hypori performance webinar


Upload: graficguru

Post on 12-Apr-2017


Page 1: Hypori Performance Webinar

Slide 2

Host Android in the cloud, access via remote client apps:

Hypori ACE Servers similar to VDI servers

Hypori ACE Client from public app store or distributed by MAM

What is Hypori?


Hypori Platform Terminology

Slide 3


Hypori ACE System At Scale

Slide 4


Typical ACE System Deployment

Slide 5


Typical ACE System Deployment

Slide 6


Slide 7

What is Hypori?

DEMO


Slide 8

Cloud hosted Android for secure enterprise mobility


Slide 9

From DroidCloud to Hypori


Slide 10

Enterprise Mobile Ecosystem

• Sandbox Apps: Proprietary containers, typically just email, browser + MS Office, few apps, no sensors.
• VMs / Containers: Don’t work on iOS, require ‘jailbreaking’, limited market traction, not suitable for BYOD.
• MAM: Less intrusive than MDM for BYOD, but also less secure – low level of assurance.
• MDM: Cannot protect enterprise apps and data on personal devices, DroidCloud VDM partner.
• Thin Clients: Windows 7 not suited to mobile devices, Win8 struggling.
• Miscellaneous: Various security approaches, typically a component of a broader solution.

Hypori complements VDI thin clients, and is partnering with companies in every other box.


Slide 11

What are the DoD use cases?

• Mobile Teleworking: A virtual smartphone for every soldier, running in DISA’s DECC (the DoD cloud) – analogous to BYOD.
• Tactical Cloud: Forward deployed tactical clouds on land, sea and air platforms for special operations forces.
• Senior Leader Comms: Classified mobile communications for senior leaders and other DoD personnel.
• Partners: NGOs as part of international aid efforts, logistics providers, coalition partners.


Slide 12

What are the banking use cases?

Employee
• BYOD or EOD
• Securing MDM for sensitive data
• Email, calendar and web
• Transaction approvals
• Salesforce / CRM
• SAP / ERP
• In-house Android apps
• TripIt / travel management
• Phone calls / VTC

Customer
• BYOD published app mode
• Extending MDM to third parties
• Banking communications
• Doc reviews / deal rooms
• Viewing transaction activity
• Transaction approvals
• Treasury services
• Market information services
• Stock trading


Slide 13

Hypori leverages SEAndroid as the ACE Virtual Device remote OS, as well as existing Android apps.

Hypori leverages Linux with KVM as the backend baseline for its ACE Server.

Hypori leverages the SPICE (Red Hat) protocol as a foundation for its communications / traffic between the ACE Server and ACE clients.

Client Apps for Android, iOS, Windows 8, …

Linux & KVM for vHost, OpenStack, SEAndroid/AOSP for vDevice, plus storage, user directory, AV, app store.

What technologies do we use?


Slide 14

How do we change Android?


Slide 15

Product – Roadmap

Hypori product progress and roadmap:

• Version 3.0: Q3, 14 – MVP for Enterprise Deployments. Basic camera, server-side OpenGL / 3D, KitKat VD upgrade, SEAndroid, tuned X.264, status bar bypass, notifications, client certs, S/MIME, hardware crypto, high availability, geographical roaming, admin UI and APIs, LDAP/AD integration, SELinux, Splunk auditing integration.

• Version 3.1: Q1, 15 – MVP for Multi-Tenant Private Cloud. Client for Win8, remote camera / VTC, client-side OpenGL, media bypass, keyboard bypass, more PKI auth options, app data/sensor access controls, improved VD management and administration, basic instrumentation data exposed to security partners.

• Version 3.2: Q2, 15 – MVP for Multi-Tenant Public Cloud. Additional functionality TBD based on customer feedback, stability improvements, housekeeping.

• Version 4.0: Q3, 15 – MVP for Multi-Tenant Public Cloud. Support for Google CTS, improved sensor support, Official Play support, improved client-side OpenGL, more advanced security instrumentation integration.


Slide 16

Architecting for Defense in Depth

ACE Virtual Device
• SEAndroid providing:
o Privileged daemon protection.
o Application isolation.
o Middleware controls.
o Instrumentation & auditing.
o App install protection.
o Limit app access to sensors.
• ‘Untrusted’ app sandboxing.
• Read only core OS partition.
• Centralized patching.
• MDM / MAM controls.

ACE Client
• Remote two factor auth.
• Remote signing and decryption.
• TLS (and VPN) encryption for data in transit.
• GPS-based access policies.
• Attributes exposed for MDM integration.
• Screenshot ‘prevention’.
• Integration with client-side attestation technologies.
• Eventually, integration with mobile device MTMs.

ACE Server
• Protocol aware firewall.
• KVM hypervisor containment.
• SELinux-based VD separation.
• Server-side TPM attestation.
• VPN service for apps in VDs.
• Network proxy for traffic monitoring.
• System-wide app management.
• Behavioral and signature-based malware detection.
• User behavioral biometrics.
• VD instrumentation / auditing.


Slide 17

Hypori ACE Admin Authentication & Connection

[Diagram]

Zones: Internet, VPN (optional), Enterprise

Components: ACE Management Server, Web Server (nginx), Enterprise Directory (LDAP / AD), mongoDB, OpenStack System

3rd Party Integration: Splunk / Nagios / Monit / etc

Other labels: REST API Calls (https / TLS v1.2)

Numbered steps:

1. Present User Certificate (https / TLS v1.2)
2. Validate User Certificate Signing Chain
3. Proxy http
4. Verify Account Status + Password; Return valid user data + LDAP parameters
5. Look up User by DN for Role
6. OpenStack API calls
7. HTML + JSON


Slide 18

Hypori ACE Client Authentication & Connection

[Diagram]

Zones: Internet, VPN (optional), Enterprise

Components: ACE Client, ACE Management Server, Web Server (nginx), Enterprise Directory (LDAP / AD), mongoDB, OpenStack System

3rd Party Integration: Splunk / Nagios / Monit / etc

Numbered steps:

1. Present User Certificate (TLS v1.2) + LDAP Password
2. Validate User Certificate Signing Chain
3. Proxy http
4. Verify Account Status + Password; Return valid user data + LDAP parameters
5. Look up User by DN for Role
6. ACE Virtual Device Information
7. Deliver signed Token w/ Compute Node name + AVD TCP Port
8. Connect with signed token to ACE Virtual Device using the ACE Protocol over TLS v1.2
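
Steps 1 to 3 of both authentication flows (Slides 17 and 18) map onto a standard nginx mutual-TLS front end. The configuration below is an added illustration, not Hypori's configuration: the server name, file paths, upstream address and the `X-Client-DN` / `X-Client-Verify` header names are all assumptions.

```nginx
# Added example: nginx terminating TLS v1.2 with mandatory client certificates,
# then proxying plain http to a management server. All names and paths are placeholders.
server {
    listen 443 ssl;
    server_name ace-mgmt.example.internal;            # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Step 1: the user certificate is presented over TLS v1.2 only.
    ssl_protocols TLSv1.2;

    # Step 2: validate the user certificate's signing chain.
    # The file holds the CA certificates that issue user certificates.
    ssl_client_certificate /etc/nginx/tls/user-ca-chain.pem;
    # "on" rejects the request when no valid certificate is presented.
    # "optional" would accept certificate-less requests unless the
    # configuration or backend also checks $ssl_client_verify.
    ssl_verify_client on;
    ssl_verify_depth 2;                                # assumed: root plus one intermediate
    # Revocation check; the CRL file must cover every CA in the chain.
    ssl_crl /etc/nginx/tls/user-ca.crl;

    location / {
        # Step 3: proxy http to the management server (assumed local address).
        proxy_pass http://127.0.0.1:8080;

        # Pass the verified subject DN for the later role lookup (step 5).
        # proxy_set_header replaces any same-named header sent by the client,
        # so a caller cannot supply its own DN through this listener.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

The backend must accept connections only from the proxy; if it is reachable directly, the DN header can be set by anyone and the certificate check is bypassed.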