Mobile Security for QlikView

Presentation transcript:

Mobile Security for QlikView June 2011

Common misconceptions about iPad/iPhone security
- They’re not as secure as Blackberry
- Data on the device is not secure
- They are easily ‘jailbroken’
- Data protection doesn’t exist
- It’s easy to hack into the data stream over WiFi or 3G
- There is no support for VPN
- They don’t support existing IT security infrastructures
- There’s no support for Digital Certificates, SSL, SSO
- There is no central management capability
- No remote data wipe
- No integration with MS Exchange ActiveSync

QlikView Mobile: Security
QlikView on iPad is a highly secure environment for deploying Business Discovery solutions.
There are three principal aspects to understand when approaching mobile security:
- Device & Data Security
- Transmission Security
- QlikView native Security

QlikView Mobile: Security
Device and Data Security
iPad supports the following device-level protection:
- Strong password enforcement
- Local and over-the-air password enforcement
- RSA keyfob support
- Password retry limit
- Local wipe capability on limit exceeded
- Device (hardware) encryption
- 256-bit AES encryption
- Data Protection APIs
- Over-the-air remote wipe/kill capability
- Uses Exchange ActiveSync
- Encrypted iTunes backups
QlikView for iPad does not cache or store data locally on the device. It uses a browser-based AJAX interface.

QlikView Mobile: Security
Transmission Security
iPad supports the following secure communication methods:
- VPN
  - iPad has built-in CISCO IPSec, L2TP and PPTP support
- SSL/TLS
- WPA/WPA2
  - 128-bit AES encryption
- Digital Certificates
  - X.509 with RSA keys

QlikView Mobile: Security
QlikView native Security
- QlikView integrates with existing SSO and LDAP solutions
  - Perimeter authentication via AD & other SSO solutions
  - HTTP headers, Ticketing
- Multi-tiered approach to deployment security
  - Firewalled back end/front end
- QlikView Server handles user authorization
  - Integrates with existing LDAP for group resolution

Typical Laptop security vs iPad security

Typical Laptop security:
- Strong alphanumeric password enforcement
- Centralized management
- Password retry limit
- Hardware-level data encryption
- VPN support
- Digital Certificate support
- Open USB ports?
- Easily removable hard drive?
- Local file and application structure

iPad security:
- Strong alphanumeric password enforcement
- Centralized management
- Password retry limit
- Hardware-level data encryption
- VPN support
- Digital Certificate support
- Open USB ports?
- Easily removable hard drive?
- Local file and application structure

Typical Blackberry security vs iPad/iPhone security

Typical Blackberry security:
- Strong alphanumeric password enforcement
- Centralized management
- Password retry limit
- Hardware-level data encryption
- VPN support
- Digital Certificate support
- BES
- Communications logging
- Regulatory compliance
- Auto ‘push’ of policy updates
- FIPS 140-2 data encryption

iPad/iPhone security:
- Strong alphanumeric password enforcement
- Centralized management
- Password retry limit
- Hardware-level data encryption
- VPN support
- Digital Certificate support
- No BES equivalent for logging
- Auto ‘push’ of updates through ActiveSync
- AES 256-bit encryption
- FIPS 140-2 at ‘Test’ stage of certification

Does any of this impact QlikView on iPad?
In short: NO
Why?
- QlikView for iPad does not store data on the device
- All questions about FIPS 140-2 encryption are irrelevant
- FIPS 140-2 is an extremely aggressive policy, used only by Governments/Military and some Financial Services institutions
- Logging of all mobile activity is usually only mandated by high-security environments like Govt/Military and some Fin Svcs
- QlikView Server will still log all activity to QlikView files

Common misconceptions about iPad/iPhone security
- They’re not as secure as Blackberry: At the very highest levels, no. But for almost all organizations’ needs, this is false
- Data on the device is not secure: False
- They are easily ‘jailbroken’: Irrelevant: Data Protection APIs
- Data protection doesn’t exist: False: 256-bit encryption; Data Protection APIs
- It’s easy to hack into the data stream over WiFi or 3G: False
- There is no support for VPN: False. CISCO VPN with iOS4
- They don’t support existing IT security infrastructures: False
- There’s no support for Digital Certificates, SSL, SSO: False
- There is no central management capability: False. iPhone Configuration Utility permits this
- No remote data wipe: False. ActiveSync allows this
- No integration with MS Exchange ActiveSync: False

Summary
There are no worries in proposing the QlikView for iPad solution when it comes to enterprise security!!

