Mobile Security
BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business-related content. Mobile workforce expectations are forcing organizations to empower their employees through Bring Your Own Device (BYOD) programs that aim to facilitate personal devices for work purposes. Employees prefer not to carry around multiple mobile devices. Companies are also happy, as this practice reduces costs and increases productivity of the workforce. However, this growing trend also introduces less secure mobile devices with access to sensitive corporate information and IT. As organizations adapt to such changes, their information security departments are starting to enforce strict Acceptable Use and Security policies. In an effort to protect against potential device data theft, it's important for organizations to manage what content personal mobile devices have access to.
CORNERSTONE STATEMENT OF SECURITY Cornerstone only employs the highest industry practices, ensuring both security and performance are at the forefront of our products. Top-tier security is applied to all customer proprietary information and content secured in our cloud-based servers, on employee devices, and among mobile devices. Network security and performance are vital areas of our business and are part of our primary objectives toward achieving best-in-class security, availability, scalability, and manageability for our mobile offering. Cornerstone implements a breadth of security techniques to provide multiple layers of protection against possible intrusion. Industry-standard security controls, including data encryption and Secure Sockets Layer (SSL) technology, are used throughout the application. Our technology infrastructure is maintained through regular updates and rigorous testing to improve the protection of our customers' information and data at every corner.
CORNERSTONE MOBILE ARCHITECTURE The Cornerstone mobile application is a cross-platform native HTML5 hybrid application supported on both iOS and Android smartphone and tablet devices. In addition, the application is accessible via mobile browser on all platforms.
DEFINITIONS
HTTPS: Hypertext Transfer Protocol Secure. Provides encrypted communication between the MLP servers and the apps that run on all activated mobile devices.
SAAS: Software as a Service is a model for the delivery of a software platform where a software provider hosts and maintains a product and all data associated with it. Typically the provider is the software vendor itself.
SSO: Single sign-on is a property of access control across multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.
SAML: Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
SSL: Secure Sockets Layer is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and intact.
XML: Extensible Markup Language is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
MOBILE AUTHENTICATION The Mobile application has three methods of login: username/password, device registration, and Single Sign-On (SSO).
1. The username/password method submits the user's credentials over HTTPS to Cornerstone's standard login procedure. It is secured using the same SSL security with 128-bit HTTPS encryption as the main Cornerstone login.
2. Device registration uses the OAuth protocol to authenticate requests. Authentication signs every request using a combination of the user's token (stored on the device), a secret token (stored on the device), the PIN, a timestamp, and a nonce. Each request is validated by our STS authenticator and is encrypted using the same SSL certificates used by our standard username/password login process, with 128-bit encryption. At any point the user can remove their registered device.
3. SSO authentication uses SAML 2.0 SP-initiated authentication, an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (IDP), the producer of assertions on the client side, and a service provider (SP), the consumer of assertions on the Cornerstone side. Clients that implement SSO using the SAML solution typically have a SAML/IDP server in place and have used it to integrate SSO with other applications.
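The device-registration method above signs every request with device-held tokens, the PIN, a timestamp and a nonce, and an authenticator validates each one. The following is an added example, not Cornerstone's code, of how such a scheme is typically built and checked on the validating side: the device signs a canonical string with a per-device secret, and the validator rejects stale timestamps, replayed nonces and bad signatures. The header names, the HMAC-SHA256 construction, the five-minute acceptance window and the idea that the validator holds the PIN alongside the device secret are all assumptions made for this illustration.

```python
"""Added example (not Cornerstone's code): signed, replay-resistant requests of
the device-registration kind described above. Header names, the HMAC-SHA256
signing construction and the five-minute window are assumptions."""
import hashlib
import hmac
import secrets
import time

TIMESTAMP_WINDOW = 300  # assumed: seconds of clock skew the validator tolerates


def canonical_string(method, path, user_token, pin, timestamp, nonce):
    # Fixed field order so device and validator sign exactly the same bytes.
    return "\n".join([method.upper(), path, user_token, pin, str(timestamp), nonce])


def sign_request(device_secret, user_token, pin, method, path, timestamp=None, nonce=None):
    """Device side: build the headers attached to one API request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, user_token, pin, timestamp, nonce)
    sig = hmac.new(device_secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    # The PIN never travels on the wire; it only contributes to the signature.
    return {"X-User-Token": user_token, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class RequestValidator:
    """Service side (the STS authenticator role in the text)."""

    def __init__(self, devices):
        self.devices = devices   # user_token -> (device_secret, pin); assumed store
        self.seen_nonces = {}    # nonce -> timestamp, for replay detection

    def validate(self, method, path, headers, now=None):
        """Return (accepted, reason) for one incoming request."""
        now = int(time.time()) if now is None else now
        self._purge(now)
        token = headers.get("X-User-Token", "")
        if token not in self.devices:
            return False, "unknown device"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > TIMESTAMP_WINDOW:
            return False, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed nonce"
        secret, pin = self.devices[token]
        msg = canonical_string(method, path, token, pin, ts, nonce)
        expected = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so signature checking leaks no timing signal.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        return True, "ok"

    def _purge(self, now):
        # A nonce older than the window can never validate again, so drop it.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= TIMESTAMP_WINDOW}

    def revoke(self, token):
        """Removing a registered device: its token signs nothing from now on."""
        self.devices.pop(token, None)
```

The nonce store is bounded by the timestamp window: anything outside the window is rejected by the timestamp check before the nonce is consulted, so the validator only needs to remember nonces seen within the last five minutes.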
MOBILE SECURITY WORKFLOW
Figure: Mobile security workflow diagram. In the Cloud (SaaS, HTTPS): User Management & Authentication; Content Management & Distribution; Preferences and Security; Multi-product Integration. Over the Air (SSL): Latency & Offline Access; Information Privacy; Real-time Synchronization. On Device: Single Sign-On (SSO); 128-bit HTTPS Encryption; 256-bit AES Encryption for Locally Stored Data; Session Timeout.
AUTHENTICATION VIA SSO
Figure: Sequence diagram with three participants (Client Application, Platform SSO Framework, IDP). Messages shown: client initiates SSO authentication request; platform sends HTTP redirect through the user's browser to the IDP SSO service; client login; IDP sends back response; platform processes the IDP response and transforms it to the format expected by the client; platform returns response to client.
AUTHENTICATION VIA SSO The sequence diagram on the previous page outlines the detailed interactions between the client application, the platform SSO framework, and the IDP system. A user attempts to access a protected resource directly on an SP site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IDP. The SP sends an authentication request to the IDP. Both the request and the returned SAML assertion are sent through the user's authentication page via HTTP POST. The detailed steps are as follows:
1. The client application initiates a Platform SSO request with username and corp to access a protected SP resource.
2. The SSO platform sends a URL back to the client application. The client application then redirects the user through a new browser window, which results in an HTML form with the SAML authentication request being sent to the IDP.
3. The IDP asks the user for their network/Active Directory credentials (e.g., username and password) and the user logs in.
4. The IDP's SSO service returns the authentication assertion to the SSO Platform.
5. The SSO Platform processes the response from the IDP and transforms it into the response format expected by the client.
6. The authentication response is then sent back to the client.
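To make the six steps concrete, here is an added example, not Cornerstone's SSO framework, of a minimal SP-initiated SAML 2.0 exchange with both sides' messages and the checks the service provider must make before trusting the returned assertion: the InResponseTo value matches an outstanding request, the issuer is the expected IDP, the audience is this SP, the assertion has not expired, and the signature verifies. The entity IDs, URLs and five-minute assertion lifetime are made up, and XML Signature is replaced by an HMAC over the assertion's key fields so that the example runs offline without an XML-DSig library.

```python
"""Added example (not Cornerstone's code): SP-initiated SAML 2.0 exchange with
the validation an SP must perform. XML-DSig is replaced by an HMAC stand-in."""
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION_LIFETIME = 300  # assumed NotOnOrAfter window, in seconds


def _iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def _toy_signature(key, fields):
    # Stand-in for XML-DSig: HMAC-SHA256 over the fields the SP relies on.
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """Cornerstone-side role: issues AuthnRequests and consumes responses."""

    def __init__(self, entity_id, acs_url, idp_entity_id, idp_key):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_key = idp_entity_id, idp_key
        self.pending = {}  # outstanding request ID -> issue time (steps 1-2)

    def build_authn_request(self, now=None):
        now = int(time.time()) if now is None else now
        req_id = "_" + secrets.token_hex(16)
        root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0", "IssueInstant": _iso(now),
            "AssertionConsumerServiceURL": self.acs_url})
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.entity_id
        self.pending[req_id] = now
        return req_id, ET.tostring(root, encoding="unicode")

    def consume_response(self, response_xml, now=None):
        """Steps 4-5: validate the IDP response; returns (name_id or None, reason)."""
        now = int(time.time()) if now is None else now
        root = ET.fromstring(response_xml)
        req_id = root.get("InResponseTo")
        if req_id not in self.pending:
            return None, "unsolicited or replayed response"
        a = root.find(f"{{{SAML}}}Assertion")
        if a is None:
            return None, "no assertion"
        issuer = a.findtext(f"{{{SAML}}}Issuer") or ""
        name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or ""
        cond = a.find(f"{{{SAML}}}Conditions")
        audience = cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") or ""
        not_after = cond.get("NotOnOrAfter", "")
        expected = _toy_signature(self.idp_key, [issuer, name_id, audience, not_after, req_id])
        if not hmac.compare_digest(expected, a.findtext(f"{{{DS}}}Signature") or ""):
            return None, "bad signature"
        if issuer != self.idp_entity_id:
            return None, "unexpected issuer"
        if audience != self.entity_id:
            return None, "assertion not intended for this SP"
        if _iso(now) >= not_after:  # fixed-width ISO strings compare lexically
            return None, "assertion expired"
        del self.pending[req_id]  # each request ID is accepted exactly once
        return name_id, "ok"


class IdentityProvider:
    """Client-side role: authenticates the user (step 3) and signs an assertion."""

    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key

    def handle_authn_request(self, request_xml, authenticated_user, now=None):
        now = int(time.time()) if now is None else now
        req = ET.fromstring(request_xml)
        sp_entity = req.findtext(f"{{{SAML}}}Issuer")
        not_after = _iso(now + ASSERTION_LIFETIME)
        resp = ET.Element(f"{{{SAMLP}}}Response", {
            "ID": "_" + secrets.token_hex(16), "Version": "2.0",
            "InResponseTo": req.get("ID"),
            "Destination": req.get("AssertionConsumerServiceURL")})
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion")
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = self.entity_id
        subject = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID").text = authenticated_user
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotOnOrAfter": not_after})
        ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(ar, f"{{{SAML}}}Audience").text = sp_entity
        ET.SubElement(a, f"{{{DS}}}Signature").text = _toy_signature(
            self.key, [self.entity_id, authenticated_user, sp_entity, not_after, req.get("ID")])
        return ET.tostring(resp, encoding="unicode")


def run_flow(now=None):
    """Walk the whole exchange for one constructed user; returns (name_id, reason)."""
    key = b"constructed-shared-key"  # stand-in for the IDP's signing certificate
    sp = ServiceProvider("https://sp.example/saml", "https://sp.example/acs",
                         "https://idp.example/saml", key)
    idp = IdentityProvider("https://idp.example/saml", key)
    _, request_xml = sp.build_authn_request(now)
    response_xml = idp.handle_authn_request(request_xml, "alice@corp.example", now)
    return sp.consume_response(response_xml, now)
```

The order of checks matters: the signature is verified before any field is trusted, and the pending request ID is only removed on success, so a response that fails validation does not consume the request while a response that succeeds cannot be replayed.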
MOBILE PREFERENCES Within the main Cornerstone application, clients have the ability to update mobile preferences by OU (organizational unit) and turn features on/off as desired. This allows more flexibility over which features appear in the slide-out menu of the mobile application, as well as determining which screen is the default landing page when a user signs in. In addition, all of the security permissions defined by system administrators throughout the web application are applied within the mobile application.
LIMITATION OF ATTEMPTS
USERNAME/PASSWORD LOGIN: A user can attempt to log in 5 times before their account is locked. On the 6th incorrect attempt, the account is locked.
PIN: Allows for unlimited attempts.
SSO: Number of attempts is dependent on client configuration and is not controlled by Cornerstone OnDemand.
LOCALLY STORED DATA & OFFLINE AUTHENTICATION Upon successful login with either username/password or PIN, we will write the user's corp, username, and a hashed password into our encrypted database (256-bit AES encryption). The database encryption key is unique to each device. With Mobile offline, all data written to the database is protected by SQLCipher, which is one of the most popular secure database solutions, used by companies such as Salesforce, RSA, UBS, JP Morgan, and others.
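The section above describes caching the corp, username and a hashed password locally so that the user can be verified offline, and the preceding section describes a five-attempt limit on username/password login. The following is an added example, not Cornerstone's code, of such an offline credential cache: the password is stored only as a salted, iterated PBKDF2 hash in a local SQLite table and verified with a constant-time comparison. Applying the five-attempt lockout to the offline cache is an assumption made here for illustration, as is the PBKDF2 work factor; SQLCipher's encryption of the database file with the device-unique key is not reproduced, since a real application would simply open the file through SQLCipher instead of plain sqlite3.

```python
"""Added example (not Cornerstone's code): an offline credential cache holding
corp, username and a salted PBKDF2 hash, with an assumed five-attempt lockout.
SQLCipher file encryption is not reproduced here."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000   # assumed work factor
MAX_FAILED_ATTEMPTS = 5       # five failures allowed; the sixth locks the account


class OfflineCredentialCache:
    def __init__(self, path=":memory:"):
        # A real app would open this through SQLCipher with the device-unique key.
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS offline_users ("
            "corp TEXT, username TEXT, salt BLOB, pw_hash BLOB, "
            "failed INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0, "
            "PRIMARY KEY (corp, username))")

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def store(self, corp, username, password):
        """Called after a successful online login; the password itself is never stored."""
        salt = os.urandom(16)  # fresh per-user salt so equal passwords hash differently
        self.conn.execute(
            "INSERT OR REPLACE INTO offline_users VALUES (?, ?, ?, ?, 0, 0)",
            (corp, username, salt, self._hash(password, salt)))
        self.conn.commit()

    def verify(self, corp, username, password):
        """Offline check; returns (ok, reason)."""
        row = self.conn.execute(
            "SELECT salt, pw_hash, failed, locked FROM offline_users "
            "WHERE corp = ? AND username = ?", (corp, username)).fetchone()
        if row is None:
            return False, "unknown user"
        salt, stored, failed, locked = row
        if locked:
            return False, "locked"
        # Constant-time comparison of the recomputed hash against the stored one.
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.conn.execute("UPDATE offline_users SET failed = 0 "
                              "WHERE corp = ? AND username = ?", (corp, username))
            self.conn.commit()
            return True, "ok"
        failed += 1
        locked = int(failed > MAX_FAILED_ATTEMPTS)
        self.conn.execute("UPDATE offline_users SET failed = ?, locked = ? "
                          "WHERE corp = ? AND username = ?", (failed, locked, corp, username))
        self.conn.commit()
        if locked:
            return False, "locked"
        return False, f"bad password ({failed} of {MAX_FAILED_ATTEMPTS} failures)"

    def wipe(self):
        """Remove all cached credentials, e.g. when the application is deleted."""
        self.conn.execute("DELETE FROM offline_users")
        self.conn.commit()
```

Because the cache holds only a salted, iterated hash, even a device whose database encryption has been defeated yields no reusable password; the attacker is left with an offline guessing problem whose cost is set by the work factor.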
JAILBROKEN PHONES A jailbroken phone can share its data via Wi-Fi, Bluetooth, or directly over USB. A mobile database will not be protected by Cornerstone OnDemand if the device is jailbroken. Clients accept all risk for devices that are jailbroken.
GENERAL
Application Removal/Deletion: When the application is removed from the user's mobile device, the user's name and all secure encrypted items are removed from the device. The user must manually remove the application from the mobile device.
Timeout Conditions: When using username/password logins, the system uses Session and respects the corp setting for Session timeout. Device registration does not have a timeout condition. Timeout conditions are dependent on the default timeout configured within the web application.
App Store Certification: When we deploy to the Apple iOS and Google Play app stores, we follow the respective stores' best practices for deployment.
Cornerstone OnDemand is a leader in cloud-based applications for talent management. Our solutions help organizations recruit, train, manage and connect their employees, empowering their people and increasing workforce productivity. To learn more, visit csod.com.
2014 Cornerstone OnDemand, Inc. All Rights Reserved. csod-wp-mobile Security 8-2014