mobilize your workforce with secure identity services

© 2004-2012. Centrify Corporation. All Rights Reserved. Secure Identity Services for Cloud and Mobile apps

Upload: sumana-mehta

Post on 09-May-2015


DESCRIPTION

Active Directory-Based Authentication for Mobile Apps

The Centrify partner program provides mobile application developers with a free, easy-to-deploy solution for integrating their apps with Active Directory and delivering 'Zero Sign-On' to enterprise users.

Centrify Mobile Authentication Services (MAS) and Software Developer Kit (SDK) deliver the first cloud-based solution that enables Active Directory-based authentication for mobile applications. With a simple, high-level API, developers can easily add Centrify's unique "zero sign-on" authentication and authorization services to their multi-tier applications, from the mobile device seamlessly through to their existing back-end infrastructure. Centrify's Mobile Authentication Service adds a critical capability not available in existing Mobile Device Management offerings, yet it is compatible with any existing MDM solution, including Centrify's mobile security management solution, to enable a comprehensive mobile security solution.

http://www.centrify.com/mobile/mobile-authentication-services.asp

TRANSCRIPT

Page 1: Mobilize your workforce with secure identity services

Secure Identity Services for Cloud and Mobile apps

Page 2: Authentication Nirvana

[Diagram: Mobile App with the Mobile Auth SDK and MDM on the Mobile OS; Cloud Proxy Server and IDP as a Service behind the Firewall; Hosted Application. Step 1: Web Application Registration; Step 2: One-time user authentication & device registration; Step 3: Token Generation; Step 4: Token-based Authentication]

• One password for Enterprise Users
• Protection by AD inside the Firewall
• Mobile app gets SSO
• App Dev only needs to ask the platform for authentication and a security token for the backend
• IT controls app authentication and authorization
• ... all with 3 simple API calls


Page 3: Challenges for IT admins & App Developers

Page 4: Evolution of Enterprise

Enterprise IT Systems
  15 years ago: Just core processes
  Current environment: All the business processes

Application Users
  15 years ago: A few transaction experts
  Current environment: Most employees

Access Device
  15 years ago: Desktop PC
  Current environment: Desktop, Laptop, Tablet or Smartphone

Access Location
  15 years ago: Your desk
  Current environment: Anywhere

Application usage modality
  15 years ago: Specific data entry and access
  Current environment: On demand, ongoing, mostly for access to information

Security risk
  15 years ago: Limited – access by specific individuals, from known locations, for predictable purposes
  Current environment: Much larger – potentially from any device, located anywhere

Page 5: Bring Your Own (BYO)

Page 6: Bring Your Own Apps (BYOA)

Page 7: EDA: 3/4 of All Organizations Condone BYOD

• Organizations are increasingly allowing employees to bring their own devices
• Enterprise Device Alliance (EDA) polled 277 organizations representing ~1.5M users

[Chart: Bring Your Own: Laptop, Smartphone, Tablet. Responding organizations by number of employees (10000+; 2-10,000; 500-2,000; 100-500; All), with the values 66%, 85%, 67%, 78% and 75%]

Page 8: Bring Your Own: Conquering Enterprise

Page 9: Bring Your Own Presents New Challenges

• Consumer oriented features present security challenges for the Enterprise
  • OS X Internet/File/Screen Sharing
  • iCloud Document and Data Sharing
• “Day 1” effect for new products
  • Consumers want to use new products and updates the day that they are launched
  • Users tend to update devices every 2 years
• End User is the “admin”
  • IT has much less control over configuration
  • Enforcing security is challenging

Page 10: Multiple identities + Password Sprawl Create risk

• Multiple logins for users
• Multiple identity infrastructures for IT to manage

[Diagram: Laptops, Smartphones and Tablets, In-house Apps and 100’s more, each carrying its own ID]

Page 11: Regulatory compliance overhead

• Security Policies are designed to protect:
  • Government, business and financial data
  • Consumer and patient privacy
• The Rules are well defined for IT:
  • Establish separation of duties
  • Enforce system security policies
  • Enforce network access policies
  • Encrypt data-in-motion and at rest
  • Enforce “least access”
  • Grant privileges to individuals granularly
  • Audit user access and privileged user activities

Regulations cited: Payment Card Industry Data Security Standard; Federal Information Security Management Act; NIST Special Publication 800-53; Basel II; FFIEC Information Security Booklet; Health Insurance Portability and Accountability Act; Sarbanes-Oxley Act Section 404

Page 12: What IT cares about

1. Enable employee productivity
  • They can access the data they need for work, anywhere at any time
  • IT and security don’t get in the way
2. Ensure compliance requirements are addressed
  • IT can enforce required security policies on business data
  • IT is able to maintain access controls over business applications
3. Efficient management
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing

Page 13: Solution: Federated Identity

Page 14: Federated Identity

Where users have one login ID and password, and IT has one Federated Identity Infrastructure to manage.

[Diagram: End Users on Laptops, Smartphones and Tablets sharing a single ID]

Page 15: Strengthen Security with Federated Identity

• Federated Identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies, simplifying management
  • Ensures that IT controls access, eliminating the risk of orphaned accounts

[Diagram: Federation Trust linking the ID behind the Firewall with the Cloud Proxy Server and IDP as a Service]

Page 16: Extend Identity Services to Mobile Platforms

• Mobilize app and service access
  • Enable mobile access to Enterprise services and applications
  • Design mobile interfaces to seamlessly integrate with the Enterprise services
• Containerization to separate work from personal
  • Protect work applications and data from data leakage
  • Provide the laptop experience on mobile: unlock and access all business apps
• Centralize mobile and application administration
  • Enabling IT to manage security policies for Mobile, Workstations and Servers
  • Unifying app management into one interface for Mobile, Web and SaaS Apps
  • Leveraging automated lifecycle management through AD

Page 17: Federated Auth for Mobile is too hard

Page 18: Federated Auth for Mobile is too hard

1) App launches
2) Displays a login screen and an additional link for "Are you a Single Sign-On user?"
3) User clicks on it and is presented with a form for entering an email address
4) App then connects to the backend, redirects to the Enterprise IDP and opens a browser to present the IDP login screen
5) IDP displays the login screen asking for userid and password
6) IDP authenticates, generates a token and provides the token back
7) App receives the token, closes the browser window, then provides access to the service.

Page 19: Centrify Simplifies Mobile Federated Auth

Integrated Mobile App Authentication provides true enterprise Zero Sign-On:
• Mobile app authenticates and registers AD as its identity provider
• Mobile app can access information about user attributes in AD
• Mobile app gains SSO to backend services

[Diagram: Mobile App with the Mobile Auth SDK and MDM on the Mobile OS; Cloud Proxy Server and IDP as a Service behind the Firewall; Hosted Application. Step 1: Web Application Registration; Step 2: One-time user authentication & device registration; Step 3: Token Generation; Step 4: Token-based Authentication]

Page 20: Centrify SDK: Auth, Authorization & SSO

• Example Sales app integrated into Federated Auth via the Mobile Auth Service SDK
• App launch calls EnterpriseAuthentication.getUserInformation()
  • If the app is not registered OR if reauth is required, then the EnterpriseAuthentication SDK will:
    • Display enterprise login screen
    • Login to AD
    • Check user authorization
    • Check device Jailbreak status
    • Request Certificate
    • Display “Welcome %username”
  • else
    • Display “Welcome %username”
• onClick “Profile” calls EnterpriseAuthentication.userLookup()
  • Display User Attributes from AD
• onClick “Sales Records” calls EnterpriseAuthentication.getSecurityToken(target)
  • Request data from target using the SecurityToken to authenticate

Page 21: What to avoid!

• Caching of username & password inside the mobile app
• Taking on the burden of managing user identities
• Proprietary authentication implementations
• Sharing a PIN code across a group of apps and assuming that is SSO

“False assumption of security is worse than no security”

Page 22: Solution: Container

Page 23: Containers for a Secured Enterprise Environment

• Containers enable IT to create and control an Enterprise Environment instead of managing the entire device, e.g. passcode auto-lock on the container, not the device
• Enterprise IT controls all apps and data within the container, ensuring no data leak
• Data can be shared between mobile apps within the container without leaving the Enterprise Environment
• SSO is provided for all apps in the container, enabling the laptop experience on a mobile device

Page 24: Using Containerization for Dual Persona

• Dual persona enables usage of the same app with different personalities
  • Personal Mail on the device, Business Mail in the container
  • Personal Box account on the device, Business Box account in the container

[Diagram: Office 365, Mail and Dropbox accounts, each with a personal identity on the device and a business identity in the container]

Page 25: Samsung KNOX: Security From The Ground Up

• HW level and OS level Security
  • Secure Boot for preventing “Unauthorized” Operating System
  • Security Enhanced (SE) Android developed by NSA (National Security Agency)
  • TrustZone-based Integrity Measurement
• Android F/W and Application level Security
  • Application and data isolation for work and play with Container
  • On-Device Data Encryption
  • Virtual Private Network (FIPS 140-2)
  • Support for management via Active Directory / Group Policy Manager
  • Policies to comply with the US DoD Mobile OS Security Requirements Guide*
    • including CAC / PIV card support

Page 26: Enterprise SSO Service for Samsung KNOX

• Multi-application SSO is built into the Knox Container
  • One SSO Registration for the Container
  • Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user such as group memberships
  • Grants security tokens upon request for authorized web app/service

[Diagram: Samsung SE Android hosting a KNOX Container (Enterprise SSO, Mobile App 1 and Mobile App 2 each with the Mobile Auth SDK) alongside a Personal App; Cloud Proxy Server and IDP as a Service behind the Firewall; Web Application. Step 1: Web Application Registration; Step 2: One-time user authentication & Container registration; Step 3: Token Generation; Step 4: Token-based Authentication]

Page 27: App SSO Transaction Flow

[Diagram participants: Mobile Device (Mobile Application, Centrify Mobile API); Centrify Cloud Service (Application SAML script, SSO Service, Identity Provider); Service Provider (Box, DropBox)]

Step 1: User launches the application
Step 2: Authentication API Query
Step 3: Authenticate and Authorize user
Step 4: IDP generates and returns encrypted SAML response token
Step 5: SSO passes the SAML token to Mobile App
Step 6: SAML token sent to ACS URL
Step 7: SP verifies SAML token and allows access
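Steps 6 and 7 of this flow (and the "request data from target using the SecurityToken" step of the Page 20 SDK walkthrough) seen from the service provider's side, as an added Python example that is not part of the deck or of Centrify's SDK: the checks an SP must run on a SAML Response posted to its ACS URL before granting access. It assumes the XML signature has already been verified by a SAML library; the URLs, entity IDs, request and assertion IDs and timestamps are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Service-provider (SP) settings; every value here is constructed for this example.
SP = {"acs_url": "https://sales.example.com/saml/acs", "entity_id": "https://sales.example.com",
      "idp_issuer": "https://idp.example.com", "skew": timedelta(minutes=2)}

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2012-06-01T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, outstanding_ids, seen_assertion_ids, now):
    """Step 7 on the SP side, run after a SAML library has verified the XML signature:
    is this response addressed to us, fresh, and not replayed? Returns (ok, reason, NameID)."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP["acs_url"]:
        return False, "Destination is not our ACS URL", None
    if root.get("InResponseTo") not in outstanding_ids:
        return False, "unsolicited response or AuthnRequest ID already consumed", None
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    assertion = root.find("a:Assertion", NS)
    if assertion is None or assertion.findtext("a:Issuer", namespaces=NS) != SP["idp_issuer"]:
        return False, "missing assertion or unexpected Issuer", None
    if assertion.get("ID") in seen_assertion_ids:
        return False, "assertion ID already used (replay)", None
    cond = assertion.find("a:Conditions", NS)
    if cond is None or now + SP["skew"] < parse_ts(cond.get("NotBefore")) or now - SP["skew"] >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "missing Conditions or assertion outside its validity window", None
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if SP["entity_id"] not in audiences:
        return False, "assertion was issued for a different SP", None
    outstanding_ids.discard(root.get("InResponseTo"))  # each AuthnRequest is answered once
    seen_assertion_ids.add(assertion.get("ID"))         # remember the assertion for replay detection
    return True, "ok", assertion.findtext("a:Subject/a:NameID", namespaces=NS)

def sample_response(audience=SP["entity_id"], not_after="2012-06-01T12:05:00Z"):
    """Constructed, unsigned SAML Response shaped like what Step 6 posts to the ACS URL."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" ID="_r1"
  InResponseTo="_req42" Destination="{SP['acs_url']}">
  <p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>
  <a:Assertion ID="_a1"><a:Issuer>{SP['idp_issuer']}</a:Issuer>
    <a:Subject><a:NameID>jdoe@example.com</a:NameID></a:Subject>
    <a:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="{not_after}">
      <a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction>
    </a:Conditions></a:Assertion></p:Response>"""
```

The two sets passed in stand for the SP's store of AuthnRequest IDs it has issued and of assertion IDs it has already accepted; an assertion that passes every check is consumed, so presenting the same response twice is rejected as a replay.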

Page 28: Secure Identity Services for a Mobilized Workforce

• Federated Identity Service centralizes application authorization under IT control
  • Providing users with SSO to authorized services and applications
  • Eliminates the multiple-password challenges associated with hosted applications and services
• Mobilized application access and ZSO enable employee productivity
  • Users can access the data they need for work, anywhere at any time, with mobile access to email, shared files and applications
  • IT and security don’t get in the way with zero sign-on and container-based management
• Containerization enables security to address compliance requirements
  • IT can enforce required security policies on business data using Group Policy
  • IT is able to maintain access controls over business applications
• Integrated administration enables IT to efficiently manage mobility
  • Security officers can easily describe the security policies to be enforced
  • Helpdesk can easily take on the responsibilities of managing

Page 29: Nirvana Today

Now

Page 30: Thank You

Sumana [email protected]

http://www.centrify.com/mas