Slide 2
Host Android in the cloud, access via remote client apps:
Hypori ACE Servers, similar to VDI servers
Hypori ACE Client from public app store or distributed by MAM
What is Hypori?
Hypori Platform Terminology
Slide 3
Hypori ACE System At Scale
Slide 4
Typical ACE System Deployment
Slide 5
Typical ACE System Deployment
Slide 6
Slide 7
What is Hypori?
DEMO
Slide 8
Cloud hosted Android for secure enterprise mobility
Slide 9
From DroidCloud to Hypori
Slide 10
Sandbox Apps: Don’t work on iOS, require ‘jail breaking’, limited market traction, not suitable for BYOD.
VMs / Containers: Proprietary containers, typically just email, browser + MS Office, few apps, no sensors.
MAM: Less intrusive than MDM for BYOD, but also less secure – low level of assurance.
MDM: Cannot protect enterprise apps and data on personal devices; DroidCloud VDM partner.
Thin Clients: Windows 7 not suited to mobile devices, Win8 struggling.
Miscellaneous: Various security approaches, typically components of a broader solution.
Hypori complements VDI thin clients, and is partnering with companies in every other box.
Enterprise Mobile Ecosystem
Slide 11
Mobile Teleworking: A virtual smartphone for every soldier, running in DISA’s DECC (the DoD cloud) – analogous to BYOD.
Tactical Cloud: Forward deployed tactical clouds on land, sea and air platforms for special operations forces.
Partners: NGOs as part of international aid efforts, logistics providers, coalition partners.
Senior Leader Comms: Classified mobile communications for senior leaders and other DoD personnel.
What are the DoD use cases?
Slide 12
Employee:
• BYOD or EOD
• Securing MDM for sensitive data
• Email, calendar and web
• Transaction approvals
• Salesforce / CRM
• SAP / ERP
• In-house Android apps
• TripIt / travel management
• Phone calls / VTC
Customer:
• BYOD published app mode
• Extending MDM to third parties
• Banking communications
• Doc reviews / deal rooms
• Viewing transaction activity
• Transaction approvals
• Treasury services
• Market information services
• Stock trading
What are the banking use cases?
Slide 13
Hypori leverages SEAndroid as the ACE Virtual Device remote OS, as well as existing Android apps.
Hypori leverages Linux with KVM as the backend baseline for its ACE Server.
Hypori leverages the SPICE (Red Hat) protocol as a foundation for its communications / traffic between the ACE Server and ACE clients.
Client Apps for Android, iOS, Windows 8, …
Linux & KVM for vHost, OpenStack, SEAndroid/AOSP for vDevice, plus storage, user directory, AV, app store.
What technologies do we use?
Slide 14
How do we change Android?
Slide 15
Product – Roadmap
Hypori product progress and roadmap:
• Version 3.0: Q3, 14 – MVP for Enterprise Deployments. Basic camera, server-side OpenGL / 3D, KitKat VD upgrade, SEAndroid, tuned X.264, status bar bypass, notifications, client certs, S/MIME, hardware crypto, high availability, geographical roaming, admin UI and APIs, LDAP/AD integration, SELinux, Splunk auditing integration.
• Version 3.1: Q1, 15 – MVP for Multi-Tenant Private Cloud. Client for Win8, remote camera / VTC, client-side OpenGL, media bypass, keyboard bypass, more PKI auth options, app data/sensor access controls, improved VD management and administration, basic instrumentation data exposed to security partners.
• Version 3.2: Q2, 15 – MVP for Multi-Tenant Public Cloud. Additional functionality TBD based on customer feedback, stability improvements, housekeeping.
• Version 4.0: Q3, 15 – MVP for Multi-Tenant Public Cloud. Support for Google CTS, improved sensor support, official Play support, improved client-side OpenGL, more advanced security instrumentation integration.
Slide 16
ACE Virtual Device
• SEAndroid providing:
  o Privileged daemon protection.
  o Application isolation.
  o Middleware controls.
  o Instrumentation & auditing.
  o App install protection.
  o Limit app access to sensors.
• ‘Untrusted’ app sandboxing.
• Read only core OS partition.
• Centralized patching.
• MDM / MAM controls.
ACE Client
• Remote two factor auth.
• Remote signing and decryption.
• TLS (and VPN) encryption for data in transit.
• GPS-based access policies.
• Attributes exposed for MDM integration.
• Screenshot ‘prevention’.
• Integration with client-side attestation technologies.
• Eventually, integration with mobile device MTMs.
ACE Server
• Protocol aware firewall.
• KVM hypervisor containment.
• SELinux-based VD separation.
• Server-side TPM attestation.
• VPN service for apps in VDs.
• Network proxy for traffic monitoring.
• System-wide app management.
• Behavioral and signature-based malware detection.
• User behavioral biometrics.
• VD instrumentation / auditing.
Architecting for Defense in Depth
Slide 17
Hypori ACE Admin Authentication & Connection
[Diagram: ENTERPRISE network (VPN optional) and INTERNET; ACE Management Server comprising Web Server (nginx), Enterprise Directory (LDAP / AD), mongoDB and OpenStack System; 3rd Party Integration (Splunk / Nagios / Monit / etc) reached via REST API Calls (https / TLS v1.2). Numbered flow:]
1. Present User Certificate (https / TLS v1.2)
2. Validate User Certificate Signing Chain
3. Proxy http
4. Verify Account Status + Password; Return valid user data + LDAP parameters
5. Look up User by DN for Role
6. OpenStack API calls
7. HTML + JSON
Slide 18
Hypori ACE Client Authentication & Connection
[Diagram: ENTERPRISE network and INTERNET (VPN optional); ACE Client; ACE Management Server comprising Web Server (nginx), Enterprise Directory (LDAP / AD), mongoDB and OpenStack System; 3rd Party Integration (Splunk / Nagios / Monit / etc). Numbered flow:]
1. Present User Certificate (TLS v1.2) + LDAP Password
2. Validate User Certificate Signing Chain
3. Proxy http
4. Verify Account Status + Password; Return valid user data + LDAP parameters
5. Look up User by DN for Role
6. ACE Virtual Device Information
7. Deliver signed Token w/ Compute Node name + AVD TCP Port
8. Connect with signed token to ACE Virtual Device using the ACE Protocol over TLS v1.2
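The token handoff in steps 7 and 8 above, as an added example that is not Hypori's code: the management server binds the user DN, role, compute node name and AVD TCP port into a short-lived signed token, and the virtual device host accepts a connection only if the signature verifies, the token has not expired, and it was issued for that exact node and port. The HMAC-SHA256 scheme (standing in for whatever signature Hypori actually uses), the key, the TTL and all names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a key shared by the management server and the compute nodes.
# Constructed demo value; the slide says "signed token" but not the algorithm.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_TTL_SECONDS = 60  # assumed lifetime; a token should cover one connect, not a session


def issue_token(user_dn, role, compute_node, avd_port, now=None):
    """Step 7: management server issues body.signature, binding user, role, node and port."""
    now = int(now if now is not None else time.time())
    claims = {"sub": user_dn, "role": role, "node": compute_node,
              "port": avd_port, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, expected_node, expected_port, now=None):
    """Step 8: the virtual device host checks signature first, then expiry, then that the
    token names *this* node and port. Returns the claims, or None on any failure."""
    now = int(now if now is not None else time.time())
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected_sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return None  # forged or tampered body; constant-time compare
    claims = json.loads(body)
    if claims.get("exp", 0) < now:
        return None  # stale token cannot be replayed later
    if claims.get("node") != expected_node or claims.get("port") != expected_port:
        return None  # token issued for another virtual device host or port
    return claims
```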