• No results found

Mobile App Security Take Any Mobile App and Make It Secure

N/A
N/A
Protected

Academic year: 2021

Share "Mobile App Security Take Any Mobile App and Make It Secure"

Copied!
94
0
0

Loading.... (view fulltext now)

Full text

(1)

#mstrworld

Mobile App Security

Take Any Mobile App and Make It Secure

Ray Bennett

Microstrategy - Director, Mobile Service Line World, Las Vegas, 2015

(2)

#mstrworld

Agenda - State of the Art Mobile App Security

Introduction

-  Mobile Security Concerns

-  MicroStrategy’s 7 Pillars of Mobile App Security

MicroStrategy Security Model 1.  Authentication 2.  Device/Application 3.  Data 4.  Authorization 5.  Operations 6.  Platform

Mobile Device Management (MDM) Summary

(3)

#mstrworld

Introduction

(4)

#mstrworld

Mobile Security Concerns and Risks

Most Concerning - Lack of Control

Network Domain: More Control External Domain: Less Control Malware Rootkits Botnets Phishing Ransom-ware Intrusions

(5)

#mstrworld

Top Mobile Threats for 2015

According to McAfee Labs

(6)

#mstrworld

How Big a Problem is Mobile Malware?

Total mobile malware samples exceeded 5 million in Q3 2014, up by 16% in this quarter and 112% in the past year

(7)

#mstrworld

Increased exposure

The Expanding Mobile Device Ecosystem

Devices do not work in a vacuum

-  Connect to one or more cloud-based services (enterprise

Exchange server, Gmail, MobileMe, iCloud, etc.), home or work PC, or all of above

When properly deployed, both platforms allow users to

simultaneously synchronize devices with private and enterprise

cloud services without risking data exposure

-  However, there are several scenarios in which services may be

(8)

#mstrworld

Mobile Means More Exposure

Victims of our own success

Ever Expanding

Attack Surface

Cloud Internet of Things BYOD Bluetooth Users Device Types Integration Points Moving Parts

More >>

(9)

#mstrworld

What is Compromised and Needs Protecting?

Names, Telephone Numbers - Contact Information

Email Addresses

Text Messages

Notes

Browser history

Application Data (Financial Numbers, Forecasts)

Trade Secrets

(10)

#mstrworld

Microstrategy Mobile Secure Solution Preview

A Complete, Flexible, and Customizable Security Model

Firewall

Firewall

Mobile Server

Intelligence Server

Authentication - Multi-factor, via Touch ID, Passcode & Certificate

Application Security - Double encryption with app level passcode, online or offline

Authorization - Access managed dynamically based on profile and privileges

Device Security - Native hardware security including passcode, auto-lock, failed attempt limits

Data Protection - AES 256-bit encryption of data in transit and at rest

Platform Security - multi-tier architecture to ensure integrity of mobile computing / BI data

Operations – Engineered process and methodology that defines

how mobile technology is to be securely used

C ommu nica tio n - In fo rma tio n F lo w

(11)

#mstrworld

Mobile Security – Custom Models are a balancing act

A Mobile Security Model needs to be Customizable

1.

Authentication

2.

Device

3.

Application

4.

Data

5.

Authorization

6.

Operations

7.

Platform

Fully Open Unsecured Fully Lock Down Least Secure Most Secure

(12)

#mstrworld

Tolerance to Risk vs. Corporate and User Needs

A Mobile Security Model Needs to be Flexible

Security

User Experience

Functionality

(13)

#mstrworld

Authentication

(14)

#mstrworld

Microstrategy Mobile - User Authentication

Device Level and Application Authentication

Mobile Server Authentication

•  Device iOS Profile Logon

•  Network Logon (if using VPN or Tunnel)

•  Microstrategy Project Meta-Data Logon

1.  Standard

2.  Windows

3.  LDAP

4.  Database

•  Account/Logon that Mobile Server Web Pool Runs Under:

1.  Anonymous

2.  Basic

(15)

#mstrworld

An added layer of authentication protection

Microstrategy App Passcode, as of 9.4.1, Update 3

Device level application security

Issues credential challenge on each entry

(16)

#mstrworld

First Entry into App – Create and Confirm password

Microstrategy App Passcode

(17)

#mstrworld

Microstrategy App Passcode

(18)

#mstrworld

Touch ID – New in 9.4.1, Update 5

Advanced Biometric Authentication Integration

Convenient

Split second access. Don’t have to remember an additional passcode. Unique to you;

impossible to forget.

5X stronger

According to Apple, there is 1 in 50K chance of registering a false fingerprint match versus 1 in 10K chance of guessing a 4-digit passcode

No guessing

Trying out 50,000 different fingerprints is an incredible logistical challenge.

