline environments that use digital certificates.
Securing data storage on the Apple iPad
Cognos Mobile fully supports the Apple hardware encryption that secures any data you store on the device.
Apple Sandbox prevents other applications from accessing Cognos Business Intelligence data on the device. Apple Sandbox protects your system by limiting application operations, such as opening documents or accessing the network. Sandboxing makes it more difficult for a security threat to take advantage of an issue in a specific application to affect the greater system. The Apple Sandbox system consists of a set of user space library functions for initializing and configuring the sandbox for each process, a Mach server for handling logging from the kernel, a kernel extension using the TrustedBSD API for enforcing individual policies and a kernel support extension providing regular expression matching for policy enforcement.
If a device that is storing Cognos Business Intelligence data is lost or stolen, it’s important to deactivate and erase the device. In the case of the Apple iPad application, the Cognos Business Intelligence content stored on the device is protected by an Apple feature called remote wipe. With this feature, your administrator or device owner can issue a command that removes all data and deactivates the device.
Securing your Apple iPad device
Cognos Mobile fully exploits the ability to establish strong policies for device access that is provided by the Apple iPad platform. All devices have password (which Apple calls “passcode”) formats that can be configured and enforced over the air. An extensive set of passcode formatting options can be set to meet security requirements, including timeout periods, passcode strength and how often the passcode must be changed. These methods provide flexible options for establishing a standard level of protection for all authorized users.
A local wipe feature is also part of your Apple iPad device security. By default, iPad automatically wipes the device after 10 failed passcode attempts. However, you can configure your iPad to wipe the device after a different maximum number of failed attempts using a configuration profile.
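The passcode and local-wipe settings described in this section are delivered to the device as a configuration profile. The following is an added example, not IBM's or Apple's code, that builds such a profile with Python's standard plistlib and audits it against an assumed baseline, showing a deliberately weak policy (four-digit simple passcode, 50 failed attempts before wipe) beside the corrected one. The payload keys (PayloadType com.apple.mobiledevice.passwordpolicy with minLength, requireAlphanumeric, allowSimple, maxPINAgeInDays, maxInactivity and maxFailedAttempts) are Apple's passcode-policy keys; the thresholds in REQUIRED, the payload identifiers and the function names are this example's own assumptions. Signing and encrypting the profile is a separate step not shown here.

```python
"""Build and audit an iOS passcode-policy configuration profile.

Added example, not IBM Cognos or Apple code. The payload keys used
(PayloadType com.apple.mobiledevice.passwordpolicy with minLength,
requireAlphanumeric, allowSimple, maxPINAgeInDays, maxInactivity and
maxFailedAttempts) are Apple's passcode-policy keys; the thresholds in
REQUIRED are this example's own assumed baseline, and the payload
identifiers are constructed placeholders.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Assumed baseline: the weakest setting this example's organisation accepts.
REQUIRED = {
    "minLength": 6,             # passcode of at least six characters
    "requireAlphanumeric": True,
    "allowSimple": False,       # reject repeating / sequential passcodes
    "maxPINAgeInDays": 90,      # passcode must be changed every 90 days
    "maxInactivity": 5,         # auto-lock after 5 idle minutes
    "maxFailedAttempts": 10,    # local wipe after 10 failed attempts
}

# Whether each numeric requirement is a floor ("min") or a ceiling ("max").
BOUND = {"minLength": "min", "maxPINAgeInDays": "max",
         "maxInactivity": "max", "maxFailedAttempts": "max"}

# A deliberately weak policy for comparison: short simple passcode and
# 50 guesses before the device wipes itself.
WEAK_SETTINGS = {"minLength": 4, "allowSimple": True, "maxFailedAttempts": 50}


def build_profile(settings, display_name="Passcode policy (example)"):
    """Return a .mobileconfig profile (XML plist bytes) that carries one
    passcode-policy payload with the given settings."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.org.passcode",   # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.org.profile",    # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Parse a profile and list every passcode setting that is missing or
    weaker than REQUIRED. An empty list means the profile meets the baseline."""
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not policies:
        return ["no passcode-policy payload present"]
    findings = []
    for policy in policies:
        for key, required in REQUIRED.items():
            actual = policy.get(key)
            if actual is None:
                findings.append(f"{key} not set (required {required!r})")
                continue
            if isinstance(required, bool):
                weak = actual != required
            elif BOUND[key] == "min":
                weak = actual < required
            else:
                weak = actual > required
            if weak:
                findings.append(f"{key}={actual!r} (required {required!r})")
    return findings


if __name__ == "__main__":
    for label, settings in (("weak", WEAK_SETTINGS), ("baseline", REQUIRED)):
        print(label, audit_profile(build_profile(settings)) or "meets baseline")
```

Running the script prints six findings for the weak profile (the three weak values plus three settings it never sets) and "meets baseline" for the corrected one; an auditor can point audit_profile at any exported .mobileconfig file to check it the same way.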
Secure Apple iPad deployment
Apple iPad configuration is managed by the Apple iPad Configuration Utility, which enables an administrator to set up the corporate resources that the mobile users can use. This utility provides a centralized configuration of settings, such as Wi-Fi network connectivity, LDAP authentication information and secure VPN access. It can also be used to load provisioning profiles onto a device. Such centralized administration ensures that devices are configured correctly and according to security standards set by your organization. There is also an Apple iPhone Configuration Utility that can install configuration profiles on devices when connected by USB.
The configuration profile—an XML file that is distributed to users and loaded on the mobile device—is protected by a password only known to the administrator. After the profile has been loaded on the iPad, the settings cannot be changed from that profile unless someone uses the profile password.
The profile can also be locked to the device and cannot be removed without completely erasing all of the device contents.
Configuration profiles can be both signed and encrypted.
Signing a configuration profile ensures that the settings being enforced cannot be altered in any way. Encrypting a configuration profile protects the contents of that profile and ensures installation only on the devices for which it was created. Configuration profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), supporting 3DES and AES 128.
There are several ways that a configuration profile can be loaded on to the device:
• The device can be connected directly to the computer or server where the Apple Configuration Utility is installed.
• A link can be provided on a web page that will load the profile onto the device after it is accessed from a web browser on the device.
• An email message can provide a link that will load the configuration profile.
In addition, Apple iOS over-the-air enrollment and configuration provide an automated way to configure devices securely. This process provides IT with assurance that only trusted users are accessing corporate services and that their devices are properly configured to comply with established policies. Because configuration profiles can be both encrypted and locked, the settings cannot be removed, altered or shared with others.
For geographically distributed enterprises, an over-the-air profile service enables you to enroll iOS-based devices without physically connecting them to an Apple Configuration Utility host.
Secure mobile device management
With mobile device management capabilities provided by Apple, IT can easily scale the iPad application deployment for your entire organization. It provides a central point for managing all mobile devices that makes it possible to take advantage of configuration profiles, over-the-air enrollment and Apple push notification to enroll, configure, update settings, monitor compliance and remotely wipe or lock iPads. Updates can be automatically installed on devices without any user intervention. In addition, monitoring capabilities make it possible to query devices for information to ensure compliance.
BlackBerry native application and device security
The Cognos Mobile native application for BlackBerry smart phones uses a combination of Cognos platform and Research in Motion (RIM) enabled security (Figure 2) to address the five areas of security mentioned earlier in this paper.
Securing data access on the BlackBerry smart phone
For secure data access on BlackBerry smart phones, Cognos Mobile uses Cognos platform and role-based security. This includes an administration option that allows saved credentials with a timeout period for Cognos Business Intelligence server authentication.
Users must authenticate with the Cognos platform to gain access to local content. A device lease key prevents access to disconnected Cognos content after a specified period elapses.
If a user uses Cognos Mobile on a personal BlackBerry smart phone and then leaves the company, you can ensure their disconnected content is inaccessible without wiping the entire device.
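The device lease key is described for both the iPad (hotel-key analogy, earlier in this paper) and the BlackBerry smart phone (above). The following is an added example, not IBM's code: the paper states only how the lease key behaves, so this models that behaviour with a hypothetical BIServer that authenticates the user and issues a lease bound to a user, device and expiry, and a hypothetical DeviceStore that opens local content only while the lease is unexpired, keeps the content when the lease runs out, and reads it again only after the user re-authenticates and receives a new lease. The walkthrough also covers the departed-user case above: once the account is removed, no new lease is granted and the retained content stays locked. The class names, user list, clock values and report content are all constructed.

```python
"""Device lease key for disconnected BI content (added example).

Not IBM's code: the paper describes only what the lease key does, so this
models that behaviour. A server authenticates the user and issues a lease
bound to a user, a device and an expiry time; the device can open its
local copy of content only while the lease is unexpired; on expiry it
discards the lease but keeps the content, which becomes readable again
only after the user re-authenticates and receives a new lease. Class and
function names, the user list and the content are all constructed.
"""
import hmac

LEASE_SECONDS = 8 * 3600  # assumed default: an eight-hour lease


class BIServer:
    """Stands in for the BI server's authentication and lease issuance."""

    def __init__(self, users, lease_seconds=LEASE_SECONDS):
        self._users = dict(users)          # {user: password}, constructed
        self.lease_seconds = lease_seconds

    def issue_lease(self, user, password, device_id, now):
        """Check credentials and return a lease dict, or None if they fail."""
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return {"user": user, "device": device_id, "exp": now + self.lease_seconds}

    def deprovision(self, user):
        """A departed user: existing leases run out and no new one is granted."""
        self._users.pop(user, None)


class DeviceStore:
    """Disconnected content held on one device, gated by the current lease."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._lease = None
        self._content = {}   # report name -> bytes; survives lease expiry

    def install_lease(self, lease):
        if lease is None or lease["device"] != self.device_id:
            raise PermissionError("no valid lease for this device")
        self._lease = lease

    def lease_valid(self, now):
        if self._lease is None:
            return False
        if now >= self._lease["exp"]:
            self._lease = None   # the key stops working; the room stays
            return False
        return True

    def save(self, name, data, now):
        if not self.lease_valid(now):
            raise PermissionError("lease expired; re-authenticate")
        self._content[name] = data

    def read(self, name, now):
        if not self.lease_valid(now):
            raise PermissionError("lease expired; re-authenticate")
        return self._content[name]

    def stored_reports(self):
        return sorted(self._content)


def walkthrough():
    """Run the lease lifecycle end to end and report the outcome of each step."""
    server = BIServer({"alice": "s3cret-example"}, lease_seconds=3600)
    ipad = DeviceStore("ipad-0001")
    t0 = 1_700_000_000           # constructed clock, in seconds
    report = b"<report>constructed</report>"
    result = {}

    result["bad_password_refused"] = server.issue_lease("alice", "wrong", "ipad-0001", t0) is None
    ipad.install_lease(server.issue_lease("alice", "s3cret-example", "ipad-0001", t0))
    ipad.save("Q3 sales", report, t0)
    result["readable_within_lease"] = ipad.read("Q3 sales", t0 + 1800) == report

    try:                          # the lease runs out
        ipad.read("Q3 sales", t0 + 3600)
        result["locked_on_expiry"] = False
    except PermissionError:
        result["locked_on_expiry"] = True
    result["content_retained"] = ipad.stored_reports() == ["Q3 sales"]   # nothing wiped

    ipad.install_lease(server.issue_lease("alice", "s3cret-example", "ipad-0001", t0 + 3600))
    result["readable_after_renewal"] = ipad.read("Q3 sales", t0 + 3601) == report

    server.deprovision("alice")   # the user leaves the company
    result["departed_user_refused"] = server.issue_lease("alice", "s3cret-example", "ipad-0001", t0 + 7200) is None
    return result


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step}: {'ok' if ok else 'FAIL'}")
```

The clock is passed in explicitly so the expiry behaviour can be exercised deterministically; a real client would use the device clock, which is one reason the paper pairs the lease with server-side authentication rather than relying on the device alone.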
Securing BlackBerry smart phone data transmission
All Cognos Business Intelligence data that is transmitted to BlackBerry smart phones is encrypted for secure Over the Air (OTA) data transfer and encrypted when stored on the device. This prevents unauthorized users from intercepting and reading sensitive data during transmission or from accessing data from the device with another application.
Figure 2: Cognos Mobile native application for BlackBerry smart phone security (diagram; not reproduced). The diagram shows the BlackBerry Enterprise Server and NOC architecture with encrypted communication through the corporate firewall to the IBM Cognos Platform (IBM Cognos BI and IBM Cognos Mobile Service), the IBM Cognos Content Store and the report data source, with the security controls grouped as Cognos Enabled Security and RIM Enabled Security: OTA device configuration (security policies, application distribution, etc.), platform and role-based security, device wipe, local encryption, BI server authentication and the device lease key.
Cognos Mobile takes advantage of the two transport encryption options offered by RIM, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES), for all data transmitted between BlackBerry Enterprise Server and BlackBerry smart phones.
Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smart phone user. Each secret key is stored only in the user’s secure enterprise account and on their BlackBerry smart phone and can be regenerated wirelessly by the user.
Data sent to the BlackBerry smart phone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user’s mailbox. The encrypted information travels securely across the network to the smart phone where it is decrypted with the key stored there. Data remains encrypted in transit and is not decrypted outside of the corporate firewall.
Securing data storage on BlackBerry smart phones
Cognos Mobile relies on BlackBerry Enterprise Server to extend corporate security to BlackBerry smart phones and provide administrators with tools to manage this security. To secure information stored on BlackBerry smart phones, you can make password authentication mandatory using the customizable IT policies of the BlackBerry Enterprise Server.
By default, password authentication is limited to 10 attempts after which the smart phone memory is erased.
Local encryption of all data (messages, address book entries, calendar entries, memos and tasks) can also be enforced by IT policy. And with the Password Keeper, AES encryption technology makes it possible to store password entries securely on BlackBerry smart phones.
Additionally, system administrators can create and send wireless commands to remotely change BlackBerry device passwords and lock or delete information from lost or stolen BlackBerry smart phones.
Securing BlackBerry devices
Passwords ensure that only authorized users can utilize their BlackBerry smart phones. Administrators can enforce this password with configurable properties to prevent unauthorized access.
In addition, a security timeout feature automatically locks the BlackBerry smart phone after a predetermined amount of inactivity.
Secure BlackBerry native client deployment and management
You can deploy the BlackBerry client in several ways:
• OTA application distribution pushes the native application through the BlackBerry Enterprise Server to a device.
• You can pull the application from a web server by clicking a link that downloads the application.
• You can install the application using the BlackBerry desktop manager.
Device management capabilities are provided by the BlackBerry Enterprise Server, which includes device, IT policy and security updates. BlackBerry Enterprise Server also manages user settings and control groups with over 450 IT policies.
Web application security
The Cognos Mobile web application for BlackBerry PlayBook, Apple iPhone and Android uses a combination of Cognos platform and web application enabled security (Figure 3) to address the five areas of security mentioned earlier in this paper. Because the web application does not store anything on your mobile device, there is no risk of unauthorized access to BI content if your device is lost or stolen. In addition, use of the HTTPS protocol prevents caching on your device’s web browser. Device security is also not as critical because there is no stored BI data that could be exploited.
Figure 3: the Cognos Mobile web application security diagram referenced above (not reproduced). The diagram shows the NOC service provider server and NOC architecture, a VPN tunnel through the corporate firewall to the IBM Cognos Platform (IBM Cognos BI and IBM Cognos Mobile Service), the IBM Cognos Content Store and the report data source, with the security controls grouped as Cognos Enabled Security, IT Enabled Security and MDM Enabled Security: encrypted communication, platform and role-based security, BI server authentication and no local storage on the device (BlackBerry PlayBook shown).