SharePlus Enterprise: Security White Paper

Similar documents
When enterprise mobility strategies are discussed, security is usually one of the first topics

Ensuring the security of your mobile business intelligence

User Guide. User Guide 2.1

Enterprise Security with mobilecho

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Microsoft Office365 with Active Directory Federated Services (ADFS) Authenticating Users Using SecurAccess Server by SecurEnvoy

The increasing popularity of mobile devices is rapidly changing how and where we

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

iphone in Business How-To Setup Guide for Users

ipad in Business Security

Secure File Sync & Share with Acronis Access Advanced Date: July 2015 Author: Kerry Dolan, Lab Analyst

iphone in Business Security Overview

Ensuring the security of your mobile business intelligence

Deploying iphone and ipad Security Overview

Advanced Configuration Steps

iphone in Business How-To Setup Guide for Users

Resco Mobile CRM Security

WHITE PAPER Secure mobile computing and business intelligence on Apple and Android mobile devices

WHITE PAPER Secure mobile computing and business intelligence on Apple and Android mobile devices

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

User Guide. Version 1.0

BIG-IP Access Policy Manager Tech Note for BIG-IP Edge Client App for ios

Deploying RSA ClearTrust with the FirePass controller

Deploying iphone and ipad Virtual Private Networks

Mobile Device Management Solution Hexnode MDM

How To Configure SSL VPN in Cyberoam

Sophos Mobile Control Technical guide

SAS Mobile BI Security and the Mobile Device

Salesforce1 Mobile Security Guide

STRONGER AUTHENTICATION for CA SiteMinder

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

Cisco Jabber IM for iphone

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

Mobile Device Management Version 8. Last updated:

Egnyte App for Android Quick Start Guide

FileCloud Security FAQ

ADDING STRONGER AUTHENTICATION for VPN Access Control

Security Overview Enterprise-Class Secure Mobile File Sharing

Generating an Apple Push Notification Service Certificate

Cloud Services MDM. ios User Guide

Mobile Iron User Guide

Sophos Mobile Control User guide for Apple ios. Product version: 4

Mobile Mobile Security COPYRIGHT 2014 INTUITION ALL RIGHTS RESERVED. Copyright 2014 Intuition

AVG Business SSO Partner Getting Started Guide

company policies are adhered to and all parties (traders,

Building a BYOD Program Using the Casper Suite. Technical Paper Casper Suite v9.4 or Later 17 September 2014

The Top Five Security Challenges Presented by Mobile SharePoint Access

mobilecho: 5-Step Deployment Plan for Mobile File Management

Securely. Mobilize Any Business Application. Rapidly. The Challenge KEY BENEFITS

Microsoft Outlook Web Access 2003 using Microsoft Internet Information Server v6.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Manual for Android 1.5

Introduction to the EIS Guide

End User Devices Security Guidance: Apple OS X 10.10

Novell Filr. Mobile Client

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data

Workday Mobile Security FAQ

PULSE APPCONNECT. A Micro VPN That Allows Specific Applications on Mobile Devices to Independently Leverage the Connect Secure Gateway.

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

Securing Office 365 with MobileIron

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Web Plus Security Features and Recommendations

RSA SecurID Ready Implementation Guide

Novell Filr 1.0.x Mobile App Quick Start

Technical Whitepaper. Secure Docs

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

Sophos Mobile Control Startup guide. Product version: 3.5

Introduction to the Mobile Access Gateway

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

Workspot, Inc. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: September 16, Product Information Partner Name

Quick Start and Trial Guide (Mail) Version 3 For ios Devices

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

Guidance End User Devices Security Guidance: Apple OS X 10.9

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

Sophos Mobile Control User guide for Apple ios

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Sophos Mobile Control SaaS startup guide. Product version: 6

Mobile Secure Cloud Edition Document Version: Mobile Application Management

Administration Guide

QuickStart Guide for Mobile Device Management

The Security Behind Sticky Password

Mobile Device Management Version 8. Last updated:

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

REDCENTRIC N3 SECURE REMOTE ACCESS SERVICE DEFINITION. SD045 V4.1 Issue Date Page 1 Public

Hosted Microsoft Exchange Client Setup & Guide Book

Copyright 2013, 3CX Ltd.

