CIS14: Providing Security and Identity for a Mobile-First World
Security & Identity for a Mobile-First World
Vijay Pawar
MobileIron Confidential
Traditional Desktop
• Login with enterprise identity (AuthN)
• Browser or native app access & SSO
• Applications based on identity (AuthZ)
• Pre-registered using IAM
Authentication to Applications: Desktop
Password
Tokens
Biometrics
Smartcards
Certificates
Authentication: Traditional Desktops
[Chart: the five factors plotted on SECURITY vs. USABILITY + DEPLOYMENT axes]
Password, Tokens, Biometrics, Smartcards, Certificates
Mobile
• Login with PIN (AuthN)
• Native app access
• Applications from the enterprise app store based on identity (AuthZ)
• Pre-registered using EMM
• Applications based on identity (AuthZ)
• Browser access & SSO
Authentication to Applications: Mobile
Leverage Same Factors
Password
Tokens
Biometrics
Smartcards
Certificates
Auth Factors
• Passwords: bad UX (typing long passwords, fat-fingering)
• Biometrics: good UX (fingerprint, facial (early stage), voice)
• Tokens: bad UX (carry along, or on the same device, which reduces security)
• SmartCards: bad UX (adding additional hardware)
EMM Certificate Support
• Ease in certificate delivery
• High security: the private key stays on the device and mutual TLS resists credential interception and replay (provided the key is non-exportable and the server validates the certificate chain)
• Multiple usage (VPN, Wi-Fi, apps, browser)
• Good UX
Authentication: Mobile Devices
[Chart: the five factors plotted on SECURITY vs. USABILITY + DEPLOYMENT axes]
Password, Tokens, Biometrics, Smartcards, Certificates
(The same factors appear a second time on the chart, repositioned for mobile: Tokens, Biometrics, Certificates, Smartcards, Password)
Identity Verified
Authorized to Access App
Authorization to Applications: Desktop
• Access: based on AD group; context (network, time)
• In-app access: typically handled inside the app
Authorization Technology: Desktop
• SaaS: standards (federation), proprietary (WAM), password manager, E-SSO
• Native: E-SSO
Authorization: Traditional Desktops
[Chart: approaches plotted on SECURITY vs. USABILITY + DEPLOYMENT axes]
Password Mgr, WAM, Federation, E-SSO
Authorization to Applications: Mobile
• Access: based on AD group; context (network, time, device posture, location, app inventory)
• In-app access: typically handled inside the app
Authorization Technology: Mobile
• SaaS: standards (federation), proprietary (WAM), password manager
• Native: E-SSO, wrap/SDK
Authorization: Mobile Apps
[Chart: approaches plotted on SECURITY vs. USABILITY + DEPLOYMENT axes]
Password Mgr, WAM, Federation, Wrap/SDK
Recommendations: Cloud Apps Authorization
• Support federation standards
• If username/password access is unavoidable, restrict it by source IP address for all applications (e.g. email & content), since a password alone carries no device trust
• IDP or SaaS providers to use device context (posture, location, app inventory) in the access decision
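The access decision the two authorization slides describe (AD group plus network, time, device posture, location and app inventory from the EMM) and the recommendation above to confine username/password access to corporate IP space, as an added Python example; this is illustrative code, not the deck's or MobileIron's, and the group DN, CIDRs, time window, app identifiers and sample requests are constructed:

```python
"""Constructed example: context-aware access decision for a mobile app.

Checks a request against the factors the deck lists (AD group, network,
time, device posture, location, app inventory) and applies the rule that
username/password access is only allowed from corporate IP space.
All names, thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Context:
    """What the IDP or gateway knows about a request (EMM supplies posture)."""
    user: str
    groups: frozenset          # AD group memberships
    src_ip: str
    when: datetime             # local time of the request
    auth_method: str           # "federation" or "password"
    managed: bool              # enrolled in EMM
    compromised: bool          # jailbroken/rooted per EMM posture check
    os_version: tuple          # e.g. (7, 1)
    country: str               # from device location
    installed_apps: frozenset  # app inventory reported by EMM


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rules an administrator defines on the EMM server."""
    app: str
    allowed_groups: frozenset
    corp_networks: tuple       # CIDRs treated as "inside"
    hours: tuple               # (start, end) allowed local time window
    min_os: tuple
    allowed_countries: frozenset
    blocked_apps: frozenset    # apps whose presence denies access
    password_requires_corp_ip: bool = True


def _on_corp_network(src_ip: str, policy: AppPolicy) -> bool:
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr) for cidr in policy.corp_networks)


def evaluate(policy: AppPolicy, ctx: Context):
    """Return (allowed, reasons); every failed check is reported so the
    gateway can log why a request was denied."""
    reasons = []
    if not ctx.groups & policy.allowed_groups:
        reasons.append("user not in an authorized AD group")
    start, end = policy.hours
    if not (start <= ctx.when.time() <= end):
        reasons.append("outside allowed hours")
    if not ctx.managed:
        reasons.append("device not enrolled in EMM")
    if ctx.compromised:
        reasons.append("device posture: compromised")
    if ctx.os_version < policy.min_os:
        reasons.append("OS version below minimum")
    if ctx.country not in policy.allowed_countries:
        reasons.append("location not allowed")
    if ctx.installed_apps & policy.blocked_apps:
        reasons.append("blocked app present in inventory")
    # Deck recommendation: an app that only takes username/password gets no
    # device trust from the login, so confine it to corporate IP space.
    if (ctx.auth_method == "password" and policy.password_requires_corp_ip
            and not _on_corp_network(ctx.src_ip, policy)):
        reasons.append("password auth only permitted from corporate network")
    return (not reasons, reasons)


# Constructed sample policy (assumed values).
EMAIL_POLICY = AppPolicy(
    app="email",
    allowed_groups=frozenset({"CN=Mobile-Users,OU=Groups,DC=corp,DC=example"}),
    corp_networks=("10.0.0.0/8", "203.0.113.0/24"),
    hours=(time(6, 0), time(22, 0)),
    min_os=(7, 0),
    allowed_countries=frozenset({"US", "GB"}),
    blocked_apps=frozenset({"com.example.cloudsync"}),
)


def sample_request(**overrides) -> Context:
    """A constructed healthy request; override fields to build failure cases."""
    base = dict(
        user="alice",
        groups=frozenset({"CN=Mobile-Users,OU=Groups,DC=corp,DC=example"}),
        src_ip="10.20.30.40",
        when=datetime(2014, 7, 21, 9, 30),
        auth_method="federation",
        managed=True,
        compromised=False,
        os_version=(7, 1),
        country="US",
        installed_apps=frozenset({"com.example.mail"}),
    )
    base.update(overrides)
    return Context(**base)


if __name__ == "__main__":
    print(evaluate(EMAIL_POLICY, sample_request()))
    print(evaluate(EMAIL_POLICY, sample_request(auth_method="password",
                                                 src_ip="198.51.100.7")))
    print(evaluate(EMAIL_POLICY, sample_request(compromised=True)))
```

Every check runs rather than short-circuiting on the first failure, so a denied request logs the full set of reasons; a real gateway would also re-evaluate posture on each request rather than once at login.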
Future: Authorization: Mobile Apps
[Chart: approaches plotted on SECURITY vs. USABILITY + DEPLOYMENT axes]
Password Mgr, WAM, Federation, Wrap/SDK
Identity Verified
Multiple Applications
Need Single Sign-On
SSO to Applications: Desktop
• SaaS: standards (federation), proprietary (WAM), Kerberos, certificates, password manager, E-SSO
• Native: Kerberos, certificates, password manager, E-SSO
Single Sign-On: Traditional Desktops
[Chart: approaches plotted on "Apps/OS supported" vs. USABILITY axes]
Password Mgr, WAM, Kerberos, Federation, Certificates, E-SSO
SSO to Applications: Mobile
• SaaS: standards (federation), proprietary (WAM), Kerberos*, certificates*, password manager*
• Native: Kerberos*, certificates*, E-SSO, wrap/SDK*
* Mileage varies
Challenges: Native App SSO
• Apps are sandboxed (containerized): no credential or token sharing between apps
• Some OS vendors support a shared token (iOS 7 Kerberos)
• Password managers do NOT support native (iOS) apps; they are also a security bypass, replaying the password outside any federation or device-trust control
Single Sign-On: Mobile Native
[Chart: approaches plotted on "Native Apps/OS supported" vs. USABILITY axes]
Password Mgr, WAM, Kerberos, Federation, Certificates, E-SSO
(Certificates, WAM and Kerberos appear a second time on the chart at their mobile position)
Approaches: Single Sign-On
• Need shared token support by mobile OS vendors: today, iOS 7 Kerberos token; future, OAuth token?
• Federation with certificate auth: native apps using certificates; IDP supporting certificate auth
• EMM vendors using a shared token in wrapper/SDK
Future: Single Sign-On: Mobile Native
[Chart: approaches plotted on "Native Apps/OS supported" vs. USABILITY axes]
Federation; Certificates, WAM, Kerberos
Mobile Identity Takeaways
Authentication
• Good UX key
• Certificates and biometrics viable options
SSO
• Mobile vendors enabling shared token support
• Certificates
• IDP support for certificate auth
Authorization
• Federation standards prevent bypass
• Username/PW apps to provide IP restrictions
• IDP to use device context
The technical realities…
There is no "one answer" to mobile SSO
• Generally "I want SSO" means "I want transparent authentication".
• Shared tokens, while useful, don't work well on mobile today
• The goal should be to make authentication & authorization easy while reducing UX complexity
But there are lots of implementation options
The rough architecture of EMM systems
• A client:
– Serves to enroll users in the EMM policy server
– Can serve as a central mechanism for driving policies & configs for apps (MAM or app wrapping)
• A server:
– A central system where administrators define policies and configurations for devices, apps and data; often houses app storefront functions
– Often ties to LDAP to direct policies against user or group objects
– Can tie to external systems for access control & identity, including certificate authorities, NAC, etc.
The rough architecture of EMM systems
• A gateway:
– Allows for transport of traffic to on-premise resources; can be VPN or purpose-built
– Should tie to concepts around device and network trust: ensure that the device is managed, that sessions aren't hijacked, etc.
The MobileIron Platform
• Core (VSP) & Cloud: mobile policy configuration engine (Mobile Device Management, Mobile Application Management, identity and certs, user self-service, rules & reporting)
• MobileIron Client: enforces configuration and security policies on the device, apps and content, at rest and in real time
• Sentry (gateway): provides access control by enforcing security policies on apps and content in flight
EMM vendors build SSO… because a lot of customers said "We want to use our Windows architecture." Result: Kerberos Constrained Delegation and mobile.
App SSO using Kerberos: PC era
[Diagram: the PC authenticates to Active Directory (certs, Kerberos) and uses Kerberos tickets to reach apps and content]
App SSO: PC era
[Diagram: same components (apps, content, Active Directory, certs); "Native Kerberos ?" marks the open question of a mobile device talking Kerberos directly to Active Directory]
Kerberos Constrained Delegation (KCD)
App single sign-on (SSO) using KCD
[Diagram: the device authenticates to the gateway; the gateway obtains Kerberos tickets from Active Directory on the user's behalf and presents them to apps and content]
Constraints with KCD
• Requires app developer engagement (SDK / wrapper)
• Requires a trust relationship between the gateway and the AD infrastructure
• No client-certificate authentication from the device to the app server is supported (the app server only ever sees the gateway's Kerberos ticket)
• Requires complex setup
• Native app support (Safari, Chrome) and commercial app support may be limited
Apple takes on SSO: iOS 7 introduces support for Kerberos
iOS 7: Native OS Kerberos SSO
• Native iOS: supports direct Kerberos requests from the OS and native apps
• Requires device access to the Key Distribution Center (KDC): use the device VPN, or expose the KDC in a DMZ (few organizations will put a domain controller's KDC on the internet edge)
iOS 7 SSO Challenge
[Diagram: same components (apps, content, Active Directory, certs); the device now speaks native Kerberos, but how it reaches the KDC behind the firewall is still the open question]
iOS 7 SSO with Kerberos Proxy
• First sign-on: a Kerberos proxy forwards the device's ticket request to the Key Distribution Center (KDC)
• Subsequent access: per-app VPN to SharePoint, OWA and other Kerberos-enabled apps
Constraints with Apple SSO
• Certificates weren't supported until iOS 8 (watch this space)
• Only supported on Apple devices
• Native apps are supported, including Safari
• Token reuse is supported across applications
Standards begin to develop: introduction of AZA, now NAPPS
AZA / NAPPS approach
[Diagram: an OAuth-enabled app requests a token; token exchange with the Identity Provider (IDP); the token is delivered to the app; each app authenticates with its token]
Constraints with AZA / NAPPS
• Without OS integration, it remains a MAM-only driven model
• Today requires app wrapping or SDK
• Standards work is still nascent
Another alternative… use of certificates for "transparent authentication"
Certificate auth to SSO IDP
[Diagram: the device receives a user or machine certificate (from EMM); the certificate is stored in the app keychain; the app presents the certificate to the Identity Provider (IDP) and receives a token; the OAuth-enabled app authenticates with the token]
Constraints with cert-based auth to IDP
• Provides transparent authentication, but not "SSO": apps end up with new tokens if the IDP does not know to reissue the token from the previous cert auth
• Works with iOS native apps, but requires developer work to negotiate cert auth & the token request
• Android requires app wrapping or SDK to receive certificate material and transport the IDP request behind the firewall
• Windows supports cert provisioning and app access to the cert store, but transport to the IDP needs development
• IDP must support OAuth or SAML requests with certificates as the user identity
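The two token flows above (the AZA/NAPPS token exchange and certificate authentication to an IDP, including the "new token per app" constraint just listed), as an added Python example. This is illustrative code, not the deck's, MobileIron's or the NAPPS working group's: it assumes the TLS handshake proving possession of the certificate's private key has already happened, so the IDP only sees the certificate's DER bytes; tokens are HMAC-signed compact strings standing in for JWT/SAML; and the signing key, certificate bytes, user and app identifiers are constructed.

```python
"""Constructed example: an IDP that authenticates a device by client
certificate, issues a primary token, and exchanges it for audience-restricted
per-app tokens in the NAPPS style. Assumptions: mutual TLS already proved key
possession (only the DER bytes arrive here); tokens are HMAC-signed compact
strings, not real JWT/SAML; key and certificate bytes are made up.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-idp-signing-key-do-not-reuse"  # assumption
TOKEN_TTL = 3600  # seconds


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint(claims: dict, key: bytes = IDP_KEY) -> str:
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token: str, key: bytes = IDP_KEY, now=None) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    body, sig = token.split(".")
    expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


class Idp:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.enrolled = {}  # cert fingerprint -> user, written at EMM enrollment
        self.sessions = {}  # cert fingerprint -> primary token (reissue cache)

    def enroll(self, cert_der: bytes, user: str) -> None:
        self.enrolled[fingerprint(cert_der)] = user

    def cert_auth(self, cert_der: bytes) -> str:
        """Transparent authentication: certificate in, token out. Reusing the
        cached token for the same certificate is what makes this SSO; without
        the cache every app would receive a fresh, unrelated token."""
        fp = fingerprint(cert_der)
        user = self.enrolled.get(fp)
        if user is None:
            raise PermissionError("certificate not enrolled")
        cached = self.sessions.get(fp)
        if cached is not None:
            try:
                verify(cached, now=self.clock())
                return cached
            except ValueError:
                pass  # expired: issue a new one below
        token = mint({"sub": user, "cnf": fp, "aud": "idp",
                      "exp": int(self.clock()) + TOKEN_TTL})
        self.sessions[fp] = token
        return token

    def exchange(self, primary: str, app_id: str) -> str:
        """NAPPS-style token exchange: primary token -> token for one app."""
        claims = verify(primary, now=self.clock())
        if claims["aud"] != "idp":
            raise PermissionError("only the primary token can be exchanged")
        return mint({"sub": claims["sub"], "aud": app_id,
                     "exp": int(self.clock()) + TOKEN_TTL})


def app_accepts(token: str, app_id: str, now=None) -> bool:
    """What a resource app checks: signature, expiry and its own audience."""
    try:
        return verify(token, now=now)["aud"] == app_id
    except ValueError:
        return False


# Constructed bytes standing in for a DER-encoded user certificate.
ALICE_CERT = b"\x30\x82\x01\x0a" + b"alice-device-cert".ljust(64, b"\x00")


def demo(clock=time.time):
    idp = Idp(clock)
    idp.enroll(ALICE_CERT, "alice@corp.example")
    primary = idp.cert_auth(ALICE_CERT)  # first app: cert -> primary token
    mail_token = idp.exchange(primary, "com.example.mail")
    return idp, primary, mail_token


if __name__ == "__main__":
    idp, primary, mail = demo()
    print("second app reuses token:", idp.cert_auth(ALICE_CERT) == primary)
    print("mail app accepts:", app_accepts(mail, "com.example.mail"))
    print("docs app rejects:", app_accepts(mail, "com.example.docs"))
```

The `sessions` cache keyed by certificate fingerprint is the piece the slide says most IDPs lack: drop it and each app's certificate authentication yields an unrelated token, which is transparent authentication but not SSO. Audience restriction on exchanged tokens keeps a compromised app from presenting its token to a different app, and only the primary token is exchangeable.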
The takeaway
• It is possible to meet end-user and IT needs for authentication today
• IT should be aware of OS capabilities when planning both app and auth design
• Certificates provide the easiest, most transparent method available.
• NAPPS represents a strong development but needs more maturity and OS buy-in