Secure Identity Services for a Mobilized Workforce.
© 2004-2012. Centrify Corporation. All Rights Reserved.
Secure Identity Services for Cloud and Mobile Apps
Authentication Nirvana
[Diagram: Cloud Proxy Server, IDP as a Service, Firewall, Mobile OS, Mobile App / Mobile Auth SDK / MDM, Hosted Application]
Step 1: Web Application Registration
Step 2: One-time user authentication & device registration
Step 3: Token Generation
Step 4: Token-based Authentication
• One password for Enterprise Users
• Protection by AD inside Firewall
• Mobile app gets SSO
• App Dev only needs to ask the platform for authentication and security token for backend
• IT controls app authentication and authorization
• ……. All with 3 simple API calls

Challenges for IT admins & App Developers
Evolution of Enterprise (15 Years Ago -> Current Environment)
Enterprise IT Systems: Just core processes -> All the business processes
Application Users: A few transaction experts -> Most employees
Access Device: Desktop PC -> Desktop, Laptop, Tablet or Smartphone
Access Location: Your desk -> Anywhere
Application usage modality: Specific data entry and access -> On demand, ongoing, mostly for access to information
Security risk: Limited (access by specific individuals, from known locations, for predictable purposes) -> Much larger (potentially from any device, located anywhere)

Bring Your Own (BYO)
Bring Your Own Apps (BYOA)
EDA: 3/4 of All Organizations Condone BYOD
• Organizations are increasingly allowing employees to bring their own devices
• Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users
[Chart: Bring Your Own: Laptop, Smartphone, Tablet; Responding Organizations by Number of Employees (10000+, 2-10,000, 500-2,000, 100-500, All); values shown: 66%, 85%, 67%, 78%, 75%]

Bring Your Own: Conquering Enterprise
Bring Your Own Presents New Challenges
• Consumer oriented features present security challenges for the Enterprise
  • OS X Internet/File/Screen Sharing
  • iCloud Document and Data Sharing
• “Day 1” effect for new products
  • Consumers want to use new products and updates the day that they are launched
  • Users tend to update devices every 2 years
• End User is the “admin”
  • IT has much less control over configuration
  • Enforcing security is challenging

Multiple identities + Password Sprawl Create risk
• Multiple logins for users
• Multiple identity infrastructures for IT to manage
[Diagram: Laptops, Smartphones and Tablets, In-house Apps and 100’s more, each with its own ID]

Regulatory compliance overhead
• Security Policies are designed to protect:
  • Government, business and financial data
  • Consumer and patient privacy
• The Rules are well defined for IT:
  • Establish separation of duties
  • Enforce system security policies
  • Enforce network access policies
  • Encrypt data-in-motion and at rest
  • Enforce “least access”
  • Grant privileges to individuals granularly
  • Audit user access and privileged user activities
Regulations shown: Payment Card Industry Data Security Standard; Federal Information Security Management Act; NIST Special Publication 800-53; Basel II; FFIEC Information Security Booklet; Health Insurance Portability and Accountability Act; Sarbanes-Oxley Act Section 404

What IT cares about
1. Enable employee productivity
  • They can access the data they need for work, anywhere, at any time
  • IT and security don’t get in the way
2. Ensure compliance requirements are addressed
  • IT can enforce the required security policies on business data
  • IT is able to maintain access controls over business applications
3. Efficient management
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing

Solution: Federated Identity
Federated Identity
Where users have one login ID and password, and IT has one Federated Identity Infrastructure to manage
[Diagram: End Users with one ID on Laptops, Smartphones and Tablets]

Strengthen Security with Federated Identity
• Federated Identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies, simplifying management
  • Ensures that IT controls access, eliminating the risk of orphaned accounts
[Diagram: Federation Trust, Cloud Proxy Server, IDP as a Service, Firewall, ID]

Extend Identity Services to Mobile Platforms
• Mobilize app and service access
  • Enable mobile access to Enterprise services and applications
  • Design mobile interfaces to seamlessly integrate with the Enterprise services
• Containerization to separate work from personal
  • Protect work applications and data from data leakage
  • Provide the laptop experience on mobile: unlock and access all business apps
• Centralize mobile and application administration
  • Enabling IT to manage security policies for Mobile, Workstations and Servers
  • Unifying app management into one interface for Mobile, Web and SaaS Apps
  • Leveraging automated lifecycle management through AD

Federated Auth for Mobile is too hard
Federated Auth for Mobile is too hard
1) App launches
2) Displays a login screen and an additional link for ”Are you a Single Sign-On user?"
3) User clicks on it and is presented a form for entering an email address
4) App then connects to the backend, redirects to the Enterprise IDP and opens a browser to present the IDP login screen
5) IDP displays the login screen asking for userid and password
6) IDP authenticates, generates a token and provides the token back
7) App receives the token, closes the browser window, then provides access to the service.

Centrify Simplifies Mobile Federated Auth
Integrated Mobile App Authentication provides true enterprise Zero Sign-On
• Mobile app authenticates and registers AD as its identity provider
• Mobile app can access information about user attributes in AD
• Mobile app gains SSO to backend services
[Diagram: Cloud Proxy Server, IDP as a Service, Firewall, Mobile OS, Mobile App / Mobile Auth SDK / MDM, Hosted Application]
Step 1: Web Application Registration
Step 2: One-time user authentication & device registration
Step 3: Token Generation
Step 4: Token-based Authentication

Centrify SDK: Auth, Authorization & SSO
• Example Sales app integrated into Federated Auth via Mobile Auth Service SDK
• App launch calls EnterpriseAuthentication.getUserInformation()
  • If the app is not registered OR if reauth is required, then the EnterpriseAuthentication SDK will:
    • Display enterprise login screen
    • Login to AD
    • Check user authorization
    • Check device Jailbreak status
    • Request Certificate
    • Display “Welcome %username”
  • else
    • Display “Welcome %username”
• onClick “Profile” calls EnterpriseAuthentication.userLookup()
  • Display User Attributes from AD
• onClick “Sales Records” calls EnterpriseAuthentication.getSecurityToken(target)
  • Request data from target using SecurityToken to authenticate

What to avoid!
• Caching of username & password inside mobile app
• Take on burden of managing User identities
• Proprietary authentication implementations
• PIN code across group of Apps and assume SSO
“False assumption of security is worse than no security”

Solution: Container
Containers for a Secured Enterprise Environment
• Containers enable IT to create and control an Enterprise Environment, vs. managing the entire device, e.g. passcode auto-lock on the container, not the device
• Enterprise IT controls all apps and data within the container, ensuring no data leak
• Data can be shared between mobile apps within the container without leaving the Enterprise Environment
• SSO is provided for all apps in the container, enabling the laptop experience on a mobile device

Using Containerization for Dual Persona
• Dual persona enables usage of the same app with different personalities
  • Personal Mail on the device, Business Mail in the container
  • Personal Box account on the device, Business Box account in the container
[Diagram: Office 365: [email protected] / [email protected]; Mail: [email protected] / [email protected]; Dropbox: [email protected]]

Samsung KNOX: Security From The Ground Up
• HW level and OS level Security
  • Secure Boot for preventing “Unauthorized” Operating System
  • Security Enhanced (SE) Android developed by NSA (National Security Agency)
  • TrustZone-based Integrity Measurement
• Android F/W and Application level Security
  • Application and data isolation for work and play with Container
  • On-Device Data Encryption
  • Virtual Private Network (FIPS 140-2)
  • Support for management via Active Directory / Group Policy Manager
• Policies to comply with the US DoD Mobile OS Security Requirements Guide*
  • including CAC / PIV card support

Enterprise SSO Service for Samsung KNOX
• Multi-application SSO is built into the Knox Container
  • One SSO Registration for the Container
  • Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user such as group memberships
  • Grants security tokens upon request for authorized web app/service
[Diagram: Cloud Proxy Server, IDP as a Service, Firewall, Samsung SE Android, KNOX Container (Mobile App 1 / Mobile Auth SDK, Mobile App 2 / Mobile Auth SDK, Enterprise SSO), Personal App, Web Application, ID]
Step 1: Web Application Registration
Step 2: One-time user authentication & Container registration
Step 3: Token Generation
Step 4: Token-based Authentication

App SSO Transaction Flow
[Diagram: Mobile Device (Mobile Application, Centrify Mobile API, SSO Service), Centrify Cloud Service (Identity Provider, Application SAML script), Service Provider (Box, DropBox)]
Step 1: User launches the application
Step 2: Authentication API Query
Step 3: Authenticate and Authorize user
Step 4: IDP generates and returns encrypted SAML response token
Step 5: SSO passes the SAML token to Mobile App
Step 6: SAML token sent to ACS URL
Step 7: SP verifies SAML token and allows access
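The seven-step flow above, together with the SDK sequence on the "Centrify SDK" slide and the "What to avoid" list, as an added Python example. It is not Centrify code and does not use the Centrify Mobile API or the EnterpriseAuthentication SDK; it simulates the IdP, the SSO service and the SP in one process. An HMAC-SHA256 signature over a JSON assertion stands in for XML Signature, and signing stands in for the "encrypted SAML response" of step 4 (both assumptions); the user store, the SP registration, the ACS URL, the issuer name and the shared key are all constructed for the example. The point is step 7: what the SP has to check (signature, issuer, audience, validity window, replay) before the token means anything, and that the app forwards the password once and afterwards holds only the token, never the credential.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data standing in for AD and for the SP registration; no real accounts, keys or URLs.
_SALT = b"constructed-salt"

def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

DIRECTORY = {  # the user store the IdP consults in step 3
    "alice": {"pw": _hash_password("correct horse"), "groups": {"Sales"}},
    "bob": {"pw": _hash_password("battery staple"), "groups": {"Engineering"}},
}
SERVICE_PROVIDERS = {  # per SP: its ACS URL, the AD groups allowed to use it, the key it shares with the IdP
    "box": {"acs_url": "https://box.example/saml/acs", "allowed_groups": {"Sales"},
            "key": b"constructed-shared-key-box"},
}
IDP_ISSUER = "https://idp.example"
TOKEN_LIFETIME = 300          # seconds an assertion stays valid
CLOCK_SKEW = 30               # tolerated IdP/SP clock difference, seconds
_SEEN_ASSERTION_IDS = set()   # SP-side replay cache (in memory for the example)

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _encode(assertion):
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()

def authenticate_and_authorize(username, password, sp_id):
    """Step 3: verify the credential, then check the user may reach this SP."""
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash_password(password)):
        return None
    if not user["groups"] & SERVICE_PROVIDERS[sp_id]["allowed_groups"]:
        return None
    return user

def idp_issue_assertion(username, sp_id, now=None):
    """Step 4: build a SAML-like response bound to the SP's ACS URL and sign it."""
    now = int(time.time() if now is None else now)
    sp = SERVICE_PROVIDERS[sp_id]
    body = _encode({
        "id": secrets.token_hex(8),   # unique per assertion so the SP can spot a replay
        "issuer": IDP_ISSUER,
        "subject": username,
        "audience": sp["acs_url"],
        "not_before": now - CLOCK_SKEW,
        "not_on_or_after": now + TOKEN_LIFETIME,
        "attributes": {"groups": sorted(DIRECTORY[username]["groups"])},
    })
    sig = hmac.new(sp["key"], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def sp_verify_assertion(token, sp_id, now=None):
    """Step 7: check signature, issuer, audience, validity window and replay; return the subject or None."""
    now = int(time.time() if now is None else now)
    sp = SERVICE_PROVIDERS[sp_id]
    body_b64, _, sig_b64 = token.partition(".")
    body, sig = _unb64(body_b64), _unb64(sig_b64)
    if not hmac.compare_digest(sig, hmac.new(sp["key"], body, hashlib.sha256).digest()):
        return None                                   # tampered, or signed with another key
    a = json.loads(body)
    if a.get("issuer") != IDP_ISSUER or a.get("audience") != sp["acs_url"]:
        return None                                   # issued by, or for, someone else
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        return None                                   # expired or not yet valid
    if a["id"] in _SEEN_ASSERTION_IDS:
        return None                                   # already presented once
    _SEEN_ASSERTION_IDS.add(a["id"])
    return a["subject"]

def sso_flow(username, password, sp_id, now=None):
    """Steps 1 to 7 end to end; the app forwards the password once and keeps only the token."""
    if authenticate_and_authorize(username, password, sp_id) is None:   # steps 2-3
        return {"granted": False, "stopped_at": 3}
    token = idp_issue_assertion(username, sp_id, now)                   # steps 4-5
    subject = sp_verify_assertion(token, sp_id, now)                    # steps 6-7
    if subject is None:
        return {"granted": False, "stopped_at": 7}
    return {"granted": True, "subject": subject, "token": token}

def run_scenarios(now=1_700_000_000):
    """Happy path plus the cases the SP must deny; a fixed clock keeps the run repeatable."""
    ok = sso_flow("alice", "correct horse", "box", now)
    stale = idp_issue_assertion("alice", "box", now - TOKEN_LIFETIME - 1)
    body_b64, _, sig_b64 = ok["token"].partition(".")
    edited = json.loads(_unb64(body_b64))
    edited["subject"] = "bob"                         # changed body, original signature
    return {
        "alice_granted": ok["granted"],
        "wrong_password": sso_flow("alice", "nope", "box", now)["stopped_at"],
        "not_authorized": sso_flow("bob", "battery staple", "box", now)["stopped_at"],
        "replay": sp_verify_assertion(ok["token"], "box", now),
        "expired": sp_verify_assertion(stale, "box", now),
        "tampered": sp_verify_assertion(_b64(_encode(edited)) + "." + sig_b64, "box", now),
    }
```

`run_scenarios()` returns `alice_granted` as True and the other five entries as denials (`stopped_at` 3 for the two authentication failures, None for replay, expiry and tampering). The audience check is what keeps a token minted for one registered web application from being accepted at another SP's ACS URL, and the replay cache is why the assertion carries a unique id; in a real deployment that cache has to be shared across SP instances and bounded by the token lifetime.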
Secure Identity Services for a Mobilized Workforce
• Federated Identity Service centralizes application authorization under IT control
  • Provides users with SSO to authorized services and applications
  • Eliminates the multiple-password challenges associated with hosted applications and services
• Mobilized application access and ZSO enable employee productivity
  • Users can access the data they need for work, anywhere, at any time, with mobile access to email, shared files and applications
  • IT and security don’t get in the way, with zero sign-on and container-based management
• Containerization enables security to address compliance requirements
  • IT can enforce the required security policies on business data using Group Policy
  • IT is able to maintain access controls over business applications
• Integrated administration enables IT to efficiently manage mobility
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing

Now
Nirvana Today
Thank You
Sumana [email protected]
http://www.centrify.com/mas