Hack proof

Apple doesn’t store the fingerprint as an image; they store it as a mathematical representation that hackers can’t reverse engineer.

(19)

#mstrworld

Microstrategy Application Level

Touch ID

(20)

#mstrworld

Microstrategy Document Level

(21)

#mstrworld

Introducing - Microstrategy 9s

The world’s most sophisticated Analytics Platform. Now

including the world’s most simple, seamless and sophisticated

identity platform.

(22)

#mstrworld

The future of identification and authentication

What is Usher?

Protect Cyber Assets

Replace Physical Badges

Secure Facilities and Entryways

Monitor and Manage Activities Usher is a self-service, cloud-based

application that simplifies user authentication and delivers unprecedented system security.

(23)

#mstrworld

Bluetooth, QR Code

(24)

#mstrworld

Log into applications without entering password credentials

(25)

#mstrworld

See it for yourself with the Secure Analytics 9s Demo

(26)

#mstrworld

Microstrategy 9s with Usher

iPhone Application Access Demo

(27)

#mstrworld

Time and Geo-Fence Restrictions

Microstrategy 9s with Usher

User Does Not Satisfy Following Condition: Geolocation Time

(28)

#mstrworld

Builds on top of existing secure architecture and provides 3 factor authentication

(29)

#mstrworld

Microstrategy 9s

(30)

#mstrworld

(31)

#mstrworld

Single SignOn (SSO)

OOB Support

Seamless SSO Support for Authentication Providers

Tivoli

Siteminder

Oblix

Okta

Seamless SSO Support for Portal Server Applications

Microsoft Sharepoint

IBM Websphere

Oracle WebLogic

SAP Enterprise Portal

Also 3rd Party Identity Management Systems that support SAML (Security Assertion Markup Language)

(32)

#mstrworld

Single SignOn (SSO)

Basic Mechanism

Device side Application Supports:

HTML Forms Consumption

✓  Allows Custom Log-on Screen Work-flow

(33)

#mstrworld

Device/Application

(34)

#mstrworld

MicroStrategy Mobile Application Security

•  Expira'on  can  be  set  to  enforce  MicroStrategy  

user  creden'als  when  opening  the  app

•  User  creden'als  are  stored  encrypted  on  device.

•  Applica'on  data  is  encrypted  on  device.

•  Caches  can  be  cleared  when  exi'ng  the  

applica'on.

•  Isola'on  protects  App  data  from  other  Apps.

•  Apps  are  signed  to  ensure  the  App  is  authen'c.

•  Run'me  checks  enforce  App  Security.

•  Password  required  aEer  'meout  or  suspended  

state  (Confiden'al  Project  Mode)

•  Single  sign-­‐on  support.

•  LDAP,  Kerberos,    NT  Integra'on.

•  Independent  Third  –Party  Security  Tes'ng  

MicroStrategy Mobile  Server   MicroStrategy Intelligence  Server   Link  Encryp'on   User  Authen'ca'on •  Standard •  LDAP •  Database •  NT  

Web  User  Authen'ca'on Support  for  SSO  

(35)

#mstrworld

Apple iOS

(36)

#mstrworld

Security Model

1.  Security at the Operating System

level through the Linux kernel

2.  Mandatory application sandbox

3.  Secure inter-process

communication

4.  Application signing

5.  Application-defined and user

granted permissions

(37)

#mstrworld

Android and iOS devices - varying degrees

Security Models

Isolation

-  Limits app’s ability to access sensitive data or systems on device

Permissions-based access control

-  Grants set of permissions to each app and then limits each app to

accessing device data/systems within the scope of permissions

Traditional access control

-  Protects devices by using techniques such as passwords and idle

time screen locking

Limited Hardware Access

-  Apps can not directly access the underlying hardware

Data Encryption

(38)

#mstrworld

Apple’s iOS vs. Google’s Android

A General Summation

iOS – A locked-down platform

-  Strict Controls on Device and Store

-  Well designed and thus far, resistant to attack

-  Rigorous certification model which vets the identity of

software authors and weeds out attackers

Android – Freedom with precaution

-  Major improvement over traditional computing programs

-  Less rigorous certification model which allows a more

open development environment

(39)

#mstrworld

Data

(40)

#mstrworld

Symmetric Cryptography/Encryption

Protects data at rest or in transit (i.e., AES (128, 192, 256))

(41)

#mstrworld

Asymmetric (Public Key) Cryptography/Encryption

Exchange symmetric keys, digital signing, x.509 certificate authentication

(42)

#mstrworld

Asymmetric Encryption – x.509 Certificates

Certificate Authority

Collects Applicant’s Money

Validates Applicant’s Identity

Issues Digital Certificate

Issues Private Key

Private Key

Version

Unique Serial Number

Certificate Signature Algorithm

CA Name

Validity Period

Subject Name

Public Key Algorithm

Subject Public Key

CA Signature

(43)

#mstrworld

Putting It All Together – Transport Layer Security (TLS). Also SSL

Asymme

tri

c

Symme

tri

c

Hello!

