Adaptive Access to Applications Anywhere and from Any Device
F5 EMEA Webinar, November 2014
Andrzej Kroczek, Field Systems Engineer
Today's Network and App Access: So Many Variables!
- Locations: headquarters, branch, remote, home, office, other location(s)
- Users: mobile employee, contractor, remote employee, partner, office employee, customer, guest, other user(s)
- Devices: desktop, laptop, smartphone, tablet, wearable, camera, other device(s)
- Apps and their locations: physically hosted apps, cloud hosted apps, hybrid cloud hosted apps, web-based apps, mobile storefront, mobile apps, other apps, all reached over the Internet
F5 Networks, Inc. 2
Mobility is Exploding
The number of mobile workers in Western Europe is expected to reach 512 million by 2015 (source: IDC).
Access Management Trends
- IAM, security, and risk management are overlapping, related disciplines
- Expansion of risk-based authentication
- Greater focus on request context
- Intersection of social, mobile, cloud, and data
- The standalone SSL VPN market is static, while the market for integrated security devices, including remote/mobile access, is growing
- Remote access plays a vital role in mobile VPN access
Business Challenge: Managing Access Today
- Rapidly expanding, changing mobile workforce
- Explosion in the number of users, use cases, and in-use devices
- Increased virtualization
- Fast-rising number of security threats and attacks
- Need to manage access based on identity and context
What is Needed to Control and Manage Access (for employees, partners, customers, and administrators)
- Control access based on granular, context-based attributes
- Differentiate authentication based on context, or use emerging authentication methods
- Unify, consolidate, and simplify secure access to all applications
- Provide fast authentication, SSO, and identity federation across applications
- Provide a simple user experience for authentication, authorization, and access
Control Through Context: user/device information + network/connection + application health and risk
User Context in Security
- Device type and integrity
- Operating system
- Browser
- Location
- Intelligence and visibility
Network/Connection Context in Security
- Authentication
- Access method
- Network integrity
- Network quality and availability
- Connection integrity
Application Context in Security
- App location
- App health
- App type/version
- App vulnerability
- App importance and risk
Challenge of Enabling Secure Mobile/Remote Access from Any Device, Anywhere
- Provide full or differentiated network access for employees
- Provide per-app access from BYOD or mobile devices
- Provide restricted access for partners and guests
(Figure: all three user populations reach www.company.com through the same access gateway.)
Secure, Accelerated Mobile and Remote Access
- Fast and secure connections maximise productivity for global users
- Seamless integration minimises cost and simplifies the end-user experience
(Figure: remote users reaching www.f5.com through the access gateway.)
Multifactor Authentication
(Figure: a user in the HR group is authenticated against the HR AAA server before being admitted to www.f5.com.)
Endpoint Integrity Inspection
Threats to devices: outdated protection, malware, hackers, advanced persistent threats, hacktivism, bots, state-sponsored attacks, and other threats.
Ensure integrity and compliance with organizational and regulatory policies regardless of the type of endpoint and OS being used.
Difficulty in Sharing Identity Across Any Application, Anywhere
- Silos of identity
- Identity is still on-premises while apps and data move to the cloud (Salesforce, Office 365, Concur, Google Docs)
- Too many different passwords are needed for the many different applications
(Figure: identity and access management sits in the data center alongside physical and virtual applications, while devices reach cloud applications over the Internet.)
Single Sign-On (SSO) Challenges
- Not all tokens work across all domains
- Some SSO tools must check in with an authorizing decision point
- Difficult to visualise SSO topology and deployment
(Figure: users on mobile devices, supported platforms and BYOD; an SSO server and middleware with agents on web application servers and in the public cloud; at each hop the open questions are: decision? step-up? change AuthZ? fake AuthN? delegate? adaptive authentication? external resource?)
SSO and Identity Federation Require Greater Flexibility
- Not all applications and identity directories are created equal
- Reworking identifiers is sometimes necessary to compensate for legacy applications
- Step-up authentication cannot be used without a flexible way to assess which credentials are needed, and when
Adaptive Authentication and Access
- Transform one type of authentication into another so an application can understand and use it without installing additional agents
- Allow flexible selection of the SSO technique appropriate to the application
- Allow centralized session control of all applications, even SaaS
(Figure: users pass through adaptive authentication, endpoint validation, fraud protection and SSO selection; the gateway then speaks the technique each app understands: SAML federation or SAML pass-through, simple assertion, token, Kerberos delegation, password, step-up authentication, dynamic forms or certificates, towards apps in the private or public cloud.)
Identity Federation and SSO Benefits
- Provide seamless access to all resources, including web- and cloud-based apps
- Enhance and simplify the user experience, increase user productivity
- Instantly provision and de-provision access to cloud apps
(Figure: a Finance user on a corporate managed device with the latest antivirus software is authenticated by the AAA server and given access to the Salesforce.com expense report app.)
Identity Federation Architecture
- On-premises infrastructure: access management, directory services, corporate applications
- Corporate users: identity management and multi-factor authentication at the access manager
- SAML between the access manager and the SaaS providers (Office 365, Google Apps, Salesforce) provides identity federation
- Real-time access control and access policy enforcement at the access manager keep attackers out of the SaaS applications
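The checks a federation gateway has to perform before it can turn an inbound assertion into whatever the application behind it understands (the bridge described on the SSO-challenges, adaptive-authentication and federation-architecture slides), as an added example that is not F5 code. Real SAML assertions are XML signed with XML-DSig; this stand-in signs a JSON body with HMAC-SHA256 so it runs without an XML library. The shared key, issuer and audience URLs, header names and the sample subject are all constructed for the illustration.

```python
"""Identity bridge: validate a federated assertion at the access gateway, then
present the identity to an application in a form it understands (trusted headers
on the proxied request). Added example, not F5 code. Real SAML assertions are XML
signed with XML-DSig; this stand-in signs a JSON body with HMAC-SHA256 so it runs
without an XML library. Keys, issuer and audience URLs are constructed."""
import hashlib
import hmac
import json
import secrets

IDP_KEY = b"constructed-idp-shared-secret"   # stands in for the IdP signing certificate
TRUSTED_ISSUER = "https://idp.example.corp/saml"
OUR_AUDIENCE = "https://access.example.corp/sp"
CLOCK_SKEW = 120                             # seconds tolerated between IdP and SP clocks

def _sign(body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()

def issue_assertion(subject, attrs, now, audience=OUR_AUDIENCE, lifetime=300):
    """IdP side: issued after the user authenticated (possibly with a second factor)."""
    body = {"id": "_" + secrets.token_hex(16), "issuer": TRUSTED_ISSUER,
            "subject": subject, "audience": audience, "attrs": attrs,
            "not_before": now, "not_on_or_after": now + lifetime}
    return {"body": body, "signature": _sign(body)}

class AccessGateway:
    """SP side: validates assertions, owns every session, rewrites identity per app."""

    def __init__(self):
        self._seen_ids = set()   # assertion IDs already consumed (replay protection)
        self._sessions = {}      # gateway session id -> (subject, attrs)

    def consume(self, assertion, now):
        body, sig = assertion["body"], assertion["signature"]
        if not hmac.compare_digest(sig, _sign(body)):
            raise ValueError("bad signature")
        if body["issuer"] != TRUSTED_ISSUER:
            raise ValueError("untrusted issuer")
        if body["audience"] != OUR_AUDIENCE:
            raise ValueError("assertion issued for another audience")
        if not (body["not_before"] - CLOCK_SKEW <= now < body["not_on_or_after"] + CLOCK_SKEW):
            raise ValueError("assertion outside its validity window")
        if body["id"] in self._seen_ids:
            raise ValueError("assertion replayed")
        self._seen_ids.add(body["id"])
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (body["subject"], dict(body["attrs"]))
        return sid

    def legacy_headers(self, sid, incoming):
        """Header-based SSO for an app that cannot consume SAML: drop any identity
        headers the client supplied, then set the ones the app trusts from the proxy."""
        if sid not in self._sessions:
            raise PermissionError("no gateway session")
        subject, attrs = self._sessions[sid]
        clean = {k: v for k, v in incoming.items() if not k.lower().startswith("x-remote-")}
        clean["X-Remote-User"] = subject
        clean["X-Remote-Groups"] = ",".join(sorted(attrs.get("groups", [])))
        return clean

    def logout(self, sid):
        """Central session control: one revocation ends access to every proxied app."""
        return self._sessions.pop(sid, None) is not None

def demo(now=1_416_000_000):
    """One login, the legacy header rewrite, four rejected assertions, then logout."""
    gw = AccessGateway()
    good = issue_assertion("alice@example.corp", {"groups": ["staff", "hr"]}, now)
    sid = gw.consume(good, now)
    out = {"headers": gw.legacy_headers(sid, {"Host": "hr.example.corp",
                                              "X-Remote-User": "admin"})}
    forged = {"body": dict(good["body"], subject="mallory@example.corp"),
              "signature": good["signature"]}
    attempts = {"replay": (good, now), "tampered": (forged, now),
                "wrong_audience": (issue_assertion("alice@example.corp", {}, now,
                                                   audience="https://other.example/sp"), now),
                "expired": (issue_assertion("alice@example.corp", {}, now), now + 600)}
    for name, (assertion, at) in attempts.items():
        try:
            gw.consume(assertion, at)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    out["logout"] = gw.logout(sid)
    try:
        gw.legacy_headers(sid, {})
        out["after_logout"] = "served"
    except PermissionError:
        out["after_logout"] = "rejected"
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to a real deployment: the gateway strips client-supplied `X-Remote-*` headers before adding its own, because a header-trusting legacy app is only safe when nothing but the proxy can reach it; and the session table lives at the gateway, not in each app, which is what makes a single logout (or a policy change) effective across every application at once.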
Controlling Enterprise Mobile Access and Managing Enterprise Mobility
- EMM: app wrapping, app management and reporting; managed apps (app tunnel plus app policy, data transfer permitted) versus unmanaged apps (no data transfer)
- Remote access gateway: endpoint inspection, app tunnel termination, authentication, access policy management, identity federation, mobile app security, managed app policy
- Application access management: mobile users reach the authentication store, data center email, Salesforce.com and mobile applications through the gateway
Securing and Managing Mobile Access, Apps, and Devices
Deliver enhanced capabilities over existing mobile access gateways:
- Per-app VPN
- Secure remote (SSL VPN) access
- ActiveSync and other proxy services support
- Granular access policy management
- Application access management
- Federated identity/SSO
Integrate with existing market-leading MDM/EMM offerings, seamlessly provisioning mobile devices:
- Mobile application management (MAM)
- Mobile device management (MDM)
- Mobile content management (MCM)
- Sandboxing
- Workspace applications
- File readers and editors
- File systems and portal access
- App wrapping
- Certificate and app provisioning
- Remote lock and wipe
Enhanced Web Access Management
Proxy web applications to provide authentication, authorisation, and device inspection.
(Figure: the website administrator creates the policy; a user in the corporate domain and the HR group, with the latest AV software and a current OS, is checked against the AAA server before reaching the website.)
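What "control through context" looks like once the user, device, network and application signals from the earlier slides are combined into one decision, with the HR-user/latest-AV/current-OS check of the multifactor, federation-benefits and web-access-management figures as concrete cases. This is an added example, not F5 code or an F5 policy; the attribute names, the seven-day signature age and country thresholds, the group names and every sample request are constructed for the illustration.

```python
"""Context-based access decision: user, device, network and application signals
combined into allow / step-up / deny. Added example, not F5 code; attribute
names, thresholds, group names and the sample requests are all constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # admit only once a second factor has been completed
    DENY = "deny"

@dataclass(frozen=True)
class UserContext:
    name: str
    user_type: str                # "employee", "partner" or "guest"
    groups: frozenset             # directory groups, e.g. {"hr"}
    factors_completed: frozenset  # e.g. {"password", "otp"}

@dataclass(frozen=True)
class DeviceContext:
    managed: bool                 # enrolled in corporate MDM/EMM
    jailbroken: bool
    os_current: bool              # at the approved patch level
    av_signature_date: date

@dataclass(frozen=True)
class NetworkContext:
    on_corporate_network: bool
    country: str

@dataclass(frozen=True)
class AppContext:
    name: str
    required_group: str
    sensitivity: str              # "low", "medium" or "high"
    partner_accessible: bool = False

MAX_AV_SIGNATURE_AGE_DAYS = 7     # assumed policy thresholds
ALLOWED_COUNTRIES = frozenset({"PL", "DE", "GB", "US"})

def decide(user, device, net, app, today):
    """Return (Decision, reasons). Hard failures deny; soft findings raise the bar."""
    if device.jailbroken:
        return Decision.DENY, ["device integrity check failed: jailbroken"]
    if user.user_type == "guest":
        return Decision.DENY, ["guests get no application access"]
    if user.user_type == "partner" and not app.partner_accessible:
        return Decision.DENY, [f"{app.name} not published to partners"]
    if app.required_group not in user.groups:
        return Decision.DENY, [f"user not in group {app.required_group}"]
    findings = []   # posture/location problems that do not deny outright
    av_age = (today - device.av_signature_date).days
    if av_age > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(f"AV signatures {av_age} days old")
    if not device.os_current:
        findings.append("OS not at approved patch level")
    if net.country not in ALLOWED_COUNTRIES:
        findings.append(f"unexpected source country {net.country}")
    second_factor = bool(user.factors_completed & {"otp", "certificate"})
    risky_path = not net.on_corporate_network or not device.managed
    if app.sensitivity == "high":
        if not device.managed:
            return Decision.DENY, findings + ["high-sensitivity app requires managed device"]
        if (risky_path or findings) and not second_factor:
            return Decision.STEP_UP, findings + ["second factor required"]
    elif findings and not second_factor:
        return Decision.STEP_UP, findings + ["second factor required"]
    return Decision.ALLOW, findings

def run_samples(today=date(2014, 11, 20)):
    """Constructed requests covering each outcome; returns (label, decision, reasons)."""
    hr_app = AppContext("expense-report", "hr", "high")
    portal = AppContext("partner-portal", "partners", "low", partner_accessible=True)
    alice = UserContext("alice", "employee", frozenset({"hr", "staff"}), frozenset({"password"}))
    bob = UserContext("bob", "employee", frozenset({"finance"}), frozenset({"password"}))
    carol = UserContext("carol", "partner", frozenset({"partners"}), frozenset({"password"}))
    fresh, stale = date(2014, 11, 19), date(2014, 10, 31)
    corp_laptop = DeviceContext(True, False, True, fresh)
    stale_laptop = DeviceContext(True, False, True, stale)
    byod_phone = DeviceContext(False, False, True, fresh)
    rooted_phone = DeviceContext(False, True, False, stale)
    office = NetworkContext(True, "PL")
    home = NetworkContext(False, "PL")
    cases = [("hr-office-managed", alice, corp_laptop, office, hr_app),
             ("hr-home-stale-av", alice, stale_laptop, home, hr_app),
             ("hr-byod-phone", alice, byod_phone, home, hr_app),
             ("finance-to-hr-app", bob, corp_laptop, office, hr_app),
             ("partner-to-hr-app", carol, byod_phone, home, hr_app),
             ("partner-to-portal", carol, byod_phone, home, portal),
             ("rooted-device", carol, rooted_phone, home, portal)]
    return [(label, *decide(u, d, n, a, today)) for label, u, d, n, a in cases]

if __name__ == "__main__":
    for label, decision, reasons in run_samples():
        print(f"{label:20} {decision.value:8} {'; '.join(reasons)}")
```

The ordering is deliberate: integrity and authorization failures deny before any posture data is consulted, so a rooted device or a user outside the required group never gets offered a step-up; posture and location findings are collected rather than short-circuited, so the user (and the log) sees every reason a second factor was demanded; and the one rule that escalates to a deny on its own is the unmanaged device reaching a high-sensitivity app, which is the per-app BYOD restriction the earlier slides describe.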
Simplifying VDI
- Simplify virtual deployment, with no additional clients needed
- Improve scale and reliability
- Provide a better user experience, with SSO
- Enable a vendor-agnostic front end for XenDesktop, Horizon View and RDP virtual desktops, each authenticated against the AAA server
Recent News About Remote/Mobile Access
- Juniper has sold its Junos Pulse mobile security portfolio for $250 million to Siris Capital, noting that this is consistent with its strategy to focus on "where its customers and the market is heading with High-IQ networks and building the next-generation of clouds."
- Taking advantage of a Cisco ASA Clientless SSL VPN information disclosure and DoS vulnerability could result in disclosure of internal information or, in certain circumstances, a reload of the affected system.
- Recently published research has found that a quarter of employees breach their company's security guidelines for remote working, putting confidential business data at risk.
- Siris Capital announced that it has completed its acquisition of the Junos Pulse business from Juniper Networks, the industry leader in network innovation, and incorporated that business under the name Pulse Secure.
Migration Strategy
Simplify the migration from a legacy access control product to a new access control and management environment. Consider and complete the following tasks:
- Migration planning
- Architectural and technology review
- Initial platform setup and configuration
- Configuration migration and testing
Phases: migration planning; platform setup and configuration; policy creation and management; configuration migration and testing; knowledge transfer.
Deep Technical Migration Expertise is Needed
- Leverage best practices to mitigate migration risks
- Accelerate deployment with skilled resources that know both technologies
- Optimize availability, performance, and reliability
- Extend your staff's reach and skills
- Capitalize quickly on the enhanced functionality provided by the ADC
Transitioning from Legacy Access Products to Emerging Access Solutions
- Seek vendor programs that will compensate you for trading up from your outdated, legacy access control products
- Upgrade your existing access control products with a solution that also supports identity federation/SSO, integrated secure cloud-based access, web access management, and secure mobile access
- Choose a solution that is flexible, extensible, and highly scalable
- Select vendors and partners that will deliver and implement a comprehensive migration strategy, including technical expertise
Identity and Access Management (IAM) Solution
Adaptive authentication, authorization, and access to all applications:
- Secure web access / web access management: Internet web-based apps and Internet apps
- Remote/mobile access and application access: enterprise apps
- Enterprise mobility access and management: mobile apps
- Identity federation / identity bridge: cloud, SaaS, and partner apps
Solutions for an Application World.