Publishing Enterprise Web Applications to BYOD using a Granular. Trust Model. Shachaf Levi IT Client Security & Connectivity May 2013.

Similar documents
Bring Your Own Device. Peter Silva Technical Marketing Manager

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

SAP Security in a Hybrid World. Kiran Kola

McAfee MVISION Mobile Microsoft Intune Integration Guide

McAfee MVISION Mobile Microsoft Intune Integration Guide

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

PKI is Alive and Well: The Symantec Managed PKI Service

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

SAP Single Sign-On 2.0 Overview Presentation

Introduction With the move to the digital enterprise, all organizations regulated or not, are required to provide customers and anonymous users alike

McAfee EMM Best Practices Document Upgrading your High Availability EMM installation

Application management in Nokia: Getting the most from Company Apps

SafeNet Authentication Service

Auditing Bring Your Own Devices (BYOD) Risks. Shannon Buckley

Make security part of your client systems refresh

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Dell One Identity Cloud Access Manager 8.0. Overview

Mobile Devices prioritize User Experience

Mobility Manager 9.5. Users Guide

Zero Trust in Healthcare Centrify Corporations. All Rights Reserved.

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Echidna Concepts Guide

AirWatch for Android Devices for AirWatch InBox

WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Use EMS to protect your mobile data and mobile app

Cloud Access Manager Overview

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Syncplicity Panorama with Isilon Storage. Technote

Introduction. The Safe-T Solution

Connect to Wireless, certificate install and setup Citrix Receiver

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

Reference manual Integrated database authentication

<Partner Name> <Partner Product> RSA SECURID ACCESS. VMware Horizon View 7.2 Clients. Standard Agent Client Implementation Guide

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Oracle Cloud Using the Evernote Adapter. Release 17.3

ArcGIS for Server: Security

PROVIDING SECURE ACCESS TO VMWARE HORIZON 7 AND VMWARE IDENTITY MANAGER WITH THE VMWARE UNIFIED ACCESS GATEWAY REVISED 2 MAY 2018

Sophos Mobile Control Technical guide

Secure IT consumeration (BYOD), users will like you How to make secure access for smart mobile devices

A Practical Step-by-Step Guide to Managing Cloud Access in your Organization

Building a BYOD Program Using Jamf Pro. Technical Paper Jamf Pro or Later 2 February 2018

Mobile Security using IBM Endpoint Manager Mobile Device Management

Self-Serve Password Reset

Office 365 and Azure Active Directory Identities In-depth

Unified Secure Access Beyond VPN

Single Sign-On Showdown

Managing BYOD Networks

HPE Intelligent Management Center

Intel Unite Solution. Plugin Guide for Protected Guest Access

HIPAA Regulatory Compliance

Pulse Secure Policy Secure

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

Skybox Product Tour. Installation and Starting Your Product Tour Tour Login Credentials: User Name: skyboxview Password: skyboxview

NetScaler Radius Authentication. Integration Guide

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Integration Guide. SafeNet Authentication Manager. Using SafeNet Authentication Manager with Citrix XenApp 6.5

Identity Management as a Service

Partner Information. Integration Overview. Remote Access Integration Architecture

Security Solutions for Mobile Users in the Workplace

SafeNet Authentication Service

How to Integrate an External Authentication Server

KACE GO Mobile App 5.0. Getting Started Guide

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Single Sign-On for PCF. User's Guide

Oracle Cloud Using the Microsoft Adapter. Release 17.3

McAfee MVISION Mobile AirWatch Integration Guide

Modernizing Meetings: Delivering Intel Unite App Authentication with RFID

Lookout Mobile Endpoint Security. AirWatch Connector Guide

McAfee epolicy Orchestrator

Copyright

Enterprise Services for NFuse (ESN) February 12, 2002

Intel Manageability Commander User Guide

Privileged Account Security: A Balanced Approach to Securing Unix Environments

<Partner Name> RSA SECURID ACCESS. VMware Horizon View Client 6.2. Standard Agent Implementation Guide. <Partner Product>

ProteggereiDatiAziendalion-premises e nel cloud

AT&T Global Network Client for Android

Identity Implementation Guide

Intel Unite Solution Version 4.0

Microsoft Unified Access Gateway 2010

ipass Open Mobile Overview

Oracle Cloud Using the Trello Adapter. Release 17.3

VMware AirWatch Android Platform Guide

KODO for Samsung Knox Enterprise Data Protection & Secure Collaboration Platform

Ekran System v Program Overview

Centrify Identity Services for AWS

How Next Generation Trusted Identities Can Help Transform Your Business

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

XenApp, XenDesktop and XenMobile Integration

Leveraging Azure Services for a Scalable Windows Remote Desktop Deployment

5 OAuth Essentials for API Access Control

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Challenges and. Opportunities. MSPs are Facing in Security

