Deliver Secure Apps with Great Experiences Sean Ginevan, Director, Business Development, MobileIron

Upload: cloudidsummit

Post on 09-Jun-2015


Category: Technology



DESCRIPTION

Sean Ginevan, Director of Business Development, MobileIron

With a wealth of immersive consumer and "prosumer" applications for both iOS and Android, user demands for enterprise applications are high. Organizations mobilizing business processes must do so on a device of the user's choice, with an experience the user loves. However, this must be done in a way that conforms to the established security guidelines of the enterprise. With the right approaches, enterprises can strike a balance between the security of apps and great user experiences. We'll discuss the current state of the art for user authentication on mobile operating systems, along with emerging methods, to provide single sign-on capabilities that not only meet security demands but also improve the user experience.

TRANSCRIPT

Page 1: CIS13: Deliver Secure Apps with Great Experiences

Deliver Secure Apps with Great Experiences Sean Ginevan, Director, Business Development, MobileIron

Page 2

Enterprise mobile apps: Going mainstream

Retail, Finance, Manufacturing, Health Care

Page 3

Goals of the Enterprise App

•  Business process focused … not comprehensive features

•  Fast cycles … 8 week dev, 9 month life, 3 platforms

•  High expectations … UX litmus test for adoption

   –  Security & authentication should be transparent to the user

Consumer apps for the employee … not business apps for the enterprise

Page 4

What are some auth options?


Multi-factor auth solutions: Provide a variety of solutions to establish user identity to mobile apps.

MAM: Provides an application store and the ability to extend MDM functions into enterprise and commercially developed apps. Standalone options exist, but lack of integration with MDM and devices makes for challenging implementations.

Username & Password: Tried and true, but basic authentication presents some challenges on mobile

“Single Sign-On”: Drives improvements around user authentication but means many things to many people

Page 5

A bit on basic authentication

•  Easily the most popular auth type for mobile apps, but…

•  User identity has to be configured into each application

•  Fat fingering and password rotation problems

•  Concerns over password hijacking (MiTM attacks)

•  Password management (saved credentials) lives in the browser, not in your app by default.

•  Concerns around password storage

Page 6

The next phase: Certs!

•  Eliminates password complexities & provides session trust, but…

•  How do certs get onto devices?

•  Who terminates the cert?

   –  App server in DMZ? Kerberos in DMZ? Additional KCD provider?

•  One mobile OS vs the next – wildly inconsistent feature sets

•  Protection of certificate material (compromised devices & deletion)

•  Lack of access to the device cert store by apps.

Page 7

Single Sign On: Many Things to Different People

•  Use my existing web auth solution (Siteminder)

•  Use Kerberos somehow?

•  Use my SAML provider

•  Use something new…

Page 8

Using Kerberos for Mobile Apps

•  Advantage: Lots of back end app servers support it

•  Further advantage: Native OS technologies are adopting it

•  Challenges:

   –  Establishing the user identity

   –  Who processes the Kerberos transaction?

   –  Protecting the Kerberos infrastructure

Page 9

Using Web Access Management for Mobile

•  Advantage: Lots of back end app servers support it

•  Your browser-based apps should just work…

•  Challenges:

   –  Containerization prevents sharing of sessions across native apps

   –  SDKs for mobile development are still relatively new and proprietary.

Page 10

Using SAML for Mobile Apps

•  Advantage: You may already have been down this road for federation to other services.

•  Challenges:

   –  SAML tokens can't be easily transmitted into a native app via HTTP POST

      •  Embedded web views for auth can solve this but aren't clean

      •  SDKs are being developed to facilitate token transmission.

      •  Middleware servers that extract tokens and convert them to a URL handler
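The last option on slide 10, a middleware server that receives the IdP's HTTP POST and hands the result to the native app through a URL handler, as an added example. This is not code from the talk, from MobileIron or from any SAML library. It assumes a hypothetical `myapp://sso` custom scheme, and it delegates XML-signature verification to a caller-supplied function because the constructed sample assertion below is unsigned; the form decoding, validity-window check, one-time code and redemption step are real logic.

```python
"""SAML HTTP-POST -> native-app URL handler bridge.

Added example; not code from the talk, MobileIron or any SAML library.
Assumptions: the app registers the hypothetical scheme ``myapp://sso``;
XML-signature verification is supplied by the caller (an xmlsec-backed
library in production) because this demo has no IdP signing key.
"""
import base64
import secrets
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
APP_SCHEME = "myapp://sso"   # hypothetical custom URL scheme owned by the app
CODE_TTL = 60                # seconds a one-time code stays redeemable

_pending = {}   # one-time code -> (subject, expiry); server-side only


def _saml_time(value):
    """Parse a SAML UTC timestamp (whole seconds assumed) to epoch seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()


def parse_saml_response(form_body, verify_signature, now):
    """Decode the posted SAMLResponse and return its NameID, or raise ValueError."""
    fields = parse_qs(form_body)
    if "SAMLResponse" not in fields:
        raise ValueError("missing SAMLResponse")
    raw = base64.b64decode(fields["SAMLResponse"][0])
    # Verify before trusting anything else: an unsigned assertion is just text.
    if not verify_signature(raw):
        raise ValueError("SAML signature invalid")
    root = ET.fromstring(raw)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("Assertion has no validity window")
    if now < _saml_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        raise ValueError("Assertion not yet valid")
    if now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID")
    return name_id.text


def sso_handler(form_body, verify_signature, now):
    """HTTP handler for the IdP POST: validate, then 303 to the app with a one-time code.

    The SAML token never goes into the URL. Custom-scheme URLs land in OS logs
    and browser history, and more than one app can register the same scheme, so
    the app receives only a short-lived single-use code and redeems it over TLS.
    """
    try:
        subject = parse_saml_response(form_body, verify_signature, now)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    code = secrets.token_urlsafe(32)
    _pending[code] = (subject, now + CODE_TTL)
    return {"status": 303, "location": APP_SCHEME + "?" + urlencode({"code": code})}


def redeem_code(code, now):
    """Called by the native app over TLS: returns the subject exactly once, else None."""
    entry = _pending.pop(code, None)
    if entry is None:
        return None
    subject, expiry = entry
    return subject if now < expiry else None


# Constructed sample assertion (unsigned, hence the injected verifier).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-07-09T17:55:00Z" NotOnOrAfter="2013-07-09T18:00:00Z"/>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_POST = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML).decode()})
T_VALID = datetime(2013, 7, 9, 17, 57, tzinfo=timezone.utc).timestamp()
T_LATE = datetime(2013, 7, 9, 18, 5, tzinfo=timezone.utc).timestamp()


def demo_verifier(raw_xml):
    """Demo-only stand-in for real XML-DSig verification: accepts everything."""
    return True


if __name__ == "__main__":
    resp = sso_handler(SAMPLE_POST, demo_verifier, T_VALID)
    print(resp)                                    # 303 + myapp://sso?code=...
    code = resp["location"].split("code=", 1)[1]
    print(redeem_code(code, T_VALID + 5))          # alice@example.com
    print(redeem_code(code, T_VALID + 5))          # None: single use
    print(sso_handler(SAMPLE_POST, demo_verifier, T_LATE))   # 400, expired
```

The design point is the split: the browser or web view delivers only a one-time code through the URL handler, and the app turns it into a session by calling the middleware directly, so a leaked or replayed URL is worthless after the first redemption or after `CODE_TTL`. The signature hook is the part a deployment must not leave as the demo stub.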

Page 11

Authorization Agent (AZA)

•  Being backed by large players like VMware, Ping, Box, MobileIron

•  Provides a standard for transmission of user & session identity data between applications.

•  Challenges:

   –  Productization

   –  App server support for OAuth

Page 12

Client-side options…


Page 13

Hardware-based certificates

•  Required for some applications

   –  Defense, Homeland Security, contractors (CAC, PIV, etc)

   –  Swedish Healthcare System (SITHS)

   –  Certain industries (e.g. Oil & Gas, FiServ)

•  Challenges

   –  Readers are proprietary. Some middleware is proprietary, others not.

   –  Form factor options can be daunting, lag behind device hardware intros

   –  Obtuse development environments

   –  Expensive

Page 14

Adaptive authentication

•  Leverages multi-factor authentication on a risk-driven basis

•  New implementations are being developed by RSA, Oracle and others. Expect more here soon.

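Slide 14 describes adaptive authentication only as "multi-factor authentication on a risk-driven basis". An added example of the decision step, not code from the talk or from the RSA or Oracle products it mentions: the signal names, weights and thresholds are hypothetical, and the login history and attempts are constructed. The signals it scores are the ones the rest of the deck cares about, device enrollment and compromise state from the MDM/MAM side, plus location, time of day and recent failures from the identity side.

```python
"""Risk-driven step-up decision for a mobile app login.

Added example; not code from the talk or from any vendor's adaptive-auth
product. Signal names, weights and thresholds are hypothetical; in a real
deployment the device signals come from the MDM/MAM agent and the history
from the identity provider's login records.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
STEP_UP_AT, DENY_AT = 30, 80          # score thresholds (hypothetical)
MAX_PLAUSIBLE_KMH = 900               # faster than this between logins = impossible travel


@dataclass
class Attempt:
    user: str
    known_device: bool     # enrolled device previously used by this user
    compromised: bool      # jailbreak/root reported by the device agent
    lat: float
    lon: float
    ts: float              # epoch seconds of this attempt
    hour_local: int        # user's local hour, 0-23
    failed_recent: int     # failed logins in the last 15 minutes


@dataclass
class History:
    last_lat: float
    last_lon: float
    last_ts: float
    usual_hours: range     # hours at which this user normally logs in


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(a, h):
    """Return (score 0-100, list of reasons) for one login attempt."""
    if a.compromised:
        # A rooted/jailbroken device cannot protect a second factor either.
        return 100, ["compromised device"]
    score, reasons = 0, []
    if not a.known_device:
        score += 40
        reasons.append("unenrolled device")
    km = km_between(a.lat, a.lon, h.last_lat, h.last_lon)
    hours = max((a.ts - h.last_ts) / 3600.0, 1.0 / 60)   # avoid divide-by-zero
    if km / hours > MAX_PLAUSIBLE_KMH:
        score += 50
        reasons.append("impossible travel")
    elif km > 500:
        score += 15
        reasons.append("new location")
    if a.hour_local not in h.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if a.failed_recent:
        score += min(10 * a.failed_recent, 30)
        reasons.append("recent failures")
    return min(score, 100), reasons


def decide(a, h):
    """Map the score to an action: allow, require a second factor, or deny."""
    score, reasons = risk_score(a, h)
    if score >= DENY_AT:
        return DENY, score, reasons
    if score >= STEP_UP_AT:
        return STEP_UP, score, reasons
    return ALLOW, score, reasons


# Constructed sample data: alice last logged in from London at t=0.
LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)
HISTORY_ALICE = History(*LONDON, last_ts=0.0, usual_hours=range(7, 20))
SAME_CITY = Attempt("alice", True, False, *LONDON, ts=3600, hour_local=10, failed_recent=0)
NYC_2H = Attempt("alice", True, False, *NEW_YORK, ts=7200, hour_local=12, failed_recent=0)
NEW_DEVICE_NIGHT = Attempt("alice", False, False, *LONDON, ts=10800, hour_local=2, failed_recent=0)
NEW_DEVICE_NYC = Attempt("alice", False, False, *NEW_YORK, ts=7200, hour_local=12, failed_recent=0)
ROOTED = Attempt("alice", True, True, *LONDON, ts=3600, hour_local=10, failed_recent=0)

if __name__ == "__main__":
    for name, attempt in [("same city", SAME_CITY), ("NYC 2h later", NYC_2H),
                          ("new device at 2am", NEW_DEVICE_NIGHT),
                          ("new device + NYC", NEW_DEVICE_NYC), ("rooted", ROOTED)]:
        print(f"{name:18} -> {decide(attempt, HISTORY_ALICE)}")
```

Two checks a practitioner would want here: device compromise short-circuits to deny rather than step-up, because a second factor entered on a rooted device protects nothing; and impossible travel is measured against the last successful login, so the history must only be updated after a fully authenticated session, never on a step-up that was still pending.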

Page 15

Biometrics & other factors

•  New innovations using embedded cameras for eye recognition, facial recognition

•  Fingerprint readers in device hardware?

•  NFC, Bluetooth and other near-field token-based technologies.