Hello Back!, Server sends Cert

Client Cert, Key Exchange, Verify

C

re

at

es

Se

ssi

on

Ke

y

U

se

s

Se

ssi

on

Ke

y

to

En

cryp

t

Trust Established

Encrypted Communication

(44)

#mstrworld

Authorization

(45)

#mstrworld

Mobile Administrator Utility

(46)

#mstrworld

(47)

#mstrworld

(48)

#mstrworld

Mobile Server Configuration – Admin Settings

(49)

#mstrworld

Mobile Server Configuration – Admin Settings

(50)

#mstrworld

Mobile Server Configuration – Admin Settings

(51)

#mstrworld

(52)

#mstrworld

(53)

#mstrworld

(54)

#mstrworld

(55)

#mstrworld

(56)

#mstrworld

Authorizing User Access to Secure Objects and Data

Information ‘Not-Sharing’ Northeast Southeast Central West Total East West Exec

(57)

#mstrworld

Authorizing User Access to Secure Objects and Data

East Region Users

Northeast Southeast

Total East

(58)

#mstrworld

Authorizing User Access to Secure Objects and Data

West Region Users

West Total West

(59)

#mstrworld

Authorizing User Access to Secure Objects and Data

CXO Executive User – No Viewing Restrictions

Northeast Southeast Central West Total Exec

(60)

#mstrworld

Authorizing User Access to Secure Objects and Data

Information ‘Not-Sharing’

East

West

(61)

#mstrworld

Authorizing User Access to Secure Objects and Data

Information ‘Not-Sharing’

East

West

(62)

#mstrworld

Row Level Security Filters

(63)

#mstrworld

Authorizing User Access to Secure Objects and Data

•  Set  of  Users

•  Can  assign  Privileges  and  ACLs  

•  Privileges  Apply  to  All  Projects  

•  Set  of  Privileges

•  Can  be  assigned  to  Users  and/or  Groups

•  Apply  to  Specified  Projects  

•  ACLs  can  be  Assigned  to  User  Groups  

•  Iden'fied  by  a  Unique  Login  and  User  Name

•  Defined  in  the  Metadata  Repository  

•  Exists  Across  Mul'ple  Projects  

Users  

User  Groups  

(64)

#mstrworld

Granting Access Permissions in Microstrategy

Privileges

Relates to a user’s ability to perform certain functions/tasks

such as Mobile, Exporting Data, Drilling, etc.

Object Permissions via ACL (Access Control List)

Provides user, group, role access/restriction on project

metadata objects

Security Filters (Could use System User Prompt)

Introduces column in database tables for user or group or role

(65)

#mstrworld

Operations

(66)

#mstrworld

Operational Security

Establish Security Policy

• 

Passcode Required

• 

Passcode Complexity

Procedures for Reporting Lost/Stolen Device Device Management

• 

Proactive Monitoring

• 

Response to lost/stolen device report

Information Management

• 

Policies for handling of sensitive data

• 

Sensitivity Reduction

• 

Information Deception

Ensure proper placement and operation of WiFi Equipment

Situational Awareness - Keep users informed of the importance and

impact of their actions

(67)

#mstrworld

Platform

(68)

#mstrworld

Virtual Private Network (VPN)

(69)

#mstrworld

Virtual Private Network (VPN)

Secure Pin’s – Generates access credential based on coordinated algorithm processing

•  Provides an extra layer of protection

•  Results in extra user authentication step.

iPhone Passcode Generator Physical Tokens

(70)

#mstrworld

(71)

#mstrworld

HTTPS Encrypted Communication – (TLS, SSL)

(72)

#mstrworld

Recommended MicroStrategy Mobile Security Architecture

CRL   Cer'ficate   Revoca'on   List   MicroStrategy Cer'ficate  Server   MicroStrategy Mobile  Server  

MD  

DWH  

 

X.509 Cer'ficate Request  

HTTPS

(AES)  

MicroStrategy   Intelligence Server   LDAP  Server  

Fi

re

w

al

l  

Fi

re

w

al

l  

(73)

#mstrworld

(74)

#mstrworld

(75)

#mstrworld

Platform Network Security

•  WEP (Wired Equivalent Privacy)

-  Most common protocol

-  Currently considered not secure

•  WPA (WiFi Protected Access) or WPA2

-  Used in commercial WiFi systems

-  Extremely difficult to compromise

•  Disable identifier broadcasting

(76)

