
Huawei AnyOffice Mobile

Security Solution

HUAWEI TECHNOLOGIES CO., LTD.


1 Overview
In 2012, 20% of global employees brought their own mobile devices to work, such as the iPhone, iPad, or Android-based devices.
Along with huge IT consumption, Bring Your Own Device (BYOD) is gradually becoming the new norm. Originally thought to be just
a trend concept, BYOD is now changing the way people work with unstoppable momentum. With our own devices, we can
exchange emails, conduct research, and follow up on potential sales opportunities more flexibly, promote information management
across the enterprise, flatten user interfaces, improve response times, and enhance decision-making efficiency. However, the openness
of BYOD comes with enormous security and management risks. Is your enterprise ready for today's BYOD challenges?

2 Trend and Challenge


BYOD makes an office borderless. Users can simultaneously work and play Web games on the same mobile devices. Personal
and office applications are crossing the boundary in between. For most enterprises, prohibiting the use of BYOD is just not
practical. The majority of today's working staff (especially new entrants) are quite familiar with handling mobile technologies and
have urged enterprises to support BYOD. This need is forcing enterprises' IT management teams not only to adopt
BYOD technologies but also to change the way they conduct business and operate in the workplace. At the same time, BYOD brings
various problems and risks where an open and intelligent mobile platform leads to critical issues, including malicious code
embedding, data leakage, mix of both personal and enterprise applications, and multiple platforms with different structures.
IT departments are finding themselves in a rather unsettling position where the standard policies and configuration rules of the enterprise
and those of the mobile devices overlap. Moreover, it is fairly difficult to graft security and management policies based on
traditional PCs onto mobile devices, especially mobile devices belonging to employees. Enterprises must employ strategies for BYOD,
including policy definition and management, which mobile devices may access company information, and at what level of clearance.
Intelligent mobile devices function very much like PCs. However, they are completely without protection when accessing
company information through web pages, downloading applications, or sending emails. So far, there are more than 20,000
types of malicious mobile software, 30% of which are Trojan horses that aim to steal private and sensitive data. With the abuse
of root permissions and the development of hacking techniques, mobile devices are becoming the new hotbed for security-related risks. 71% of enterprises consider mobile devices, especially Android devices, a key security hazard.
Migrating enterprise applications to various mobile devices is a nightmare for IT departments. These challenges include: how
to seamlessly and quickly transfer business to a mobile environment, how to avoid the high cost of in-house development,
and how to cope with a highly complex mobile environment.
With the thriving use of mobile applications, enterprises lack corresponding management measures. Employees can
download and install whatever application they want, which may reduce system availability, create huge security risks, or even
disable the device.


Mobile devices are mostly of a small size and are prone to loss or theft. 47% of the companies interviewed say that large amounts
of data are stored on mobile devices, including sensitive client information and classified data from emails. The loss of a single mobile
office device not only risks leaking confidential business information, but may also result in legal violations.

3 Overview of Huawei AnyOffice Mobile Security Solution
Targeting the conflict between employee needs and company policy compliance, Huawei provides a balanced solution.
The solution not only enables employees to access their company's intranet at any time, at any location, from any device,
but also ensures strong security protection. Huawei is dedicated to providing an end-to-end mobile security solution and
flexible application launching. By addressing mobile device security, network transmission security, application security,
sensitive data security, and security management, Huawei offers a unique balance between the efficiency and the security of
mobile office. Huawei provides a simple platform that supports the migration of all applications with excellent expandability
and low cost to help companies cope with complex mobilization.

3.1 Architecture and Key Components


Mobile security and management essentially resolve three issues: identity, privacy, and compliance. Focusing on these three key
issues, Huawei provides enterprise clients with the most secure and user-friendly management solution in the industry today.

[Figure: AnyOffice solution architecture across the Terminal, Access, DMZ, and Intranet zones. Labelled elements: AnyOffice client (office-based and non-office-based), 3G/4G, enterprise Wi-Fi, public Wi-Fi, Firewall/UTM, SSL, Mobile Security Access Gateway (AnyOffice SVN), Unified Policy Management Platform*, MEAP (development platform and supporting platform), LDAP, email, and OA and other servers.]

