CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

© 2004-2012. Centrify Corporation. All Rights Reserved.

Upload: cloudidsummit

Post on 09-May-2015


DESCRIPTION

David McNeely, Director of Product Management, Centrify

When it comes to identity, thinking outside of the box benefits both end users and IT organizations alike. IDaaS allows enterprises to make identity a transparent and ubiquitous part of their cloud and mobile applications, securely. Whether you’re developing application services, in-house mobile apps or taking advantage of existing SaaS apps, gain insight into integrating and managing mobile user access with your existing Identity Services, all while ensuring consistency in authentication, authorization, security policy and compliance. Attend this session and learn how to establish one single login for users and one unified identity infrastructure for IT.

TRANSCRIPT

Page 1: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Page 2: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Secure Identity Services for Mobile & Cloud Apps

• The Shift to a People Oriented IT is driving BYO
  • Users are bringing their own Devices, Laptops, Mobile and SaaS Apps
  • This creates risk as users end up with too many accounts and passwords
• IT must control and secure the applications and data
  • Centralizing control over these new mobile and SaaS Applications
  • Embracing Federated Authentication for SaaS and Mobile Apps
  • Extending the Enterprise login to SaaS applications
  • Federated Authentication for Mobile Apps and Containers

Page 3: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

The New Challenges of a People Oriented IT

IT is evolving from an IT asset-centric perspective to a user-centric perspective.

15 Years Ago → Current Environment:
• Enterprise IT Systems: just core processes → all the business processes
• Application Users: a few transaction experts → most employees
• Access Device: desktop PC → desktop, laptop, tablet or smartphone
• Access Location: your desk → anywhere
• Application usage modality: specific data entry and access → on demand, ongoing, mostly for access to information
• Security risk: limited (access by specific individuals, from known locations for predictable purposes) → much larger (potentially from any device, located anywhere)

Page 4: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Bring Your Own: Laptop, Smartphone, Tablet

• Organizations are increasingly allowing employees to bring their own devices
• Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users

[Chart: share of responding organizations condoning BYOD, by number of employees (10000+, 2-10,000, 500-2,000, 100-500, All). EDA: 3/4 of All Organizations Condone BYOD]

Page 5: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Bring Your Own: Laptop, Smartphone, Tablet

• Organizations are increasingly allowing employees to bring their own devices
• Laptops are no different:
  • Given a choice, many users will choose an Apple MacBook
  • Forrester predicts that Mac systems will grow by 52% in the Enterprise

[Chart: Mac Laptops vs. Windows Laptops as a share of enterprise laptops, by number of employees (10000+, 2000-10,000, 500-2,000, 100-500). Macs make up over 1/3 of all Laptops in the Enterprise]

Page 6: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Bring Your Own Presents New Challenges

• Consumer oriented features present security challenges for the Enterprise
  • OS X Internet/File/Screen Sharing
  • iCloud Document and Data Sharing
• “Day 1” effect for new products
  • Consumers want to use new products and updates the day that they are launched
  • Users tend to update devices every 2 years
• End User is the “admin”
  • IT has much less control over configuration
  • Enforcing security is challenging

Page 7: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

BYOD Drives Mobile App and SaaS Adoption

Which creates risk:
• Multiple logins for users
• Multiple identity infrastructures for IT to manage

[Diagram: End Users with Smartphones and Tablets and Laptops, surrounded by many separate IDs]

Page 8: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

IT Must Ensure Compliance with Regulations

• Security Policies are designed to protect:
  • Government, business and financial data
  • Consumer and patient privacy
• The Rules are well defined for IT:
  • Establish separation of duties
  • Enforce system security policies
  • Enforce network access policies
  • Encrypt data-in-motion and at rest
  • Enforce “least access”
  • Grant privileges to individuals granularly
  • Audit user access and privileged user activities

Regulations shown: Payment Card Industry Data Security Standard; Federal Information Security Management Act; NIST Special Publication 800-53; Basel II; FFIEC Information Security Booklet; Health Insurance Portability and Accountability Act; Sarbanes-Oxley Act Section 404

Page 9: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Requirements for Enabling People Oriented IT

1. Enable employee productivity
  • They can access data they need for work, anywhere at anytime
  • IT and security don’t get in the way
2. Ensure compliance requirements are addressed
  • IT can enforce required security policies on business data
  • IT is able to maintain access controls over business applications
3. Efficient management
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing

Page 10: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

IT Needs a Unified Identity Service

Where users have one login ID and password, and IT has one Federated Identity Infrastructure to manage.

[Diagram: End Users with Smartphones and Tablets and Laptops, sharing a single ID]

Page 11: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Strengthen Security with Federated Identity

• Federated Identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies – simplifying management
  • Ensures that IT controls access, eliminating risk of orphaned accounts

[Diagram: Federation Trust between the ID held behind the Firewall (via a Cloud Proxy Server) and the IDP as a Service]

Page 12: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Extend Identity Services to Mobile Platforms

Mobilize app and service access
• Enable mobile access to Enterprise services and applications
• Design mobile interfaces to seamlessly integrate with the Enterprise services

Containerization to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile, unlock and access all business apps

Centralize mobile and application administration
• Enabling IT to manage security policies for Mobile, Workstations and Servers
• Unifying app management into one interface for Mobile, Web and SaaS Apps
• Leveraging automated lifecycle management through AD

Page 13: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Mobilize App and Service Access

• Ensure Integrity of the mobile platform, since the user is the admin
• Prevent unauthorized access to the mobile platform
• Leverage PKI authentication for SSO to Exchange ActiveSync, Wi-Fi and VPN
• Design mobile apps to use federated SSO where possible

[Diagram: Active Directory-based Security Infrastructure]

Page 14: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Ensure Integrity of Mobile Platform

• Platform Security can be compromised if the mobile platform has been “jailbroken” (iOS) or “rooted” (Android)
  • This then enables unsigned applications to run on the device
  • It also enables tampering or modification of the OS
  • And allows malicious applications to access data contained in other applications
• As long as the device has not been “jailbroken” or “rooted” then Enterprise Apps can be safely run on the device
  • There is no need to worry about Applications that a user may install, IF sandboxing is intact
  • We do need to look at what users can do with data in these apps – this is where containers are needed

Actions:
• Establish an acceptable use policy that prevents usage of “jailbroken” or “rooted” devices
• Leverage an MDM that provides continuous “jailbreak” or “rooted” device detection, enforcing this policy

Page 15: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Prevent Unauthorized Access

• There are several scenarios that must be addressed to prevent unauthorized access to the device and any applications or data it may have:
  • Misplaced – passcode policy to wipe on X number of invalid unlock attempts
  • Misplaced/Lost – Remove Profiles to ensure no access to corporate resources
  • Lost/Stolen – Remote Wipe to ensure no access to device contents

Actions:
• Establish policy to auto-lock the device
• Establish policy to wipe on max invalid passcode attempts
• Leverage MDM for Remote Wipe for lost devices

Page 16: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Provide Secure Access to Enterprise Services

• The goal is to eliminate the weakness of password based authentication
  • Leverage strong PKI Certificate based authentication where possible
  • Eliminates the account lockout issue when multiple devices cache a user’s password
• Enterprise Networks
  • WiFi should be configured for PKI authentication, e.g. EAP-TLS
  • VPN should be configured for PKI authentication
• Exchange ActiveSync
  • Only allow access by authorized systems, e.g. require PKI authentication
  • Ensure that only registered devices access ActiveSync, e.g. turn on automatic mobile device quarantine and grant access only to registered devices for each user.

Page 17: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Mobilize Apps with Federated Zero Sign-On

Integrate Mobile App Authentication
• Mobile app authenticates and registers AD as its identity provider
• Mobile app can access information about user attributes in AD
• Mobile app gains SSO to backend services

[Diagram: Mobile OS running the Mobile App with the Mobile Auth SDK and MDM; Cloud Proxy Server behind the Firewall; IDP as a Service; Hosted Application. Step 1: Web Application Registration. Step 2: One time user authentication & device registration. Step 3: Token Generation. Step 4: Token based Authentication]

Page 18: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Mobile Authentication Service SDK

• Example Sales app integrated into Federated Authentication via Mobile Authentication Service SDK
• App launch calls EnterpriseAuthentication.getUserInformation()
  • If the app is not registered OR if reauth is required then
    • The EnterpriseAuthentication SDK will:
      • Display enterprise login screen
      • Login to AD
      • Check user authorization
      • Check device Jailbreak status
      • Request Certificate
      • Display “Welcome %username”
  • else
    • Display “Welcome %username”
• onClick “Profile”
  • Call EnterpriseAuthentication.userLookup()
  • Display User Attributes from AD
• onClick “Sales Records”
  • Call EnterpriseAuthentication.getSecurityToken(target)
  • Request data from target using SecurityToken to authenticate
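The four-step flow of the Zero Sign-On diagram (web application registration, one-time user authentication and device registration, token generation, token-based authentication) and the app-launch sequence above, as an added example that is not Centrify's SDK or any code from this deck: a hypothetical identity provider and backend service, where the directory, signing keys, device identifiers and the HMAC-signed token format are all constructed stand-ins for whatever a real IDP-as-a-Service issues.

```python
# Added illustration, not Centrify's SDK; directory, keys, device ids and token format are constructed.
import base64, hashlib, hmac, json, time

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class IdentityProvider:
    """Hypothetical IDP-as-a-Service fronting a constructed AD stand-in."""
    def __init__(self, directory):
        self.directory = directory  # user -> {"password": ..., "groups": [...]}
        self.apps = {}              # Step 1: target app -> (signing key, required AD group)
        self.devices = {}           # Step 2: registered device id -> authenticated user

    def register_application(self, target, key, required_group):
        self.apps[target] = (key, required_group)

    def register_device(self, user, password, device_id, jailbroken):
        # Step 2: one-time login plus device registration; a failed jailbreak check blocks it
        account = self.directory.get(user)
        if jailbroken or account is None or account["password"] != password:
            return False
        self.devices[device_id] = user
        return True

    def get_security_token(self, device_id, target, ttl=300, now=None):
        # Step 3: short-lived token bound to user, device and target, only if authorized
        user = self.devices.get(device_id)
        if user is None or target not in self.apps:
            return None
        key, required_group = self.apps[target]
        if required_group not in self.directory[user]["groups"]:
            return None
        exp = int(time.time() if now is None else now) + ttl
        claims = {"sub": user, "dev": device_id, "aud": target, "exp": exp}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

class BackendService:
    """Step 4: the target verifies the token; it never handles the AD password."""
    def __init__(self, target, key):
        self.target, self.key = target, key

    def authenticate(self, token, now=None):
        if not isinstance(token, str) or token.count(".") != 1:
            return None
        body, sig = token.split(".")
        expected = b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None  # tampered, or signed for a different application
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["aud"] != self.target or claims["exp"] <= (time.time() if now is None else now):
            return None  # meant for another service, or expired
        return claims["sub"]

def demo(now=1_000_000):
    idp = IdentityProvider({"alice": {"password": "s3cret", "groups": ["sales"]}})
    sales_key = b"constructed-key-shared-with-sales-api"
    idp.register_application("sales-api", sales_key, "sales")  # Step 1
    sales_api = BackendService("sales-api", sales_key)
    registered = idp.register_device("alice", "s3cret", "phone-1", jailbroken=False)
    token = idp.get_security_token("phone-1", "sales-api", now=now)
    return {"registered": registered, "user": sales_api.authenticate(token, now=now),
            "tampered": sales_api.authenticate("x" + token, now=now),
            "expired": sales_api.authenticate(token, now=now + 301),
            "rooted_device": idp.register_device("alice", "s3cret", "phone-2", jailbroken=True)}
```

The backend only ever sees a token scoped to itself, so the AD password never leaves the login step and a token captured from one service is useless against another.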

Page 19: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Containerization Separates Work From Personal

• Secure Container built on a Secure OS for both security and usability
• Provides dual persona usage of popular mobile applications
• SSO for all apps in container – enabling the laptop experience on a mobile device

Page 20: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Security From The Ground Up

• HW level and OS level Security
  • Secure Boot for preventing “Unauthorized” Operating System
  • Security Enhanced (SE) Android developed by NSA (National Security Agency)
  • TrustZone-based Integrity Measurement
• Android F/W and Application level Security
  • Application and data isolation for work and play with Container
  • On-Device Data Encryption
  • Virtual Private Network (FIPS 140-2)
  • Support for management via Active Directory / Group Policy Manager
  • Policies to comply with the US DoD Mobile OS Security Requirements Guide*
    • including CAC / PIV card support

Page 21: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Containerization with Multi-App SSO

• Multi-application SSO is built into the Knox Container
  • One SSO Registration for the Container
  • Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user such as group memberships
  • Grants security tokens upon request for authorized web app/service

[Diagram: Samsung SE Android device with a Personal App outside the KNOX Container, and Mobile App 1 and Mobile App 2 (each with the Mobile Auth SDK) plus the Enterprise SSO service inside it; Cloud Proxy Server behind the Firewall; IDP as a Service; Web Application. Step 1: Web Application Registration. Step 2: One time user authentication & Container registration. Step 3: Token Generation. Step 4: Token based Authentication]

Page 22: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Containerization for Dual Persona Usage

• Dual persona enables usage of the same app with different personalities
  • Personal Mail on the device, Business Mail in the container
  • Personal Box account on the device, Business Box account in the container

[Diagram: Office 365 and Box accounts alongside Mail, Gmail and Box accounts; the addresses are redacted in the source]

Page 23: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Integrated Mobile and App Administration

• Unifying Application management into one interface for Mobile, Web and SaaS Applications
• Leveraging processes and knowledge of lifecycle management through AD

Page 24: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Leverage Existing Knowledge, Tools and Processes

Active Directory-based Security Infrastructure

• You have existing Infrastructure, Management Tools and Processes
  • Look to leverage these where possible to minimize retraining
• Examples of existing IT Management Infrastructure and Tools:
  • Active Directory is typically used to manage both User and Computer
  • Active Directory groups are used to manage user access
  • Group Policy is typically used to manage System security policies based on group membership
  • Microsoft Certificate Authority is used to manage PKI keys for all Windows systems, automatically

[Diagram: Active Directory User & Computer; Windows Certificate Authority; Active Directory Group Policy]

Page 25: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

Security Beyond the Building

Federated Identity Service centralizes application authorization under IT control
• Providing users with SSO to authorized services and applications
• Eliminates the multiple password challenges associated with hosted applications and services

Mobilized application access and ZSO enables employee productivity
• Users can access data they need for work, anywhere at anytime with mobile access to email, shared files and applications
• IT and security don’t get in the way with zero sign-on and container-based management

Containerization enables security to address compliance requirements
• IT can enforce required security policies on business data using Group Policy
• IT is able to maintain access controls over business applications

Integrated administration enables IT to efficiently manage mobility
• Security officers can easily describe the security policies to be enforced
• Helpdesk can easily take on the responsibilities of managing

Page 26: CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps


Thank You