#mstrworld

(77)

#mstrworld

Mobile Device Management (MDM)

(78)

#mstrworld

MDM

Benefits of an MDM Integration

Supports a variety of mobile devices (Phones, Tablets, Printers)

Provides centralized control to manage, monitor, and support mobile users

Supports BYOD models

Asserts control over user experience

Enforces specific levels of security policy across all mobile devices

Protects proprietary organizational information

Provides ‘On-Demand’ VPN (or other) access

Supports monitoring

(79)

#mstrworld

MDM Integration

Internal App Store Distribution

Xcode Distribution/Save/Archive

(80)

#mstrworld

MDM API Integration – Code Level App Wrapping

(81)

#mstrworld

Code Level App Wrapping

By Microstrategy v9.4.1.4 Registered on Sep 11, 2014

(82)

#mstrworld

MDM API Integration

Current/Planned Offerings

Exists for 9.4.1 (update 1, 2, 3, 4). Previously for 9.3.0

Currently available in Beta

Planned. In contract negotiation and test

(83)

#mstrworld

Summary

(84)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall

Firewall Mobile Server

Intelligence Server

Communications

Data in transit always encrypted (Symmetric and Asymmetric)

Network administration

(85)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall

Firewall Mobile Server

Intelligence Server

Emissions

Data in motion encrypted with WPA and WPA2

Disable Identifier Broadcasting

Maintain wireless emissions within

(86)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall Firewall Mobile Server Intelligence Server Device

iOS/Android Protections

Digital X-509 certificates

iOS Remote Wipe

Device Lock

(87)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall

Firewall Mobile Server

Intelligence Server

Application

Encrypt user credentials and app data

Clear credentials

Clear caches

Leverage iOS sandboxing

Digitally sign apps

Runtime checks

(88)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall

Firewall Mobile Server

Intelligence Server

Data

User and Group Authentication

Privileges

ACL’s

Security Roles

(89)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall

Firewall Mobile Server

Intelligence Server

Authentication

App passcode (Complexity, Expiration)

Touch ID

Microstrategy 9s (Usher Mobile Identity)

Digital Signing and Certificates (e.g.,

HTTPS)

VPN Tunneling

Auth Models (e.g., Windows NT, LDAP, Basic, etc.)

(90)

#mstrworld

Microstrategy – Low Vulnerability Mobile Security Model

Firewall Firewall Mobile Server Intelligence Server Operations

MDM

Device activation, user authentication, certificate enrollment

Configuration profiles, Restrict device features

Policy and restrictions enforcement

Asset management, theft and loss

prevention

(91)

#mstrworld

MSTR SDK (Extending OOTB Capabilities)

Application Device Side

Edit un-compiled Objective-C code via X-code

Potential customizations:

-

Rebranding

-

Springboard icon

-

Opening logo animation

-

Custom help

-

Custom Visualizations

Mobile Server Side

Java Task Framework (e.g., Mobile Logon Task)

(92)

#mstrworld

(93)

#mstrworld

For More Information

Mobile Security Whitepaper – Secure Mobile Computing and Business Intelligence on

Apple and Android Mobile Devices

http://www.microstrategy.com/Strategy/media/downloads/products/Whitepaper_Mobile-Security.pdf

MicroStrategy Product Manuals

•  Administration Guide

•  Mobile Administration and Design Guide

New Microstrategy Community - Mobile Discussion Forums and Knowledge Base

http://community.microstrategy.com

Microstrategy Apple App Store Download(s)

(94)

#mstrworld

Thankyou! Questions?

References

Related documents

The term Cyber Security addresses the governance, management and assurance that go beyond standard information security.. Cybersecurity focuses on specific, highly sophisticated

 Mobile content management  Secure editor  Secure document sync Advanced Mobile Management Secure Productivity Suite Secure Gateway Access Secure Document Sharing..

The most common factors mitigating against treatment success (apart from treatment default itself) were, not surprisingly, pre-existing resistance to any second-line anti-TB drugs

MAM (Mobile Application Management) solutions, including Enterprise App Stores, provide for secure access and deployment of enterprise apps.. They enable

To access the Company WiFi service or Secure Mobile App services (“Services”), you must register the specific device to be used, select the applicable mobile device Services

The new method provides an optimal scheduling sequence with minimum total elapsed time whenever mean weighted production flow time is taken into consideration

It's a good game with some interesting mechanics but it can be a bit buggy and the end game gear is too expensive which can make it a bit grindy to get into the last few story

• Seamless integration with secure business mobile apps (i.e. Mail, Browser) • Transition away app level security to content level security for granular control. Apply app