
CIS13: Deliver Secure Apps with Great Experiences


Sean Ginevan, Director of Business Development, MobileIron
With a wealth of immersive consumer and "prosumer" applications for both iOS and Android, user demands for enterprise applications are high. Organizations mobilizing business processes must do so on a device of the user's choice, with an experience the user loves. However, this must be done in a way that conforms to the established security guidelines of the enterprise. With the right approaches, enterprises can strike a balance between the security of apps and great user experiences. We'll discuss the current state-of-the-art for user authentication on mobile operating systems, along with emerging methods, to provide single sign-on capabilities that not only meet security demands but also improve the user experience.



1. Deliver Secure Apps with Great Experiences
   Sean Ginevan, Director, Business Development, MobileIron

2. Enterprise mobile apps: Going mainstream
   Retail! Finance! Manufacturing! Health Care!

3. Goals of the Enterprise App
   • Business process focused … not comprehensive features
   • Fast cycles … 8-week dev, 9-month life, 3 platforms
   • High expectations … UX litmus test for adoption
     – Security & authentication should be transparent to the user
   Consumer apps for the employee … not business apps for the enterprise

4. What are some auth options?
   • Multi-factor auth solutions: Provide a variety of ways to establish user identity to mobile apps
   • MAM: Provides an application store and the ability to extend MDM functions into enterprise and commercially developed apps. Standalone options exist, but lack of integration with MDM and devices makes for challenging implementations
   • Username & Password: Tried and true; basic authentication still poses some challenges for mobile
   • "Single Sign-On": Drives improvements around user authentication but means many things to many people

5. A bit on basic authentication
   • Easily the most popular auth type for mobile apps, but…
   • Configuration of user identity into applications
   • Fat-fingering and password rotation problems
   • Concerns over password hijacking (MitM attacks)
   • Password management might be in the browser, not in your app by default
   • Concerns around password storage

6. The next phase: Certs!
   • Eliminates password complexities & provides session trust, but…
   • How do certs get onto devices?
   • Who terminates the cert?
     – App server in DMZ? Kerberos in DMZ? Additional KCD provider?
   • Platform vs platform vs platform
     – Wildly inconsistent feature sets
   • Protection of certificate material (compromised devices & deletion)
   • Lack of access to the device cert store by apps

7. Single Sign-On: Many Things to Different People
   • Use my existing web auth solution (SiteMinder)
   • Use Kerberos somehow?
   • Use my SAML provider
   • Use something new…

8. Using Kerberos for Mobile Apps
   • Advantage: Lots of back-end app servers support it
   • Further advantage: Native OS technologies are adopting it
   • Challenges:
     – Establishing the user identity
     – Who processes the Kerberos transaction?
     – Protecting the Kerberos infrastructure

9. Using Web Access Management for Mobile
   • Advantage: Lots of back-end app servers support it
   • Your browser-based apps should just work…
   • Challenges:
     – Containerization prevents sharing of sessions across native apps
     – SDKs for mobile development are still relatively new and proprietary

10. Using SAML for Mobile Apps
   • Advantage: You've maybe gone down this road already for federation to other services
   • Challenges:
     – SAML tokens can't easily be transmitted into a native app via HTTP POST
       • Embedded web views for auth can solve this but aren't clean
       • SDKs are being developed to facilitate token transmission
       • Middleware servers that extract tokens and convert them to a URL handler

11. Authorization Agent (AZA)
   • Being backed by large players like VMware, Ping, Box, MobileIron
   • Provides a standard for transmission of user & session identity data between applications
   • Challenges:
     – Productization
     – App server support for OAuth

12. Client-side options…

13. Hardware-based certificates
   • Required for some applications
     – Defense, Homeland Security, contractors (CAC, PIV, etc.)
     – Swedish healthcare system (SITHS)
     – Certain industries (e.g. Oil & Gas, FiServ)
   • Challenges
     – Readers are proprietary. Some middleware is proprietary, some is not
     – Form-factor options can be daunting and lag behind device hardware introductions
     – Obtuse development environments
     – Expensive

14. Adaptive authentication
   • Leverages multi-factor authentication on a risk-driven basis
   • New implementations are being developed by RSA, Oracle and others. Expect more here soon

15. Biometrics & other factors
   • New innovations using embedded cameras for eye recognition and facial recognition
   • Fingerprint readers in device hardware?
   • NFC, Bluetooth and other near-field token-based technologies
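Slide 10 mentions middleware servers that extract the SAML token from the IdP's HTTP POST and hand it to the native app through a URL handler. The block below is an added example of such a bridge, written for this page; it is not code from the talk or from MobileIron. It assumes a hypothetical SP entity ID (`https://sso-bridge.example.com/sp`), a hypothetical app URL scheme (`myapp://auth`), a 60-second handoff lifetime, and that XML-DSig verification of the response has already been done by an SP library before the handler runs. Rather than placing the assertion in the custom-scheme URL, where it would land in logs and could be claimed by any app that registers the same scheme, the bridge enforces the audience and validity window, rejects replayed assertion IDs, and hands the app an opaque single-use code that it redeems over TLS. The sample SAMLResponse is constructed for the example and is unsigned.

```python
# Added example (not from the talk): a minimal "middleware" Assertion Consumer
# Service that takes the IdP's SAML HTTP-POST and hands the session to a
# native app through its custom URL scheme. Names and values are assumptions.
import base64
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EXPECTED_AUDIENCE = "https://sso-bridge.example.com/sp"   # assumed SP entity ID
APP_SCHEME = "myapp://auth"                               # assumed URL handler of the app
HANDOFF_TTL = timedelta(seconds=60)                       # assumed handoff lifetime
HANDOFF_CODES = {}          # code -> (subject, session_index, expiry); shared store with TTL in production
SEEN_ASSERTION_IDS = set()  # replay cache; entries can be dropped once NotOnOrAfter has passed


def utc(s):
    """Parse a SAML timestamp such as 2013-07-10T12:00:00Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_saml_response(saml_response_b64, now):
    """Return (subject, session_index) from a base64 SAMLResponse form field.

    XML-DSig verification is assumed to have been done by the SP library
    before this runs; here we enforce the checks hand-rolled bridges most
    often skip: validity window, audience, and assertion replay.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        raise ValueError("assertion has no Conditions")
    if now < utc(conds.get("NotBefore")) or now >= utc(conds.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audience = conds.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != EXPECTED_AUDIENCE:
        raise ValueError("assertion not addressed to this SP")
    assertion_id = assertion.get("ID")
    if assertion_id in SEEN_ASSERTION_IDS:
        raise ValueError("replayed assertion")
    SEEN_ASSERTION_IDS.add(assertion_id)   # mark only after every other check passed
    subject = assertion.find("saml:Subject/saml:NameID", NS).text
    stmt = assertion.find("saml:AuthnStatement", NS)
    return subject, (stmt.get("SessionIndex") if stmt is not None else None)


def issue_handoff(subject, session_index, now):
    """Mint an opaque, single-use code so the URL carries nothing worth stealing."""
    code = secrets.token_urlsafe(32)
    HANDOFF_CODES[code] = (subject, session_index, now + HANDOFF_TTL)
    return code


def acs_handler(form, now):
    """Simulated ACS endpoint: returns (status, location) as the HTTP layer would."""
    try:
        subject, session_index = parse_saml_response(form["SAMLResponse"], now)
    except (KeyError, ValueError, ET.ParseError):
        return 400, None
    code = issue_handoff(subject, session_index, now)
    query = urlencode({"code": code, "state": form.get("RelayState", "")})
    return 302, f"{APP_SCHEME}?{query}"


def redeem(code, now):
    """Called by the native app over TLS to exchange the code for the identity."""
    entry = HANDOFF_CODES.pop(code, None)   # pop: a code redeems exactly once
    if entry is None:
        return None
    subject, session_index, expires = entry
    if now >= expires:
        return None
    return {"subject": subject, "session_index": session_index}


# Constructed sample response (unsigned; a real IdP response carries a ds:Signature).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2013-07-10T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-07-10T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-07-10T11:59:00Z" NotOnOrAfter="2013-07-10T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sso-bridge.example.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-07-10T12:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM = {"SAMLResponse": base64.b64encode(SAMPLE_RESPONSE).decode(), "RelayState": "inbox"}
# Same assertion, re-addressed to a different SP: must be rejected.
WRONG_AUDIENCE_FORM = {"SAMLResponse": base64.b64encode(
    SAMPLE_RESPONSE.replace(b"sso-bridge.example.com/sp", b"other-sp.example.net")).decode()}

if __name__ == "__main__":
    status, location = acs_handler(SAMPLE_FORM, now=utc("2013-07-10T12:01:00Z"))
    print(status, location)
    code = location.split("code=")[1].split("&")[0]
    print(redeem(code, now=utc("2013-07-10T12:01:10Z")))
```

The app opens `location` (a `myapp://auth?code=...&state=...` URL), then calls the bridge's redeem endpoint over TLS with the code; the identity never travels through the URL scheme. In a real deployment the SP library's signature check must run before `parse_saml_response`, and the two in-memory stores would be a shared store with expiry.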