© 2004-2012. Centrify Corporation. All Rights Reserved.
Beyond the Building: Secure Identity Services for Mobile and Cloud Apps
Identify. Unify. Centrify.
Secure Identity Services for Mobile & Cloud Apps
• The Shift to a People Oriented IT is driving BYO
  • Users are bringing their own Devices, Laptops, Mobile and SaaS Apps
  • This creates risk as users end up with too many accounts and passwords
  • IT must control and secure the applications and data
• Centralizing control over these new mobile and SaaS Applications
• Embracing Federated Authentication for SaaS and Mobile Apps
  • Extending the Enterprise login to SaaS applications
  • Federated Authentication for Mobile Apps and Containers
The New Challenges of a People Oriented IT
IT is evolving from an IT asset-centric perspective to a user-centric perspective

                           | 15 Years Ago                                                                            | Current Environment
Enterprise IT Systems      | Just core processes                                                                     | All the business processes
Application Users          | A few transaction experts                                                               | Most employees
Access Device              | Desktop PC                                                                              | Desktop, Laptop, Tablet or Smartphone
Access Location            | Your desk                                                                               | Anywhere
Application usage modality | Specific data entry and access                                                          | On demand, ongoing, mostly for access to information
Security risk              | Limited – access by specific individuals, from known locations for predictable purposes | Much Larger – potentially from any device, located anywhere
Bring Your Own: Laptop, Smartphone, Tablet
• Organizations are increasingly allowing employees to bring their own devices
• Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users
[Chart: share of organizations condoning BYOD, by number of employees (10,000+, 2,000-10,000, 500-2,000, 100-500) and for all responding organizations]
EDA: 3/4 of All Organizations Condone BYOD
Bring Your Own: Laptop, Smartphone, Tablet
• Organizations are increasingly allowing employees to bring their own devices
• Laptops are no different:
  • Given a choice, many users will choose an Apple MacBook
  • Forrester predicts that Mac systems will grow by 52% in the Enterprise
[Chart: Mac Laptops vs. Windows Laptops as a share of enterprise laptops, by number of employees (10,000+, 2,000-10,000, 500-2,000, 100-500)]
Macs make up over 1/3 of all Laptops in the Enterprise
Bring Your Own Presents New Challenges
• Consumer oriented features present security challenges for the Enterprise
  • OS X Internet/File/Screen Sharing
  • iCloud Document and Data Sharing
• “Day 1” effect for new products
  • Consumers want to use new products and updates the day that they are launched
  • Users tend to update devices every 2 years
• End User is the “admin”
  • IT has much less control over configuration
  • Enforcing security is challenging
BYOD Drives Mobile App and SaaS Adoption
Which creates risk
• Multiple logins for users
• Multiple identity infrastructures for IT to manage
[Diagram: End Users with Smartphones and Tablets and Laptops, each application carrying its own separate ID]
IT Must Ensure Compliance with Regulations
• Security Policies are designed to protect:
  • Government, business and financial data
  • Consumer and patient privacy
• The Rules are well defined for IT:
  • Establish separation of duties
  • Enforce system security policies
  • Enforce network access policies
  • Encrypt data-in-motion and at rest
  • Enforce “least access”
  • Grant privileges to individuals granularly
  • Audit user access and privileged user activities
Regulations referenced:
• Payment Card Industry Data Security Standard
• Federal Information Security Management Act
• NIST Special Publication 800-53
• Basel II, FFIEC Information Security Booklet
• Health Insurance Portability and Accountability Act
• Sarbanes-Oxley Act Section 404
Requirements for Enabling People Oriented IT
1. Enable employee productivity
  • They can access data they need for work, anywhere at anytime
  • IT and security don’t get in the way
2. Ensure compliance requirements are addressed
  • IT can enforce required security policies on business data
  • IT is able to maintain access controls over business applications
3. Efficient management
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing
IT Needs a Unified Identity Service
Where users have one login ID and password, and IT has one Federated Identity Infrastructure to manage
[Diagram: End Users on Smartphones and Tablets and Laptops sharing a single ID]
Strengthen Security with Federated Identity
• Federated Identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies – simplifying management
  • Ensures that IT controls access, eliminating risk of orphaned accounts
[Diagram: Federation Trust; components: Cloud Proxy Server, IDP as a Service, Firewall, ID]
Extend Identity Services to Mobile Platforms
Mobilize app and service access
• Enable mobile access to Enterprise services and applications
• Design mobile interfaces to seamlessly integrate with the Enterprise services
Containerization to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile: unlock and access all business apps
Centralize mobile and application administration
• Enabling IT to manage security policies for Mobile, Workstations and Servers
• Unifying app management into one interface for Mobile, Web and SaaS Apps
• Leveraging automated lifecycle management through AD
Mobilize App and Service Access
• Ensure Integrity of the mobile platform, since the user is the admin
• Prevent unauthorized access to the mobile platform
• Leverage PKI authentication for SSO to Exchange ActiveSync, Wi-Fi and VPN
• Design mobile apps to use federated SSO where possible
[Diagram: Active Directory-based Security Infrastructure, ID]
Ensure Integrity of Mobile Platform
• Platform Security can be compromised if the mobile platform has been “jailbroken” (iOS) or “rooted” (Android)
  • This then enables unsigned applications to run on the device
  • It also enables tampering or modification of the OS
  • And allows malicious applications to access data contained in other applications
• As long as the device has not been “jailbroken” or “rooted” then Enterprise Apps can be safely run on the device
  • There is no need to worry about Applications that a user may install, IF sandboxing is intact
  • We do need to look at what users can do with data in these apps – this is where containers are needed
Actions:
• Establish an acceptable use policy that prevents usage of “jailbroken” or “rooted” devices
• Leverage an MDM that provides continuous “jailbreak” or “rooted” device detection, enforcing this policy
Prevent Unauthorized Access
• There are several scenarios that must be addressed to prevent unauthorized access to the device and any applications or data it may have:
  • Misplaced – passcode policy to wipe on X number of invalid unlock attempts
  • Misplaced/Lost – Remove Profiles to ensure no access to corporate resources
  • Lost/Stolen – Remote Wipe to ensure no access to device contents
Actions:
• Establish policy to auto-lock the device
• Establish policy to wipe on max invalid passcode attempts
• Leverage MDM for Remote Wipe for lost devices
Provide Secure Access to Enterprise Services
• The goal is to eliminate the weakness of password based authentication
  • Leverage strong PKI Certificate based authentication where possible
  • Eliminates the account lockout issue when multiple devices cache a user’s password
• Enterprise Networks
  • WiFi should be configured for PKI authentication, e.g. EAP-TLS
  • VPN should be configured for PKI authentication
• Exchange ActiveSync
  • Only allow access by authorized systems, e.g. require PKI authentication
  • Ensure that only registered devices access ActiveSync, e.g. turn on automatic mobile device quarantine and grant access only to registered devices for each user.
Mobilize Apps with Federated Zero Sign-On
Integrate Mobile App Authentication
• Mobile app authenticates and registers AD as its identity provider
• Mobile app can access information about user attributes in AD
• Mobile app gains SSO to backend services
[Diagram components: Hosted Application, Cloud Proxy Server, IDP as a Service, Firewall, Mobile OS, Mobile App, Mobile Auth SDK, MDM, ID. Steps: Step 1 Web Application Registration; Step 2 One time user authentication & device registration; Step 3 Token Generation; Step 4 Token based Authentication]
Mobile Authentication Service SDK
• Example Sales app integrated into Federated Authentication via Mobile Authentication Service SDK
• App launch calls EnterpriseAuthentication.getUserInformation()
  • If the app is not registered OR if reauth is required then
    • The EnterpriseAuthentication SDK will:
      • Display enterprise login screen
      • Login to AD
      • Check user authorization
      • Check device Jailbreak status
      • Request Certificate
      • Display “Welcome %username”
  • else
    • Display “Welcome %username”
• onClick “Profile”
  • Call EnterpriseAuthentication.userLookup()
  • Display User Attributes from AD
• onClick “Sales Records”
  • Call EnterpriseAuthentication.getSecurityToken(target)
  • Request data from target using SecurityToken to authenticate
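The four-step flow and the Sales app logic above, as an added Python model (not Centrify's SDK or any code from the deck): a hypothetical EnterpriseAuthentication stand-in performs app registration, one-time login with the jailbreak and AD authorization checks, and token generation, and the hosted app verifies the token. The HMAC-signed token format, the key shared with the hosted app, and the user and group data are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

class EnterpriseAuthentication:
    def __init__(self, signing_key: bytes):
        self.key = signing_key          # assumed key shared with the hosted app at step 1
        self.apps = {}                  # step 1: target name -> audience identifier
        self.devices = set()            # step 2: registered (user, device_id) pairs
        self.ad_groups = {"alice": {"sales"}}   # constructed AD group membership

    def register_web_application(self, target: str, audience: str) -> None:
        self.apps[target] = audience    # step 1: web application registration

    def login(self, user: str, device_id: str, jailbroken: bool, group: str) -> None:
        """Step 2: one-time user authentication and device registration."""
        if jailbroken:                  # platform integrity check from the SDK flow
            raise PermissionError("jailbroken or rooted device refused")
        if group not in self.ad_groups.get(user, set()):   # AD authorization check
            raise PermissionError(f"{user} is not authorized for {group}")
        self.devices.add((user, device_id))

    def get_security_token(self, user, device_id, target, now: int, ttl: int = 300) -> str:
        """Step 3: issue a short-lived token bound to the device and the target app."""
        if (user, device_id) not in self.devices:
            raise PermissionError("device not registered; re-authentication required")
        payload = {"sub": user, "dev": device_id, "aud": self.apps[target], "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

def verify_security_token(key: bytes, token: str, expected_aud: str, now: int):
    """Step 4: the hosted app checks signature, audience and expiry; returns user or None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # verify before trusting any claim
        return None
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload.get("aud") != expected_aud or payload.get("exp", 0) <= now:
        return None
    return payload["sub"]

def demo() -> str:
    """Walks steps 1-4 for the Sales app and returns the user the backend accepted."""
    key = b"constructed-shared-secret"
    idp = EnterpriseAuthentication(key)
    idp.register_web_application("sales-records", "https://sales.example.test")
    idp.login("alice", "device-42", jailbroken=False, group="sales")
    token = idp.get_security_token("alice", "device-42", "sales-records", now=1000)
    return verify_security_token(key, token, "https://sales.example.test", now=1010)
```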
Containerization Separates Work From Personal
• Secure Container built on a Secure OS for both security and usability
• Provides dual persona usage of popular mobile applications
• SSO for all apps in container – enabling the laptop experience on a mobile device
Security From The Ground Up
• HW level and OS level Security
  • Secure Boot for preventing “Unauthorized” Operating System
  • Security Enhanced (SE) Android developed by NSA (National Security Agency)
  • TrustZone-based Integrity Measurement
• Android F/W and Application level Security
  • Application and data isolation for work and play with Container
  • On-Device Data Encryption
  • Virtual Private Network (FIPS 140-2)
• Support for management via Active Directory / Group Policy Manager
  • Policies to comply with the US DoD Mobile OS Security Requirements Guide*
  • including CAC / PIV card support
Containerization with Multi-App SSO
• Multi-application SSO is built into the Knox Container
  • One SSO Registration for the Container
  • Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user such as group memberships
  • Grants security tokens upon request for authorized web app/service
[Diagram components: Samsung SE Android with a KNOX Container holding Enterprise SSO, Mobile App 1 and Mobile App 2 (each with the Mobile Auth SDK), and a Personal App outside the container; Cloud Proxy Server, IDP as a Service, Firewall, Web Application, ID. Steps: Step 1 Web Application Registration; Step 2 One time user authentication & Container registration; Step 3 Token Generation; Step 4 Token based Authentication]
Containerization for Dual Persona Usage
• Dual persona enables usage of the same app with different personalities
  • Personal Mail on the device, Business Mail in the container
  • Personal Box account on the device, Business Box account in the container
[Diagram: business accounts (Office 365, Mail, Box) in the container alongside personal accounts (Gmail, Box) on the device]
Integrated Mobile and App Administration
• Unifying Application management into one interface for Mobile, Web and SaaS Applications
• Leveraging processes and knowledge of lifecycle management through AD
Leverage Existing Knowledge, Tools and Processes
• You have existing Infrastructure, Management Tools and Processes
  • Look to leverage these where possible to minimize retraining
• Examples of existing IT Management Infrastructure and Tools:
  • Active Directory is typically used to manage both User and Computer
  • Active Directory groups are used to manage user access
  • Group Policy is typically used to manage System security policies based on group membership
  • Microsoft Certificate Authority is used to manage PKI keys for all Windows systems, automatically
[Diagram: Active Directory-based Security Infrastructure: Active Directory User & Computer, Windows Certificate Authority, Active Directory Group Policy]
Security Beyond the Building
Federated Identity Service centralizes application authorization under IT control
• Providing users with SSO to authorized services and applications
• Eliminates the multiple password challenges associated with hosted applications and services
Mobilized application access and ZSO enables employee productivity
• Users can access data they need for work, anywhere at anytime, with mobile access to email, shared files and applications
• IT and security don’t get in the way with zero sign-on and container-based management
Containerization enables security to address compliance requirements
• IT can enforce required security policies on business data using Group Policy
• IT is able to maintain access controls over business applications
Integrated administration enables IT to efficiently manage mobility
• Security officers can easily describe the security policies to be enforced
• Helpdesk can easily take on the responsibilities of managing
Thank You