Cloud Link Configuration Guide. March 2014

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Getting Into Mobile Without Getting Into Trouble

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

Transcription:

Publishing Enterprise Web Applications to BYOD using a Granular Trust Model Shachaf Levi IT Client Security & Connectivity May 2013 Public

Legal Notices This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. * Other names and brands may be claimed as the property of others. 2

Agenda IT Risk And Security A Balancing Act : Protect to Enable Solution: Access Web applications based on dynamic and granular security controls web applications mobile friendly UI Seamless OTP Authentication and Single-Sign-On using Kerberos 3

IT Risk And Security A Balancing Act Open Access Controls increased cost and constrains use of data and systems How Do We Balance? Keeping us legal Availability of information Protection of information Industry influence Cost effectiveness of controls Locked Down Information assets should be fully protected Our Mission is to Protect to Enable 4

DEMO

6

How does it work User launches the TAP client application TAP client application performs the trust calculation TAP client application triggers an API to the McAfee* Pledge OTP User confirms the generation of the OTP The One-Time-Password being validated on the Gateway Gateway requests Kerberos ticket on user s behalf Backend web application is being accessed. 7

Components Application Gateway TAP client application Web Applications 8 Trust Broker

Components cont. TAP client application A lightweight client application Responsible for the client trust calculation Application gateway and authentication layer. Resides in the enterprise demilitarized zone (DMZ) provides the layer of enforcement by filtering the access Trust broker Calculates and responds with the trust level decision Contains the business logic and the granular trust level 9

Scenario A: BYO Smartphone Joe has a personally owned smartphone. He is in a coffee shop. Trust Level Device Trust Level = 2 Access granted? No Access Level Level 5: Top Secret Smartphone + Coffee Shop No No Level 4: Top Secret Level 3: Restricted Secret Yes Level 2: Confidential Remote display of confidential data but no local content storage Authentication Method = user OTP plus PIN Yes Level 1: Unclassified Container based apps Level 0: Internet access only 10

Scenario B: Intel-managed BYO smartphone Bob s BYO smartphone has an approved MDM solution installed and is running most current version of OS. OS has defined features. Bob is in an airport. Trust Level Device Trust Level = 3 Access granted? No Access Level Level 5: Top Secret BYO Smartphone with MDM + Airport No Yes Level 4: Top Secret Level 3: Restricted Secret Mostly container-based apps; some native apps by exception Authentication Method = device PIN plus embedded certificate Yes Yes Level 2: Confidential Native apps Level 1: Unclassified Native apps Level 0: Internet access only 11

Trust Calculation Dynamically determine what information is accessible based on several factors: User identity Type of device Security controls Physical location (on or off site) allow access, deny access, or allow limited or mitigated access Can deny change permissions on certain content Allow view-only permissions Block a download 12

McAfee* Pledge One-Time-Password authentication Using McAfee* Pledge One-Time-Password API to generate OTP from the client application User experience no need to enter a password 13

Single Sign On using Kerberos The Gateway authenticates the user The Gateway requests a Kerberos ticket on the user s behalf The Gateway presents the Kerberos Ticket to the backend web application Benefits: No passwords being transferred, only the Kerberos ticket Removes the need for Active Directory credentials on BYOD Single Sign On login once, access multiple times 14

User Experience our Trusted Application Portal (TAP) is customizable using scripts and HTML5 to support most SFF devices. adheres to the guidelines and standards for human factors engineering. 15

Results > 25 enterprise web applications, Smart phones friendly > 15 device types, multiple Operating Systems > 10,000 installs (35% of BYOD total devices) >12,000 accesses to backend applications per week 16

Next Steps 17

Key Messages Rethink information security in light of new technologies and attack trends Capitalize on the opportunity to reduce risk while enabling new technologies No silver bullet security still requires defense in depth 18

Thank You

Additional Resources Information Security Protect to Enable Strategy video Rethinking Information Security Intel IT's Security Business Intelligence Architecture Granular Trust Model Improves Enterprise Security Learn more about Intel IT s Initiatives at Intel.com/IT 20

Sharing Intel IT Best Practices with the World Learn more about Intel IT s Initiatives at www.intel.com/it 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback