BACKGROUND
The increasing popularity of mobile devices is rapidly changing how and where we consume business-related content. Mobile workforce expectations are forcing organizations to empower their employees through Bring Your Own Device (BYOD) programs that allow personal devices to be used for work purposes. Employees prefer not to carry around multiple mobile devices. Companies are also happy, as this practice reduces costs and increases the productivity of the workforce. However, this growing trend also gives less secure mobile devices access to sensitive corporate information and IT systems. As organizations adapt to such changes, their information security departments are starting to enforce strict Acceptable Use and Security policies. To protect against potential device data theft, it is important for organizations to manage what content personal mobile devices have access to.
CORNERSTONE STATEMENT OF SECURITY
Cornerstone follows the highest industry practices, ensuring that both security and performance are at the forefront of our products. Top-tier security is applied to all customer proprietary information and content secured in our cloud-based servers, on employee devices, and on mobile devices. Network security and performance are vital areas of our business and are part of our primary objectives toward achieving best-in-class security, availability, scalability, and manageability for our mobile offering.
Cornerstone implements a breadth of security techniques to provide multiple layers of protection against possible intrusion. Industry-standard security controls, including data encryption and Secure Sockets Layer (SSL) technology, are used throughout the application. Our technology infrastructure is maintained through regular updates and rigorous testing to improve the protection of our customers' information and data at every corner.
CORNERSTONE MOBILE ARCHITECTURE
The Cornerstone mobile application is a cross-platform native HTML5 hybrid application supported on both iOS and Android smartphone and tablet devices. In addition, the application is accessible via mobile browser on all platforms.
DEFINITIONS
HTTPS: Hypertext Transfer Protocol Secure. HTTPS sockets provide encrypted communication between the MLP servers and the apps that run on all activated mobile devices.
SAAS: Software as a Service is a model for the delivery of a software platform in which a software provider hosts and maintains a product and all data associated with it. Typically the provider is the software vendor itself.
SSO: Single sign-on is a property of access control across multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.
SAML: Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
SSL: SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.
XML: Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
MOBILE AUTHENTICATION
The Mobile application has three methods of login: username/password, device registration, and Single Sign-On (SSO).
1. The username/password method submits the user's credentials over HTTPS to Cornerstone's standard login procedure. It is secured with the same SSL security and 128-bit HTTPS encryption as the main Cornerstone login.
2. Device registration uses the OAuth protocol to authenticate requests. Every request is signed using a combination of the user's token (stored on the device), a secret token (stored on the device), the PIN, a timestamp, and a nonce. Each request is validated by our STS authenticator and is encrypted using the same SSL certificates, with 128-bit encryption, as our standard username/password login process. At any point the user can remove their registered device.
3. SSO authentication uses SAML 2.0 SP-initiated authentication, an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (IDP), the producer of assertions on the client side, and a service provider (SP), the consumer of assertions on the Cornerstone side. Clients that implement SSO using the SAML solution typically have a SAML IDP server in place and have already used it to integrate SSO with other applications.
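As an added example (not Cornerstone's code), the Python below sketches how a request signed with the fields listed under device registration (user token, device secret, PIN, timestamp, nonce) can be produced on the device and checked by a server-side authenticator. The paper does not publish the actual signing algorithm, so the HMAC-SHA256 construction, the header names, and the five-minute freshness window are assumptions; the point it shows is why every one of those fields matters: the secret and PIN keep the signature unforgeable, the timestamp bounds how long a captured request stays valid, the nonce stops it being replayed within that window, and removing the registration invalidates the token immediately.

```python
"""Signed-request validation for device registration (added example).

Illustrative code, not Cornerstone's. The paper says each device-registered
request is signed with the user's token, a device secret, the PIN, a timestamp
and a nonce, and is validated by an STS authenticator. The actual algorithm is
not published, so HMAC-SHA256 over a canonical string, the header names and
the freshness window below are assumptions.
"""
import hashlib
import hmac
import secrets
import time

FRESHNESS_WINDOW = 300  # seconds of clock skew tolerated (assumed value)


def canonical_string(user_token, pin, timestamp, nonce, method, path, body):
    """Bind identity, freshness and the request itself into one string so a
    valid signature cannot be lifted onto a different request."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [user_token, pin, str(timestamp), nonce, method.upper(), path, body_hash]
    return "\n".join(parts)


def sign_request(device_secret, user_token, pin, method, path, body, now=None):
    """Client side: build the headers a registered device attaches to a request."""
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    msg = canonical_string(user_token, pin, timestamp, nonce, method, path, body)
    mac = hmac.new(device_secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return {"X-User-Token": user_token, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


class Authenticator:
    """Server side: stand-in for the STS authenticator."""

    def __init__(self, registrations):
        # user_token -> (device_secret, pin); both are known only to the device
        # and the server, so neither ever travels in the request.
        self._registrations = dict(registrations)
        self._seen_nonces = {}  # nonce -> expiry, for replay detection

    def remove_device(self, user_token):
        """A user removing their registered device invalidates its token."""
        self._registrations.pop(user_token, None)

    def validate(self, headers, method, path, body, now=None):
        now = now if now is not None else time.time()
        # Forget nonces older than the window; a replay carrying an old
        # timestamp is rejected by the freshness check instead.
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}
        user_token = headers.get("X-User-Token", "")
        reg = self._registrations.get(user_token)
        if reg is None:
            return False, "unknown or removed device registration"
        device_secret, pin = reg
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > FRESHNESS_WINDOW:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self._seen_nonces:
            return False, "replayed or missing nonce"
        msg = canonical_string(user_token, pin, ts, nonce, method, path, body)
        expected = hmac.new(device_secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self._seen_nonces[nonce] = now + FRESHNESS_WINDOW  # record only on success
        return True, "ok"
```

The nonce is recorded only after the signature verifies, so an attacker cannot burn nonces on the server by sending unsigned junk, and the signature covers method, path and a body hash so a captured signature is useless against any other endpoint.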
MOBILE SECURITY WORKFLOW
Figure: mobile security workflow (layers labelled SaaS, SSL, HTTPS)
In the Cloud
• User Management & Authentication
• Content Management & Distribution
• Preferences and Security
• Multi-product Integration
Over the Air
• Latency & Offline Access
• Information Privacy
• Real-time Synchronization
On Device
• Single Sign-On (SSO)
• 128-Bit HTTPS Encryption
• 256-Bit AES Encryption for Locally Stored Data
• Session Timeout
INTUITION MOBILE LEARNING PLATFORM – SECURITY FEATURES
Figure: security features by layer (labelled SaaS, SSL, HTTPS)
On Device
• SSO
• Encryption
• Remote Access
• PIN Screen Lock
• Timeout
• Closed Loop
In the Cloud
• Disaster Recovery & Business Continuity
• User Management & Authentication (SSO)
• Content Management & Distribution
• LMS Integration
Over the Air
• Roaming Control
• Latency & Offline Access
• Virus Prevention
• Information Privacy
• App Maintenance
AUTHENTICATION VIA SSO
Figure: SSO sequence diagram between the Client Application, the Platform SSO Framework, and the IDP
Client initiates SSO authentication request
Platform sends HTTP redirect through user's browser to IDP SSO service
Client login
IDP sends back response
Platform processes IDP response; transforms to format expected by client
Platform returns response to client
The sequence diagram above outlines the detailed interactions between the client application, the platform SSO framework, and the IDP system. A user attempts to access a protected resource directly on an SP site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IDP. The SP sends an authentication request to the IDP. Both the request and the returned SAML assertion are sent through the user's authentication page via HTTP POST.
The detailed steps are as follows:
1. The client application initiates a Platform SSO request with the user name and corp to access a protected SP resource.
2. The SSO platform sends a URL back to the client application. The client application then redirects the user through a new browser window, which results in an HTML form with the SAML authentication request being sent to the IDP.
3. The IDP asks the user for their network/Active Directory credentials (e.g., username and password) and the user logs in.
4. The IDP's SSO service returns the authentication assertion to the SSO Platform.
5. The SSO Platform processes the response from the IDP and transforms it into the response format expected by the client.
6. The authentication response is then sent back to the client.
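The checks an SP must apply in step 5 before it trusts the IDP's response are what make the SP-initiated flow safe against a response being replayed or redirected from one request, or one SP, to another. The Python below is an added example (not Cornerstone's code, and not the platform's actual SSO framework) of those checks run over a constructed SAML 2.0 response; entity IDs, URLs and the sample response are constructed, and the XML signature verification that a real SP performs first, with a SAML library against the IDP's certificate, is assumed and not reproduced here.

```python
"""SP-initiated SAML 2.0 response validation (added example, not Cornerstone's).

Entity IDs, URLs and the sample response are constructed. Verifying the XML
signature (XML-DSig) against the IDP's certificate must be done with a SAML
library before these checks and is not reproduced; what is shown are the checks
that bind the response to the request issued in step 2 and stop replay.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # constructed
ACS_URL = "https://sp.example.test/saml/acs"            # constructed
IDP_ENTITY_ID = "https://idp.example.test/idp"          # constructed
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = dt.timedelta(minutes=2)  # assumed tolerance


def parse_time(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_saml_response(saml_response_b64, pending_request_ids, seen_assertion_ids, now):
    """Return the asserted NameID or raise ValueError naming the failed check."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in pending_request_ids:  # must answer a request we issued
        raise ValueError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IDP did not return Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion from an unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < parse_time(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # assertion minted for some other SP
        raise ValueError("assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id:
        raise ValueError("subject confirmation does not match this request")
    if now >= parse_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("subject confirmation expired")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    pending_request_ids.discard(req_id)  # each AuthnRequest is answered once
    seen_assertion_ids.add(a.get("ID"))  # each assertion is accepted once
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def try_validate(saml_response_b64, pending_request_ids, seen_assertion_ids, now_iso):
    """Convenience wrapper: ('ok', name_id) or ('error', reason)."""
    try:
        return "ok", validate_saml_response(saml_response_b64, pending_request_ids,
                                           seen_assertion_ids, parse_time(now_iso))
    except ValueError as exc:
        return "error", str(exc)


# Constructed sample, as the IDP would POST it to the ACS in step 4 (signature omitted).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2014-08-01T12:00:05Z"
  Destination="{ACS_URL}" InResponseTo="_req42">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2014-08-01T12:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
          NotOnOrAfter="2014-08-01T12:05:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-08-01T11:59:55Z" NotOnOrAfter="2014-08-01T12:05:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
```

The pending request IDs are the ones the platform generated when it built the redirect URL in step 2; consuming each ID on first use, and remembering accepted assertion IDs until they expire, is what turns the short validity window into real single-use semantics.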
MOBILE PREFERENCES
Within the main Cornerstone application, clients have the ability to update mobile preferences by OU (organizational unit) and turn features on or off as desired. This allows more flexibility over which features appear in the slide-out menu of the mobile application, as well as which screen is the default landing page when a user signs in. In addition, all of the security permissions defined by system administrators throughout the web application are applied within the mobile application.
LIMITATION OF ATTEMPTS
USERNAME/PASSWORD LOGIN: A user can attempt to log in 5 times before their account is locked. On the 6th incorrect attempt, the account is locked.
PIN: Allows for unlimited attempts.
SSO: The number of attempts is dependent on client configuration and is not controlled by Cornerstone OnDemand.
LOCALLY STORED DATA & OFFLINE AUTHENTICATION
Upon successful login with either username/password or PIN, we write the user's corp, username, and a hashed password into our encrypted database (256-bit AES encryption). The database encryption key is unique to each device. With Mobile offline, all data written to the database is protected by SQLCipher, which is one of the most popular secure database solutions, used by companies such as Salesforce, RSA, UBS, JP Morgan, and others.
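The two passages above, the lockout rule for username/password login and the offline credential cache, are served by one added example below (not Cornerstone's code). It caches the corp, username and a salted password hash after a successful online login, verifies the password offline with a constant-time comparison, and locks the record on the 6th incorrect attempt. Plain sqlite3 stands in for SQLCipher (the AES-256 encryption at rest and the per-device key are assumed to be supplied by SQLCipher and are not reproduced), and the hash construction, PBKDF2-HMAC-SHA256 with a per-record random salt and its iteration count, is an assumption; the paper only says the password is hashed.

```python
"""Offline credential cache with login lockout (added example).

Illustrative code, not Cornerstone's. The paper states that after a successful
login the corp, username and a hashed password are written to a per-device
AES-256 encrypted SQLCipher database, and that username/password login locks
the account on the 6th incorrect attempt. sqlite3 stands in for SQLCipher here
(at-rest encryption is assumed to come from SQLCipher and is not reproduced);
PBKDF2-HMAC-SHA256 with a per-record salt and its work factor are assumptions.
"""
import hashlib
import hmac
import secrets
import sqlite3

MAX_FAILED_ATTEMPTS = 5      # five failures allowed; the sixth locks the account
PBKDF2_ITERATIONS = 200_000  # assumed work factor


class OfflineCredentialStore:
    def __init__(self, path=":memory:"):
        # With SQLCipher, the per-device key would be applied here via PRAGMA key.
        self._db = sqlite3.connect(path)
        self._db.execute(
            "CREATE TABLE IF NOT EXISTS credentials ("
            " corp TEXT, username TEXT, salt BLOB, pw_hash BLOB,"
            " failures INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0,"
            " PRIMARY KEY (corp, username))")

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def cache_after_online_login(self, corp, username, password):
        """Called only after the server has accepted the credentials online."""
        salt = secrets.token_bytes(16)  # fresh salt per record
        self._db.execute("INSERT OR REPLACE INTO credentials VALUES (?, ?, ?, ?, 0, 0)",
                         (corp, username, salt, self._hash(password, salt)))
        self._db.commit()

    def verify_offline(self, corp, username, password):
        """Return 'ok', 'invalid', 'locked' or 'no_cached_credentials'."""
        row = self._db.execute(
            "SELECT salt, pw_hash, failures, locked FROM credentials"
            " WHERE corp = ? AND username = ?", (corp, username)).fetchone()
        if row is None:
            return "no_cached_credentials"
        salt, pw_hash, failures, locked = row
        if locked:
            return "locked"  # no hash comparison once locked
        if hmac.compare_digest(self._hash(password, salt), pw_hash):
            self._set_state(corp, username, 0, 0)  # success resets the counter
            return "ok"
        failures += 1
        locked = int(failures > MAX_FAILED_ATTEMPTS)  # 6th failure locks
        self._set_state(corp, username, failures, locked)
        return "locked" if locked else "invalid"

    def _set_state(self, corp, username, failures, locked):
        self._db.execute("UPDATE credentials SET failures = ?, locked = ?"
                         " WHERE corp = ? AND username = ?",
                         (failures, locked, corp, username))
        self._db.commit()

    def wipe(self):
        """Application removal: drop every cached credential."""
        self._db.execute("DELETE FROM credentials")
        self._db.commit()
```

Only the salted hash is stored, so a copy of the database yields no passwords directly, and because the lock state lives in the same record it survives app restarts rather than being a counter in memory.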
JAILBROKEN PHONES
A jailbroken phone will share its data via Wi-Fi, Bluetooth, or directly over USB. A mobile database will not be protected by Cornerstone OnDemand if the device is jailbroken. Clients accept all risk for devices that are jailbroken.
GENERAL
Application Removal/Deletion: When the application is removed from the user's mobile device, the user's name and all secure encrypted items are removed from the device. The user must manually remove the application from the mobile device.
Timeout Conditions: When using username/password login, the system uses a session and respects the corp setting for session timeout. Device registration does not have a timeout condition. Timeout conditions are dependent on the default timeout configured within the web application.
App Store Certification: When we deploy to the Apple iOS and Google Play app stores, we follow the respective stores' best practices for deployment.
© 2014 Cornerstone OnDemand, Inc. All Rights Reserved.
Cornerstone OnDemand is a leader in cloud-based applications for talent management. Our solutions help organizations recruit, train, manage and connect their employees, empowering their people and increasing workforce productivity. To learn more, visit csod.com.
csod-wp-Mobile Security 8-2014