Mobilize your workforce with secure identity services

Secure Identity Services
for Cloud and Mobile apps
© 2004-2012. Centrify Corporation. All Rights Reserved.

Authentication Nirvana
• One password for Enterprise Users
• Protection by AD inside Firewall
• Mobile app gets SSO
• App Dev only needs to ask the
platform for authentication and
security token for backend

• IT controls app authentication and
authorization

Mobile App
Mobile Auth

Step 4
Token based
Authentication

SDK

MDM

Hosted
Application

Mobile OS
Step 2
One time user
authentication
& device registration

Step 3
Token Generation

Step 1
Web Application
Registration

IDP as a Service

Firewall

Cloud
Proxy Server

ID

• …….All with 3 simple API calls

| Identify. Unify. Centrify.

2

Challenges for IT admins & App
Developers

3

Evolution of Enterprise
15 Years Ago

Current Environment

Enterprise IT Systems

Just core processes

All the business processes

Application Users

A few transaction experts

Most employees

Access Device

Desktop PC

Desktop, Laptop, Tablet or
Smartphone

Access Location

Your desk

Anywhere

Application usage modality

Specific data entry and access

On demand, ongoing, mostly for
access to information

Security risk

Limited – access by specific
individuals, from known locations
for predictable purposes

Much Larger – potentially from any
device, located anywhere


4

Bring Your Own (BYO)


5

Bring Your Own Apps (BYOA)


6

Bring Your Own: Laptop, Smartphone, Tablet
• Organizations are increasingly
allowing employees to bring
their own devices

EDA: 3/4 of All Organizations
Condone BYOD
85%

78%

75%

100-500

All

67%

66%

• Enterprise Device Alliance
(EDA) polled 277 organizations
representing ~1.5M users
10000+

2-10,000

500-2,000

Responding Organizations by Number of
Employees

7

Bring Your Own: Conquering Enterprise


8

Bring Your Own Presents New Challenges
• Consumer oriented features present security challenges for the Enterprise

• “Day 1” effect for new products

• End User is the “admin”


9

Multiple identities + Password Sprawl
Create risk
• Multiple logins for users
• Multiple identity infrastructures for IT to manage
ID

ID
ID
ID

Smartphones and Tablets

ID
ID

ID
ID
Inhouse

ID

and
100’s

Apps

ID

more….

Laptops

10

Regulatory compliance overhead
• Security Policies are designed to protect:
Federal Information Security
Management Act

NIST Special
Publication 800-53

• The Rules are well defined for IT:

Payment Card
Industry Data
Security Standard

Health Insurance
Portability and
Accountability Act


Basel II. FFIEC
Information Security
Booklet

Sarbanes-Oxley Act
Section 404

11

What IT cares about
1. Enable employee productivity
• They can access data they need for work, anywhere at anytime
• IT and security don’t get in the way

2. Ensure compliance requirements are addressed
• IT can enforce requires security policies on business data
• IT is able to maintain access controls over business applications

3. Efficient management
• Security officers can easily describe the security policies to be enforced
• Helpdesk can easily take on the responsibilities of managing

12

Solution: Federated Identity

13

Federated Identity
Where users have one login ID and password
And IT has one Federated Identity Infrastructure to manage

Smartphones and Tablets

End Users

ID

Laptops


14

Strengthen Security with Federated Identity
• Federated Identity ensures that users only
need to use their AD userid/password

ID

• Only one password to remember
Federation
Trust

• Password is protected by the Enterprise in
AD

• AD-based federation provides several
advantages for IT

IDP as a Service

• Leverages existing account and password
policies – simplifying management Firewall
• Ensures that IT controls access
eliminating risk of orphaned accounts


Cloud
Proxy Server

ID

15

Extend Identity Services to Mobile Platforms
Mobilize app and service access
• Enable mobile access to Enterprise services and applications
• Design mobile interfaces to seamlessly integrate with the Enterprise services

Containerization to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile, unlock and access all business apps

Centralize mobile and application administration
• Enabling IT to manage security policies for Mobile, Workstations and Servers
• Unifying app management into one interface for Mobile, Web and SaaS Apps
• Leveraging automated lifecycle management through AD

16

Federated Auth for Mobile is too hard


17

Federated Auth for Mobile is too hard
1)

App launches

2)

Displays a login screen and additional link for ”Are you a Single Sign-On user?"

