1 Hitachi ID Mobile Access
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Secure Access to On-Premises IAM from Personal Devices.
2 The BYOD challenge
Users:
• Want to access everything from their phones.
• This includes password resets, approving access requests, checking out privileged passwords and more.
IT/Security:
• Need to protect the network against attackers.
• Prefer to block access to sensitive IAM systems from the public Internet.
• Cannot easily justify permissive changes to firewall configuration.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Mobile app architecture (1/4)
Diagram: personal device on the Internet; a DMZ and the private corporate network sit behind two firewalls; the IAM server is on the private corporate network.
• The user's phone probably has no VPN client installed.
• The phone, via a data plan, is connected to the public Internet.
• The IAM system is attached to the corporate network, behind multiple firewalls.
4 Mobile app architecture (2/4)
Diagram: same topology as slide 3, with an inbound path from the Internet to the IAM server labelled "Risky, controversial, likely not allowed" and an outbound path from the corporate network labelled "Simple, uncontroversial firewall configuration".
• Firewalls are designed to block inbound connections.
• Outbound connections are usually allowed or easily justified.
• Inbound connections would require:
  – Port forwarding; or
  – A reverse web proxy.
• We want to minimize the set of attackers who can probe the IAM system.
5 Mobile app architecture (3/4)
Diagram: same topology and labels as slide 4 ("Risky, controversial, likely not allowed" for inbound; "Simple, uncontroversial firewall configuration" for outbound).
How can a smart phone app, without a VPN, access an API or web UI published by an on-premises application server?
6 Mobile app architecture (4/4)
Outbound connections only
Diagram: a cloud proxy on the Internet sits between the personal device and the two firewalls. (1) A worker thread on the IAM server opens an outbound connection to the proxy: "Give me an HTTP request". (2) The phone sends an HTTPS request to the proxy that includes the userID and deviceID. (3) A message passing system inside the proxy hands the phone's request to the waiting IAM worker.
• The solution is to insert a proxy between the BYOD device and the IAM system.
• The proxy is on the Internet, so it is reachable by both.
• Connections from both ends are authenticated.
7 BYOD security features
Problem: Only accept connections from activated devices.
Solution:
• Deploy an app to the device.
• Install a personal key at activation time.
• The proxy rejects connections with a bad or missing key.
• The IAM system only receives valid traffic.
Problem: Denial of service attacks.
Solution:
• The proxy is efficient but somewhat vulnerable: it still has to absorb the flood.
• Attackers have no key, so unauthenticated DDoS traffic is dropped at the proxy and never reaches the IAM system.
Problem: Lost/stolen device.
Solution:
• Keys can be revoked.
• Users still need to authenticate, so the key alone does not grant access.
Problem: Two factor authentication.
Solution:
• Use of a valid key is the first authentication step.
• Follow up with a password, security questions, etc.
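The relay on slide 6 and the key checks on slide 7, as an added example in Python that is not Hitachi ID's code: a single-process model in which the phone and the IAM worker both call an in-memory proxy, and the proxy never opens a connection to either side. The class names (CloudProxy, IamServer), the HMAC-SHA256 request tag, the worker secret, the request format and the sample user and security-question answer are all assumptions made for this illustration; the slides do not describe the product's actual wire protocol.

```python
# Added example, not Hitachi ID code: a single-process model of the relay on
# slides 6 and 7. Phone and IAM worker both call the proxy; the proxy never
# calls either. Names, the HMAC tagging scheme and sample data are assumptions.
import hashlib
import hmac
import secrets
from collections import deque
from typing import Optional


def sign(key: bytes, user_id: str, device_id: str, body: bytes) -> bytes:
    # Assumed scheme: tag the request with the device's personal key.
    msg = user_id.encode() + b"|" + device_id.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).digest()


class CloudProxy:
    # Internet-reachable rendezvous point: per-device keys plus a queue of
    # verified requests that the IAM worker pulls (step 3, message passing).
    def __init__(self, worker_secret: bytes):
        self.worker_secret = worker_secret  # provisioned to the IAM worker only
        self.device_keys = {}               # device_id -> personal key (activation)
        self.pending = deque()              # verified requests awaiting the worker
        self.responses = {}                 # req_id -> response body
        self.rejected = 0                   # requests dropped before reaching IAM

    def activate_device(self, device_id: str) -> bytes:
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def revoke_device(self, device_id: str) -> None:
        self.device_keys.pop(device_id, None)  # lost/stolen device

    def submit(self, user_id: str, device_id: str, body: bytes, tag: bytes) -> Optional[str]:
        # Step 2: HTTPS request from the phone carrying userID and deviceID.
        key = self.device_keys.get(device_id)
        if key is None or not hmac.compare_digest(sign(key, user_id, device_id, body), tag):
            self.rejected += 1  # bad/missing key: never queued, never seen by IAM
            return None
        req_id = secrets.token_hex(8)
        self.pending.append((req_id, user_id, device_id, body))
        return req_id

    def next_request(self, worker_secret: bytes):
        # Step 1: the IAM worker thread asks "give me an HTTP request".
        if not hmac.compare_digest(worker_secret, self.worker_secret):
            return None
        return self.pending.popleft() if self.pending else None

    def post_response(self, worker_secret: bytes, req_id: str, response: bytes) -> None:
        if hmac.compare_digest(worker_secret, self.worker_secret):
            self.responses[req_id] = response

    def fetch_response(self, req_id: str) -> Optional[bytes]:
        return self.responses.pop(req_id, None)


class IamServer:
    # On-premises IAM stub. A valid device key is only the first factor; the
    # user still authenticates, here with a security-question answer.
    def __init__(self, answers: dict):
        self.answers = answers  # user_id -> expected answer (constructed sample data)
        self.handled = 0

    def handle(self, user_id: str, body: bytes) -> bytes:
        self.handled += 1
        action, _, answer = body.partition(b":")
        if action == b"reset_password" and hmac.compare_digest(answer, self.answers.get(user_id, b"")):
            return b"OK: password reset"
        return b"DENIED"

    def run_worker(self, proxy: CloudProxy, worker_secret: bytes) -> int:
        # One pass of the outbound-only worker loop; returns requests processed.
        n = 0
        while (item := proxy.next_request(worker_secret)) is not None:
            req_id, user_id, _device_id, body = item
            proxy.post_response(worker_secret, req_id, self.handle(user_id, body))
            n += 1
        return n


def demo() -> dict:
    # The slide 7 scenarios, with constructed sample data.
    worker_secret = secrets.token_bytes(32)
    proxy, iam = CloudProxy(worker_secret), IamServer({"alice": b"rover"})
    key = proxy.activate_device("phone-1")

    def send(device_id, k, body, user_id="alice"):
        return proxy.submit(user_id, device_id, body, sign(k, user_id, device_id, body))

    r_good = send("phone-1", key, b"reset_password:rover")        # activated, right answer
    r_wrong = send("phone-1", key, b"reset_password:fido")        # activated, wrong answer
    r_forged = send("phone-1", b"guess", b"reset_password:rover")  # attacker without the key
    r_unknown = send("phone-9", key, b"reset_password:rover")     # never-activated device
    iam.run_worker(proxy, worker_secret)
    proxy.revoke_device("phone-1")
    r_revoked = send("phone-1", key, b"reset_password:rover")     # stolen device, key revoked
    return {"good": proxy.fetch_response(r_good), "wrong_answer": proxy.fetch_response(r_wrong),
            "forged": r_forged, "unknown_device": r_unknown, "revoked": r_revoked,
            "reached_iam": iam.handled, "dropped_at_proxy": proxy.rejected}
```

Calling demo() shows the activated device's two requests reaching the IAM server, which still checks the second factor and denies the wrong answer, while the forged-tag, never-activated and revoked-device requests are counted in proxy.rejected and never enter the queue. The proxy still computes an HMAC for every rejected request, which is the "efficient but somewhat vulnerable" point on slide 7: the flood is absorbed at the proxy, not at the IAM system.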
8 Mobile use cases
Hitachi ID Identity Manager:
• Approve access requests.
• Search for a colleague, download contact info.
Hitachi ID Password Manager:
• Password/PIN reset.
• Unlock pre-boot login prompt on an encrypted drive.
Hitachi ID Privileged Access Manager:
• Request, approve access.
• Display plaintext password (for use at a physical console).
9 Activate Mobile Access app
Animation: ../../pics/camtasia/suite11/enable-mobile-device-1.mp4
10 Add contact to phone
Animation: ../../pics/camtasia/suite11.1/add-contact-to-phone-2.mp4
11 Unlock pre-boot password
Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4
12 Mobile request approval
Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4
13 Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4
14 BYOD access to on-premises IAM system
The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from the Internet.
Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.
Outbound connections only
Diagram: same as slide 6. A cloud proxy on the Internet sits between the personal device and the two firewalls. (1) A worker thread on the IAM server opens an outbound connection to the proxy: "Give me an HTTP request". (2) The phone sends an HTTPS request to the proxy that includes the userID and deviceID. (3) A message passing system inside the proxy hands the phone's request to the waiting IAM worker.
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: sales@hitachi-id.com
Date: 2020-03-23 | 2020-03-23 File: PRCS:pres