[Figure panel: AnyOffice security platform, grouped under Identity, Privacy, and Compliance. Labelled capabilities: authentication and authorization (strong mobile authentication), access control (Mobile NAC*), link security (SSL or UDP tunnel encryption, L3/L4 VPN), threat defense (DDoS, network antivirus, network IDS/IPS), data protection (mobile sandbox; Web, email, and DLP; anti-theft), application security (application control), and management security (security management, application management, assets management, IT services).]

* indicates a feature to be supported by later versions of Huawei AnyOffice Mobile Security Solution.

3.2 AnyOffice Intelligent Mobile Access Client


AnyOffice is the only mobile client that connects the user and the network/application. A simple client facilitates management
and maintenance capabilities.
AnyOffice is a secure mobile office platform. In one-agent mode, it integrates a series of security applications, including
security sandbox, security email client, security browser, MDM software, L3VPN client, and virtual desktop. This meets universal
mobile office requirements and ensures secure, convenient, and efficient intranet access.
In addition, AnyOffice senses the access mode. By interworking with the company's Mobile Security Access Gateway SVN
(which provides SSL VPN and RADIUS proxy functions), AnyOffice intelligently changes security policies based
on user location (intranet or the Internet), offering a sound user experience.

3.3 Whole Lifecycle Mobile Device Management


Huawei MDM manages a mobile device across its whole lifecycle. It discovers a new asset and
registers it. During the deployment phase, it checks the security status of the device, such as password complexity and jailbreak
status. In the operational phase, it ensures the security of corporate data. In the retirement phase, a recycled
device can be re-registered and its enterprise data deleted. This ensures the security of corporate data on BYOD devices.

3.4 Secure VPN Access


The VPN mobile security access gateway SVN2000/5000 series is based on Huawei's high-availability hardware platform and
employs a dedicated real-time operating system. The gateway provides industry-leading performance, security, and availability,
provides customers with flexible and controllable E2E link encryption, and ensures VPN access security.

3.5 Carrier-Class Mobile Threat Prevention


At the border of the enterprise network, Huawei carrier-class USG firewalls provide in-depth protection at the network side. The
USG firewalls integrate Symantec's advanced intrusion prevention and anti-virus technologies, employ industry-leading Application
identification technologies, and provide content security capabilities, including Anti-virus, IPS, Anti-DDoS, and content filtering.

3.6 Unified Security Policy Management


The Huawei AnyOffice solution implements a unified and highly intuitive security policy management platform that simplifies
operations and management (O&M) and delivers substantial IT cost savings. Security policies can vary with users, device types,
locations, and time zones, thereby implementing fine-grained security access control.


3.7 Simple Enterprise Mobile Application Launching Platform


Enterprises are having difficulties in porting and launching mobile applications. The Huawei Mobile Enterprise Application
Platform (MEAP) moves enterprise applications smoothly by providing a simpler and easier integrated development
environment and supporting various application types, such as HTML5, Native, or Hybrid, and enables multi-platform
launching from a single development effort. This significantly simplifies the development process and tremendously lowers costs.

4 Highlights
Identity: Unified network access control
Compliance: Whole lifecycle device management
Privacy: Comprehensive data security and threat prevention

4.1 Identity: Unified Access Control


4.1.1 Environment-Sensitive Network Access Control
AnyOffice can identify any device, user, location, time, and access mode through use of fine-grained access control.
Enterprise IT staff can configure multiple policy templates for one user on the unified policy management platform and
send them to AnyOffice. AnyOffice intelligently senses the network environment and triggers the corresponding security
module. The security module works with SVN to implement precise network access control. From an airport lounge to
the company's branch, users switch automatically from the SVN L4VPN channel to internal plaintext access. This whole
process is transparent to users. AnyOffice therefore provides a simple and seamless user access experience.
4.1.2 Unified Security Policy Management
The unified policy management platform ensures that all policies come from the same source, which ensures the security
policy compliance. With AnyOffice, literally, anyone can access a company's intranet using any authorized smart phone or
tablet PC over any network (enterprise wireless network or remote wireless network). Furthermore, the intuitive and
user-friendly AnyOffice UI not only enhances work efficiency, but also provides visibility into and control of employee mobile devices.