Sophos Mobile Control Startup guide. Product version: 3

Introduction to the AirWatch Inbox Guide

Copyright 2013, 3CX Ltd.

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

Security for mobile apps

Preparing for GO!Enterprise MDM On-Demand Service

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

Mobility Manager 9.5. Users Guide

Oracle Mobile Security

BlackShield ID Agent for Remote Web Workplace

External Authentication with Windows 2012 R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Transcription:

INFRAGISTICS, INC. SharePlus Enterprise: Security White Paper Security Overview Anand Raja, Gustavo Degeronimi 6/29/2012 SharePlus ensures Enterprise data security by implementing and interoperating with standard security measures. Copyright Infragistics 2012 1

Contents Introduction... 3 Data Storage Security... 4 ios Data Protection... 5 Secure Data Wipe... 5 Secure Data Wipe Triggered by Failed Passcode Entry... 5 Secure Data Wipe Triggered by Authentication Time Bomb... 5 Channel (Communication Security)... 5 Virtual Private Network (VPN)... 6 Secure Sockets Layer (SSL)... 6 Authentication... 6 Windows Integrated Authentication... 6 Form-Based Authentication... 6 Office 365 Authentication... 6 Web Login authentication... 7 Claims-Based Authentication (CBA)... 7 Multi-Factor Authentication... 7 Application-Level Authentication... 7 Passcode Lock... 7 Authorization... 8 Enforcing Business Security Rules by Restricting Specific Functionality... 9 Feature Trimming... 9 Editor White Listing... 10 Trim Copy/Paste... 11 Block Screenshot Capture (ios feature)... 11 Hide lists via Mobile Navigation Settings... 11 Mobile Device Management (MDM) Integration... 12 Good Technology MDM... 13 Copyright Infragistics 2012 2

Introduction SharePlus Enterprise provides secure access to SharePoint sites from mobile devices. Keeping enterprise data secure is the highest priority of SharePlus. To fortify enterprise data security, core security features have been built into the product at each layer. The following is a list of security features that are included in SharePlus Enterprise for ios devices. These features will be described in detail in subsequent sections of this document. Data Storage Security ios Data Protection Data Wipe Channel (Communication) Security VPN SSL Authentication Passcode Lock Authentication Mechanisms Client-side Certificates Two-factor Authentication using one-time Passwords Authorization SharePoint Permissions Enforcing Business Security Rules by Restricting Specific Functionality Feature Trimming Editor White Listing Trim copy/paste (needs customization) Block Screenshot Capture (ios feature) Hide Lists via Mobile Navigation MDM Integration Standard MDM Solutions (Mobile Iron, etc.) Good Technologies Copyright Infragistics 2012 3

Figure 1 Typical Enterprise Deployment Data Storage Security SharePlus offers two features to ensure that data is secure on a user s device: ios Data Protection Secure Data Wipe Copyright Infragistics 2012 4

