Mobile Security. Policies, Standards, Frameworks, Guidelines




Mobile Security Policies, Standards, Frameworks, Guidelines

Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1)
http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

APPLE iOS 6 TECHNOLOGY OVERVIEW, Version 1, Release 0.1, 31 October 2012. Developed by DISA for the DoD.
http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html

MOBILE DEVICE MANAGEMENT (MDM) SECURITY REQUIREMENTS GUIDE (SRG), Version 1, Release 0.2, Overview, 26 October 2012. Developed by DISA for the DoD.

OpenID

OpenID is just one type of Federated Identity system. OpenID is focused more on the consumer market, whereas FID-proper is focused on the enterprise. OpenID offers the ability for users to log into one website (Facebook, for example) using credentials from another website, such as Google (which is now an OpenID identity provider).

OAuth

OAuth's main goal is to eliminate the need to give website A your username and password for website B, and it determines what website B can get from website A once it has been allowed access.

OpenID is about authentication; OAuth is about authorization.

Security Assertion Markup Language (SAML)

The SAML standard defines a framework for exchanging security information between online business partners. SAML defines a common XML framework for exchanging security assertions between entities.

Security Assertion Markup Language (SAML)

Identity Provider (IdP): the system, or administrative domain, that asserts information about a subject. For instance, the Identity Provider asserts that this user has been authenticated and has the associated attributes.

Service Provider (SP): the system, or administrative domain, that relies on information supplied to it by the Identity Provider. It is up to the Service Provider whether it trusts the assertions provided to it. SAML defines a number of mechanisms that enable the Service Provider to trust those assertions.

Two questions the Service Provider has to answer:
1. How does the relying party trust what is being asserted to it?
2. What prevents a man-in-the-middle attack that grabs assertions to be illicitly replayed at a later date?

The primary mechanism to mitigate or detect such attacks is for the relying party and asserting party to have a pre-existing trust relationship, typically involving a Public Key Infrastructure (PKI).
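The two questions above, as an added example that is not part of the original slides: a Python sketch of the checks a Service Provider runs on an incoming SAML assertion. The XML signature check that realises the PKI trust relationship is delegated to a callback (an XML-DSig library such as xmlsec would supply it; the sample stubs it), while issuer trust, validity window, audience restriction and the replay cache that answers question 2 are implemented in full. The entity IDs and the assertion XML are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class ReplayCache:
    """Remembers assertion IDs until their validity window has closed."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it can be forgotten

    def check_and_add(self, assertion_id, expires_at, now):
        # Entries whose window has passed cannot be replayed any more; drop them.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_entity_id, cache, now,
                       signature_ok, clock_skew=timedelta(seconds=60)):
    """Return (accepted, reason). trusted_issuers maps IdP entity ID -> its
    signing certificate; signature_ok(xml, cert) is the XML-DSig verifier."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:          # question 1: pre-existing trust
        return False, "untrusted issuer"
    if not signature_ok(xml_text, trusted_issuers[issuer]):
        return False, "bad signature"
    cond = root.find("saml:Conditions", NS)
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before or now - clock_skew >= not_after:
        return False, "outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:           # assertion minted for another SP
        return False, "wrong audience"
    if not cache.check_and_add(root.get("ID"), not_after + clock_skew, now):
        return False, "replayed assertion"      # question 2: same ID seen again
    return True, "ok"


# Constructed sample assertion (no real signature element; see signature_ok above).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>"""
```

A signed but unexpired assertion presented twice is rejected by the cache, which is the check a signature alone does not give you.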

Mobile Device Security Standards

Required to cover each type of device: laptop, Windows Mobile, BlackBerry client, iPhone, iPad (iOS 5/6).

Required to cover each type of technology: wireless LAN, Bluetooth.

Mobile Security Standard: ISO 17799:2005

Example: Section 11.7 covers Mobile Computing and Teleworking.
11.7.1 A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
11.7.2 A policy, operational plans and procedures should be developed and implemented for teleworking activities.

ISO/IEC 29176:2011 Information technology -- Mobile item identification and management -- Consumer privacy-protection protocol for Mobile RFID services

ISO/IEC 18028-5:2006 Information technology -- Security techniques -- IT network security -- Part 5: Securing communications across networks using virtual private networks

ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management

ISO/IEC 27001 & 27002 control areas:
Security Policy
Organizational Security Infrastructure
Asset Classification and Control
Human Resource Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Incident Management
Systems Development and Maintenance
Business Continuity Management
Compliance

OWASP Mobile Security Project
www.owasp.org/index.php/owasp_mobile_security_project#tab=top_ten_mobile_risks

This list was initially released on September 23, 2011. A call for volunteers was released in July 2012 for an annual refresh of the Top 10 Mobile Risks.

OWASP Top 10 Mobile Controls
1. Identify and protect sensitive data on the mobile device
2. Handle password credentials securely on the device
3. Ensure sensitive data is protected in transit
4. Implement user authentication/authorization and session management correctly
5. Keep the backend APIs (services) and the platform (server) secure

OWASP Top 10 Mobile Controls (continued)
6. Perform data integration with third-party services/applications securely
7. Pay specific attention to the collection and storage of consent for the collection and use of the user's data
8. Implement controls to prevent unauthorised access to paid-for resources (wallet, SMS, phone calls, etc.)
9. Ensure secure distribution/provisioning of mobile applications
10. Carefully check any runtime interpretation of code for errors

OWASP Mobile Controls
I. Establish coding practices for mobile coding
II. Enforce a higher security posture on the device for sensitive apps used in an enterprise context
III. Protect your application from other malicious applications on the device
IV. Provide or use an existing reporting channel for phishing from apps

The user's authentication and authorization experience should be consistent across both web and native mobile applications. Users will become confused when they're expected to use different credentials and/or a different login ceremony for mobile application models, especially if accessing the same application.

Phishing is becoming a major problem for cloud services and is not diminished when using mobile applications. The user should be given the chance to recognize and trust the authentication service. This means a mobile browser should be used to authenticate the user, the address bar should be visible, and user passwords should not be collected within the native application itself.

What happens when an employee loses their phone? If passwords are left cached on the phone, an organization's data is put at risk. The use of OAuth in combination with SSO allows for seamless access without the risk of caching passwords.

Additional Resources
1. For more information about the Common Criteria, including links to download the complete official criteria, see the Common Criteria portal at www.commoncriteriaportal.org/ and the website of the Common Criteria Evaluation and Validation Scheme (CCEVS) (www.niap-ccevs.org/cc-scheme/).
2. The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, which you can find at www.ietf.org/rfc/rfc2617.txt.
3. For information on the SSL protocol for secure networking, see http://tools.ietf.org/html/draft-ietf-tls-ssl-version3-00. For the TLS protocol, see www.ietf.org/html.charters/tls-charter.html and RFC 5246 at http://tools.ietf.org/html/rfc5246.
4. Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website at http://csrc.nist.gov/cryptotoolkit/aes/rijndael/.
5. For information on Kerberos authentication, see http://web.mit.edu/kerberos/. For information on MIT's Kerberos for Macintosh, see http://web.mit.edu/macdev/development/mitkerberos/mitkerberoslib/common/documentation/kerberosframework.html.
6. See OS X Server Open Directory Administration, available at www.apple.com/server/documentation/, for details on the services that support Kerberos and on how to implement a Kerberos KDC on your OS X server.