A Multi-Layered Approach to Mobile IAM
Eugene Liderman
© 2015 Good Technology. All Rights Reserved. 2
Desktop Security Snapshot
– Conventional IAM and DLP/DRM solutions are desktop/laptop OS centric
– Desktop IAM and DLP/DRM has evolved to support:
• Numerous forms of strong authentication (two-factor)
• Single Sign-On (SSO)
• Full disk encryption
• Robust anti-virus solutions
[Diagram: desktop stack, every layer controlled by IT: Desktop OS, Middleware, Desktop VPN, Enterprise Intranet, Enterprise App, Enterprise App. Degree of IT control: High.]
Smartphone Security
§ Information Assurance personnel are struggling with their Mobile IAM strategy
§ Mobile devices don't support smart card readers at the OS level
§ Some mobile VPN vendors do support smart card authentication, but the user experience isn't optimal
§ Authorization, authentication, and access control should be done at the application level!
[Diagram: mobile stack: Mobile VPN (labelled as controlled by IT), Mobile Device OS, Middleware, and a mix of Enterprise Apps and Consumer Apps sitting side by side on top.]
Problem: Monolithic Approach to Mobile Middleware
Challenge
§ Today mobile smart card readers are tightly coupled with proprietary middleware, which is typically embedded in the mobile application that uses it
§ This monolithic approach does not scale because:
§ Mobile app developers must build multiple versions of their apps to support the various middleware/reader vendors
§ Every time the hardware/middleware vendor ships a firmware or software update, it breaks interoperability and forces the app developer to release out-of-band service releases
§ A practical consequence: a fix to the middleware reaches users only when every app that embeds a copy of it ships a new build, so the same defect can stay live in some apps long after the vendor has patched it
Is There A Solution?
“IF YOU BUILD IT, THEY WILL COME”
Solution: "If You Build It, They Will Come"
Solution
§ Stop embedding middleware into each mobile app
§ Instead, create an abstraction layer that lets multiple middleware vendors be supported behind one interface
Benefits
§ Multiple smart card reader hardware/middleware vendors can support an existing application ecosystem in a plug-and-play fashion, and no mobile app needs to embed complex middleware or be rebuilt every time a middleware update is released
§ Government agencies get choice, because they are not locked into a single middleware/hardware solution
§ End users get choice over what type of reader fits their needs (e.g. sleeve, dongle, Bluetooth)
What About "Derived Credentials"?
§ Question: What does the term "Derived Credentials" mean to you?
§ Answer: Go read the OSD memo and NIST SP 800-157 (which covers PIV credentials issued to a mobile device on the strength of the holder's existing PIV Card)
§ The reality: it means different things to different people
Conclusion: There's An App For That!
[Diagram: an App alongside an ISV Auth App and YOUR Auth App; the App authenticates via any trusted method (Smart Cards, Biometrics, Secure Element).]
App: "I need to authenticate or sign/decrypt data."
Auth App (Smart Cards): "I can authenticate or sign/decrypt data via smart cards!"
Auth App (Biometrics): "I can authenticate via biometrics!"
Auth App (Secure Element): "I can authenticate or sign/decrypt data via SE/TEE!"
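The abstraction layer proposed on the solution slide and the capability hand-off sketched in this conclusion (an app asks "who can sign or decrypt for me?" and a registered auth provider answers), as an added Python example. It is not code from the deck or from Good Technology. The names AuthBroker, SmartCardProvider, BiometricProvider and the capability strings are assumptions, and the RSA key built from two Mersenne primes is a deliberately trivial stand-in for a key that would really live on the card or secure element, so the example runs offline with no reader, middleware or crypto library.

```python
"""Added example: a capability broker in front of vendor auth plug-ins.

The app depends only on the broker and on capability names, never on a
vendor SDK.  Swapping reader/middleware vendors means registering a
different provider; the app code does not change.
"""
from __future__ import annotations

import hashlib
import secrets
from typing import Protocol

# --- toy key material (hypothetical, trivially factorable, demo only) ---
# Both factors are Mersenne primes, so N is easy to factor.  In a real
# deployment this private key never leaves the card / SE / TEE.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _digest_int(data: bytes) -> int:
    """SHA-256 of data as an integer (no padding scheme: toy signature)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class AuthProvider(Protocol):
    """Contract every vendor plug-in must satisfy (assumed interface)."""
    name: str
    capabilities: frozenset[str]

    def public_key(self) -> tuple[int, int]: ...
    def sign(self, data: bytes) -> bytes: ...


class SmartCardProvider:
    """Plug-in wrapping one reader/middleware pair (simulated here)."""
    name = "smartcard:vendor-a"
    capabilities = frozenset({"authenticate", "sign", "decrypt"})

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        # constant-time compare, as a card applet would do before unlocking
        self._unlocked = secrets.compare_digest(pin, self._pin)
        return self._unlocked

    def public_key(self) -> tuple[int, int]:
        return (_N, _E)

    def sign(self, data: bytes) -> bytes:
        if not self._unlocked:  # private-key ops refused until PIN verified
            raise PermissionError("PIN not verified")
        sig = pow(_digest_int(data), _D, _N)
        return sig.to_bytes((_N.bit_length() + 7) // 8, "big")


class BiometricProvider:
    """Local-only authenticator: can unlock the user, cannot sign/decrypt."""
    name = "biometric:device"
    capabilities = frozenset({"authenticate"})

    def public_key(self) -> tuple[int, int]:
        raise NotImplementedError("biometric provider holds no key material")

    def sign(self, data: bytes) -> bytes:
        raise NotImplementedError("biometric provider cannot sign")


class AuthBroker:
    """The abstraction layer: apps ask for a capability, not a vendor."""

    def __init__(self) -> None:
        self._providers: list[AuthProvider] = []

    def register(self, provider: AuthProvider) -> None:
        self._providers.append(provider)

    def providers_for(self, capability: str) -> list[str]:
        return [p.name for p in self._providers if capability in p.capabilities]

    def sign_challenge(self, challenge: bytes) -> tuple[str, tuple[int, int], bytes]:
        """Route to the first provider advertising 'sign'; fail loudly if none."""
        for p in self._providers:
            if "sign" in p.capabilities:
                return p.name, p.public_key(), p.sign(challenge)
        raise LookupError("no registered provider can sign")


def verify_signature(public_key: tuple[int, int], data: bytes, signature: bytes) -> bool:
    """Relying-party side: recover the digest and compare with SHA-256(data)."""
    n, e = public_key
    return pow(int.from_bytes(signature, "big"), e, n) == _digest_int(data)


def demo() -> bool:
    """Challenge-response login through the broker; True when it verifies."""
    card = SmartCardProvider(pin="123456")
    broker = AuthBroker()
    broker.register(BiometricProvider())  # registered first, skipped for 'sign'
    broker.register(card)
    challenge = secrets.token_bytes(32)   # constructed stand-in for a server nonce
    card.verify_pin("123456")
    who, pub, sig = broker.sign_challenge(challenge)
    return who == card.name and verify_signature(pub, challenge, sig)
```

The point to notice is what the app touches: the broker, a capability string and a public key. A vendor firmware update changes only the matching provider class, and a reader that cannot sign (the biometric plug-in here) is never handed a signing request, so the app does not need to know which vendors are installed. The PIN gate shows the one failure mode the app must still handle: a locked card raises rather than silently returning a bad signature.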