CIS13: Beyond the Building: Secure Identity Services for Mobile and Cloud Apps

1. © 2004-2012. Centrify Corporation. All Rights Reserved.
Beyond the Building: Secure Identity Services for Mobile and Cloud Apps
2. Secure Identity Services for Mobile & Cloud Apps
| Identify. Unify. Centrify.
• The shift to a People Oriented IT is driving BYO
• Users are bringing their own devices: laptops, mobile and SaaS apps
• This creates risk as users end up with too many accounts and passwords
• IT must control and secure the applications and data
• Centralizing control over these new mobile and SaaS applications
• Embracing federated authentication for SaaS and mobile apps
• Extending the enterprise login to SaaS applications
• Federated authentication for mobile apps and containers
3. The New Challenges of a People Oriented IT
IT is evolving from an IT asset-centric perspective to a user-centric perspective

                           | 15 Years Ago                                                                       | Current Environment
Enterprise IT systems      | Just core processes                                                                | All the business processes
Application users          | A few transaction experts                                                          | Most employees
Access device              | Desktop PC                                                                         | Desktop, laptop, tablet or smartphone
Access location            | Your desk                                                                          | Anywhere
Application usage modality | Specific data entry and access                                                     | On demand, ongoing, mostly for access to information
Security risk              | Limited: access by specific individuals, from known locations, for predictable purposes | Much larger: potentially from any device, located anywhere
4. Bring Your Own: Laptop, Smartphone, Tablet
• Organizations are increasingly allowing employees to bring their own devices
• Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users

[Chart: share of responding organizations that condone BYOD, by number of employees]
10,000+: 66% | 2,000-10,000: 85% | 500-2,000: 67% | 100-500: 78% | All: 75%
EDA: 3/4 of all organizations condone BYOD
5. Bring Your Own: Laptop, Smartphone, Tablet
• Organizations are increasingly allowing employees to bring their own devices
• Laptops are no different:
  • Given a choice, many users will choose an Apple MacBook
  • Forrester predicts that Mac systems will grow by 52% in the Enterprise

[Chart: laptop mix by organization size (number of employees)]
                Mac laptops   Windows laptops
10,000+         35%           60%
2,000-10,000    31%           50%
500-2,000       22%           48%
100-500         36%           45%
Macs make up over 1/3 of all laptops in the Enterprise
6. Bring Your Own Presents New Challenges
• Consumer-oriented features present security challenges for the Enterprise
  • OS X Internet/File/Screen Sharing
  • iCloud document and data sharing
• "Day 1" effect for new products
  • Consumers want to use new products and updates the day that they are launched
  • Users tend to update devices every 2 years
• End user is the "admin"
  • IT has much less control over configuration
  • Enforcing security is challenging
7. BYOD Drives Mobile App and SaaS Adoption
Which creates risk:
• Multiple logins for users
• Multiple identity infrastructures for IT to manage

[Diagram: end users with smartphones, tablets and laptops, each holding a separate ID for every app and service]
8. IT Must Ensure Compliance with Regulations
• Security policies are designed to protect:
  • Government, business and financial data
  • Consumer and patient privacy
• The rules are well defined for IT:
  • Establish separation of duties
  • Enforce system security policies
  • Enforce network access policies
  • Encrypt data in motion and at rest
  • Enforce "least access"
  • Grant privileges to individuals granularly
  • Audit user access and privileged user activities

Regulations and standards cited: Payment Card Industry Data Security Standard (PCI DSS); Federal Information Security Management Act (FISMA); NIST Special Publication 800-53; Basel II; FFIEC Information Security Booklet; Health Insurance Portability and Accountability Act (HIPAA); Sarbanes-Oxley Act Section 404.
9. Requirements for Enabling People Oriented IT
1. Enable employee productivity
  • They can access the data they need for work, anywhere, at any time
  • IT and security don't get in the way
2. Ensure compliance requirements are addressed
  • IT can enforce required security policies on business data
  • IT is able to maintain access controls over business applications
3. Efficient management
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing
10. IT Needs a Unified Identity Service
Where users have one login ID and password, and IT has one federated identity infrastructure to manage.

[Diagram: end users on smartphones, tablets and laptops sharing a single ID]
11. Strengthen Security with Federated Identity
• Federated identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • The password stays protected by the Enterprise in AD; SaaS and mobile apps receive a federation token, never the password itself
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies, simplifying management
  • Ensures that IT controls access, eliminating the risk of orphaned accounts in each SaaS app when a user leaves

[Diagram: federation trust between the on-premises AD identity (behind the firewall, reached through a cloud proxy server) and an IdP as a Service in the cloud]
12. Extend Identity Services to Mobile Platforms
Mobilize app and service access
• Enable mobile access to Enterprise services and applications
• Design mobile interfaces to seamlessly integrate with the Enterprise services
Containerization to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile: unlock once and access all business apps
Centralize mobile and application administration
• Enabling IT to manage security policies for mobile, workstations and servers
• Unifying app management into one interface for mobile, web and SaaS apps
• Leveraging automated lifecycle management through AD
13. Mobilize App and Service Access
• Ensure integrity of the mobile platform, since the user is the admin
• Prevent unauthorized access to the mobile platform
• Leverage PKI authentication for SSO to Exchange ActiveSync, Wi-Fi and VPN
• Design mobile apps to use federated SSO where possible

[Diagram: Active Directory-based security infrastructure issuing the user's ID to the mobile device]
14. Ensure Integrity of Mobile Platform
• Platform security can be compromised if the mobile platform has been "jailbroken" (iOS) or "rooted" (Android)
  • This then enables unsigned applications to run on the device
  • It also enables tampering with or modification of the OS
  • And allows malicious applications to access data contained in other applications
• As long as the device has not been "jailbroken" or "rooted", Enterprise apps can be safely run on the device
  • There is no need to worry about applications that a user may install, IF sandboxing is intact
  • We do need to look at what users can do with data in these apps (sharing, copy/paste, export to other apps); this is where containers are needed
Actions:
• Establish an acceptable use policy that prevents usage of "jailbroken" or "rooted" devices
• Leverage an MDM that provides continuous "jailbreak" or "rooted" device detection, enforcing this policy
15. Prevent Unauthorized Access
• There are several scenarios that must be addressed to prevent unauthorized access to the device and any applications or data it may have:
  • Misplaced: passcode policy to wipe after X invalid unlock attempts
  • Misplaced/Lost: remove profiles to ensure no access to corporate resources
  • Lost/Stolen: remote wipe to ensure no access to device contents
Actions:
• Establish policy to auto-lock the device
• Establish policy to wipe on max invalid passcode attempts
• Leverage MDM for remote wipe of lost devices
16. Provide Secure Access to Enterprise Services
• The goal is to eliminate the weakness of password-based authentication
  • Leverage strong PKI certificate-based authentication where possible
  • Eliminates the account lockout issue that arises when multiple devices cache a user's old password and keep retrying it after a change
• Enterprise networks
  • Wi-Fi should be configured for PKI authentication, e.g. EAP-TLS
  • VPN should be configured for PKI authentication
• Exchange ActiveSync
  • Only allow access by authorized systems, e.g. require PKI (client certificate) authentication
  • Ensure that only registered devices access ActiveSync, e.g. turn on automatic mobile device quarantine and grant access only to the registered devices for each user
17. Mobilize Apps with Federated Zero Sign-On
Integrate mobile app authentication
• Mobile app authenticates and registers AD as its identity provider
• Mobile app can access information about user attributes in AD
• Mobile app gains SSO to backend services

[Diagram: mobile OS running a mobile app with the Mobile Auth SDK and an MDM agent; a cloud proxy server behind the firewall connects AD to the IdP as a Service, which fronts the hosted application]
Step 1: Web application registration (the hosted application is registered with the IdP)
Step 2: One-time user authentication and device registration
Step 3: Token generation by the IdP
Step 4: Token-based authentication of the mobile app to the hosted application
18. Mobile Authentication Service SDK
• Example Sales app integrated into federated authentication via the Mobile Authentication Service SDK:

  App launch calls EnterpriseAuthentication.getUserInformation()
    If the app is not registered OR if reauth is required then
      the EnterpriseAuthentication SDK will:
        Display enterprise login screen
        Login to AD
        Check user authorization
        Check device jailbreak status
        Request certificate
        Display "Welcome %username"
    else
      Display "Welcome %username"
  onClick "Profile"
    Call EnterpriseAuthentication.userLookup()
    Display user attributes from AD
  onClick "Sales Records"
    Call EnterpriseAuthentication.getSecurityToken(target)
    Request data from target using SecurityToken to authenticate
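The four-step flow of the previous slide and the SDK pseudocode above, worked through as an added example. This is not Centrify's SDK or any code from the deck: the token format (an HMAC-SHA256 signed JSON claim set bound to one target application and valid for five minutes), the shared key handed to each application at registration, and the in-memory user store standing in for AD are all assumptions made for the example. What it shows that the slides only state: the app never handles the AD password after the one-time registration, a jailbroken device is refused at registration, authorization is decided centrally by group membership, and a token minted for one target is rejected by every other target and after expiry.

```python
"""Model of the four-step federated zero-sign-on flow (added example; not Centrify code).

Assumptions not in the deck: the security token is an HMAC-SHA256 signed JSON
claim set bound to one target application ("aud") with a 5-minute lifetime; each
target shares a key with the identity service at registration time; the
directory is an in-memory stand-in for AD."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityService:
    """IdP as a Service fronting the directory. Apps and devices never see AD passwords."""

    def __init__(self, directory):
        # directory: constructed (username, password, groups) tuples standing in for AD
        self._users = {}
        for name, password, groups in directory:
            salt = secrets.token_bytes(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            self._users[name] = {"salt": salt, "hash": digest, "groups": set(groups)}
        self._apps = {}           # Step 1: target -> (shared key, required AD group)
        self._registrations = {}  # Step 2: registration id -> (username, device id)

    def register_application(self, target, required_group):
        """Step 1: web application registration; the key is handed to the app out of band."""
        key = secrets.token_bytes(32)
        self._apps[target] = (key, required_group)
        return key

    def register_device(self, username, password, device_id, jailbroken):
        """Step 2: one-time AD login plus device integrity check. The returned
        registration id stands in for the device certificate in the deck; the
        password itself is never stored on the device."""
        user = self._users.get(username)
        if user is None or jailbroken:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        if not hmac.compare_digest(digest, user["hash"]):
            return None
        reg_id = secrets.token_urlsafe(16)
        self._registrations[reg_id] = (username, device_id)
        return reg_id

    def user_lookup(self, reg_id):
        """userLookup(): AD attributes for the registered user (here: group memberships)."""
        username, _ = self._registrations[reg_id]
        return {"username": username, "groups": sorted(self._users[username]["groups"])}

    def get_security_token(self, reg_id, target, ttl=300, now=None):
        """Step 3: getSecurityToken(target). Authorization is decided centrally
        (group membership), and the token is usable only at that target."""
        if reg_id not in self._registrations or target not in self._apps:
            return None
        username, device_id = self._registrations[reg_id]
        key, required_group = self._apps[target]
        if required_group not in self._users[username]["groups"]:
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "dev": device_id, "aud": target,
                  "iat": int(now), "exp": int(now) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


def verify_token(token, key, expected_aud, now=None):
    """Step 4, run by the backend application: check the signature (constant time)
    before parsing anything, then audience and expiry. Returns the claims or None."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    idp = IdentityService([("alice", "Winter2013!", ["sales"])])
    sales_key = idp.register_application("sales-records", "sales")
    reg = idp.register_device("alice", "Winter2013!", "ipad-1", jailbroken=False)
    token = idp.get_security_token(reg, "sales-records")
    print(verify_token(token, sales_key, "sales-records"))
```

In a real deployment the registration id would be the device certificate the slide requests and the token would be a SAML assertion or OAuth token rather than this home-grown format; the properties worth copying are the ones the checks enforce: the target verifies the signature before trusting any claim, the audience binding stops a token stolen from one app being replayed against another, and the short lifetime limits what a leaked token is worth.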
19. Containerization Separates Work From Personal
• Secure container built on a secure OS for both security and usability
• Provides dual persona usage of popular mobile applications
• SSO for all apps in the container, enabling the laptop experience on a mobile device
20. Security From The Ground Up
• HW-level and OS-level security
  • Secure Boot for preventing an "unauthorized" operating system
  • Security Enhanced (SE) Android, developed by the NSA (National Security Agency)
  • TrustZone-based integrity measurement
• Android framework and application-level security
  • Application and data isolation for work and play with the container
  • On-device data encryption
  • Virtual Private Network (FIPS 140-2)
  • Support for management via Active Directory / Group Policy Manager
  • Policies to comply with the US DoD Mobile OS Security Requirements Guide
    • including CAC / PIV card support
21. Containerization with Multi-App SSO
• Multi-application SSO is built into the Knox container
  • One SSO registration for the container
  • Whitelisted apps can use the Enterprise SSO service
• The container provides Enterprise SSO as a service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user, such as group memberships
  • Grants security tokens upon request for an authorized web app/service

[Diagram: Samsung SE Android device with a KNOX container holding Mobile App 1 and Mobile App 2 (each using the Mobile Auth SDK) and the Enterprise SSO service, with a personal app outside the container; a cloud proxy server behind the firewall connects AD to the IdP as a Service and the web application]
Step 1: Web application registration
Step 2: One-time user authentication and container registration
Step 3: Token generation
Step 4: Token-based authentication
22. Containerization for Dual Persona Usage
• Dual persona enables usage of the same app with different personalities
  • Personal mail on the device, business mail in the container
  • Personal Box account on the device, business Box account in the container

In the container (business): Office 365: david.mcneely@centrify.com; Box: david.mcneely@centrify.com
On the device (personal): Mail: david@mcneely.com; Gmail: dfmcneely@gmail.com; Box: david@mcneely.com
23. Integrated Mobile and App Administration
• Unifying application management into one interface for mobile, web and SaaS applications
• Leveraging processes and knowledge of lifecycle management through AD
24. Leverage Existing Knowledge, Tools and Processes
Active Directory-based security infrastructure
• You have existing infrastructure, management tools and processes
  • Look to leverage these where possible to minimize retraining
• Examples of existing IT management infrastructure and tools:
  • Active Directory is typically used to manage both user and computer accounts
  • Active Directory groups are used to manage user access
  • Group Policy is typically used to manage system security policies based on group membership
  • Microsoft Certificate Authority is used to automatically manage PKI keys and certificates for all Windows systems

[Diagram: Active Directory Users & Computers, Active Directory Group Policy, Windows Certificate Authority]
25. Security Beyond the Building
Federated Identity Service centralizes application authorization under IT control
• Providing users with SSO to authorized services and applications
• Eliminates the multiple-password challenges associated with hosted applications and services
Mobilized application access and ZSO enable employee productivity
• Users can access the data they need for work, anywhere, at any time, with mobile access to email, shared files and applications
• IT and security don't get in the way, with zero sign-on and container-based management
Containerization enables security that addresses compliance requirements
• IT can enforce required security policies on business data using Group Policy
• IT is able to maintain access controls over business applications
Integrated administration enables IT to efficiently manage mobility
• Security officers can easily describe the security policies to be enforced
• Helpdesk can easily take on the responsibilities of managing
26. Thank You