
1 Hitachi ID Mobile Access

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Secure Access to On-Premises IAM from Personal Devices.

2 The BYOD challenge

Users

• Want to access everything from their phones.
• This includes password resets, approving access requests, checking out privileged passwords and more.

IT/Security

• Need to protect the network against attackers.
• Prefer to block access to sensitive IAM systems from the public Internet.
• Cannot easily justify permissive changes to firewall configuration.

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3 Mobile app architecture (1/4)

Diagram: personal device on the Internet; Internet-facing firewall; DMZ; inner firewall; private corporate network containing the IAM server.

• The user’s phone probably has no VPN client installed.
• The phone – via a data plan – is connected to the public Internet.
• The IAM system is attached to the corporate network, behind multiple firewalls.

4 Mobile app architecture (2/4)

Diagram: same topology as slide 3 (personal device, Internet, firewall, DMZ, firewall, private corporate network with the IAM server). An inbound path from the Internet to the IAM server is labelled “Risky, controversial, likely not allowed”; an outbound path from the IAM server to the Internet is labelled “Simple, uncontroversial firewall configuration”.

• Firewalls are designed to block inbound connections.
• Outbound connections are usually allowed or easily justified.
• Inbound connections would require:
  – Port forwarding; or
  – A reverse web proxy.
• We want to minimize the set of attackers who can probe the IAM system.


5 Mobile app architecture (3/4)

Diagram: same topology as slide 4, with the inbound path labelled “Risky, controversial, likely not allowed” and the outbound path labelled “Simple, uncontroversial firewall configuration”.

How can a smart phone app, without a VPN, access an API or web UI published by an on-premise application server?

6 Mobile app architecture (4/4)

Outbound connections only

Diagram: personal device on the Internet; cloud proxy (message passing system) on the Internet; Internet-facing firewall, DMZ, inner firewall, and the IAM server on the private corporate network. (1) A worker thread on the IAM server connects outbound to the proxy: “Give me an HTTP request.” (2) The personal device sends an HTTPS request to the proxy: “Includes userID, deviceID.” (3) The message passing system relays between the two ends.

• The solution is to insert a proxy between the BYOD and the IAM system.
• The proxy is on the Internet, so it is reachable by both.
• Connections from both ends are authenticated.


7 BYOD security features

Problem: Only accept connections from activated devices.
Solution:
• Deploy an app to the device.
• Install a personal key at activation time.
• Proxy rejects connections with a bad/missing key.
• IAM system only receives valid traffic.

Problem: Denial of service attacks.
Solution:
• Proxy is efficient but somewhat vulnerable.
• Attackers have no key – DDoS attacks never reach the IAM system.

Problem: Lost/stolen device.
Solution:
• Keys can be revoked.
• Users still need to authenticate.

Problem: Two factor authentication.
Solution:
• Use of a valid key is a first authentication step.
• Follow up with password, security questions, etc.
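The following is an added, constructed Python model of the outbound-only relay described on slides 6 and 7; it is not code from the presentation or from Hitachi ID. The `CloudProxy`, `sign_request` and `iam_handle` names, the HMAC-based device key, the in-memory queue and the sample user `alice` are all assumptions made for illustration. It shows the IAM worker pulling requests from the proxy (no inbound connection into the corporate network), the proxy dropping requests from unactivated, revoked or tampered devices before they ever reach the IAM server, and the IAM server still demanding a second factor once the device key has been accepted.

```python
"""Constructed model of an outbound-only relay between personal devices and
an on-premises IAM server (assumed design, not Hitachi ID's implementation).
Both the phone and the IAM worker call out to the proxy; nothing connects in."""
import hashlib
import hmac
import json
import secrets
from collections import deque


class RejectedRequest(Exception):
    """Raised by the proxy when a request carries a bad or missing device key."""


def sign_request(key, user_id, device_id, body):
    """Device-side HMAC over the identity fields and the request body."""
    msg = json.dumps({"user_id": user_id, "device_id": device_id, "body": body},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CloudProxy:
    """Internet-facing message passing system (assumed, in-memory)."""

    def __init__(self):
        self.device_keys = {}   # device_id -> (user_id, per-device secret)
        self.revoked = set()    # device_ids whose key was revoked (lost/stolen)
        self.pending = deque()  # requests waiting for the IAM worker to pull them
        self.responses = {}     # request_id -> response posted by the IAM server
        self.rejected = 0       # requests dropped here; they never reach IAM

    def activate_device(self, device_id, user_id):
        """Activation: issue the personal key the app stores on the phone."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = (user_id, key)
        return key

    def revoke_device(self, device_id):
        self.revoked.add(device_id)

    def submit(self, device_id, user_id, body, signature):
        """Phone side: HTTPS POST of a signed request (step 2 on the diagram)."""
        entry = self.device_keys.get(device_id)
        if entry is None or device_id in self.revoked or entry[0] != user_id:
            self.rejected += 1
            raise RejectedRequest("unknown, revoked or mismatched device")
        expected = sign_request(entry[1], user_id, device_id, body)
        if not hmac.compare_digest(expected, signature):
            self.rejected += 1
            raise RejectedRequest("bad signature")
        request_id = secrets.token_hex(8)
        self.pending.append({"id": request_id, "user_id": user_id,
                             "device_id": device_id, "body": body})
        return request_id

    def fetch_response(self, request_id):
        return self.responses.pop(request_id, None)

    def next_request(self):
        """IAM side: the worker's outbound 'give me an HTTP request' (step 1)."""
        return self.pending.popleft() if self.pending else None

    def post_response(self, request_id, response):
        self.responses[request_id] = response


# Constructed credential store for the second factor: a valid device key only
# proves the request came from an activated phone; the user must still log in.
IAM_PASSWORDS = {"alice": "correct horse battery staple"}


def iam_handle(request):
    """On-prem IAM handler for a request the worker pulled from the proxy."""
    body = request["body"]
    if IAM_PASSWORDS.get(request["user_id"]) != body.get("password"):
        return {"status": 401, "error": "second factor failed"}
    if body.get("action") == "approve_request":
        return {"status": 200, "approved": body.get("request_ref")}
    return {"status": 400, "error": "unknown action"}


def iam_worker_once(proxy):
    """One iteration of the IAM worker loop: pull, handle, post the reply back."""
    req = proxy.next_request()
    if req is None:
        return False
    proxy.post_response(req["id"], iam_handle(req))
    return True


def phone_round_trip(proxy, device_id, user_id, key, body):
    """Phone signs and submits a request, the IAM worker runs once, phone reads the reply."""
    sig = sign_request(key, user_id, device_id, body)
    rid = proxy.submit(device_id, user_id, body, sig)
    iam_worker_once(proxy)
    return proxy.fetch_response(rid)


if __name__ == "__main__":
    proxy = CloudProxy()
    key = proxy.activate_device("phone-1", "alice")
    print(phone_round_trip(proxy, "phone-1", "alice", key,
                           {"action": "approve_request", "request_ref": "REQ-1",
                            "password": "correct horse battery staple"}))
```

The point to take from the model is where rejection happens: a request without a valid activated key is counted in `rejected` and never enters `pending`, so the IAM worker never sees it, which is what lets the IAM server stay invisible from the Internet while still serving phones.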

8 Mobile use cases

Hitachi ID Identity Manager
• Approve access requests.
• Search for colleague, download contact info.

Hitachi ID Password Manager
• Password/PIN reset.
• Unlock pre-boot login prompt on encrypted drive.

Hitachi ID Privileged Access Manager
• Request, approve access.
• Display plaintext password (for use at physical console).

9 Activate Mobile Access app

Animation: ../../pics/camtasia/suite11/enable-mobile-device-1.mp4


10 Add contact to phone

Animation: ../../pics/camtasia/suite11.1/add-contact-to-phone-2.mp4

11 Unlock pre-boot password

Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4

12 Mobile request approval

Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4

13 Password display

Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4


14 BYOD access to on-premises IAM system

The challenge
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don’t want attackers probing IAM from the Internet.

Hitachi ID Mobile Access
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.

Outbound connections only

Diagram (as on slide 6): personal device on the Internet; cloud proxy (message passing system) on the Internet; Internet-facing firewall, DMZ, inner firewall, and the IAM server on the private corporate network. (1) A worker thread on the IAM server connects outbound to the proxy: “Give me an HTTP request.” (2) The personal device sends an HTTPS request to the proxy: “Includes userID, deviceID.” (3) The message passing system relays between the two ends.

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23