cis13: deliver secure apps with great experiences
Post on 09-Jun-2015
Deliver Secure Apps with Great Experiences
Sean Ginevan, Director, Business Development, MobileIron
Enterprise mobile apps: Going mainstream
Retail! Finance! Manufacturing! Health Care!
Goals of the Enterprise App
• Business process focused … not comprehensive features
• Fast cycles … 8 week dev, 9 month life, 3 platforms
• High expectations … UX litmus test for adoption
  – Security & authentication should be transparent to the user
Consumer apps for the employee … not business apps for the enterprise
What are some auth options?
Multi-factor auth solutions: Provide a variety of solutions to establish user identity to mobile apps.
MAM: Provides an application store and the ability to extend MDM functions into enterprise and commercially developed apps. Standalone options exist, but lack of integration with MDM and devices makes for challenging implementations.
Username & Password: Tried and true, basic authentication provides some challenges for mobile
“Single Sign-On”: Drives improvements around user authentication but means many things to many people
A bit on basic authentication
• Easily the most popular auth type for mobile apps but…
• Configuration of user identity into applications
• Fat fingering and password rotation problems
• Concerns over password hijacking (MiTM attacks)
• Password management might be in browser; not in your app by default.
• Concerns around password storage
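Two of the concerns listed above, the MiTM exposure of the credential and the storage of the password on the server, made concrete in an added Python example (this is not code from the deck or from MobileIron). The user name, password, header value and the iteration count are constructed or assumed for the example.

```python
"""Added example (not from the MobileIron deck): two of the basic-auth concerns
above made concrete.

1. An HTTP Basic ``Authorization`` header only base64-encodes ``user:password``,
   so anyone who can read the request (the MiTM concern) recovers both.
2. Password storage: a salted PBKDF2-HMAC-SHA256 hash checked in constant time,
   instead of keeping the password itself.

Every user name, password and header value here is constructed for the example.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: the OWASP (2023) figure for PBKDF2-HMAC-SHA256


def decode_basic_header(header_value: str) -> tuple[str, str]:
    """Recover (username, password) from a ``Basic ...`` header value.

    This is exactly what an on-path observer does with an unencrypted request:
    base64 is an encoding, not a protection, which is why Basic auth is only
    as safe as the TLS channel it travels over.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    raw = base64.b64decode(encoded).decode("utf-8")
    username, _, password = raw.partition(":")  # the password may itself contain ':'
    return username, password


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own salt and iteration count and
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def authenticate(header_value: str, user_db: dict[str, str]) -> str | None:
    """Server-side check: return the user name on success, else None.

    ``user_db`` maps user name -> hash_password() record; the server never
    keeps the clear-text password once the request has been processed.
    """
    try:
        username, password = decode_basic_header(header_value)
    except ValueError:
        return None
    record = user_db.get(username)
    if record is None:
        # Burn the same hashing cost so unknown users take as long as known ones.
        hash_password(password)
        return None
    return username if verify_password(password, record) else None


if __name__ == "__main__":
    # Constructed credentials: "alice" / "s#cret" -> base64("alice:s#cret")
    header = "Basic YWxpY2U6cyNjcmV0"
    print("observer recovers:", decode_basic_header(header))
    db = {"alice": hash_password("s#cret")}
    print("stored record:", db["alice"][:40] + "...")
    print("auth ok:", authenticate(header, db))
```

The record format carries its own salt and iteration count, so the cost can be raised later without invalidating existing entries; the dummy hash on unknown users keeps the response time from revealing which accounts exist.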
The next phase: Certs!
• Eliminates password complexities & provides session trust but…
• How do certs get onto devices?
• Who terminates the cert?
  – App server in DMZ? Kerberos in DMZ? Additional KCD provider?
• [platform logo] vs [platform logo] vs [platform logo] – Wildly inconsistent feature sets
• Protection of certificate material (compromised devices & deletion)
• Lack of access to device cert store by apps.
Single Sign On: Many Things to Different People
• Use my existing web auth solution (Siteminder)
• Use Kerberos somehow?
• Use my SAML provider
• Use something new…
Using Kerberos for Mobile Apps
• Advantage: Lots of back end app servers support it
• Further advantage: Native OS technologies adopting
• Challenges:
  – Establishing the user identity
  – Who processes the Kerberos transaction?
  – Protecting the Kerberos infrastructure
Using Web Access Management for Mobile
• Advantage: Lots of back end app servers support it
• Your browser-based apps should just work…
• Challenges:
  – Containerization prevents sharing of sessions across native apps
  – SDKs for mobile development are still relatively new, proprietary.
Using SAML for Mobile Apps
• Advantage: You’ve maybe been down this road for federation to other services.
• Challenges:
  – SAML tokens can’t be easily transmitted into a native app via HTTP POST
    • Embedded web views for auth can solve this but aren’t clean
    • SDKs are being developed to facilitate token transmission.
    • Middleware servers that extract tokens and convert to URL handler
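The last option above, a middleware server that takes the token off the browser POST and hands it to the native app through a URL handler, sketched in an added Python example (not code from the deck, from MobileIron or from any SAML vendor). The browser completes the SAML flow with an HTTP POST to the middleware; the middleware keeps the assertion server-side and redirects to a custom URL scheme carrying only a random, short-lived, one-time handle, which the app redeems over its own TLS connection. The scheme `corpapp://`, the callback path, the form field handling and the assertion text are all constructed for the example; validation of the assertion's signature is assumed to happen before `receive_saml_post` is called and is not shown.

```python
"""Added example (not from the MobileIron deck): a middleware that moves a SAML
token from a browser HTTP POST into a native app via a URL handler, without
ever placing the token itself in the URL (where it would land in browser
history, proxy logs, or any other app registered for the same scheme).

The scheme, callback path and assertion text are constructed for the example.
"""
from __future__ import annotations

import os
import time
import urllib.parse

HANDLE_TTL_SECONDS = 60
APP_SCHEME = "corpapp"          # constructed custom URL scheme the app registers
CALLBACK_PATH = "sso/callback"  # constructed: host + path part of the callback URL

# handle -> (assertion, expiry). An in-memory dict stands in for the
# middleware's backing store in this example.
_pending: dict[str, tuple[str, float]] = {}


def receive_saml_post(form_fields: dict[str, str], now: float | None = None) -> str:
    """Assertion consumer step: stash the SAMLResponse, return the redirect URL
    the browser is sent to (the OS then launches the app that owns the scheme)."""
    now = time.time() if now is None else now
    assertion = form_fields["SAMLResponse"]
    handle = os.urandom(16).hex()  # 128 random bits: unguessable, carries no data
    _pending[handle] = (assertion, now + HANDLE_TTL_SECONDS)
    query = urllib.parse.urlencode({"handle": handle})
    return f"{APP_SCHEME}://{CALLBACK_PATH}?{query}"


def parse_callback_url(url: str) -> str | None:
    """Native-app side: pull the handle out of the URL the OS delivered,
    refusing anything that is not exactly our scheme and callback path."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != APP_SCHEME or f"{parts.netloc}{parts.path}" != CALLBACK_PATH:
        return None
    handles = urllib.parse.parse_qs(parts.query).get("handle", [])
    return handles[0] if len(handles) == 1 else None


def redeem_handle(handle: str, now: float | None = None) -> str | None:
    """Middleware side: one-time exchange of a handle for the stored assertion.

    Returns None for an unknown, already-used or expired handle. ``pop`` makes
    the handle single-use even if two redemptions race on this one store.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(handle, None)
    if entry is None:
        return None
    assertion, expires_at = entry
    return assertion if now <= expires_at else None


def purge_expired(now: float | None = None) -> int:
    """Housekeeping: drop handles nobody redeemed; returns how many were dropped."""
    now = time.time() if now is None else now
    stale = [h for h, (_, expires_at) in _pending.items() if now > expires_at]
    for h in stale:
        del _pending[h]
    return len(stale)


if __name__ == "__main__":
    # Constructed stand-in for the signed SAML response a browser would POST.
    post_body = {"SAMLResponse": "<constructed-SAMLResponse>", "RelayState": "MobileApp"}
    redirect = receive_saml_post(post_body)
    print("browser is sent to:", redirect)
    handle = parse_callback_url(redirect)
    print("app redeems once:", redeem_handle(handle) is not None)
    print("second redemption:", redeem_handle(handle))
```

In a real deployment the redemption call would also be bound to the app instance that started the flow (for example a PKCE-style verifier the app generates before opening the browser), and the usual audience, validity-window and signature checks on the assertion still apply on the middleware before anything is stored.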
Authorization Agent (AZA)
• Being backed by large players like VMWare, Ping, Box, MobileIron
• Provides a standard for transmission of user & session identity data between applications.
• Challenges:
  – Productization
  – App server support for OAUTH
Client-side options…
Hardware-based certificates
• Required for some applications
  – Defense, Homeland Security, contractors (CAC, PIV, etc)
  – Swedish Healthcare System (SITHS)
  – Certain industries (e.g. Oil & Gas, FiServ)
• Challenges
  – Readers are proprietary. Some middleware is proprietary, others not.
  – Form factor options can be daunting, lag behind device hardware intros
  – Obtuse development environments
  – Expensive
Adaptive authentication
• Leverages multi-factor authentication on a risk-driven basis
• New implementations are being developed by RSA, Oracle and others. Expect more here soon.
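A risk-driven step-up policy of the kind the bullets above describe, as an added Python example (not code from the deck, from MobileIron, RSA or Oracle). A low-risk login gets the transparent path the deck asks for earlier (device certificate only), rising risk adds a factor, and a compromised device is refused outright. Every signal, weight and threshold is constructed for illustration; a production engine is tuned on the organisation's own data.

```python
"""Added example (not from the MobileIron deck): a risk-driven step-up policy
that decides which factors a mobile app must collect for a given login.

All signals, weights and thresholds are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    device_enrolled: bool         # device known to MDM and holding an identity cert
    device_compromised: bool      # jailbreak/root or failed attestation reported
    network_seen_before: bool     # source network previously associated with this user
    hours_since_last_auth: float  # age of the last full authentication
    resource_sensitivity: str     # "low" | "medium" | "high"


@dataclass(frozen=True)
class Decision:
    action: str              # "allow" | "step_up" | "deny"
    factors: tuple[str, ...]  # factors the app must collect before the session is trusted
    score: int


SENSITIVITY_WEIGHT = {"low": 0, "medium": 15, "high": 30}
STEP_UP_THRESHOLD = 20         # at or above: ask for a second, lightweight factor
STRONG_STEP_UP_THRESHOLD = 50  # at or above: ask for a one-time code instead


def risk_score(ctx: LoginContext) -> int:
    """Additive score; each signal is independent so the result is explainable
    in an audit log ("+40 unenrolled device, +15 new network")."""
    if ctx.resource_sensitivity not in SENSITIVITY_WEIGHT:
        raise ValueError(f"unknown sensitivity {ctx.resource_sensitivity!r}")
    score = 0
    if not ctx.device_enrolled:
        score += 40
    if not ctx.network_seen_before:
        score += 15
    if ctx.hours_since_last_auth > 24:
        score += 10
    score += SENSITIVITY_WEIGHT[ctx.resource_sensitivity]
    return score


def decide(ctx: LoginContext) -> Decision:
    """Map the score to an action and the factors the app must collect."""
    score = risk_score(ctx)
    if ctx.device_compromised:
        # No factor the user can supply outweighs a compromised platform.
        return Decision("deny", (), score)
    # An enrolled device proves itself silently with its certificate; an
    # unenrolled one has only a password to offer as its first factor.
    base = "device_cert" if ctx.device_enrolled else "password"
    if score < STEP_UP_THRESHOLD:
        return Decision("allow", (base,), score)  # transparent to the user
    if score < STRONG_STEP_UP_THRESHOLD:
        return Decision("step_up", (base, "app_pin"), score)
    return Decision("step_up", (base, "otp"), score)


if __name__ == "__main__":
    routine = LoginContext(True, False, True, 2.0, "low")
    risky = LoginContext(False, False, False, 48.0, "high")
    print(decide(routine))
    print(decide(risky))
```

Keeping the scoring additive and the thresholds explicit is what makes each prompt for a factor defensible to the user and to an auditor; the denial branch runs before any factor is requested so a rooted device never gets to present a valid OTP.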
Biometrics & other factors
• New innovations using embedded cameras for eye recognition, facial recognition
• Fingerprint readers in device hardware?
• NFC, Bluetooth and other near-field token-based technologies.