The increasing popularity of mobile devices is rapidly changing how and where we

Transcription

1 Mobile Security

2 BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to empower their employees through Bring Your Own Device (BYOD) programs that aim to facilitate personal devices for work purposes. Employees prefer to not carry around multiple mobile devices. Companies are also happy, as this practice reduces costs and increases productivity of the workforce. However, this growing trend also introduces less secure mobile devices with access to sensitive corporate information and IT. As organizations adapt to such changes, their information security departments are starting to enforce strict Acceptable Use and Security policies. In an effort to protect against potential device data theft, it s important for organizations to manage what content personal mobile devices have access to. 1

3 CORNERSTONE STATEMENT OF SECURITY Cornerstone only employs the highest industry practices ensuring both security and performance are at the forefront of our products. Top tier security is applied to all customer proprietary information and content secured in our cloud-based servers, on employee devices, and among mobile devices. Network security and performance are vital areas of our business and are part of our primary objectives toward achieving best-in-class security, availability, scalability, and manageability for our mobile offering. Cornerstone implements a breadth of security techniques to provide multiple layers of protection against possible intrusion. Industry standard security controls including data encryption and Secure Sockets Layer (SSL) technology are used throughout the application. Our technology infrastructure is maintained through regular updates and rigorous testing to improve the protection of our customers information and data at every corner. 2

4 CORNERSTONE MOBILE ARCHITECTURE The Cornerstone mobile application is a cross-platform native HTML5 hybrid application supported on both ios and Android smartphone and tablet devices. In addition, the application is accessible via mobile browser on all platforms. 3

5 DEFINITIONS HTTPS Hypertext Transfer Protocol Secure sockets provide encrypted communication between the MLP servers and apps that run on all activated mobile devices. SAAS Software as a Service is a model for the delivery of a software platform where a software provider hosts and maintains a product and all data associated with it. Typically the provider is the software vendor themselves. SSO Single sign-on is a property of access control of multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. SAML Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization data between security domains that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SSL SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. XML Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. 4

6 MOBILE AUTHENTICATION The Mobile application has three methods of login: username/password, device registration, and Single Sign On (SSO). 1. The username/password method submits the user s credentials over HTTPS to Cornerstone s standard login procedure. It is secured using the same SSL security with 128 bit HTTPS encryption as the main Cornerstone login. 2. Device registration uses the oauth protocol to authenticate requests. Authentication signs every request using a combination of user s token (stored on the device), a secret token (stored on the device), PIN, timestamp, and nonce. Each request is validated by our STS authenticator and is encrypted using the same SSL certificates used by our standard username/password login process with 128 bit encryption. At any point the user can remove their registered device. 3. SSO authentication uses SAML 2.0 SP-Initiated authentication, an XML-based standard for exchanging authentication and authorization data between security domains that is, between an identity provider (IDP), producer of assertions on the client side, and a service provider (SP), a consumer of assertions on the Cornerstone side. Clients that implement SSO using the SAML solution typically have a SAML/IDP server in place and have used it to integrate SSO with other applications. 5

7 MOBILE SECURITY WORKFLOW SaaS HTTPS In the Cloud User Management & Authentication Content Management & Distribution Preferences and Security Multi-product Integration Over the Air Latency & Offline Access Information Privacy Real-time Synchronization SSL On Device Single Sign-On (SSO) 128 Bit HTTPS Encryption 256 AES Encryption for Locally Stored Data Session Timeout 6

8 AUTHENTICATION VIA SSO CLIENT APPLICATION PLATFORM SSO FRAMEWORK IDP Client initiates SSO authentication request Platform sends HTTP redirect through user s browser to IDP SSO service Client login Platform returns response to client IDP sends back response Platform processes IDP response; transforms to format expected by client 7

9 AUTHENTICATION VIA SSO The sequence diagram on the previous page outlines the detailed interactions between the client application, the platform SSO framework, and the IDP system. A user attempts to access a protected resource directly on an SP site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IDP. The SP sends an authentication request to the IDP. Both the request and the returned SAML assertion are sent through the user s authentication page via HTTP POST. The detailed steps are as follows: 1. The client application initiates a Platform SSO request with user name and corp to access a protected SP resource. 2. The SSO platform sends a URL back to the client application. The client application then redirects the user through a new browser window and will result in a HTML form with the SAML request authentication sent to the IDP. 3. The IDP asks the user for their network/active directory credentials (e.g., username and password) and the user logs in. 4. The IDP s SSO service returns the authentication assertion to the SSO Platform. 5. The SSO Platform processes the response from the IDP and transforms it into a response format expected by the client. 6. The authentication response is then sent back to the client. 8

10 MOBILE PREFERENCES Within the main Cornerstone application, clients have the ability to update mobile preferences by OU (organizational unit) and turn features on/ off as desired. This allows more flexibility on which features appear in the slide out menu of the mobile application as well as determine which screen is the default landing page when a user signs in. In addition, all of the security permissions defined by system administrators throughout the web application will be applied within the mobile application. 9

11 LIMITATION OF ATTEMPTS USERNAME/PASSWORD LOGIN: A user can attempt to log in 5 times before their account is locked. On the 6th incorrect attempt, the account is locked. PIN: Allows for unlimited attempts. SSO: Number of attempts is dependent on client configuration and is not controlled by Cornerstone OnDemand. 10

12 LOCALLY STORED DATA & OFFLINE AUTHENTICATION Upon successful login with either username/ password or PIN, we will write a user s corp, username, and a hashed password into our encrypted database (256 bit AES encryption). The database encryption key is unique to each device. With Mobile offline, all data written to the database will be protected by SQL Cipher, which is one of the most popular secure database solutions used by companies such as Salesforce, RSA, UBS, JP Morgan, and others. 11

13 JAIL BROKEN PHONES A jail broken phone will share its data via Wi-Fi, Bluetooth, or direct with USB. A mobile database will not be protected by Cornerstone OnDemand if the device is jail broken. Clients accept all risk for devices that are jail broken. 12

14 GENERAL Application Removal/Deletion When the application is removed from the user s mobile device, the user s name and all secure encrypted items are removed from the device. The user must manually remove the application from the mobile device. Timeout Conditions When using username/password logins, the system uses Session and respects the corp setting for Session timeout. Device registration does not have a timeout condition. Timeout conditions are dependent on the default timeout configured within the web application. App Store Certification When we deploy to Apple ios and Google Play app stores, we follow the respective stores best practices for deployment. Cornerstone OnDemand is a leader in cloud-based applications for talent management. Our solutions help organizations recruit, train, manage and connect their employees, empowering their people and increasing workforce productivity. To learn more, visit csod.com Cornerstone OnDemand, Inc. All Rights Reserved. csod-wp-mobile Security