Facilitating Secure BYOD: Deep Dive - Simeio Solutions
By Greg Jensen on Dec 11, 2013
In our first post, we explored BYOD, its imminent challenges and the tool sets one can employ to overcome these hurdles. The second post gave you a peek into Mobile Device Management (MDM) and the set of problems it alleviates.
In this post, I will briefly introduce a relatively lesser-known mobile security term, 'App Containerization'. Then we will continue exploring the Oracle Access Manager Mobile and Social (OAMMS) product offerings. This time the emphasis will be on how OAMMS facilitates a secure mobile experience, giving you insight into what really happens behind the scenes.
Mobile Application Containerization: What does it really mean?
As the name indicates, it is a mobile 'application'-level security mechanism, as opposed to 'device'-level protection, with an emphasis on providing finer-grained application-level controls rather than just device-level controls. Application Containerization allows organizations to protect their data on any mobile device by ensuring that security restrictions apply only when the user interacts with enterprise/official business applications.
How is it different from Mobile Device Management?
Mobile Device Management (MDM) empowers IT with device-level controls such as executing a remote data wipe, enforcing a device password policy, etc. It is an indispensable tool for corporations. However, from an end-user perspective, MDM brings to the fore concerns such as:
- Employee privacy invasion - Why should the organization have ACCESS to my personal photos, emails, etc.?
- Employee personal data sustainability concerns - What if my company wipes out ALL of my personal data on my device in order to reduce the risk for a couple of corporate applications?
All that matters is keeping enterprise data secure, not intruding on the user's privacy.
'Containerization' is a technique that helps organizations combine the best of both worlds. It falls under the 'Mobile Application Management' (MAM) domain. This new-generation mobile security technology ensures a tight rein over corporate data on mobile devices without being too intrusive for the end user. Personal and containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container', and communication with corporate servers or other containerized applications is secured.
App Containerization Fundamentals and Strategies
- Works on the concept of 'Sand-boxing' the application execution.
- Provides a secure run-time container for each managed application and its data.
- Clearly segregates personal and corporate applications and associated data irrespective of the device.
A few of the techniques employed for application containerization are listed below.
Application Wrapping
This strategy involves processing the application with an 'App Wrapping' tool that creates a security wrapper around it. The process does not require any additional 'coding'.
Customized Code Based Integration
Specific Software Development Kits (SDKs) can be leveraged to 'code' the functionality that cannot be delivered via 'Application Wrapping'. Mobile application developers can use the APIs in the SDK to weave the capabilities of the mobile security platform into their applications.
This containerization technique installs corporate and personal applications under separate areas that are abstracted as 'personas'.
Applications and data may also be kept within the confines of an encrypted space or folder.
A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.
Where does Oracle come into the picture?
Through its recent acquisition of Bitzer Mobile, Oracle has further strengthened its rich portfolio of mobile security offerings. Oracle can help organizations with comprehensive solutions to manage the security of enterprise data held on employees' mobile devices.
Why Containerize Your Apps?
Containerization improves user experience and productivity as well as ensuring enterprise safety and compliance by:
- Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or other workflows that require multiple applications to work in coherence with each other.
- Restricting a user’s ability to access, copy, paste or edit data held within the application container.
- Enforcing security policies that govern access to the containerized data.
- Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.
Let us pick up the thread from the very first post of this series and take a deep dive into the Oracle Access Manager Mobile and Social product offerings.
Oracle Mobile and Social Feature Set
OAMMS features can be broadly categorized into the following:
Mobile Services
The Mobile Services segment of OAMMS connects mobile devices and applications to existing identity and access management (IAM) services and components, enabling organizations to reap the full benefit of their existing IAM investments.
Salient features of Mobile Services are as follows.
Authentication and Authorization
Under the hood, the basic authentication process is powered by Oracle Access Manager. A typical use case encapsulates the following set of events:
- The user launches the mobile application on his device, which redirects him to the Mobile SSO Agent.
- Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.
- The Mobile and Social server responds with a User Token, which the calling mobile application then uses to request an Access Token.
- Once the Mobile and Social server issues the Access Token, the business mobile application can use it to call the resources and enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.
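The four steps above can be modelled end to end. The following is an added example and not code from the original post or from Oracle's products: the server, the registration handle "crh-1234", the user "alice" and the application id "expenses" are all constructed, and the tokens are opaque random strings looked up server-side (a simplification of the real User Token and Access Token). It shows the two properties the flow is designed for: only the SSO agent ever handles the password, and an access token is bound to one application, so it cannot be replayed against another.

```python
import hashlib
import secrets
import time

# Simplified model of the OAMMS token exchange. All names, the credential
# store and the registration handle are constructed for this example.
SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class MobileSocialServer:
    """Validates credentials plus registration handle; issues user and access tokens."""

    def __init__(self) -> None:
        self.users = {"alice": _hash_password("correct horse")}   # constructed user
        self.registered_handles = {"crh-1234": "device-A"}        # handle -> device id
        self.user_tokens = {}     # opaque token -> {sub, device, exp}
        self.access_tokens = {}   # opaque token -> {sub, aud, exp}

    def authenticate(self, username, password, handle, ttl=300):
        # Step 2: the SSO agent sends user name, password and Client Registration Handle.
        device = self.registered_handles.get(handle)
        stored = self.users.get(username)
        if device is None or stored is None:
            return None
        if not secrets.compare_digest(stored, _hash_password(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.user_tokens[token] = {"sub": username, "device": device, "exp": time.time() + ttl}
        return token

    def issue_access_token(self, user_token, app_id, ttl=60):
        # Step 3: a valid user token is exchanged for an access token bound to one app.
        session = self.user_tokens.get(user_token)
        if session is None or session["exp"] < time.time():
            return None
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = {"sub": session["sub"], "aud": app_id, "exp": time.time() + ttl}
        return token

    def introspect(self, access_token):
        # Used by the protected resource; user tokens are deliberately not accepted here.
        info = self.access_tokens.get(access_token)
        if info is None or info["exp"] < time.time():
            return None
        return info


class ProtectedResource:
    """Stand-in for a resource behind OAM or the gateway, keyed by application id."""

    def __init__(self, server, app_id) -> None:
        self.server, self.app_id = server, app_id

    def get(self, access_token) -> int:
        info = self.server.introspect(access_token)
        if info is None or info["aud"] != self.app_id:
            return 401   # unknown, expired, or issued for a different application
        return 200


class MobileSsoAgent:
    """Only the agent ever handles the password; business apps see tokens only."""

    def __init__(self, server, handle) -> None:
        self.server, self.handle, self.user_token = server, handle, None

    def login(self, username, password) -> bool:
        self.user_token = self.server.authenticate(username, password, self.handle)
        return self.user_token is not None

    def access_token_for(self, app_id):
        if self.user_token is None:
            return None
        return self.server.issue_access_token(self.user_token, app_id)


def run_flow(username, password, handle="crh-1234", app_id="expenses") -> int:
    """Steps 1-4 end to end; returns the HTTP-style status the resource would answer."""
    server = MobileSocialServer()
    agent = MobileSsoAgent(server, handle)
    if not agent.login(username, password):
        return 401
    token = agent.access_token_for(app_id)
    return ProtectedResource(server, app_id).get(token)


if __name__ == "__main__":
    print(run_flow("alice", "correct horse"))                         # 200
    print(run_flow("alice", "wrong"))                                 # 401
    print(run_flow("alice", "correct horse", handle="unregistered"))  # 401
```

The resource checks the token's audience as well as its validity: an access token obtained for "expenses" is refused by a resource for "payroll", and presenting the user token itself to a resource is refused because only access tokens are introspected.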
Authorization is handled by Oracle Entitlements Server (OES), which is driven by policy-based configurations. OES manages authorization for mobile devices and applications with the help of the 'mobile device context', which is a type of 'Identity Context' attribute.
Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction, and it is shared across Oracle's identity and access management components.
Single Sign On
With SSO in place, a user can access multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the device needs to be designated as the mobile SSO agent in order for mobile-based SSO to work.
- The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.
- It orchestrates and manages device registration and risk-based authentication.
- It ensures that the user credentials are never exposed to the mobile business application.
- It can time out idle sessions, manage global logout for all applications, and help with selective device wipes.
Oracle Adaptive Access Manager (OAAM) policies are executed by the OAAM Mobile Security Handler Plug-in.
- The OAAM Security Handler Plug-in creates two security handles:
  - oaam.device handle, which represents the mobile device
  - oaam.session handle, which represents an OAAM login session for a client application
- The above-mentioned handles drive the device registration process.
- OAAM policies can be configured to force the device registration process to require Knowledge Based Authentication (KBA) or a One Time Password (OTP).
Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM).
Lost or Stolen Device Management
The Mobile and Social service works hand in hand with OAAM to counter these risks: it provides a way to tag a device as lost or stolen and then implements policies that are invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.
- If the device has been reported lost or stolen, OAAM can be configured to challenge a user before providing access to the mobile applications and its associated data.
- OAAM policies can also be designed to wipe out the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.
- OAAM policies can be configured to protect against 'jailbroken' devices and wipe out the data; the Mobile and Social service needs to be configured with jailbreak detection enabled.
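The device registration and lost/stolen policies above amount to an ordered rule set evaluated over device context attributes. The following is an added example, not Oracle's policy engine or configuration: the attribute names, the device handles "dev-A" to "dev-C", and the outcomes ALLOW / CHALLENGE / WIPE are constructed to mirror the behaviour the text describes (step-up for unregistered or reported-lost devices, a wipe for jailbroken devices when detection is on, and an optional wipe for lost devices). The engine also keeps an audit trail keyed by the oaam.device and oaam.session handles, which is what an operator would need when reviewing why a device was challenged or wiped.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"   # step-up via KBA or OTP
    WIPE = "wipe"             # selective wipe of the containerized application data


@dataclass(frozen=True)
class DeviceContext:
    """Identity Context attributes the policy sees; values are constructed for the demo."""
    device_handle: str        # stands in for the oaam.device handle
    session_handle: str       # stands in for the oaam.session handle
    registered: bool
    jailbroken: bool


@dataclass(frozen=True)
class PolicyConfig:
    jailbreak_detection: bool = True      # "configured with jailbreak detection on"
    wipe_lost_devices: bool = False       # challenge (False) or wipe (True) on lost/stolen
    registration_challenge: str = "OTP"   # or "KBA"


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str


class DevicePolicyEngine:
    """Ordered rule evaluation over device context, with an audit trail."""

    def __init__(self, config: PolicyConfig) -> None:
        self.config = config
        self.lost_or_stolen = set()   # device handles tagged lost/stolen
        self.audit = []               # (device_handle, session_handle, action)

    def report_lost(self, device_handle: str) -> None:
        self.lost_or_stolen.add(device_handle)

    def evaluate(self, ctx: DeviceContext) -> Decision:
        decision = self._rules(ctx)
        self.audit.append((ctx.device_handle, ctx.session_handle, decision.action.value))
        return decision

    def _rules(self, ctx: DeviceContext) -> Decision:
        # Rule order matters: the most severe conditions are checked first.
        if ctx.device_handle in self.lost_or_stolen:
            if self.config.wipe_lost_devices:
                return Decision(Action.WIPE, "device reported lost/stolen; wipe policy enabled")
            return Decision(Action.CHALLENGE, "device reported lost/stolen; step-up required")
        if self.config.jailbreak_detection and ctx.jailbroken:
            return Decision(Action.WIPE, "jailbroken device detected")
        if not ctx.registered:
            return Decision(Action.CHALLENGE,
                            f"registration requires {self.config.registration_challenge}")
        return Decision(Action.ALLOW, "registered, healthy device")


if __name__ == "__main__":
    engine = DevicePolicyEngine(PolicyConfig())
    healthy = DeviceContext("dev-A", "sess-1", registered=True, jailbroken=False)
    print(engine.evaluate(healthy))                                   # ALLOW
    engine.report_lost("dev-A")
    print(engine.evaluate(healthy))                                   # CHALLENGE
    print(engine.evaluate(DeviceContext("dev-C", "sess-3", True, True)))  # WIPE
    print(engine.audit)
```

Note that turning jailbreak detection off in the configuration silently converts the jailbroken case into an ALLOW; the engine does not invent a fallback, which is why the setting should be reviewed together with the lost/stolen wipe option.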
Internet Identity Services
Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverage authentication and authorization services from cloud providers. Mobile applications can consume social identities securely, and customers can federate easily with social networking sites.
These services benefit end users as well as developers:
- User centric - Users are presented with multiple convenient log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.
- Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live.
- Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.
Oracle Mobile and Social services can be easily extended to support other service providers, thanks to a flexible architecture based on open standards such as OAuth and OpenID. A typical browser-based login through a Social Identity Provider proceeds as follows:
- The user accesses a protected application, and the request is intercepted by the WebGate.
- After OAM evaluates the authentication policies applicable to the resource, the Mobile and Social server presents a login page to the user.
- The login page presents a menu of Social Identity Providers (e.g. Facebook), and the user is redirected to the login page of the selected Social Identity Provider.
- The user types a user name and password into the Social Identity Provider's login page; the Identity Provider validates them and redirects control back to the Mobile and Social server.
- The Mobile and Social server processes the identity assertions supplied by the Identity Provider and, after retrieving the user's identity information, redirects the user's browser to Access Manager. This time, HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.
- Access Manager creates a user session and redirects the user to the protected resource.
User Profile Services
User Profile Services allow mobile applications to perform a variety of tasks against LDAP-compliant directory servers.
- Directory administration tools can be built in which an authorized administrator invokes CRUD operations on users and groups, manages passwords and maintains related entities such as managers.
- Corporate or community white pages are another common application of User Profile Services.
- These services are secured by either an OAM token or a JSON Web Token (JWT), and they can also require device and application registration.
- OOTB support for seamless integration with popular LDAP-compliant directory servers such as Oracle Directory Server, Oracle Internet Directory, Oracle Virtual Directory and Active Directory.
SDKs and REST APIs
SDKs help developers embed identity security features into mobile applications and promote usage of existing identity infrastructure services.
- They promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.
- The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.
- OAMMS provides dedicated APIs for each of its feature categories, namely Mobile, Internet Identity and User Profile services.
Oracle Mobile and Social Services provides separate client software development kits (SDKs) for Apple’s iOS and Google’s Android.
The SDK functionality is segregated into the following distinct modules:
- Authentication Module - Processes authentication requests on behalf of users, devices, and applications.
- User Role Module - Provides User Profile Services that allow users and applications to get User and Group details from a configured Identity store.
- REST Handler Module - Provides access to REST web services and automatic injection of tokens for Access Manager protected REST web services.
- Cryptography Module - Provides simplified APIs to perform cryptography tasks like hashing, encryption, and decryption.
- Secure Storage Module - Provides APIs to store and retrieve sensitive data using the preferences storage of Android.
Generic REST API
Oracle Mobile and Social Services exposes its functionality through a consistent REST interface, enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These calls can be used when it is not possible to use the SDKs directly to communicate with the Mobile and Social back-end components.
Oracle API Gateway (OAG) acts as a filtering layer for inbound REST calls into the Mobile and Social server. It integrates with OAM and OES to provide authentication and access control.
In the Mobile and Social solution context, OAG provides services such as:
- Validating JSON Web Tokens (JWT) embedded within REST calls.
- Mapping of XML to JSON for consumption by mobile devices.
- Validation of HTTP parameters, REST query and POST parameters, and XML and JSON schemas.
- Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.
- Auditing and logging of web API usage for each mobile client.
OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload.
The sequence of steps involved in OES-powered authorization and 'redaction' is as follows:
- OAG intercepts the mobile application's request and delegates authentication to OAM.
- OAG uses an integration adapter, the OES Java Security Service Module (SSM), to interact with OES and authorize the request.
- After successful authentication and authorization, the user is granted access to the requested resource (business application).
- Further authorization is driven by OES based on the configured policies, and it may result in the 'redaction' of some confidential information from the response.
- OES thus provides the 'redacted' response to OAG, which propagates it back to the requester.
[Figure: OAG and OES working in tandem]
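The gateway services listed earlier (JWT validation and schema validation of the request) and the redaction sequence just described can be shown as one filter chain. The following is an added example and not OAG, OES or any Oracle code: the HS256 key, the employee record "E100", the body schema and the per-role redaction policy are all constructed. It validates the bearer JWT (signature, algorithm and expiry), checks the POST body against a schema, looks the record up, and then applies a role-based redaction policy before returning the payload; every failure returns a distinct status so the caller can tell a rejected token from a malformed request.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a gateway-side HS256 key, a tiny employee
# "backend" and a role -> hidden-fields redaction policy.
GATEWAY_KEY = b"constructed-gateway-secret"
BACKEND = {"E100": {"name": "A. Example", "dept": "finance", "ssn": "000-00-0000", "salary": 1}}
REDACTION_POLICY = {
    "employee": {"ssn", "salary"},
    "manager": {"ssn"},
    "hr": set(),
}
BODY_SCHEMA = {"employee_id": str}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = GATEWAY_KEY, alg: str = "HS256") -> str:
    """Builds a token; alg is a parameter only so tests can construct rejected input."""
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"alg": alg, "typ": "JWT"}, claims)]
    signing_input = ".".join(segments).encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return ".".join(segments + [_b64url_encode(signature)])


def validate_jwt(token: str, key: bytes = GATEWAY_KEY, now=None):
    """Returns the claims if algorithm, signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        if header.get("alg") != "HS256":          # only the configured algorithm is accepted
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:                            # bad segment count, base64 or JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def validate_body(body, schema=BODY_SCHEMA) -> bool:
    """Schema check: exactly the expected keys, each of the expected type."""
    return (isinstance(body, dict) and set(body) == set(schema)
            and all(isinstance(body[k], t) for k, t in schema.items()))


def authorize_and_redact(record: dict, role: str):
    """OES-style step: unknown roles are refused, known roles get a redacted copy."""
    hidden = REDACTION_POLICY.get(role)
    if hidden is None:
        return None
    return {k: ("<redacted>" if k in hidden else v) for k, v in record.items()}


def gateway_handle(request: dict, now=None):
    """Filter chain for one inbound REST call; returns (status, payload)."""
    auth = request.get("headers", {}).get("Authorization", "")
    claims = validate_jwt(auth[len("Bearer "):], now=now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {"error": "invalid or missing token"}
    body = request.get("body")
    if not validate_body(body):
        return 400, {"error": "request body failed schema validation"}
    record = BACKEND.get(body["employee_id"])
    if record is None:
        return 404, {"error": "not found"}
    payload = authorize_and_redact(record, claims.get("role", ""))
    if payload is None:
        return 403, {"error": "role not permitted"}
    return 200, payload


if __name__ == "__main__":
    token = make_jwt({"sub": "alice", "role": "employee", "exp": time.time() + 60})
    req = {"headers": {"Authorization": f"Bearer {token}"}, "body": {"employee_id": "E100"}}
    print(gateway_handle(req))   # (200, {... 'ssn': '<redacted>', 'salary': '<redacted>'})
```

The `now` parameter exists so expiry can be tested deterministically; in production the gateway uses the current time. Redaction is applied to a copy of the record, so the backend data is never modified in place.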
I hope you have gained a fair idea of the challenges that enterprise mobility requirements pose and of the various options the Oracle FMW product suite offers modern organizations to overcome these hurdles and successfully mobilize their workforce. Customers already using products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications. Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating a secure BYOD programme in the 'Cloud'.
About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.