
ES3

Security Overview
Version 3.5.2


Contents

Architecture and Deployment
    Architecture Overview
    Architecture Details
    Deployment Options

End-To-End Security
    End-To-End Security Overview
    Portal Security
    Transmission Security
    Roambi App Level Security
    Device Level Security

Contact

Copyright 2010 Mellmo Inc. All Rights Reserved.


Architecture and Deployment

Architecture Overview
Roambi ES3 uses a multi-tiered architecture in which Roambi files are persisted within your existing business intelligence infrastructure. Below is a high-level architecture diagram.

[Architecture diagram: components and their roles]

Roambi Publisher: Accessed from any standard browser, lets users easily create Roambi files from existing reports and data sources.

Roambi Server: Communicates via native API/SDK with your BI System to leverage data sources, storage and security infrastructure.

Roambi App: Native application downloaded from the Apple App Store. Communicates with server via HTTPS for secure data transfer.

Your Existing Enterprise BI System


Architecture Details
The Roambi ES3 Server handles the connection, creation and distribution of Roambi files (mobile dashboard style analytics). It is a Java-based application delivered as a single .war file that runs on Tomcat and JBoss application servers.

The Roambi ES3 Server communicates with various BI servers via their native API/SDK to provide:

User/Group Management
Single Sign On
Object Level Security
Row Level Security
File Management

Completed Roambi mobile analytics and dashboards are stored in your BI system, and leverage its storage repository and security infrastructure. Roambi file access is controlled by your BI system's security settings.

Deployment Options
Roambi ES3 can be set up in several deployment configurations to ensure the data security your company requires, while giving your mobile workers access to their critical business data on the go.

Roambi ES3 Server Deployed Inside Your DMZ
1. The Roambi ES3 Server resides inside the DMZ (Demilitarized Zone)
2. Mobile users connect directly to the Roambi ES3 Server via HTTPS
3. Additional security techniques are required to prevent unauthorized access to the Roambi ES3 Server
NOTE: This is the least secure deployment option

[Diagram: Roambi Publisher, Roambi App, Roambi Server, BI System, Inner Firewall, Outer Firewall. Caption: Ports would be opened on the firewall to allow phone users to access Roambi and to allow Roambi to access your BI System.]

Roambi ES3 Server Deployed Inside The Corporate Network
1. The Roambi ES3 Server resides behind both corporate firewalls
2. Mobile workers use the VPN configuration on the accessing mobile device
3. VPN can be either user-invoked or on-demand (on-demand must be preconfigured using the iPhone/iPad configuration utility)
NOTE: This is the most secure deployment option

[Diagram: Roambi Publisher, Roambi App, Roambi Server, BI System, Outer Firewall.]

Using a Reverse Proxy Inside Your DMZ
1. The Roambi ES3 Server resides inside the corporate network
2. It is fronted by a software (e.g. Apache) or hardware (e.g. Cisco) proxy
3. Mobile users hit the reverse proxy URL from their devices and are redirected to the Roambi ES3 Server inside the corporate network
4. This configuration is widely used for extranet deployments
NOTE: This deployment option provides a high level of security

[Diagram: Roambi Publisher, Roambi App, Roambi Server, Reverse Proxy, BI System, Inner Firewall, Outer Firewall.]


End-To-End Security

End-To-End Security Overview


We know the security of your company's data is critical for your competitiveness and peace of mind. So Roambi was designed, from the ground up, to ensure data security at every step in the mobile reporting process. From your existing data servers and BI system, all the way down to your users' devices, and everywhere in between, Roambi end-to-end security features let you deliver the information you need, without risking its confidentiality.

[Diagram: security features by tier]

Existing BI Portals
Roambi leverages your existing BI System to provide:
User/Group Management
Single Sign On
Object Level Security
Row Level Security
File Management

The Roambi System
The Roambi App and Enterprise Server provide additional data security features such as:
App Lockout
Remote Wipe
Passcode Lock
File Delete

Mobile Devices
Apple iOS4 and devices provide comprehensive security features such as:
Hardware Encryption
Device Provisioning
VPN
Device Level Remote Wipe


Portal Security
Data Storage Security
The Roambi ES3 Server is installed on premise behind your company's firewall, where users access the data stored in your existing business intelligence system to create Roambi files: secure, interactive visual analytics and mobile dashboards for any iPhone, iTouch, or iPad. Roambi ES3 does not store any of your data. The resulting Roambi files (mobile dashboard style analytics) are stored securely within your BI portal, leveraging the security infrastructure of your business intelligence system.

Data Access Security
One way Roambi ES3 leverages the security of your BI system is by using its established authentication methods. Roambi does not require a separate security infrastructure. It uses the security settings and sessions (including row and object level security) you already have set up inside your BI system. This means that in order for users to access Roambi content, either in the Roambi Publisher or on their iPhone/iPad/iPod Touch, they would be required to enter their BI system username and password.

By leveraging the existing BI System security layer, all security restrictions are applied to each user at login. So, when a user selects a Roambi file to download or refresh, they will be presented only with the data they are authorized to access. This enables you to create one Roambi file that will fulfill the needs of many different users.

In addition to leveraging the inherent security of your existing BI system, Roambi ES3 provides Device Block, which enables administrators to block any specific device from accessing the company server.


Transmission Security
Data Transmission Security
To ensure your data is secure during the transmission of Roambi files to the iPhone/iPad, Roambi ES3 employs an SSL (HTTPS) based data transmission protocol. This provides the most secure data transmission available between the Roambi ES3 Server and the mobile device.

Roambi can leverage both server and client side certificates, also known as two-factor authentication. The server certificate verifies that the ES3 Server is a valid site, and the client side certificate tells the server that the iPhone/iPad is a valid device which is authorized to connect to the ES3 Server. Note that Roambi ES3 can utilize a server certificate only, but the most secure and recommended method is with the addition of a client side certificate along with the server certificate.

[Diagram: Roambi App and Roambi Server exchanging the questions "Are you a trusted device/user?" and "Are you a trusted site?"]

Additional information about certificate-based authentication:

Information on two-factor authentication can be found at http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

The iPhone/iPad can use X.509 certificates with RSA keys, recognizing .cer, .crt, and .der file extensions. Certificate chain evaluations are performed by Safari, Mail, VPN, and other applications.

The iPhone/iPad can also use P12 files which contain exactly one identity, recognizing .p12 and .pfx file extensions. Once an identity is installed, the user is prompted for the passphrase that protects it.
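
One way to combine the reverse-proxy deployment described under Deployment Options with the server and client certificates described above, as an added Apache httpd 2.4 example (not Mellmo's or Roambi's own configuration). The host names, file paths and the /roambi context path are placeholders, and performing the client-certificate check at the proxy is an assumption the page does not state.

```apache
# Added example: reverse proxy in the DMZ that requires a device certificate.
# All names and paths below are placeholders, not Roambi defaults.
<VirtualHost *:443>
    ServerName mobile.example.com

    # Server certificate: answers the app's "Are you a trusted site?"
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/mobile.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/mobile.example.com.key

    # Client certificate: answers "Are you a trusted device/user?"
    # "SSLVerifyClient none" (the default) is the server-certificate-only
    # mode. "require" aborts the handshake unless the device presents a
    # certificate issued by the CA configured here.
    SSLCACertificateFile  /etc/httpd/tls/device-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Refuse device certificates listed in the CRL (for example a lost
    # phone) after the CRL file is updated and httpd is reloaded.
    SSLCARevocationFile   /etc/httpd/tls/device-ca.crl
    SSLCARevocationCheck  leaf

    # Act as a reverse proxy only, never as a forward proxy.
    ProxyRequests     Off
    ProxyPreserveHost On

    # Re-encrypt towards the internal server and verify its certificate,
    # so traffic crossing the inner firewall is also authenticated.
    SSLProxyEngine            On
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.crt

    ProxyPass         /roambi https://es3.corp.example.com:8443/roambi
    ProxyPassReverse  /roambi https://es3.corp.example.com:8443/roambi
</VirtualHost>
```

With this layout the inner firewall only needs to admit traffic from the proxy to the internal server, and the internal server never sees the device certificate itself because TLS ends at the proxy.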


Roambi App Level Security


Roambi ES3 has been designed to maximize your existing security infrastructure, and to protect your critical data as it transfers from your servers to your users' devices. However, it's impossible to completely protect against the inherent risk of a lost or stolen device. That's why Roambi ES3 provides a suite of intelligent, powerful security features to protect your important information from falling into the wrong hands.

Device Lockout:
No one wants to admit they have lost their company or personal mobile phone, especially when it contains critical company information. Roambi Device Lockout is a user-administered feature that allows users to send a command to their device to "Lock" the Roambi application. Once this command is issued it is impossible to launch the Roambi App on that device until the user removes the lock. This allows them time to look under the couch, or call the cab company, before reporting their phone as lost, while ensuring data security in the meantime.

Remote Wipe:
If the iPhone/iPad is really lost, or the employee leaves the company, an administrator can delete all Roambi content from that specific device remotely, in one easy step.

File Delete:
If a Roambi file (mobile analytics) becomes out of date or no longer relevant, an administrator can remove or recall that specific Roambi file from users' mobile devices.

Application Passcode:
If your company requires an added level of data protection, Roambi ES3 lets the admin require users to enter a passcode when they launch the Roambi App on their mobile device. Admins can control how frequently users are required to enter their passcode by setting it to either "Always" or "Offline". Offline mode only requires the user to enter their passcode when the application cannot make a connection to the server, reducing inconvenience while ensuring that unknown users cannot access local information when the network connection is broken.


Device Level Security


Securing your company's data on the iPhone/iPad is especially important. So, Roambi ES3 uses the Apple iPhone/iPad security model (including hardware level encryption), storing the login credentials in the iPhone/iPad encrypted key chain. For more information about the built-in security features and infrastructure of the iPhone/iPad and iOS, please reference the following links:

iPhone in Business: http://www.apple.com/iphone/business/integration/
iPhone Security Overview: http://images.apple.com/iphone/business/docs/iPhone_Security.pdf
iPhone Deployment: http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
iPhone and VPN: http://images.apple.com/iphone/business/docs/iPhone_VPN.pdf
Certificates: http://images.apple.com/iphone/business/docs/iPhone_Certificates.pdf


Contact
For more information regarding Roambi ES3, please contact us:

By Email: sales@roambi.com, partners@roambi.com
By Phone: 1.858.847.3272
Online: www.roambi.com

Mellmo Inc.
2002 Jimmy Durante Blvd. #124
Del Mar, California 92014