ios Data Protection SharePlus employs Apple s ios Data Protection feature to keep application data secure. This native ios feature enhances the built-in hardware AES 256-bit encryption by protecting the encryption keys with a user s passcode. This provides an additional layer of protection for application data such as cached documents and user configuration information. The ios Data Protection feature protects data at rest. This includes locking or powering down the device. Secure Data Wipe An administrator can configure a secure data wipe to activate upon failed passcode entry attempts or failed attempts to authenticate to the server. An administrator can also initiate the secure data wipe on-demand by issuing a remote wipe command from a Mobile Device Management (MDM) server. MDM integration will be discussed in a subsequent section of this document. The ios achieves the data wipe by securely discarding the block storage encryption key from ios Effaceable Storage, which renders all data unreadable. Secure Data Wipe Triggered by Failed Passcode Entry SharePlus may be configured centrally to securely wipe all application data upon reaching a configurable amount of failed passcode entry attempts. This feature may be enforced centrally by using the Remote Configuration feature provided by SharePlus. Secure Data Wipe Triggered by Authentication Time Bomb The Authentication Time Bomb feature allows administrators to set a limit on the number of days that a user can use the application without re-authenticating against the server. This feature is most relevant when users are using offline functionality. In the offline mode, it is possible to work with SharePoint data cached on the device after the user authenticates with the server. The Authentication Time Bomb allows an administrator to limit the number of days that the application may be used without re-authenticating to the server. All SharePlus application data will be securely wiped from the device if a user reaches the configurable threshold for failed authentication attempts. Channel (Communication Security) SharePlus communicates with SharePoint Server by accessing the out-of-the-box SharePoint Web Services over the network. Channel security may be enhanced by employing a Virtual Private Network (VPN) and/or by using Secure Sockets Layer (SSL). Copyright Infragistics 2012 5

Virtual Private Network (VPN) Organizations often employ Virtual Private Networks (VPN) to enable secure communication over a public network. VPNs enhance communication security by encrypting the data passing through its channel. SharePlus supports the built-in ios VPN client. This native client supports the following VPN Tunneling protocols: Layer 2 Tunneling Protocol (LT2P) Point-to-Point Tunneling Protocol (PPTP) Internet Protocol Security (IPsec) Once the VPN ios feature has been turned on and a connection is established, SharePlus will utilize the tunnel for server communication. Additionally, the VPN can be set to automatically establish a connection when a SharePlus user attempts to connect to the server. This eliminates the need for the end user to connect to the VPN prior to using the application. Secure Sockets Layer (SSL) Secure Sockets Layer (SSL) is a cryptographic protocol used to facilitate secure communication over the Internet. SharePlus supports SSL, access to certificate enabled repositories, and Self-Signed Certificates. In the case where an Enterprise site uses legacy encryption methods, SharePlus may be configured to set a matching certificate version. Authentication SharePlus supports the following authentication mechanisms: Windows Integrated Authentication This authentication mechanism uses Active Directory (AD) credentials to authenticate against the SharePoint site. User credentials are transmitted to the server where they are authenticated against an Active Directory Server. Form-Based Authentication In this method of authentication, the user s credentials are passed to the server over HTTP as Form data. Office 365 Authentication This mechanism is used with SharePoint Servers hosted by Office 365 on the cloud. Copyright Infragistics 2012 6

When this mechanism is employed, SharePlus renders a browser-like window displaying the Office 365 logon screen. These credentials are then passed to the server for validation. Web Login authentication This mechanism has been implemented to support customized online authentication mechanisms such as Forefront UAG and ISA Server. This authentication method behaves in the same manner as Office 365 authentication. SharePlus presents the user with a browser-like window to enter credentials. The credentials are then authenticated by Office 365 services. Claims-Based Authentication (CBA) Versions of SharePoint 2010 or higher support this method of authentication. Claims-based authentication is based on concept of an identity that works with any Identity System. An Identity is represented by a security token. When a user attempts to obtain access to an application, the user s security token is passed to the application. CBA provides a trust-based system between applications and a centralized provider that issued the token. SharePlus versions 3.2 and higher support CBA. For additional information regarding CBA, please refer to the following White paper: http://technet.microsoft.com/en-us/library/hh487289.aspx Multi-Factor Authentication Multi-Factor Authentication methods such as the use of an RSA token is also supported by SharePlus. Application-Level Authentication Passcode Lock SharePlus provides an optional Passcode lock. When enabled, a user will be prompted for a four digit pin upon opening the application. This lock may also be set to activate upon a configurable amount of inactivity. The lock settings may be centrally enforced by an Administrator using global configuration. Copyright Infragistics 2012 7