4.2 Privacy: Comprehensive Data Security and Threat Prevention


4.2.1 End-to-End Data Leak Prevention
Data on the device: AnyOffice client creates a secure zone between personal and company affairs all on one mobile device
using sandbox technology. This considerably minimizes the risks associated with data leakage, network viruses, and malicious
intrusions brought by the mix of personal and corporate information, and strikes a balance between employee daily use of
technology and enterprise policies. When a user logs in to the AnyOffice platform, all company data assets, applications, and
services are encrypted and kept in a secure environment away from personal applications. The AnyOffice process functions as
the core of the system, monitoring all running applications. Personal applications cannot access company applications. Data
access, copying, modifying and saving between personal and company applications are blocked. Users/Administrators can also
customize policies to enable or disable applications from being uploaded or downloaded. AnyOffice can also erase temporary
or confidential files upon logoff to prevent data leakage.

[Figure: Sandbox separation of personal applications and personal data from enterprise applications (Mail, OA, CRM) and enterprise data. Stages: Create (forcible separation, storage encryption), Operate (behavior monitoring), Log off (trace cleaning after logoff).]

Data during transmission


The mobile security access gateway SVN VPN provides strong Layer-3/Layer-4 encryption, ensuring data privacy and
preventing malicious data sniffing and tampering.
Data on the server
Mobile devices are vulnerable to theft and loss. Each year, the list of data leaks caused by mobile device loss or theft grows.
AnyOffice, interworking with the management back end, provides functions, including remote lock, remote data wiping,
data backup and restoration, GPS, and auto-alarm, to ensure data security in case of device losses.
4.2.2 Carrier-Class Mobile Threat Prevention on the Network Side
At the border of the enterprise network, Huawei carrier-class USG firewalls provide protection at the network side.
Prevent threats from the Internet: DDoS attacks, illegitimate access control, hacker intrusion, virus, Trojan horses, and
malicious mails.


Prevent threats between mobile devices at the LAN and the server side: Control over unauthorized access to the intranet
server, malicious intrusion of employees, and the spread of network viruses, worms and Trojan horses.
Prevent information from being leaked between the mobile office terminal and the Internet

4.3 Compliance: Lifecycle-Based Mobile Device Management

[Figure: Device lifecycle, with the stages Acquire, Deploy, Run, and Retire.]

4.3.1 Acquire
Huawei AnyOffice mobile security solution complies with the ITIL Asset Management Standards, supports the discovery,
registration, and password initialization of standard devices and personal devices, and provides the customized templates of
the letter of commitment of mobile device usage.
4.3.2 Deploy
Enterprises must ensure the level of security and standard compliance of mobile devices. Huawei AnyOffice mobile
security solution supports and enforces security policies, configuration and management delivery over a host firewall,
VPN, and WiFi network.
The core of the solution is the secure allocation of mobile applications. Huawei AnyOffice mobile security solution
integrates company App stores and secures allocation, installation, and configuration of applications. Moreover,
companies can use AnyOffice to define policies for whitelisted and blacklisted applications, ensuring that the right person
accesses the right application and data. AnyOffice provides signature authentication. Authorized services cannot be
tampered with or uninstalled, which adds extra protection and maintains application integrity on the mobile device.
4.3.3 Run
Much attention must be paid to the security of data and applications during daily business operations. Huawei
AnyOffice supports password policies, jailbreak detection and isolation, and control over possible data leakage
channels, including the SIM card, SD card, camera, Bluetooth, Wi-Fi, USB, GPS, and recording. Mobile devices are
vulnerable to loss. AnyOffice provides key data encryption, remote data backup/recovery/synchronization, and remote
lock and data wiping options. What's more, IT departments can enhance application security by remote upgrading
and patching. On the management back end, IT departments can query and audit the model, operating system, and
version of all mobile devices, and export asset audit reports.


A company's daily IT workload is a key indicator of a mobile office. Huawei AnyOffice supports the self-service portal where
employees can perform operations, including registration, password resetting, loss report generation, remote locking, data
backup and recovery, and data wiping. This significantly lightens the burden of the IT department. The management back end
also supports more complex management functions, including message push and fault location. In addition, the management
API can be integrated with the existing company's Helpdesk system, enhancing IT service efficiency.
4.3.4 Retire
Upon employee resignation or device loss, to prevent data leakage, the IT department can uninstall the application on the
device, wipe away any remaining data, and finally annul the device. If a company-issued device needs to be recycled, the
recycled device can be re-registered, re-bound, and reinstalled with security policies and applications.

