CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps



David McNeely, Director of Product Management, Centrify
When it comes to identity, thinking outside of the box benefits both end users and IT organizations alike. IDaaS allows enterprises to make identity a transparent and ubiquitous part of their cloud and mobile applications, securely. Whether you’re developing application services, in-house mobile apps or taking advantage of existing SaaS apps, gain insight into integrating and managing mobile user access with your existing Identity Services, all while ensuring consistency in authentication, authorization, security policy and compliance. Attend this session and learn how to establish one single login for users and one unified identity infrastructure for IT.

Published in: Technology, Business


  • 1. © 2004-2012. Centrify Corporation. All Rights Reserved. Beyond the Building: Secure Identity Services for Mobile and Cloud Apps
  • 2. Secure Identity Services for Mobile & Cloud Apps
    • The shift to a people-oriented IT is driving BYO
      • Users are bringing their own devices, laptops, mobile and SaaS apps
      • This creates risk as users end up with too many accounts and passwords
    • IT must control and secure the applications and data
      • Centralizing control over these new mobile and SaaS applications
      • Embracing federated authentication for SaaS and mobile apps
      • Extending the enterprise login to SaaS applications
      • Federated authentication for mobile apps and containers
  • 3. The New Challenges of a People Oriented IT
    IT is evolving from an IT asset-centric perspective to a user-centric perspective.

    | Dimension                  | 15 Years Ago                                                                           | Current Environment                                        |
    | Enterprise IT systems      | Just core processes                                                                    | All the business processes                                 |
    | Application users          | A few transaction experts                                                              | Most employees                                             |
    | Access device              | Desktop PC                                                                             | Desktop, laptop, tablet or smartphone                      |
    | Access location            | Your desk                                                                              | Anywhere                                                   |
    | Application usage modality | Specific data entry and access                                                         | On demand, ongoing, mostly for access to information       |
    | Security risk              | Limited: access by specific individuals, from known locations for predictable purposes | Much larger: potentially from any device, located anywhere |
  • 4. Bring Your Own: Laptop, Smartphone, Tablet
    • Organizations are increasingly allowing employees to bring their own devices
    • Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users
    (Chart, "EDA: 3/4 of All Organizations Condone BYOD", responding organizations by number of employees: 10,000+: 66%; 2,000-10,000: 85%; 500-2,000: 67%; 100-500: 78%; all responding organizations: 75%)
  • 5. Bring Your Own: Laptop, Smartphone, Tablet
    • Organizations are increasingly allowing employees to bring their own devices
    • Laptops are no different:
      • Given a choice, many users will choose an Apple MacBook
      • Forrester predicts that Mac systems will grow by 52% in the enterprise
    (Chart, "Macs make up over 1/3 of all Laptops in the Enterprise", organizations by number of employees 10,000+ / 2,000-10,000 / 500-2,000 / 100-500; series as extracted, in legend order: Mac laptops 35%, 31%, 22%, 36%; Windows laptops 60%, 50%, 48%, 45%)
  • 6. Bring Your Own Presents New Challenges
    • Consumer-oriented features present security challenges for the enterprise
      • OS X Internet/File/Screen Sharing
      • iCloud document and data sharing
    • "Day 1" effect for new products
      • Consumers want to use new products and updates the day that they are launched
      • Users tend to update devices every 2 years
    • End user is the "admin"
      • IT has much less control over configuration
      • Enforcing security is challenging
  • 7. BYOD Drives Mobile App and SaaS Adoption
    Which creates risk:
    • Multiple logins for users
    • Multiple identity infrastructures for IT to manage
    (Diagram: end users on laptops, smartphones and tablets, each app and service with its own separate ID)
  • 8. IT Must Ensure Compliance with Regulations
    • Security policies are designed to protect:
      • Government, business and financial data
      • Consumer and patient privacy
    • The rules are well defined for IT:
      • Establish separation of duties
      • Enforce system security policies
      • Enforce network access policies
      • Encrypt data in motion and at rest
      • Enforce "least access"
      • Grant privileges to individuals granularly
      • Audit user access and privileged user activities
    (Regulations shown: Payment Card Industry Data Security Standard; Federal Information Security Management Act; NIST Special Publication 800-53; Basel II; FFIEC Information Security Booklet; Health Insurance Portability and Accountability Act; Sarbanes-Oxley Act Section 404)
  • 9. Requirements for Enabling People Oriented IT
    1. Enable employee productivity
      • They can access the data they need for work, anywhere at any time
      • IT and security don't get in the way
    2. Ensure compliance requirements are addressed
      • IT can enforce required security policies on business data
      • IT is able to maintain access controls over business applications
    3. Efficient management
      • Security officers can easily describe the security policies to be enforced
      • Helpdesk can easily take on the responsibilities of managing
  • 10. IT Needs a Unified Identity Service
    Where users have one login ID and password, and IT has one federated identity infrastructure to manage.
    (Diagram: end users on laptops, smartphones and tablets sharing a single ID)
  • 11. Strengthen Security with Federated Identity
    • Federated identity ensures that users only need to use their AD userid/password
      • Only one password to remember
      • The password is protected by the enterprise in AD; the SaaS provider receives a federation assertion, never the password itself
    • AD-based federation provides several advantages for IT
      • Leverages existing account and password policies, simplifying management
      • Ensures that IT controls access: disabling the AD account revokes access to every federated app, which removes the usual source of orphaned accounts
    (Diagram: federation trust between the enterprise AD behind the firewall, a cloud proxy server and the IDP as a Service)
  • 12. Extend Identity Services to Mobile Platforms
    • Mobilize app and service access
      • Enable mobile access to enterprise services and applications
      • Design mobile interfaces to seamlessly integrate with the enterprise services
    • Containerization to separate work from personal
      • Protect work applications and data from data leakage
      • Provide the laptop experience on mobile: unlock once and access all business apps
    • Centralize mobile and application administration
      • Enabling IT to manage security policies for mobile, workstations and servers
      • Unifying app management into one interface for mobile, web and SaaS apps
      • Leveraging automated lifecycle management through AD
  • 13. Mobilize App and Service Access
    • Ensure integrity of the mobile platform, since the user is the admin
    • Prevent unauthorized access to the mobile platform
    • Leverage PKI authentication for SSO to Exchange ActiveSync, Wi-Fi and VPN
    • Design mobile apps to use federated SSO where possible
    (Diagram: Active Directory-based security infrastructure issuing the user's ID to the device)
  • 14. Ensure Integrity of Mobile Platform
    • Platform security can be compromised if the mobile platform has been "jailbroken" (iOS) or "rooted" (Android)
      • This then enables unsigned applications to run on the device
      • It also enables tampering or modification of the OS
      • And allows malicious applications to access data contained in other applications
    • As long as the device has not been "jailbroken" or "rooted", enterprise apps can be run on the device with the OS sandbox as the isolation boundary
      • There is no need to worry about applications that a user may install, IF sandboxing is intact
      • We do need to look at what users can do with data in these apps; this is where containers are needed
    Actions:
    • Establish an acceptable use policy that prevents usage of "jailbroken" or "rooted" devices
    • Leverage an MDM that provides continuous "jailbreak" or "rooted" device detection, enforcing this policy
    Caveat: on-device jailbreak and root detection is heuristic and can be evaded by a sufficiently modified platform, so treat it as a compliance signal that narrows the window of exposure rather than as proof of integrity; hardware-backed integrity measurement, where the platform offers it, is the stronger check.
  • 15. Prevent Unauthorized Access
    • There are several scenarios that must be addressed to prevent unauthorized access to the device and any applications or data it may have:
      • Misplaced: passcode policy to wipe on X number of invalid unlock attempts
      • Misplaced/Lost: remove profiles to ensure no access to corporate resources
      • Lost/Stolen: remote wipe to ensure no access to device contents
    Actions:
    • Establish policy to auto-lock the device
    • Establish policy to wipe on max invalid passcode attempts
    • Leverage MDM for remote wipe for lost devices
  • 16. Provide Secure Access to Enterprise Services
    • The goal is to eliminate the weakness of password-based authentication
      • Leverage strong PKI certificate-based authentication where possible
      • Eliminates the account lockout issue that occurs when multiple devices cache a user's old password and keep retrying it after a change
    • Enterprise networks
      • Wi-Fi should be configured for PKI authentication, e.g. EAP-TLS
      • VPN should be configured for PKI authentication
    • Exchange ActiveSync
      • Only allow access by authorized systems, e.g. require PKI authentication
      • Ensure that only registered devices access ActiveSync, e.g. turn on automatic mobile device quarantine and grant access only to registered devices for each user
  • 17. Mobilize Apps with Federated Zero Sign-On
    Integrate mobile app authentication:
    • Mobile app authenticates and registers AD as its identity provider
    • Mobile app can access information about user attributes in AD
    • Mobile app gains SSO to backend services
    (Diagram: Mobile OS running the Mobile App with the Mobile Auth SDK and MDM; Cloud Proxy Server and IDP as a Service behind the firewall; Hosted Application)
    Step 1: Web application registration
    Step 2: One-time user authentication & device registration
    Step 3: Token generation
    Step 4: Token-based authentication
  • 18. Mobile Authentication Service SDK
    • Example Sales app integrated into federated authentication via the Mobile Authentication Service SDK:

      App launch:
        call EnterpriseAuthentication.getUserInformation()
        if the app is not registered OR reauthentication is required then
          the EnterpriseAuthentication SDK will:
            display the enterprise login screen
            log in to AD
            check user authorization
            check device jailbreak status
            request a certificate
          display "Welcome %username"
        else
          display "Welcome %username"
      onClick "Profile":
        call EnterpriseAuthentication.userLookup()
        display user attributes from AD
      onClick "Sales Records":
        call EnterpriseAuthentication.getSecurityToken(target)
        request data from target using the SecurityToken to authenticate
  • 19. Containerization Separates Work From Personal
    • Secure container built on a secure OS for both security and usability
    • Provides dual-persona usage of popular mobile applications
    • SSO for all apps in the container, enabling the laptop experience on a mobile device
  • 20. Security From The Ground Up
    • HW-level and OS-level security
      • Secure Boot for preventing "unauthorized" operating systems
      • Security Enhanced (SE) Android, developed by the NSA (National Security Agency)
      • TrustZone-based integrity measurement
    • Android framework and application-level security
      • Application and data isolation for work and play with the container
      • On-device data encryption
      • Virtual Private Network (FIPS 140-2)
    • Support for management via Active Directory / Group Policy Manager
    • Policies to comply with the US DoD Mobile OS Security Requirements Guide*
      • including CAC / PIV card support
  • 21. Containerization with Multi-App SSO
    • Multi-application SSO is built into the Knox container
      • One SSO registration for the container
      • Whitelisted apps can use the enterprise SSO service
    • The container provides enterprise SSO as a service
      • Identifies the authenticated user to the apps
      • Provides AD attributes of the user such as group memberships
      • Grants security tokens upon request for authorized web apps/services
    (Diagram: Samsung SE Android device with a KNOX container holding Mobile App 1 and Mobile App 2, each with the Mobile Auth SDK, and the Enterprise SSO service; a personal app outside the container; Cloud Proxy Server and IDP as a Service behind the firewall; Web Application)
    Step 1: Web application registration
    Step 2: One-time user authentication & container registration
    Step 3: Token generation
    Step 4: Token-based authentication
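The four-step token flow on slides 17, 18 and 21, worked through end to end as an added example in Python. This is not Centrify's Mobile Auth SDK or any code from the deck: the class and method names, the HMAC-signed token format, the per-application signing keys, the fixed clock values and the in-memory stand-in for Active Directory are all assumptions made for illustration.

```python
# Added illustration, not Centrify's SDK: a toy model of the four-step federated
# token flow. Names, token format and HMAC signing are assumptions; DIRECTORY is
# a constructed stand-in for Active Directory (user -> credential hash, groups,
# and the web apps that user is authorized to reach).
import base64
import hashlib
import hmac
import json
import secrets

_SALT = b"constructed-salt"  # one fixed salt keeps the stand-in short


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


DIRECTORY = {
    "alice": {"pw": _pw_hash("correct horse battery"), "groups": ["Sales"],
              "apps": {"sales-records"}},
}


class IdentityProvider:
    """Stands in for the 'IDP as a Service' fronting the enterprise directory."""
    def __init__(self, directory):
        self._dir = directory
        self._apps = {}           # Step 1: app_id -> per-app signing key
        self._registrations = {}  # Step 2: registration id -> (user, device)

    def register_app(self, app_id):
        """Step 1: web application registration; the app receives its key."""
        self._apps[app_id] = secrets.token_bytes(32)
        return self._apps[app_id]

    def register_device(self, user, password, device_id, jailbroken):
        """Step 2: one-time user authentication plus device/container registration."""
        rec = self._dir.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password)):
            raise PermissionError("bad credentials")
        if jailbroken:  # slide 14: an untrusted platform is never registered
            raise PermissionError("device integrity check failed")
        reg_id = secrets.token_hex(16)
        self._registrations[reg_id] = (user, device_id)
        return reg_id

    def user_lookup(self, reg_id):
        """userLookup() on slide 18: attributes read from the directory."""
        user, _ = self._registrations[reg_id]
        return {"user": user, "groups": list(self._dir[user]["groups"])}

    def get_security_token(self, reg_id, target, now, ttl=300):
        """Step 3: mint a short-lived token bound to user, device and target app."""
        user, device_id = self._registrations[reg_id]
        if target not in self._apps or target not in self._dir[user]["apps"]:
            raise PermissionError(f"{user} not authorized for {target}")
        claims = {"sub": user, "aud": target, "dev": device_id, "iat": now,
                  "exp": now + ttl, "groups": self._dir[user]["groups"]}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._apps[target], body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig


class WebApplication:
    """The hosted application: it trusts only tokens signed with its own key."""
    def __init__(self, app_id, key):
        self.app_id, self._key = app_id, key

    def verify(self, token, now):
        """Step 4: token-based authentication; returns the claims or raises."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != self.app_id:
            raise PermissionError("token issued for another application")
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        return claims


def run_flow(now=1_700_000_000):
    """Walk the four steps once, then exercise the failure cases worth testing:
    cross-app replay, expiry, an unauthorized app and a rooted device."""
    pw = "correct horse battery"
    idp = IdentityProvider(DIRECTORY)
    sales = WebApplication("sales-records", idp.register_app("sales-records"))  # Step 1
    hr = WebApplication("hr-portal", idp.register_app("hr-portal"))
    reg = idp.register_device("alice", pw, "ios-7F3A", False)                 # Step 2
    token = idp.get_security_token(reg, "sales-records", now)                 # Step 3
    out = {"profile": idp.user_lookup(reg), "claims": sales.verify(token, now)}  # Step 4
    attempts = {
        "replay_to_hr": lambda: hr.verify(token, now),
        "expired": lambda: sales.verify(token, now + 301),
        "unauthorized_app": lambda: idp.get_security_token(reg, "hr-portal", now),
        "rooted_device": lambda: idp.register_device("alice", pw, "android-0C", True),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "accepted"
        except PermissionError as exc:
            out[label] = str(exc)
    return out
```

Two points the diagram leaves implicit: the relying party never sees the AD password, only a signed assertion bound to user, device and audience with a short expiry, and a token minted for one application is rejected by another. In this toy the rejection comes from per-application keys; a production IdP signs with an asymmetric key so that relying parties hold only a verification key, and the `aud` check is then what stops cross-application replay, so it must not be dropped just because the signature verifies.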
  • 22. Containerization for Dual Persona Usage
    • Dual persona enables usage of the same app with different personalities
      • Personal mail on the device, business mail in the container
      • Personal Box account on the device, business Box account in the container
    (Screenshot: Gmail and a personal Box account on the device; Office 365 mail and a business Box account in the container)
  • 23. Integrated Mobile and App Administration
    • Unifying application management into one interface for mobile, web and SaaS applications
    • Leveraging processes and knowledge of lifecycle management through AD
  • 24. Leverage Existing Knowledge, Tools and Processes
    • You have existing infrastructure, management tools and processes
      • Look to leverage these where possible to minimize retraining
    • Examples of existing IT management infrastructure and tools:
      • Active Directory is typically used to manage both users and computers
      • Active Directory groups are used to manage user access
      • Group Policy is typically used to manage system security policies based on group membership
      • Microsoft Certificate Authority is used to manage PKI keys for all Windows systems, automatically
    (Diagram: Active Directory-based security infrastructure: Active Directory Users & Computers, Active Directory Group Policy, Windows Certificate Authority)
  • 25. Security Beyond the Building
    • A federated identity service centralizes application authorization under IT control
      • Providing users with SSO to authorized services and applications
      • Eliminates the multiple-password challenges associated with hosted applications and services
    • Mobilized application access and ZSO enable employee productivity
      • Users can access the data they need for work, anywhere at any time, with mobile access to email, shared files and applications
      • IT and security don't get in the way, with zero sign-on and container-based management
    • Containerization enables security to address compliance requirements
      • IT can enforce required security policies on business data using Group Policy
      • IT is able to maintain access controls over business applications
    • Integrated administration enables IT to efficiently manage mobility
      • Security officers can easily describe the security policies to be enforced
      • Helpdesk can easily take on the responsibilities of managing
  • 26. Thank You