3)

User clicks on it and is presented form for entering email address

4)

App then connects to backend, redirects to Enterprise IDP and opens browser
to present the IDP login screen

5)

IDP displays the login screen asking for userid and password

6)

IDP authenticates and generate token, provides the token back

7)

App will receive the token and closes the browser window, then provide access
to the service.


18

Centrify Simplifies Mobile Federated Auth
Mobile App
Mobile Auth

MDM

Step 4
Token based
Authentication

Hosted
Application

SDK

Mobile OS

•

Step 2
One time user authentication
& device registration

Step 3
Token Generation

•

Step 1
Web
Application
Registration

IDP as a Service

•
Firewall

Cloud
Proxy Server


ID

19

Centrify SDK: Auth, Authorization & SSO
• Example Sales app integrated into Federated Auth via Mobile Auth Service SDK
• App launch calls EnterpriseAuthentication.getUserInformation()

• onClick “Profile” calls EnterpriseAuthentication.userLookup()

• onClick “Sales Records” calls EnterpriseAuthentication.getSecurityToken(target)


20

What to avoid!
“False assumption of security is worse than no security”
• Caching of username & password inside mobile app
• Take on burden of managing User identities
• Proprietary authentication implementations

• PIN code across group of Apps and assume SSO


21

Solution: Container

22

Containers for a Secured Enterprise Environment
• Containers enable IT to create and control an Enterprise Environment, vs. managing
the entire device, eg. Passcode auto-lock on the container not the device
• Enterprise IT controls all apps and data within the container ensuring no data leak

• Data can be shared between mobile apps within the container without leaving the
Enterprise Environment
• SSO is provided for all apps in

container - enabling the laptop
experience on a mobile device


23

Using Containerization for Dual Persona
• Dual persona enables usage of the same app with different personalities

Mail: david@mcneely.com
Gmail: dfmcneely@gmail.com
Dropbox: david@mcneely.com


Office 365: david.mcneely@centrify.com
Box: david.mcneely@centrify.com

24

Samsung KNOX: Security From The Ground Up
• HW level and OS level Security

• Android F/W and Application level Security


25

Enterprise SSO Service for Samsung KNOX
• Multi-application SSO is built into

the Knox Container

Mobile App 1
Mobile
Personal

Mobile App 2
Mobile

Auth SDK

Auth SDK

App

KNOX Container Enterprise SSO
Samsung SE Android

• The container provides Enterprise

Step 2
One time user authentication
& Container registration

SSO as a Service

Step 4
Token based
Authentication
Web
Application
Step 3
Token
Generation
Step 1
Web
Application
Registration

IDP as a Service

Firewall

Cloud
Proxy Server


ID

26

App SSO Transaction Flow
Centrify Cloud Service
Application

Identity
Provider

SAML script

Step 3
Authenticate and
Authorize user

Step 4
IDP generates and returns
encrypted SAML response token

Step 2
Authentication
API Query
Step 5
SSO passes the
SAML token to
Mobile App


Step 7
SP verifies SAML
token and allows
access

Mobile Device

Centrify Mobile API

SSO Service


Step 6
SAML token
sent to ACS
URL

Service
Provider
(Box, DropBox
)

Mobile Application

Step 1
User launches
the application

27

Secure Identity Services for a Mobilized Workforce
Federated Identity Service centralizes application authorization under IT control

Mobilized application access and ZSO enables employee productivity

Containerization enables security to addresses compliance requirements

Integrated administration enables IT to efficiently manage mobility


28

Today 

Nirvana 

Now


29

Sumana Annam
sumana.annam@centrify.com
http://www.centrify.com/mas

Thank You

Mobilize your workforce with secure identity services

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Mobilize your workforce with secure identity services

Ähnlich wie Mobilize your workforce with secure identity services (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Mobilize your workforce with secure identity services