Mobilize your workforce with secure identity services

2. Authentication Nirvana
• One password for enterprise users
• The password is protected by AD inside the firewall
• The mobile app gets SSO
• The app developer only needs to ask the platform for authentication and for a security token for the backend
• IT controls app authentication and authorization
Diagram: Step 1, web application registration with the IDP as a Service. Step 2, one-time user authentication & device registration from the mobile app (Mobile Auth SDK on the mobile OS, with MDM). Step 3, token generation. Step 4, token-based authentication to the hosted application. AD (ID) sits behind the firewall and is reached through a proxy server; the IDP as a Service runs in the cloud.
• ... all with 3 simple API calls
| Identify. Unify. Centrify.
© 2004-2012. Centrify Corporation. All Rights Reserved.
3. Challenges for IT admins & App Developers
4. Evolution of Enterprise

Aspect                      | 15 Years Ago                                   | Current Environment
Enterprise IT Systems       | Just core processes                            | All the business processes
Application Users           | A few transaction experts                      | Most employees
Access Device               | Desktop PC                                     | Desktop, laptop, tablet or smartphone
Access Location             | Your desk                                      | Anywhere
Application usage modality  | Specific data entry and access                 | On demand, ongoing, mostly for access to information
Security risk               | Limited: access by specific individuals, from known locations, for predictable purposes | Much larger: potentially from any device, located anywhere
5. Bring Your Own (BYO)
6. Bring Your Own Apps (BYOA)
7. Bring Your Own: Laptop, Smartphone, Tablet
• Organizations are increasingly allowing employees to bring their own devices
• The Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users
Chart: "EDA: 3/4 of All Organizations Condone BYOD". Responding organizations are grouped by number of employees (100-500, 500-2,000, 2-10,000, 10,000+ and All); 75% of all respondents condone BYOD, with the size bands ranging from 66% to 85%.
8. Bring Your Own: Conquering Enterprise
9. Bring Your Own Presents New Challenges
• Consumer-oriented features present security challenges for the enterprise
• The "Day 1" effect for new products: they arrive before IT has controls for them
• The end user is the "admin" of the device
10. Multiple identities + Password Sprawl Create risk
• Multiple logins for users
• Multiple identity infrastructures for IT to manage
Diagram: users on smartphones, tablets and laptops each hold a separate ID for in-house apps, for 100's of SaaS apps, and more.
11. Regulatory compliance overhead
• Security policies are designed to protect regulated data, and the rules are well defined for IT by:
  - Federal Information Security Management Act (FISMA)
  - NIST Special Publication 800-53
  - Payment Card Industry Data Security Standard (PCI DSS)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Basel II
  - FFIEC Information Security Booklet
  - Sarbanes-Oxley Act Section 404
12. What IT cares about
1. Enable employee productivity
• Employees can access the data they need for work, anywhere, at any time
• IT and security don't get in the way
2. Ensure compliance requirements are addressed
• IT can enforce the required security policies on business data
• IT is able to maintain access controls over business applications
3. Efficient management
• Security officers can easily describe the security policies to be enforced
• Helpdesk can easily take on the responsibilities of managing
14. Federated Identity
Where users have one login ID and password, and IT has one federated identity infrastructure to manage.
Diagram: end users on smartphones, tablets and laptops share a single ID.
15. Strengthen Security with Federated Identity
• Federated identity ensures that users only need to use their AD userid/password
• Only one password to remember
• The password is protected by the enterprise in AD
• AD-based federation provides several advantages for IT:
  • It leverages existing account and password policies, simplifying management
  • It ensures that IT controls access, eliminating the risk of orphaned accounts
Diagram: a federation trust between AD (ID) behind the firewall, reached through a proxy server, and the IDP as a Service in the cloud.
16. Extend Identity Services to Mobile Platforms
Mobilize app and service access
• Enable mobile access to enterprise services and applications
• Design mobile interfaces to integrate seamlessly with the enterprise services
Containerization to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile: unlock once and access all business apps
Centralize mobile and application administration
• Enable IT to manage security policies for mobile devices, workstations and servers
• Unify app management into one interface for mobile, web and SaaS apps
• Leverage automated lifecycle management through AD
17. Federated Auth for Mobile is too hard
18. Federated Auth for Mobile is too hard
1) App launches
2) Displays a login screen and an additional link, "Are you a Single Sign-On user?"
3) User clicks on it and is presented with a form for entering an email address
4) App then connects to the backend, is redirected to the enterprise IDP, and opens a browser to present the IDP login screen
5) IDP displays the login screen asking for userid and password
6) IDP authenticates, generates a token, and provides the token back
7) App receives the token, closes the browser window, then provides access to the service
19. Centrify Simplifies Mobile Federated Auth
Diagram: the four-step flow from slide 2. Step 1, web application registration with the IDP as a Service. Step 2, one-time user authentication & device registration from the mobile app (Mobile Auth SDK on the mobile OS, with MDM). Step 3, token generation. Step 4, token-based authentication to the hosted application. AD (ID) sits behind the firewall and is reached through a proxy server; the IDP as a Service runs in the cloud.
20. Centrify SDK: Auth, Authorization & SSO
• Example Sales app integrated into Federated Auth via Mobile Auth Service SDK
• App launch calls EnterpriseAuthentication.getUserInformation()
• onClick “Profile” calls EnterpriseAuthentication.userLookup()
• onClick “Sales Records” calls EnterpriseAuthentication.getSecurityToken(target)
21. What to avoid!
"A false assumption of security is worse than no security"
• Caching the username & password inside the mobile app
• Taking on the burden of managing user identities yourself
• Proprietary authentication implementations
• Sharing a PIN code across a group of apps and assuming that is SSO
23. Containers for a Secured Enterprise Environment
• Containers enable IT to create and control an enterprise environment instead of managing the entire device, e.g. passcode auto-lock on the container, not the device
• Enterprise IT controls all apps and data within the container, preventing data leakage
• Data can be shared between mobile apps within the container without leaving the enterprise environment
• SSO is provided for all apps in the container, enabling the laptop experience on a mobile device
24. Using Containerization for Dual Persona
• Dual persona enables usage of the same app with different personalities
Personal persona:
  Mail: david@mcneely.com
  Gmail: dfmcneely@gmail.com
  Dropbox: david@mcneely.com
Work persona:
  Office 365: david.mcneely@centrify.com
  Box: david.mcneely@centrify.com
25. Samsung KNOX: Security From The Ground Up
• Hardware-level and OS-level security
• Android framework and application-level security
26. Enterprise SSO Service for Samsung KNOX
• Multi-application SSO is built into the Knox Container
• The container provides Enterprise SSO as a Service
Diagram: Mobile App 1 and Mobile App 2, each with the Mobile Auth SDK, run inside the KNOX Container (Enterprise SSO) on Samsung SE Android, separate from the personal mobile apps. Step 1, web application registration with the IDP as a Service. Step 2, one-time user authentication & container registration. Step 3, token generation. Step 4, token-based authentication to the web application. AD (ID) sits behind the firewall and is reached through a proxy server; the IDP as a Service runs in the cloud.
27. App SSO Transaction Flow
Components: the Mobile Device running the Mobile Application; the Centrify Mobile API SSO Service; the Centrify Cloud Service (Application Identity Provider, SAML script); the Service Provider (Box, DropBox).
Step 1: User launches the application
Step 2: Authentication API query from the mobile app to the SSO service
Step 3: Authenticate and authorize the user
Step 4: IDP generates and returns an encrypted SAML response token
Step 5: SSO service passes the SAML token to the mobile app
Step 6: SAML token is sent to the SP's ACS URL
Step 7: SP verifies the SAML token and allows access
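The following is an added example, not Centrify code and not the real SDK or SAML implementation: a stand-alone model of the four-step flow (web application registration, one-time user authentication and device registration, token generation, token-based authentication) and of the checks the service provider's ACS endpoint must make in steps 6 and 7 before granting access. It also shows the first point of the "What to avoid" slide in practice: the app keeps a device token after step 2 and never retains the password. The issuer name, user, ACS URLs, device ID and password are all constructed for the example. HMAC-SHA256 over a JSON payload stands in for an XML-DSig signed SAML response; with HMAC the SPs share the verification key, whereas a real IDP signs with a private key and each SP verifies with the IDP's certificate, which is why the audience check matters in both cases.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://idp.example.com"  # constructed issuer name (assumption)
TOKEN_LIFETIME = 300                # seconds; tokens are short-lived


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """IDP-as-a-Service stand-in. The directory plays the role of AD: the
    password is checked here once (step 2) and never handed to the app."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # stands in for the IDP signing key
        self._directory = {}          # username -> (salt, PBKDF2 hash)
        self._registered_sps = set()  # ACS URLs registered in step 1
        self._devices = {}            # device token -> (username, device id)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._directory[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def register_sp(self, acs_url):
        """Step 1: web application registration; returns the verification key."""
        self._registered_sps.add(acs_url)
        return self._signing_key

    def register_device(self, username, password, device_id):
        """Step 2: one-time user authentication and device registration.
        Returns a device token (what the app keeps), or None on bad credentials."""
        if username not in self._directory:
            return None
        salt, digest = self._directory[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        device_token = secrets.token_urlsafe(32)
        self._devices[device_token] = (username, device_id)
        return device_token

    def issue_token(self, device_token, acs_url, now=None):
        """Step 3: token generation for a registered device and a registered SP."""
        if device_token not in self._devices or acs_url not in self._registered_sps:
            return None
        username, device_id = self._devices[device_token]
        now = int(time.time()) if now is None else now
        claims = {"iss": ISSUER, "sub": username, "aud": acs_url, "iat": now,
                  "exp": now + TOKEN_LIFETIME, "jti": secrets.token_hex(16), "device": device_id}
        body = _b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64url(sig)


class ServiceProvider:
    """Hosted application / SP: step 4 of the slide and steps 6-7 of the SAML
    flow, i.e. what the ACS endpoint checks before allowing access."""

    def __init__(self, acs_url, verification_key):
        self.acs_url = acs_url
        self._key = verification_key
        self._seen_ids = set()  # assertion IDs already consumed (replay check)

    def consume(self, token, now=None):
        """Return (True, subject) on success or (False, reason) on failure."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return (False, "bad signature")
            claims = json.loads(_b64url_decode(body))
        except (ValueError, TypeError):
            return (False, "malformed token")
        now = int(time.time()) if now is None else now
        if claims.get("iss") != ISSUER:
            return (False, "unknown issuer")
        if claims.get("aud") != self.acs_url:       # minted for a different SP
            return (False, "audience mismatch")
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return (False, "expired")
        if claims.get("jti") in self._seen_ids:     # same assertion presented twice
            return (False, "replayed")
        self._seen_ids.add(claims["jti"])
        return (True, claims["sub"])


def demo():
    """Walk the four steps and the SP checks; returns the outcomes as a dict."""
    idp = IdentityProvider()
    idp.add_user("dmcneely", "correct horse battery staple")   # constructed account
    acs = "https://sales.example.com/saml/acs"                 # constructed ACS URL
    sp = ServiceProvider(acs, idp.register_sp(acs))           # step 1
    other_acs = "https://other.example.com/acs"
    other = ServiceProvider(other_acs, idp.register_sp(other_acs))
    t0 = 1_700_000_000
    out = {"wrong_password": idp.register_device("dmcneely", "guess", "ipad-1")}
    device = idp.register_device("dmcneely", "correct horse battery staple", "ipad-1")  # step 2
    token = idp.issue_token(device, acs, now=t0)                                          # step 3
    out["first_use"] = sp.consume(token, now=t0 + 10)                                     # step 4
    out["replay"] = sp.consume(token, now=t0 + 20)
    out["expired"] = sp.consume(idp.issue_token(device, acs, now=t0), now=t0 + TOKEN_LIFETIME + 1)
    out["wrong_audience"] = other.consume(idp.issue_token(device, acs, now=t0), now=t0)
    body, sig = idp.issue_token(device, acs, now=t0).split(".")
    forged = _b64url(json.dumps({**json.loads(_b64url_decode(body)), "sub": "admin"}, sort_keys=True).encode())
    out["tampered"] = sp.consume(forged + "." + sig, now=t0)   # body edited, old signature kept
    return out
```

Running demo() shows the only accepted presentation is the first, fresh one; the same token replayed, an expired token, a token minted for another SP's ACS URL, and a token whose subject was edited after signing are all refused with a specific reason, and a wrong password in step 2 yields no device token at all.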
28. Secure Identity Services for a Mobilized Workforce
• A federated identity service centralizes application authorization under IT control
• Mobilized application access and ZSO (zero sign-on) enable employee productivity
• Containerization enables security controls that address compliance requirements
• Integrated administration enables IT to manage mobility efficiently