The Seven Habits of State-of-the-Art Mobile App Security

Transcription

1 #mstrworld The Seven Habits of State-of-the-Art Mobile App Security Mobile Security 8 July 2014 Anand Dwivedi, Product Manager, MicroStrategy strworld

2 Agenda - Seven Habits of State of the Art Mobile App Security Mobile Security in General Risks 7 Pillars to be Considered Modern Protocols and Methods Secure Architecture Models VPN HTTPS Enhanced MicroStrategy Model MicroStrategy Configuration Options Device Application Mobile Server

3 Mobile Security Risks? Yet another exposure point Devices may be lost or stolen BYOD (Bring your own device) Jailbreak/rooting easy to achieve Not so Much! Control Technical community is actively searching for weaknesses in smart-phone security Malware threat is growing Hackers may compromise confidential data from the device and recover passwords

4 Mobile Security Risks? - Cont d Servers exposed to the Internet are subject to web-based attacks Unauthorized users may gain access to your system Impostors may engage in deception under a false identity Denial of service may bring down the server WiFi connections can be compromised WEP (Wired Equivalent Privacy) Most common protocol Currently considered not secure WPA (WiFi Protected Access) Used in commercial WiFi systems Extremely difficult to compromise

5 What kind of data can be compromised? Names, Telephone Numbers - Contact Information Addresses Text Messages Notes Browser history Application Data (Financial Numbers, Forecasts) Trade Secrets...And On

6 How can Mobile Security Risks be Mitigated? Seven Pillars of a Mobile Security Model: ISP Router 1. Communications Security 2. Authentication 3. Device Security 4. Data Security 5. Network Security 6. Application Security 7. Operations Security Processes LDAP Server DMZ MicroStrategy Mobile Server Firewall Firewall MicroStrategy Intelligence Server Communication - Information Flow MD DWH

7 Mobile Security - Custom Models, A Balancing Act Seven Pillars of a Mobile Security Model: Fully Open - Unsecured 1. Communications Security 2. Authentication 3. Device Security 4. Data Security 5. Network Security 6. Application Security 7. Operations Security Full Lock Down Least Secure Most Secure Tolerance to Risk vs. Corporate and User Needs Security Functionality Ease of Use

8 Tools Used to Mitigate Security Risks Tool Usage Example(s) Symmetric Encryption Protect data at rest or in transit AES, RC4,RC2,Blowfish Asymmetric Encryption Secure Hash Function Bricks and Pipes Single sign on (SSO) Exchange Symm. Keys Digital Signature Authentication (x509 certificates) Validate Passwords for user authorization Restrict/protect data traffic flow Authorizes users into enterprise network RSA Algorithm Diffie-Hellman SHA-1, MD5 Firewalls, Routers, proxy servers Siteminder Tivoli, RSA

9 Symmetric vs. Asymmetric Cryptography (The Key Difference is the Key) Hello! 6&%3!aO! Hello! Hello! 6&%3!aO! Hello! Symmetric Encryption Asymmetric Encryption

10 Symmetric Encryption Things to Note Not all symmetric algorithms provide the same degree of protection - DES (Data Encryption Standard) generally considered as vulnerable - RC4 weaknesses have been identified (may be ok for short transmissions) - AES (Advaned Encryption Standard) generally considered to be strong Protection of the key is vital to security - Key exchange must be as secure as possible Performance of crypto-algorithms on mobile devices can be an issue - For Apple devices, encrypting and decrypting information is implemented at the hardware level so there is as little impact as possible to the performance of applications when using symmetric encryption.

11 Asymmetric Encryption - Things to Note Also known as Public Key Cryptography Key Points - Relies on two keys one for encryption, one for decryption - Computationally difficult to derive encryption key knowing only decryption key and algorithm Common Uses - Creates and distributes electronic session key for Symmetric Encryption - Provides Digital Signature to prove data comes from a trusted source

12 Public Key Cryptography - Operation Encrypt Data p(m) Encrypt Data q(m) Server - Sender 1. Generate Private/Public Key Pair p, q 2. Give Public Key to Receiver (q) 3. Protect Private Key (p) 4. Encrypt /Decrypt message using private key Device - Receiver 5. Store Public Key of Server (q) 6. Encrypt/Decrypt message using public key

13 Asymmetric Encryption X.509 Certificates Certificate Authority Collects Applicant s Money Validates Applicant s Identity Issues Digital Certificate Issues Private Key X.509 Certificate Private Key Version Unique Serial Number Certificate Signature Algorithm CA Name Validity Period Subject Name Public Key Algorithm Subject Public Key CA Signature 13

14 Secure Hash Function - Checks integrity of files and encrypts passwords Characteristics - Converts an arbitrary string of text into a fixed-size string ( hash ) - Easy to compute - Given the hash value it is computationally infeasible to produce the original text - Impossible (or nearly so) to find two different strings that produce the same hash Applications - Password verification (store hash instead of password) - Message integrity Example: SHA-1 (160 fixed bit value)

15 Secure Hash Function - Application User provides credentials, password is hashed ray/pswd1! Secure Hash ray 19OPLL7XXYR@ User password is checked against the hashed version not the actual value Compromised hash value is not a security threat ray/pswd1! ray Hash(pswd1!)= 19OPLL7XXYR@

