BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations
1 Introduction

Single sign-on (SSO) is a common requirement for business-to-employee (B2E) application user authentication. As more and more organizations develop mobile applications for their employees, the need for those mobile applications to leverage existing SSO technologies has arisen. This paper focuses on the architectures currently used by native mobile applications to leverage existing SSO infrastructures. These architectures cover three distinct use cases: a single identity provider, a single shared identity provider session, and single sign-on with a manager. Each use case has unique characteristics and security concerns.

For the purposes of this paper, SSO means that an end-user authenticates once and that authentication is used by more than one application. For example, an end-user provides a valid username and password to one application, and later, when that end-user wants to use a second application, the second application does not force the end-user to re-enter his or her username and password. Using this strict definition, the first use case, Single Identity, is not SSO. It lets an end-user use the same username and password for two applications, but it does not share the authentication. At first glance this approach seems undesirable, as the applications do not realize single sign-on; however, merely sharing identity may be the most desirable approach from a security and usability perspective.

2 Use Case One: Single Identity

One of the predominant methods of mobile SSO integration is to authenticate end-users in each application using their enterprise username and password. Because this technique is frequently referred to as mobile SSO and is used in many application environments, it is included in this discussion. However, because the end-user must authenticate separately in each application, this architecture is properly called single identity provider rather than single sign-on.
The distinction is that each application authenticates with the identity provider separately rather than sharing a single authentication decision. This approach benefits security and, arguably, the end-user's experience as well. The end-user gives up the convenience of not having to re-enter a username and password, but gets consistent behavior across applications in return: end-users know they are granting access to their data when they start an application, and know that access is terminated when the application terminates. From a security perspective, the true SSO use cases that follow cannot securely share the authentication token on the mobile device; showing why is the subject of the rest of this paper.
2.1 Examining the Control Flow in a Threat Model

Figure 1: Single Identity Threat Model (diagram; it labels the assets, controls, threat agents and trust zones enumerated below. Trust zones: TZ-01 Mobile Device; TZ-02 and TZ-03 the sandboxes of App One and App Two; TZ-04 Organizational Domain, containing the SSO identity provider and the App One and App Two web services.)

First examine the parts of the threat model present in all mobile SSO threat models. There are three main assets, the parts of the system in Figure 1 that need to be protected. The first asset is the SSO token. The SSO token represents the authentication decision; applications use it to authenticate to individual service providers. The second asset is the user's credentials, which are exposed only to the identity provider's web page and backend. The last set of assets is the protected resources that the service providers require user authentication to deliver.

The figure's legend lists five controls, the protections for the identified assets. Four apply to this use case; the fifth, application whitelisting, is introduced together with inter-process communication in the next use case. The first control is process separation. Operating systems implement this control to prevent running processes from accessing the memory space of other processes. The second control is the file system sandbox. All mobile operating systems have a form of sandboxing, which prevents applications from directly accessing other applications' files. The third control present in all of our use cases is certificate pinning.
In certificate pinning, a client application verifies the server's certificate against a hard-coded value. The final control is SSL, which protects the assets in transit.

There are five threat agents whose goal is to compromise the identified assets. The first threat agent is a malicious app installed on the mobile device. The second threat agent, a malicious app with root access, is identical to the first except that this application has root access on the device. The third threat agent is an attacker with physical access to the device (Unauthorized Physical User). For the purpose of this paper, this attacker is assumed to have access to the phone past the lock screen. The fourth threat agent is an attacker on a local or adjacent network (Unauthorized Network User, TA04). The final threat agent is a compromised service provider inside the organizational domain (TA05).
2.2 Concerns in a Single Identity System

With the assets, threats, and controls enumerated in the previous section, one can use the threat model to generate possible attack scenarios. One attack malicious apps will attempt is to gain access to the user's SSO token and user credentials. If the client applications store this information to disk, the operating system will attempt to protect it via sandboxing. A malicious app with root access will still be able to read these files, bypassing the file system sandbox control. Additionally, with root access a malicious app can access the memory space of these applications, obtaining any information that has not been cleared from memory and bypassing the process separation control. A particularly dangerous attack scenario is an attacker with physical access to the device. With access to the device, an attacker would be able to view any file stored on it.

While there is no perfect solution to securing sensitive information on mobile devices where applications and users may have root access, some basic steps should be taken:

a. Never store user credentials to disk.
b. Once an end-user has authenticated to the application, clear the user credentials from memory.
c. Do not store SSO tokens to disk. Maintain SSO tokens only in memory.

The last two threat agents to address are unauthorized network users and compromised service providers. Both of these actors sit outside the mobile device and communicate with it only via the network interface. In most situations these threat agents will not originate requests to the device; instead they rely on the device placing certain calls, then listen and react. The biggest concern from a network attacker is man-in-the-middle attacks. To combat the majority of these attacks, systems should follow web application best practices such as enforcing strict SSL. The final threat agent is a compromised service provider.
If an attacker is able to compromise a service provider, users may unknowingly give this service provider their SSO token. In order to prevent network attackers from impersonating application services, and to prevent a compromised host from posing as a different service provider, mobile applications should enforce certificate pinning. Pinning addresses impersonation; it does not protect a token that is sent to a correctly pinned service provider which has itself been compromised, which is why the exposure of the token itself is revisited in the later use cases.

3 Use Case Two: Single Shared Identity Session

Another scenario to consider is broadcast native SSO, in which applications share an identity provider session by passing the SSO token amongst themselves. In order to obtain the authentication decision, each application asks all other applications using the same identity provider whether they hold an SSO token from that identity provider. If no application has established an SSO token, the requesting application connects to the identity provider and asks it to authenticate the user's username and password. When a second application needs an SSO token, it calls out to the same set of applications requesting one. Since the first application has a token, the first application sends its SSO token to the requester. Unlike the previous use case, this is true SSO because the end-user does not need to enter credentials a second time.
3.1 Examining the Control Flow in a Threat Model

Figure 2: Broadcast Native SSO Threat Model (diagram; the same assets, controls, threat agents and trust zones as Figure 1, with an IPC channel between App One and App Two inside the mobile device and application whitelisting added to the controls.)

The change between this threat model and the previous one is the inclusion of inter-process communication (IPC) between the two mobile applications (Figure 2). An additional control is application whitelisting. Application whitelisting is the generic term for the ability of applications to specify which other applications they are willing to communicate with via IPC.

3.2 Concerns in a Broadcast Native SSO System

All of the concerns and mitigations outlined in the previous use case also apply to the broadcast native SSO environment. The addition of IPC between the components increases the attack surface, resulting in the need to secure the session identifier in transit on the device. This change opens the possibility of a malicious application that sniffs and/or injects IPC requests. By sniffing IPC traffic between the components, a malicious app may capture a legitimate token; by injecting IPC traffic, it may answer a request with an illegitimate token, preventing the requesting application from accessing the protected resource.
In addition to sniffing IPC, a malicious application may also impersonate a legitimate application by directly requesting an SSO token from previously authenticated applications. Both of these cases boil down to an authentication problem in app-to-app communication on the device. Currently, the best platform-level protection against impersonation is IPC whitelisting. Both Android and iOS (added in iOS version 5.0) implement protections allowing applications to specify which application they are communicating with. Whitelisting can work for environments with a small and stable set of applications; however, maintaining whitelists becomes very difficult when the list of applications is dynamic. Unfortunately, whitelisting is not a perfect solution and can still be bypassed on both major platforms.
The second major consideration in a broadcast environment is handling a user's SSO token being invalidated and refreshed. When this occurs, all applications that received the SSO token should be told that the token is invalid and be issued the new one. This means that, in addition to listening for requests for the current SSO token, applications must also listen for SSO token revocation. If an application does not receive a revocation message and continues to use the invalid token, the identity provider (IdP) will require the end-user to re-authenticate. This negatively affects the user's experience: they have to re-authenticate even though they just authenticated in a separate application.

4 Use Case Three: Single Sign-On with a Manager

Organizations have begun implementing a manager application on the mobile device that acts as an intermediary between mobile apps and the identity provider. A manager lets applications request an SSO token from a single location on the device, simplifying the authentication logic in the other applications and resolving some of the problems identified in the native broadcast SSO use case. From a security perspective, the main benefit of this solution is a central place to enforce policies.

The manager solves two problems with the native broadcast use case: complex whitelists and an inconsistent user interface. In the native broadcast use case, each application must have a whitelist containing every other application participating in the SSO; when an application is added or removed, the whitelist of every application must be updated. In addition to the potential security issues, there is the usability concern that each application may present a dramatically different authentication experience. The inclusion of the manager simplifies configuration and creates a consistent end-user authentication experience.
End-users always enter their username and password into the manager, never into the individual applications. The manager handles authentication with the identity provider. When the mobile SSO manager receives an SSO token, it passes the token back to the requesting mobile application. For subsequent requests, the manager returns the SSO token without prompting the end-user. The manager simplifies the whitelist because the applications participating in SSO all talk only to the manager, so there is a single list of participating applications to maintain.
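The manager described above, as an added Android example; this is not code from the paper or from any product named on this page. It shows the two things sections 3.2 and 4 ask of the component that hands out tokens: authenticating the calling app before returning the token, by checking the caller's signing certificate rather than trusting its package name (the whitelist, now kept in one place), and pushing a replacement token to every registered app when the IdP has invalidated the old one (the revocation concern). The AIDL interfaces ISsoManager and ISsoListener, the service class name and the whitelist hash are assumptions; the login UI that obtains the first token is outside this snippet.

```java
// Added example. Assumes two hypothetical AIDL interfaces in the manager's package:
//   interface ISsoListener { oneway void onTokenReplaced(String newToken); }
//   interface ISsoManager  { String getToken(); void registerListener(ISsoListener listener); }
// Participating apps bind to this service and call getToken(); a null result means "launch the
// manager's login UI", so user credentials never pass through the calling app.
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.os.RemoteCallbackList;
import android.os.RemoteException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Set;

public class SsoManagerService extends Service {
    // Hypothetical whitelist: hex SHA-256 over the DER signing certificate of each participating
    // app. The manager holds the only copy, so onboarding an app means updating this one list.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = Collections.singleton(
            "1111111111111111111111111111111111111111111111111111111111111111");

    // The SSO token lives only in this process's memory and is never written to disk.
    private volatile String currentToken;
    private final RemoteCallbackList<ISsoListener> listeners = new RemoteCallbackList<>();

    private final ISsoManager.Stub binder = new ISsoManager.Stub() {
        @Override
        public String getToken() {
            requireTrustedCaller();
            return currentToken;
        }

        @Override
        public void registerListener(ISsoListener listener) {
            requireTrustedCaller();
            listeners.register(listener);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Only valid on the Binder thread inside a Stub method: there Binder.getCallingUid() is the
    // remote caller. Inside a Handler or Messenger it returns this process's own uid, and a
    // whitelist check done there passes for every caller.
    private void requireTrustedCaller() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) {
            return; // the manager calling itself
        }
        String[] pkgs = getPackageManager().getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) {
            throw new SecurityException("unknown caller uid " + uid);
        }
        // Several packages may share one uid (sharedUserId); every one of them must be trusted.
        for (String pkg : pkgs) {
            if (!isTrustedPackage(pkg)) {
                throw new SecurityException("untrusted caller package " + pkg);
            }
        }
    }

    // Identity is the signing certificate, not the package name: a name is free to claim.
    private boolean isTrustedPackage(String pkg) {
        try {
            PackageInfo pi = getPackageManager().getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (pi.signingInfo == null || pi.signingInfo.hasMultipleSigners()) {
                return false; // multi-signer APKs are rejected outright rather than reasoned about
            }
            Signature[] signers = pi.signingInfo.getApkContentsSigners();
            for (Signature s : signers) {
                if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(s.toByteArray()))) {
                    return false;
                }
            }
            return signers.length > 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    // Called once a fresh token replaces one the IdP invalidated: every registered app is told,
    // so none keeps replaying the dead token and triggers a needless re-login.
    void replaceToken(String newToken) {
        currentToken = newToken;
        int n = listeners.beginBroadcast();
        for (int i = 0; i < n; i++) {
            try {
                listeners.getBroadcastItem(i).onTokenReplaced(newToken);
            } catch (RemoteException e) {
                // the listener's process is gone; RemoteCallbackList drops dead callbacks itself
            }
        }
        listeners.finishBroadcast();
    }

    static String sha256Hex(byte[] der) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The service should additionally be declared in the manifest behind a signature-level permission so that unrelated apps cannot even bind to it; the certificate check above is what stops an app that has that permission, or a repackaged copy of a participant, from obtaining the token. If a participating app rotates its signing key with APK Signature Scheme v3, the manager needs the new certificate hash added to its list (the old one can be checked against the package's signing certificate history), which is the "dynamic list" maintenance problem the paper notes, now confined to a single component.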
4.1 Examining the Control Flow in a Threat Model

Figure 3: Mobile SSO with a Manager Threat Model (diagram; App One and App Two each communicate over IPC with the Mobile SSO Manager, which alone talks to the SSO identity provider in the organizational domain. Trust zones: TZ-01 Mobile Device; TZ-02 to TZ-04 the three application sandboxes; TZ-05 Organizational Domain.)

This model adds a mobile SSO manager (Figure 3). This increases the attack surface by adding a new application and exposing an IPC interface between the mobile SSO manager and the applications wishing to perform SSO. However, in this system the user's authentication credentials are handled only by the mobile SSO manager and the SSO identity provider. Individual applications leveraging the SSO infrastructure never process user credentials, drastically reducing the exposure of those credentials.

4.2 Concerns in Native SSO with a Manager

In addition to all the previously examined concerns and controls, native SSO with a manager carries an additional risk in the mobile SSO manager client itself. If the mobile SSO manager is not developed in house, it should be analyzed and tested to ensure it is robust enough to protect against all of the previously mentioned attack vectors. While not a security issue, switching applications to perform authentication may negatively impact the user experience. Users may find the change to SSO jarring, especially on devices with poorer performance.
5 Back to Single Identity

Organizations considering a new mobile single sign-on scheme must address the following questions:

How are applications verifying the authenticity of other applications before delivering the SSO token?
Is the SSO token being stored, and if so, is it being stored securely?
If the security of one application is compromised, is the integrity of all applications compromised?

After analyzing each of the current solutions for leveraging existing infrastructure, the single identity provider approach becomes much more appealing. End-users know when they are authenticated and when they need to log in again when launching an application. Single identity provides a consistent end-user experience as well as significant security benefits.

When introducing mobile single sign-on, the SSO token has to be shared on the mobile device. In this scenario the IPC between applications must be locked down, including a secure scheme for the applications to authenticate one another. Another factor to consider is that while a mobile device is a personal device, threats such as mobile malware and device loss mean the SSO token is at risk.

Single sign-on's goal is to provide a convenient and secure way for end-users to authenticate. For web-based applications, existing SSO infrastructure does this well. Native mobile applications can have convenience or security, one or the other, because on a mobile device the user's account can be accessed if the SSO token is intercepted or captured by malicious code on the device. For mobile applications, convenience and security can be reconciled through a combination of long-running application sessions and a step-up authentication scheme for sensitive or high-value transactions.
About the Author

Jacob Ewers is a Senior Security Consultant at Cigital, Inc. working in the mobile space as a mobile security architect and vulnerability assessor. Jacob has worked across many Fortune 500 companies in a vast number of industry verticals, helping development organizations build security into their applications. Jacob is also an instructor for Cigital's Defensive Programming for Android class and is the author of numerous training courses, including Foundations of Mobile Security.

About Cigital

Cigital is one of the world's largest application security firms. We go beyond traditional testing services to help organizations find, fix and prevent vulnerabilities in the applications that power their business. Our holistic approach to application security offers a balance of managed services, professional services and products tailored to fit your specific needs. We don't stop when the test is over. Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications.

Cigital, Ridgetop Circle, Suite 400, Dulles, VA
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationAn Overview of Samsung KNOX Active Directory-based Single Sign-On
C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android
More informationHayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks
EXTENDING ACCESS WHILE ENHANCING CONTROL FOR YOUR ORGANIZATION S DATA LEVERAGE THE POWER OF F5 AND ORACLE TO DELIVER SECURE ACCESS TO APPLICATIONS AND DATABASES Hayri Tarhan, Sr. Manager, Public Sector
More informationVidder PrecisionAccess
Vidder PrecisionAccess Security Architecture February 2016 910 E HAMILTON AVENUE. SUITE 410 CAMPBELL, CA 95008 P: 408.418.0440 F: 408.706.5590 WWW.VIDDER.COM Table of Contents I. Overview... 3 II. Components...
More informationChapter 10. Cloud Security Mechanisms
Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based
More informationEnterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect
Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment Paul Luetje Enterprise Solutions Architect Table of Contents Welcome... 3 Purpose of this document...
More informationMobile Mobile Security COPYRIGHT 2014 INTUITION ALL RIGHTS RESERVED. Copyright 2014 Intuition
Mobile Mobile Security COPYRIGHT 2014 INTUITION ALL RIGHTS RESERVED 1 Background Traditionally, security has not been a high priority for e-learning; as such content was hosted and only accessible at the
More informationAPPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced
More informationImprove your mobile application security with IBM Worklight
Improve your mobile application security with IBM Worklight Contents 1 Introduction 2 IBM Worklight overview 4 Enabling mobile security with IBM Worklight 6 Integrating IBM Worklight with enterprise security
More information10 Quick Tips to Mobile Security
10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22
More informationWHITE PAPER SECURE, DEPLOYABLE BILATERAL (CLIENT/SERVER) AUTHENTICATION
WHITE PAPER SECURE, DEPLOYABLE BILATERAL (CLIENT/SERVER) AUTHENTICATION SecureAuth Secure, Deployable Bilateral (Client/Server) Authentication As enterprises move their applications to the Web and mobile
More informationSecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates
SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates As enterprises move their applications to the Web and mobile platforms, providing strong security
More informationMedia Shuttle s Defense-in- Depth Security Strategy
Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among
More informationSymantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management
Mobile Application Management and Protection Data Sheet: Mobile Security and Management Overview provides integrated mobile application and device management capabilities for enterprise IT to ensure data
More informationActive Directory Compatibility with ExtremeZ-IP
Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices White Paper Group Logic White Paper October 2010 About This Document The purpose of this technical paper is to discuss how ExtremeZ-IP
More informationMOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com
MOBILITY Transforming the mobile device from a security liability into a business asset. pingidentity.com Table of Contents Introduction 3 Three Technologies That Securely Unleash Mobile and BYOD 4 Three
More informationVIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division
VIDEO Intypedia013en LESSON 13: DNS SECURITY AUTHOR: Javier Osuna García-Malo de Molina GMV Head of Security and Process Consulting Division Welcome to Intypedia. In this lesson we will study the DNS domain
More informationClient Security Guide
Client Security Guide NEXT GENERATION CLOUD-SECURITY www.exacttarget.com NEXT GENERATION CLOUD-SECURITY Companies across the globe are facing continuously evolving threats focused on obtaining an individual
More information{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com
{ipad Security} plantemoran.com for K-12 Understanding & Mitigating Risk Plante Moran The ipad is in K-12. Since its debut in April 2010, the ipad has quickly become the most popular tablet, outselling
More informationActive Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper
Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.
More informationTenable for CyberArk
HOW-TO GUIDE Tenable for CyberArk Introduction This document describes how to deploy Tenable SecurityCenter and Nessus for integration with CyberArk Enterprise Password Vault. Please email any comments
More informationOctober 2014. Application Control: The PowerBroker for Windows Difference
Application Control: The PowerBroker for Windows Difference October 2014 1 Table of Contents Introduction... 4 The Default-Deny Approach to Application Control... 4 Application Control s Dependence on
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationChapter 6: Fundamental Cloud Security
Chapter 6: Fundamental Cloud Security Nora Almezeini MIS Department, CBA, KSU From Cloud Computing by Thomas Erl, Zaigham Mahmood, and Ricardo Puttini(ISBN: 0133387526) Copyright 2013 Arcitura Education,
More informationCOMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:
More informationOWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.
OWA vs. MDM Introduction SmartPhones and tablet devices are becoming a common fixture in the corporate environment. As feature phones are replaced with new devices such as iphone s, ipad s, and Android
More informationSecuring Office 365 with MobileIron
Securing Office 365 with MobileIron Introduction Office 365 is Microsoft s cloud-based productivity suite. It includes online versions of Microsoft s most popular solutions, like Exchange and SharePoint,
More informationCloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive
Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise
More informationBASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS
BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices
More informationPCI Security Standards Council
PCI Security Standards Council Ralph Poore, Director, Emerging Standards 2013 About PCI Emerging Technologies OWASP and Mobile Guidelines About PCI About the PCI Council Open, global forum Founded 2006
More informationHow to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG)
How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG) Introduction Understanding Forefront Threat Management Gateway (TMG) Network Topology Understanding Forefront Threat Management
More informationAndroid Security. Device Management and Security. by Stephan Linzner & Benjamin Reimold
Android Security Device Management and Security by Stephan Linzner & Benjamin Reimold Introducing Stephan Linzner Benjamin Reimold Consultant, Software Engineer Mobile Developer Founder of Stuttgart GTUG
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationAssuring Application Security: Deploying Code that Keeps Data Safe
Assuring Application Security: Deploying Code that Keeps Data Safe Assuring Application Security: Deploying Code that Keeps Data Safe 2 Introduction There s an app for that has become the mantra of users,
More informationCentrify Mobile Authentication Services
Centrify Mobile Authentication Services SDK Quick Start Guide 7 November 2013 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationMobile First Government
Mobile First Government An analysis of NIST and DISA requirements for the adoption of commercially available mobility platforms by government agencies August 2013 415 East Middlefield Road Mountain View,
More informationSymantec Mobile Security
Advanced threat protection for mobile devices Data Sheet: Endpoint Management and Mobility Overview The combination of uncurated app stores, platform openness, and sizeable marketshare, make the Android
More informationRSA SecurID Ready Implementation Guide
RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 18, 2006 Product Information Partner Name Microsoft Web Site http://www.microsoft.com/isaserver Product Name Internet
More informationAn Overview of Samsung KNOX Active Directory and Group Policy Features
C E N T R I F Y W H I T E P A P E R. N O V E M B E R 2013 An Overview of Samsung KNOX Active Directory and Group Policy Features Abstract Samsung KNOX is a set of business-focused enhancements to the Android
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationS ven. Tips to Keep Financial Apps Safe & Secure
S ven Tips to Keep Financial Apps Safe & Secure Mobile applications provide users with access to critical information while on the go. In order to quickly empower users with immediate access to their financial
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document
More information