Figure 2 SharePlus Passcode Lock Authorization User access to SharePoint resources such as lists and documents is granted in SharePoint Server using permissions. Since SharePlus authenticates with SharePoint Server s web services using the end user s credentials, server-defined authorization rules apply. Therefore, the level of resource access (read/write, etc.) will mirror that which has been set up on the server. For additional information regarding setting up permissions in SharePoint Server, please refer to the following article: http://office.microsoft.com/en-us/windows-sharepoint-services-help/permission-levels-andpermissions-ha010100149.aspx. Copyright Infragistics 2012 8

Enforcing Business Security Rules by Restricting Specific Functionality Enterprises commonly have a need to adjust application functionality based on security rules. These rules may mandate the restriction of application functionality such as saving a SharePoint document locally or sharing files via the WiFi Share feature. SharePlus natively supports this administrative effort through mechanisms that will be discussed in this section. Feature Trimming Feature Trimming allows Enterprise administrators to disable and adjust SharePlus features on a global level. This is facilitated by modifying the SharePlus global remote configuration file. This Enterpriseowned and hosted file is used to set application configuration at a global level. When this file is modified to disable a feature, the change will be affected for all Enterprise SharePlus users. The following list includes, but is not limited to all functional aspects of the application that may be disabled via the Feature Trimming mechanism: Site Administration Adding Sites Deleting Connections Updates to Connections Credential Storage Remembering Last User Name My Site Support My Profile support Local Files Copy to Local Files File browser Emailing Documents Swiping Documents Tabbed Previewing of Documents List Management Advanced Search Offline Mode Favorites Displaying Items Count Items Management Add Edit Copyright Infragistics 2012 9

Delete CheckOut Approve/Reject Copy URL Email URL WiFi Sharing Allow WiFi Sharing Uploading Documents Downloading Documents Open In Functionality Allow Restrict specific third-party application use Printing Allow Printing Enterprise Search Allow Enterprise Search Include Search Scopes Exclude Search Scopes Global Settings Preview Documents On Tap Remove Local Files After Upload Help URL Enable Logging Disable Auto Lock on Preview Disable Device s Auto Lock on Sync Connection Timeout Sync Idle Time User Agent SSL Level Location Services Enable Location Services Auto Start For additional information on remote configuration, please refer to: http://blogs.infragistics.com/blogs/anand_raja/archive/2012/05/01/shareplus-enterprise-configurationoverview.aspx. Editor White Listing Administrators can restrict third-party editors using Editor White Listing. This feature allows administrators to control which third-party editors can be used when editing documents from within SharePlus. Copyright Infragistics 2012 10

Trim Copy/Paste Infragistics can implement custom functionality to restrict copy and paste functionality prior to application deployment. Block Screenshot Capture (ios feature) An administrator can modify user profile settings within the device to disable the ios screen shot feature. Hide lists via Mobile Navigation Settings Administrators can hide specific lists by using the Mobile Navigation feature of SharePlus. This feature allows administrators to modify the manner in which SharePlus works with a list. These list settings can be set via the custom SharePoint list named MobileNavigation, which is depicted in the illustration below. Copyright Infragistics 2012 11

Figure 3 Mobile Device Management (MDM) Integration Mobile Device Management solutions (MDM) allow the Enterprise to secure, monitor, and manage mobile devices. For additional information regarding Mobile Device Management, please refer to the following article: http://www.apple.com/ipad/business/integration/mdm/. SharePlus integrates with all MDM solutions that implement the device management protocol known as OMA Device Management. The Open Mobile Alliance organization has specified this open standard. MDM solutions such as MobileIron and MaaS360 adhere to this protocol. Copyright Infragistics 2012 12

The following SharePlus-related tasks may be performed by an MDM solution: Deployment Configuration Broadcast Secure Data Wipe Good Technology MDM SharePlus also offers advanced integration with the Good Technology MDM solution. In addition to standard MDM integration, the following functionality is available: Transmit email using Good Mobile Messaging Receive files from Good Native Apps For additional information regarding Good Technology, please refer to: http://www1.good.com/mobility-management-solutions/mobile-device-management. Copyright Infragistics 2012 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information