16 Network Layer: Firewalls, Routers, and Proxy Servers (Bricks and Pipes) Firewall Filters traffic at the network layer (prevent certain data from reaching the internet) Can be used in combination to isolate sensitive traffic internally and prevent external access to internal resources Latest firewalls can work at application level Can thwart denial of service attacks Router Basic plumbing for data traffic on internal network Moves data between computers Moves data between internal networks Proxy Server Can hide internal addresses from external internet Can filter based on incoming IP address Provide SSL connectivity

17 Single SignOn - The Basic Mechanism Device side Application Supports: HTML Forms Consumption Allows Custom Logon Screen Work-flow

18 Single SignOn - Microstrategy SDK (Extending OOB Capabilities) Application Device Side X-Code allows edits of uncompiled Objective C code Source code is protected but several customizations are possible: - Rebranding - Springboard icon - Splash image page - Opening logo animation - Method Swizzling Mobile Server Side Java Task Framework - Mobile Logon Task...Can edit to run against virtually any 3rd party or custom authentication authority Supported OOB Tivoli Siteminder Most Custom 3rd Party Options XML Configuration Files

19 Putting it all together - Transport Layer Security (TLS), also SSL Hello! Hello Back!, Server sends Certificate Asymmetric Client Cert, Key Exchange, Verify Creates Session Key Trust Established Encrypted Communication Symmetric Uses Session Key to Encrypt

20 Authentication Layer - Virtual Private Network (VPN)

21 Authentication Layer - Virtual Private Network (VPN)

22 Authentication Layer - Virtual Private Network (VPN)

23 HTTPS

24 HTTPS - A Sample Client Architecture

25 MicroStrategy Enhanced Mobile Security Architecture Firewall MicroStrategy Cer?ficate Server Firewall LDAP Server X.509 Cer?ficate Request CRL Cer?ficate Revoca?on List MD HTTPS (AES) MicroStrategy Mobile Server MicroStrategy Intelligence Server DWH

26 Comparison of Mobile System Security Solutions

27 Mobile Device Level Security - Leverage native protection features Passcode Protec?on Require Alpha Character Minimum Length Minimum Number of Complex Characters Expira?on (1-730 days) Auto- Lock (1-5 minutes, or none) Grace Period for Device Lock Passcode History Maximum number of Failed A[empts iphone/ipad devices provide the necessary tools to protect informa?on in an efficient way Hardware Encryp?on/Decryp?on (iphone 3GS and later) (All ipads)

28 Data Security - MicroStrategy /Database Security - Implementation Objects Privileges Relates to a user s ability to perform certain functions/tasks Mobile Exporting Drilling Object Permissions via ACL (Access Control List) Provides user, group, role access/restriction on project metadata objects Security Filters (Could use System User Prompt) Introduces column in database tables for user or group or role End user only sees that row if they have explicit access

29 Data Security - MicroStrategy /Database Security - Users, Groups, Roles Users Are iden?fied by a Unique Login and User Name Users are Defined in the Metadata Repository User Exist Across Mul?ple Projects User Groups Are a Set of Users Privileges and ACLs can be Assigned to User Groups User Group Privileges Apply to All Projects Security Roles Are a Set of Privileges Security Roles can be assigned to Users and/or Specific Groups Security Roles Apply to Specified Individual Projects and ACLs can be Assigned to User Groups

30 Network/Emissions Security Data Encryption (WiFi Protected Access) - WPA - WPA2 Can use AES encryption Disable identifier broadcasting Maintain wireless emissions within corporate boundaries

31 MicroStrategy Application Security MicroStrategy Mobile Server MicroStrategy Intelligence Server Web User Authen?ca?on Support for SSO Integra?on Link Encryp?on User Authen?ca?on Standard LDAP Database NT Expira?on can be set to force entering MicroStrategy user creden?als when opening the applica?on. User creden?als are stored encrypted on device. Creden?als can op?onally be cleared when opera?ng with single sign- on solu?ons. Applica?on data is encrypted on device. Caches can be cleared when exi?ng the applica?on. ios isola?on protects App data from other Apps. Apps are signed to ensure the App is authen?c. Run?me checks enforce App Security. Password required a`er?meout or suspended state (Confiden?al Project Mode) Single sign- on support. LDAP, Kerberos, NT Integra?on. Independent Third Party Security Tes?ng

32 Mobile Server and Device Authentication Device Level and Application Authentication Device ios Profile Logon Network Logon (if using VPN or Tunnel) Microstrategy Project Meta-Data Logon Standard Windows LDAP Database Mobile Server Authentication Account/Logon that Mobile Server Web Pool Runs Under Anonymous Basic Windows (Service Account)

33 Mobile Server Configuration - Admin Settings

34 User Configuration for the Microstrategy Mobile Application

35 Operational Security Establish Security Policy - Passcode Required - Passcode Complexity Procedures for Reporting Lost/Stolen Device Device Management - Proactive Monitoring - Response to lost/stolen device report Information Management - Policies for handling of sensitive data - Sensitivity Reduction - Information Deception Situational Awareness - Keep users informed of the importance and impact of their actions Ensure proper placement and operation of WiFi Equipment

36 36 Multiple Layers of Protection = Low Vulnerability

37 MDM - Mobile Device Management An MDM Strategy would support: Benefits of an MDM Integration:

38 MicroStrategy App Passcode

39 For More Details

40 El fin! Thank You for Attending!! Anand Dwivedi Product Manager, Mobile Ray Bennett Director, Mobile Center of Excellence