CIS13: Samsung’s Perspective on Mobile Identity
DESCRIPTION
Sudhi Herle, VP of Enterprise Products, Samsung Telecommunications America
Samsung will discuss how the mobile ecosystem maturity is demanding more robust enterprise capabilities – especially integration of the mobile apps with existing enterprise notions of identity, authentication and authorization. Samsung will demonstrate how it is tackling this issue in their Knox platform – by using Centrify powered technologies. Learn how this will help your Enterprise IT admin to seamlessly add mobiles into their existing MS Active Directory, extend the reach of their enterprise apps to integrate with AD and understand how Samsung Knox Dual Persona is a good strategy for Enterprise IT integration.
TRANSCRIPT
MOBILE ENTERPRISE IDENTITY
7/11/13 © Samsung 2013. All rights reserved.
State of Identity
Industry Trends
• Cloud, Mobile and Compliance requirements are the three top business and technology waves impacting enterprise IT
  – BYO Servers & BYO Applications
  – BYO Laptops & BYO Devices
• Identity is at the center of all three waves
Samsung Confidential
Current State of Enterprise Identity
[Diagram labels: Data Center Servers, Data Center Apps, Cloud, End Users, Laptops, Smartphones and Tablets, with many separate "ID" markers]
Multiple Login for Users. Multiple Identity Infrastructure for IT.
State of Identity
But Can You Con(n)
SAMSUNG KNOX
Introducing Samsung KNOX
Multi-layered approach to OS Security
Enterprise Application Container
• Isolated virtual Android environment
• Activated by Enterprise Identity
• Integrated with Enterprise Active Directory
• Managed by Group Policy Manager*
*supports other consoles such as MDMs
[Diagram labels: Enterprise Application Container, Personal Applications, Secure Android Platform]
Isolated Virtual Android Environment
• Virtual Android Environment
  - Home screen, launcher, apps, widgets, notifications
  - Additional apps from enterprise app store
• Activated on signing with enterprise identity
• Encrypted file system with AES 256-bit encryption.
• Data sharing, apps, files, network completely isolated
• Policies to allow remote IT configuration and management.
Activate Knox Container with Enterprise Identity
• Enroll to create container
• Use AD/GPM to manage container
• Use same to sign into other cloud services
[Diagram labels: Centrify SSO (SaaS); Container; SSO; KNOX Android Framework; Intranet; Centrify Cloud Proxy. Numbered steps: 1. Enroll with Enterprise Identity; 2. Manage with AD/GPM; 3. Leverage same for SSO]
AD/GPM Knox Container Management
• Samsung KNOX allows AD/GPM-based Container Management for enterprises that do not desire a traditional MDM system
• Multi-application SSO is built into the Knox Container
• The container identifies the user to the apps
• The container can get AD attributes for the apps
• Apps can request security tokens for their web app/service
SSO built in the Knox Container
Integrated Admin Follows User Lifecycle
• Container policies follow the user’s account lifecycle automatically
  – Ex. upon termination, employees must not be able to access company information from any device
• AD changes automatically apply to container on user devices:
  – Role changes may require updated access policies
  – Termination requires auto-removal of access credentials and company data
[Diagram labels: User enrolls their own devices; Update device security settings or new group; de-provision device; Lock account and full device wipe; Delete or disable account and de-provision device; Active Directory]
Knox Smart Card support
• Samsung Knox supports Smart Cards
  – Requires a compatible Bluetooth CAC reader such as the baiMobile™ 3000MP Bluetooth® Smart Card Reader.
• Currently allows
  – Browser, email and VPN can use credentials on the smart card
  – KNOX also supports two-factor authentication for the device lock screen using the CAC
  – Other applications may also utilize the CAC card via PKCS #11 APIs