5 Mobile Application Security


5.1 Security Browser
As more and more enterprise applications emerge, including Web-based applications and services for systems such as the meeting
system, attendance system, file query system, and CRM, a unified browser for accessing all applications is becoming the norm.
The secure browser provides key security defense capabilities. First, the security browser is based on the security sandbox
module of AnyOffice. It can separate personal applications from company ones, and limit access to the enterprise application
through browsers. Second, the security browser comes with the Layer-4 VPN function. You do not need to install or enable
other VPN software to access the company intranet. Third, the secure browser supports incognito browsing. Temporary files,
cookies, and histories are deleted upon user logout. In addition, the data saved on the local disk is also encrypted. Finally, the
secure browser also supports a blacklist, which helps prevent phishing and malicious software.

5.2 Security Pushmail


Email is the most widely used of all the mobile office applications. The security mail client can receive and send mails using
protocols including SMTP, POP3, and IMAP4, and can push mails in real time.
Meanwhile, Security Pushmail reduces the data leakage and malicious virus risks brought by mobile mails. It supports Layer-4
VPN, implementing automatic transmission encryption. Mails are encrypted on the terminal device with complex algorithms.
The key is dynamically obtained and is not saved on the terminal device. In addition, the secure mail supports comprehensive
security policies, including whether to permit the mail forwarding, attachment download and upload, and attachment online
browsing. The IT department can deliver role-specific control policies.


5.3 Security SDK


The sheer variety of mobile devices and the complexity of enterprise applications pose enormous difficulties for secure
mobile application development. The Huawei AnyOffice solution has a powerful security SDK that provides application-level data
encryption interfaces for mobile applications developed in-house by enterprises and supports mainstream operating systems such
as iOS and Android, making mobile applications more secure.

6 Choosing Huawei
Huawei provides enterprise and industry clients with a leading mobile office security solution. Mobile office involves the
terminal device, lower layer firmware, system software, and applications. It is an integrated ecological chain that requires
the cooperation between the upstream and downstream vendors. Huawei, with great openness, works with OEM vendors,
integrators, and mobile and wireless carriers to realize the unique value of AnyOffice, provide device-based and application-level
security, facilitate enterprise mobile office, and enhance ROI.
With Huawei AnyOffice, you can:
Create a secure zone that separates the enterprise and personal environment, reaching the equilibrium between the
security and efficiency of mobile office.
Prevent E2E leak of sensitive data that is stored, transmitted, and accessed.
Employ the industry-leading secure access and unified security policy management platform.
Implement device-based and application-level security control.
Manage mobile devices through the whole lifecycle, including the acquisition, deployment, running, and recycling.

Components

Component                                  Product
Mobile client                              AnyOffice Agent
Mobile security access gateway             AnyOffice SVN2000-M / SVN5000-M Series
Intelligent mobile terminal                Huawei MediaPad and Ascend Phone
Unified threat management gateway (UTM)    USG 2000/5000

MDM data server

MDM business server

Unified policy management platform*

AnyOffice Manager


Platforms supported by AnyOffice Agent


Device                                               Platform Version
iPad / iPhone                                        iOS 5.0 or later
Android mobile phone (Huawei, Samsung, or others)    Android 4.0 or later
Android tablet (Huawei, Samsung, or others)          Android 4.0 or later

* Huawei AnyOffice mobile security solution will support the platform marked with "*" in a later version.


Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademark Notice
, HUAWEI, and

are trademarks or registered trademarks of Huawei Technologies Co., Ltd.

Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer
THE INFORMATION IN THIS DOCUMENT MAY CONTAIN PREDICTIVE STATEMENTS
INCLUDING, WITHOUT LIMITATION, STATEMENTS REGARDING THE FUTURE FINANCIAL
AND OPERATING RESULTS, FUTURE PRODUCT PORTFOLIO, NEW TECHNOLOGY, ETC.
THERE ARE A NUMBER OF FACTORS THAT COULD CAUSE ACTUAL RESULTS AND
DEVELOPMENTS TO DIFFER MATERIALLY FROM THOSE EXPRESSED OR IMPLIED IN THE
PREDICTIVE STATEMENTS. THEREFORE, SUCH INFORMATION IS PROVIDED FOR REFERENCE
PURPOSE ONLY AND CONSTITUTES NEITHER AN OFFER NOR AN ACCEPTANCE. HUAWEI
MAY CHANGE THE INFORMATION AT ANY TIME WITHOUT NOTICE.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-035026-20140101-C-4.0

www.huawei.com
