CIS14: Providing Security and Identity for a Mobile-First World
Security & Identity for a Mobile-First World
Vijay Pawar, MobileIron, Inc.
Presented at CIS14 (Cloud Identity Summit 2014); deck footer: MobileIron Confidential

Abstract: Ways to secure data in motion, protect data at rest, and provide authentication and single sign-on for mobile application sessions in a secure manner.

Slide transcript
Slide 2: Traditional Desktop
•  Login with enterprise identity (AuthN)
•  Browser or native apps: access & SSO
•  Applications authorized based on identity (AuthZ); applications pre-registered using IAM

Slide 3: Authentication to Applications: Desktop
•  Password
•  Tokens
•  Biometrics
•  Smartcards
•  Certificates

Slide 4: Authentication: Traditional Desktops
Chart: Password, Tokens, Biometrics, Smartcards and Certificates plotted on a Security axis against a Usability + Deployment axis.
Slide 5: Mobile
•  Login with PIN (AuthN)
•  Native app access: applications from the enterprise app store, authorized based on identity (AuthZ), pre-registered using EMM
•  Browser access & SSO: applications authorized based on identity (AuthZ)

Slide 6: Authentication to Applications: Mobile
Leverage the same factors:
•  Password
•  Tokens
•  Biometrics
•  Smartcards
•  Certificates

Slide 7: Auth Factors
•  Passwords: bad UX (typing long passwords, fat-fingering)
•  Biometrics: good UX (fingerprint; facial recognition at an early stage; voice)
•  Tokens: bad UX (must be carried along, or live on the same device, which reduces security)
•  Smartcards: bad UX (additional hardware)

Slide 8: EMM Certificate Support
•  Ease of certificate delivery
•  High security: the private key stays on the device and is never transmitted, so a certificate cannot be phished or captured by a man-in-the-middle the way a password can (the slide's "MITM-proof" holds only when the client also validates the server it talks to)
•  Multiple usage (VPN, Wi-Fi, apps, browser)
•  Good UX

Slide 9: Authentication: Mobile Devices
Chart: Password, Tokens, Biometrics, Smartcards and Certificates on a Security axis against a Usability + Deployment axis, re-positioned for mobile (Tokens, Biometrics, Certificates, Smartcards, Password).
Slide 10: Identity verified → authorized to access app

Slide 11: Authorization to Applications: Desktop
•  Access:
–  Based on AD group
–  Context: network, time
•  In-app access: typically handled inside the app

Slide 12: Authorization Technology: Desktop
•  SaaS: standards (federation); proprietary (WAM, web access management); password manager; E-SSO (enterprise single sign-on)
•  Native: E-SSO

Slide 13: Authorization: Traditional Desktops
Chart: Password Mgr, WAM, Federation and E-SSO plotted on a Security axis against a Usability + Deployment axis.
Slide 14: Authorization to Applications: Mobile
•  Access:
–  Based on AD group
–  Context: network, time, device posture, location, app inventory
•  In-app access: typically handled inside the app

Slide 15: Authorization Technology: Mobile
•  SaaS: standards (federation); proprietary (WAM); password manager
•  Native: E-SSO; wrap/SDK

Slide 16: Authorization: Mobile Apps
Chart: Password Mgr, WAM, Federation and Wrap/SDK plotted on a Security axis against a Usability + Deployment axis.
Slide 17: Recommendations: Cloud Apps (Authorization)
•  Support federation standards
•  If username/password access: restrict by IP address for all applications (e.g. email & content)
•  IdP or SaaS providers to use device context
Slide 18: Future: Authorization: Mobile Apps
Chart: Password Mgr, WAM, Federation and Wrap/SDK plotted on a Security axis against a Usability + Deployment axis, with projected future positions.

Slide 19: Identity verified → multiple applications → need single sign-on

Slide 20: SSO to Applications: Desktop
•  SaaS: standards (federation); proprietary (WAM); Kerberos; certificates; password manager; E-SSO
•  Native: Kerberos; certificates; password manager; E-SSO

Slide 21: Single Sign-On: Traditional Desktops
Chart: Password Mgr, WAM, Kerberos, Federation, Certificates and E-SSO plotted on an "Apps/OS supported" axis against a Usability axis.

Slide 22: SSO to Applications: Mobile
•  SaaS: standards (federation); proprietary (WAM); Kerberos*; certificates*; password manager*
•  Native: Kerberos*; certificates*; E-SSO; wrap/SDK*
* Mileage varies

Slide 23: Challenges: Native App SSO
•  Apps are containerized: no sharing of tokens between apps
•  Some OS vendors support a shared token (iOS 7 Kerberos)
•  Password managers do not support native apps (iOS); they also amount to a security bypass, since replaying a stored password sidesteps IdP-enforced policy

Slide 24: Single Sign-On: Mobile Native
Chart: Password Mgr, WAM, Kerberos, Federation, Certificates and E-SSO plotted on a "Native apps/OS supported" axis against a Usability axis; Certificates, WAM and Kerberos highlighted.

Slide 25: Approaches: Single Sign-On
•  Need shared token support by mobile OS vendors
–  Today: iOS 7 Kerberos token
–  Future: OAuth token?
•  Federation with certificate auth
–  Native apps using certificates
–  IdP supporting certificate auth
•  EMM vendors using a shared token in wrapper/SDK

Slide 26: Future: Single Sign-On: Mobile Native
Chart: Federation, Certificates, WAM and Kerberos on a "Native apps/OS supported" axis against a Usability axis.

Slide 27: Mobile Identity Takeaways
•  Authentication: good UX is key; certificates and biometrics are viable options
•  Authorization: federation standards prevent bypass; username/password apps to provide IP restrictions; IdP to use device context
•  SSO: mobile vendors enabling shared token support; certificates; IdP support for certificate auth
Slide 28: The technical realities…

Slide 29: There is no "one answer" to mobile SSO
•  Generally "I want SSO" means "I want transparent authentication".
•  Shared tokens, while useful, don't work extremely well for mobile today
•  Goals should be to make authentication & authorization easy while reducing UX complexity
But there are lots of implementation options.

Slide 30: The rough architecture of EMM systems
•  A client:
–  Serves to enroll users in the EMM policy server.
–  Can serve as a central mechanism for driving policies & configs for apps (MAM or app wrapping)
•  A server:
–  A central system where administrators define policies and configurations for devices, apps and data. Often houses app storefront functions.
–  Often ties to LDAP to direct policies against user or group objects
–  Can tie to external systems for access control & identity, including certificate authorities, NAC, etc.

Slide 31: The rough architecture of EMM systems
•  A gateway:
–  Allows for transport of traffic to on-premise resources. Can be VPN or purpose built
–  Should tie to concepts around device and network trust: ensure that the device is managed, that sessions aren't hijacked, etc.

Slide 32: The MobileIron Platform
•  Core (VSP) & Cloud: mobile policy configuration engine
–  Mobile Device Management
–  Mobile Application Management
–  Identity and certs
–  User self-service
–  Rules & reporting
•  MobileIron Client: enforces configuration and security policies on the device, apps and content, at rest and in real time
•  Sentry (gateway): provides access control by enforcing security policies on apps and content in flight

Slide 33: EMM vendors build SSO
…because a lot of customers said "We want to use our Windows architecture."
Result: Kerberos Constrained Delegation (KCD) and mobile.
Slide 34: App SSO using Kerberos: PC era
Diagram: Email, Apps and Content back ends; Active Directory issues certs and Kerberos tickets; the PC authenticates to each service with Kerberos.

Slide 35: App SSO: PC era, with native mobile apps
Diagram: the same back ends and Active Directory; native apps on the mobile device have no Kerberos path ("?").

Slide 36: App single sign-on (SSO) using Kerberos Constrained Delegation (KCD)
Diagram: Email, Apps and Content back ends; Active Directory; the device authenticates to the gateway with a certificate, and the gateway uses KCD to obtain Kerberos tickets on the user's behalf for the back ends.

Slide 37: Constraints with KCD
•  Requires app developer engagement (SDK / wrapper)
•  Requires a trust relationship between the gateway and the AD infrastructure
•  No client-certificate-to-app-server auth supported
•  Requires complex setup
•  Native app support (Safari, Chrome) and commercial app support may be limited
Slide 38: Apple takes on SSO
iOS 7 introduces support for Kerberos.

Slide 39: iOS 7: Native OS Kerberos SSO
•  Native iOS: supports direct Kerberos requests from the OS and native apps
•  Device access to the Key Distribution Center (KDC):
–  Use device VPN
–  Expose the KDC in a DMZ, or front it with SSO (the Kerberos proxy on slide 41)

Slide 40: iOS 7 SSO Challenge
Diagram: Email, Apps and Content back ends; Active Directory; certs; native Kerberos is now available on the device ("Native Kerberos!"), but the device still needs a route to the KDC ("?").

Slide 41: iOS 7 SSO with Kerberos Proxy
Diagram: SharePoint, OWA and other Kerberos-enabled apps; the Key Distribution Center (KDC) (labelled "Kerberos Domain Controller" on the slide; in Active Directory the KDC role runs on the domain controller); first sign-on goes through a Kerberos proxy; subsequent access uses per-app VPN SSO.

Slide 42: Constraints with Apple SSO
•  Certificates weren't supported until iOS 8 (watch this space)
•  Only supported on Apple devices
•  Native apps are supported, including Safari
•  Token reuse is supported across applications
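What slides 39 to 42 describe is driven by an iOS configuration profile that the EMM pushes to the device. The following is an added example, not Apple's or MobileIron's code: it builds the com.apple.sso (Single Sign-On Account) payload that iOS 7 introduced, listing the bundle IDs and URL prefixes for which the OS may obtain Kerberos tickets, and wraps it in a profile with Python's plistlib. Realm, principal, bundle IDs, URLs and payload identifiers are constructed; the optional PayloadCertificateUUID is the iOS 8 certificate-based Kerberos option from slide 42 and is assumed to reference a certificate payload delivered in the same profile.

```python
"""Build an iOS Single Sign-On (Kerberos) configuration profile (added example)."""
import plistlib
import uuid


def kerberos_sso_payload(name, realm, principal, app_ids, url_prefixes,
                         cert_payload_uuid=None):
    """Return one com.apple.sso payload dict after validating its match lists."""
    for url in url_prefixes:
        # iOS matches URLPrefixMatches by prefix; only http(s) URLs make sense here
        if not url.startswith(("http://", "https://")):
            raise ValueError(f"URLPrefixMatches entry must be an http(s) URL: {url}")
    for app_id in app_ids:
        # Bundle-ID patterns may end in a wildcard segment, e.g. com.example.*
        if "*" in app_id and not app_id.endswith(".*"):
            raise ValueError(f"wildcard only allowed as the trailing segment: {app_id}")
    kerberos = {
        "Realm": realm.upper(),            # Kerberos realms are conventionally upper case
        "PrincipalName": principal,        # omit to have iOS prompt the user
        "AppIdentifierMatches": list(app_ids),
        "URLPrefixMatches": list(url_prefixes),
    }
    if cert_payload_uuid:
        # iOS 8+: authenticate to the KDC with a certificate instead of a password
        kerberos["PayloadCertificateUUID"] = cert_payload_uuid
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sso.{uuid.uuid4()}",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "Name": name,
        "Kerberos": kerberos,
    }


def build_profile(payloads):
    """Wrap payloads in a top-level configuration profile and serialise it as plist XML."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.sso",             # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise Kerberos SSO",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile).decode()


if __name__ == "__main__":
    sso = kerberos_sso_payload(
        name="Corp Kerberos SSO",
        realm="corp.example.com",
        principal="alice@CORP.EXAMPLE.COM",
        app_ids=["com.apple.mobilesafari", "com.example.*"],
        url_prefixes=["https://sharepoint.corp.example.com/",
                      "https://mail.corp.example.com/owa/"],
    )
    print(build_profile([sso]))
```

Keeping AppIdentifierMatches and URLPrefixMatches tight is the security control here: every app and URL listed gets tickets minted with the user's identity without any further prompt, so a wildcard such as "com.*" would hand Kerberos SSO to any app on the device.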
Slide 43: Standards begin to develop
Introduction of AZA (Authorization Agent), now NAPPS (the OpenID Foundation Native Applications working group).

Slide 44: AZA / NAPPS approach
Diagram: an OAuth-enabled app, an on-device authorization agent, and an Identity Provider (IdP):
1.  App → agent: request token
2.  Agent ↔ IdP: token exchange
3.  Agent → app: deliver token
4.  App → service: auth with token (each app repeats the cycle with its own token)

Slide 45: Constraints with AZA / NAPPS
•  Without OS integration, it remains a MAM-only driven model
•  Today requires app wrapping or an SDK
•  Standards work is still nascent
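The exchange drawn on slide 44, as an added example that is neither MobileIron code nor a NAPPS implementation: one interactive login gives the on-device agent a primary token; each app asks the agent for a token; the agent exchanges the primary token at the IdP for a token scoped to that app's API; the app presents it to its service, and a token minted for one app is rejected by another app's API. Token format, claims, client registrations and the HMAC key are constructed for the demo; a real IdP would issue signed JWTs per registered client, and the agent would be the EMM's SDK or a future OS component.

```python
"""NAPPS-style SSO for native apps via an on-device authorization agent (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class IdP:
    """Issues and verifies HMAC-signed tokens; the signing key never leaves the IdP."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        # Constructed client registry: app bundle ID -> the API audience it may call
        self.registered_apps = {"com.example.mail": "mail-api", "com.example.docs": "docs-api"}

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify(self, token, expected_aud: str):
        """Return the claims if signature, audience and expiry check out, else None."""
        if not isinstance(token, str) or token.count(".") != 1:
            return None
        body, sig = token.split(".")
        good = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(good, sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["aud"] != expected_aud or claims["exp"] < time.time():
            return None
        return claims

    def interactive_login(self, user: str) -> str:
        """The single user-facing login; yields the agent's primary token."""
        return self._sign({"sub": user, "aud": "authz-agent", "exp": time.time() + 8 * 3600})

    def token_exchange(self, primary_token: str, app_id: str):
        """Swap a valid primary token for a short-lived token scoped to one app's API."""
        claims = self.verify(primary_token, "authz-agent")
        if claims is None or app_id not in self.registered_apps:
            return None
        return self._sign({"sub": claims["sub"], "aud": self.registered_apps[app_id],
                           "azp": app_id, "exp": time.time() + 3600})


class AuthorizationAgent:
    """On-device component holding the primary token; apps never see it."""

    def __init__(self, idp: IdP, primary_token: str):
        self._idp, self._primary, self._cache = idp, primary_token, {}

    def token_for(self, app_id: str):
        if app_id not in self._cache:
            self._cache[app_id] = self._idp.token_exchange(self._primary, app_id)
        return self._cache[app_id]


def demo():
    idp = IdP()
    agent = AuthorizationAgent(idp, idp.interactive_login("alice"))
    mail_token = agent.token_for("com.example.mail")
    docs_token = agent.token_for("com.example.docs")
    return {
        "mail_ok": idp.verify(mail_token, "mail-api") is not None,
        # a token minted for the mail app is useless against the docs API
        "mail_token_at_docs": idp.verify(mail_token, "docs-api"),
        "docs_subject": idp.verify(docs_token, "docs-api")["sub"],
        # an app the IdP has not registered gets nothing from the agent
        "unregistered": agent.token_for("com.evil.app"),
    }


if __name__ == "__main__":
    print(demo())
```

The audience-scoped token is what distinguishes this from the shared-token model criticised on slide 29: the primary credential stays with the agent, so a compromised or malicious app holds only a token its own API accepts.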
Slide 46: Another alternative…
Use of certificates for "transparent authentication".

Slide 47: Certificate auth to SSO IdP
Diagram: an OAuth-enabled app and an Identity Provider (IdP):
1.  App receives a user or machine certificate (delivered by the EMM)
2.  Store the cert in the app keychain
3.  Present the certificate to the IdP, receive a token
4.  Auth with the token

Slide 48: Constraints with cert-based auth to IdP
•  Provides transparent authentication, but not "SSO": apps end up with new tokens if the IdP does not know to reissue the previous token from the previous cert auth
•  Works with iOS native apps, but requires developer work to negotiate cert auth & the token request
•  Android requires app wrapping or an SDK to receive certificate material and to transport the IdP request behind the firewall
•  Windows supports cert provisioning and app access to the cert store, but transport to the IdP needs development
•  IdP must support OAuth or SAML requests with certificates as the user identity
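The first constraint on slide 48 in code, as an added example that is not MobileIron's: the EMM has already placed a user certificate in each app's keychain (slide 47), and two apps on the same device present it to the IdP. An IdP that only authenticates mints an unrelated token per app; an IdP that keys its sessions on the certificate fingerprint hands the second app the session the first one opened, which is what turns transparent authentication into SSO. The TLS client-certificate step is simulated: the IdP receives constructed certificate bytes and parses the subject directly instead of validating a real chain, the enrolled-device list stands in for the EMM's feed, and tokens are opaque random strings.

```python
"""Certificate auth to an SSO IdP with per-certificate session reuse (added example)."""
import hashlib
import secrets
import time

SESSION_TTL = 8 * 3600   # constructed session lifetime


def constructed_cert(user: str, device_id: str) -> bytes:
    """Stand-in for the DER certificate the EMM placed in the app keychain.

    A real IdP would validate the TLS client certificate chain to the EMM's
    issuing CA and read the identity from the subject or SAN; this demo
    parses a constructed subject string instead.
    """
    return f"CN={user},OU=Mobile,O=Example,device={device_id}".encode()


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def parse_subject(cert_der: bytes):
    fields = dict(part.split("=", 1) for part in cert_der.decode().split(","))
    return fields["CN"], fields["device"]


class CertAuthIdP:
    def __init__(self, reuse_sessions: bool, enrolled_devices):
        self.reuse_sessions = reuse_sessions
        self.enrolled = set(enrolled_devices)   # device list fed by the EMM (assumption)
        self._sessions = {}   # fingerprint -> {"token", "user", "device", "exp", "apps"}
        self.issued = 0

    def authenticate(self, cert_der: bytes, app_id: str, now=None):
        """Return a bearer token for app_id, or None if the certificate is rejected."""
        now = time.time() if now is None else now
        user, device = parse_subject(cert_der)
        if device not in self.enrolled:
            return None                       # retired or never enrolled: reject
        fp = fingerprint(cert_der)
        sess = self._sessions.get(fp)
        if self.reuse_sessions and sess and sess["exp"] > now:
            sess["apps"].add(app_id)          # second app joins the existing session
            return sess["token"]
        token = secrets.token_urlsafe(32)     # opaque; a real IdP would mint a JWT/SAML assertion
        self.issued += 1
        self._sessions[fp] = {"token": token, "user": user, "device": device,
                              "exp": now + SESSION_TTL, "apps": {app_id}}
        return token

    def apps_sharing(self, cert_der: bytes):
        sess = self._sessions.get(fingerprint(cert_der))
        return set(sess["apps"]) if sess else set()

    def revoke_device(self, device_id: str):
        """EMM retire/wipe hook: drop trust and every live session for the device."""
        self.enrolled.discard(device_id)
        self._sessions = {fp: s for fp, s in self._sessions.items() if s["device"] != device_id}


def demo():
    cert = constructed_cert("alice", "dev-001")
    naive = CertAuthIdP(reuse_sessions=False, enrolled_devices=["dev-001"])
    t_mail = naive.authenticate(cert, "com.example.mail")
    t_docs = naive.authenticate(cert, "com.example.docs")
    aware = CertAuthIdP(reuse_sessions=True, enrolled_devices=["dev-001"])
    s_mail = aware.authenticate(cert, "com.example.mail")
    s_docs = aware.authenticate(cert, "com.example.docs")
    shared = aware.apps_sharing(cert)
    aware.revoke_device("dev-001")
    return {"naive_same_token": t_mail == t_docs, "naive_issued": naive.issued,
            "aware_same_token": s_mail == s_docs, "aware_issued": aware.issued,
            "apps_on_session": shared,
            "after_revoke": aware.authenticate(cert, "com.example.mail")}


if __name__ == "__main__":
    print(demo())
```

Tying the session to the certificate also gives the EMM a clean kill switch: retiring the device removes it from the enrolled set and drops the session, so a certificate left on a wiped or lost device stops working at the IdP even before the certificate itself is revoked.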
Slide 49: The takeaway
•  It is possible to meet end-user and IT needs for authentication today
•  IT should be aware of OS capabilities when planning both app and auth design
•  Certificates provide the easiest, most transparent method available.
•  NAPPS represents a strong development but needs more maturity and OS buy-in