QlikView Mobile: Security
Apple and QlikTech have a range of documents covering Mobile Security:
- iPad Security Overview.pdf
- iPad Enterprise Deployment Guide.pdf
- iPad Deployment Scenarios.pdf
- QlikView Security Overview White Paper
- QlikView Development and Deployment Tech Brief

iPad Implementation Example

Security requirements:
- Apply user certificate on iPad to authenticate the user on the mobile device
- Provide second authentication against Active Directory
- Authorize the QV document to the authenticated users

Technical Details:
- QVS 10 SR2, Windows 2003, IIS 6, Safari
- User certificates on iPads for the users in PKCS#12 format along with certificate chain
- User certificates installed on the iPad using IPCU tool from Apple
- HTTP/SSL with tunneling enabled

iPad User Certificate
- A digital certificate is composed of a public and private key pair, along with other information about the user and the certificate authority that issued the certificate
- Certificates for the users are in PKCS#12 format along with the certificate chain
- Certificates are installed on the iPad using the IPCU tool from Apple
- iPad profiles are signed and encrypted
- iPad profiles cannot be used except with the assigned iPad
- Users are not able to remove the profile unless they have the administrative password
- Certificates should not exceed 1024-bit encryption and need to use the RSA algorithm
- Microsoft public key certification authority (CA) is used to request user certificates. A CA is a service that issues and manages electronic credentials or certificates in a public key infrastructure (PKI)

User Certificate Setup Details

Configure IIS
Set up one-to-one mapping for user certificates on the IIS server. This lets the IIS server authorize access for the intended users only. The client certificate is used to authenticate the user. The IIS website should already have an SSL certificate.

Here are two scenarios for this configuration:
- IIS server is not in the domain: The IIS server is either in a DMZ network or in the public domain. Create a user account on the IIS server. This user is a local user on the IIS server (QVUser). All certificate mapping is done against this local user account, and the QlikView application then requests the Active Directory user name and password to authenticate users on the application.
- IIS server is part of the domain: Authenticating users is done against the local server using one local account, and the certificate is mapped to the local account.

How is the user authenticated with a certificate?
- The user's iPad has the certificate, which is issued by the internal CA. This user certificate has one public key and one private key.
- To prove the identity of the user, the user needs the private key on the client side.
- The web server will validate the certificate submitted by the client and then allow access to this user.
- In case we want to remove access to the application for any user, we need to remove the certificate map which we established on the IIS server.
- The certificate map name plays an important role, as the user certificate is identified based on the certificate map name and not the local account.

Second Authentication
Provide basic authentication against Active Directory.
How?
- Configure IIS security
  - It is necessary to disable “Windows Integrated Security”, as we want to authenticate the users not through IIS but by using the QV code authenticate.aspx
  - Enable “Anonymous Authentication” for the “QvAjaxZfc” and “QVClients” folders. Make sure that the username and password are valid.
- Modify authentication file
  - Modify authenticate.aspx so that the end user is prompted for a username and password and is authenticated against Active Directory. This is the second step in achieving double authentication.
* Refer to “How to achieve double authentication on iPad with Safari” technical paper

How does the solution work?
Because of the one-to-one mapping and the certificates applied on the 2nd IIS web server, when a user tries to open the QV application URL from a desktop or from a mobile device that does not have a user certificate, they see this page:

How does the solution work?
- The user connects to the IIS site and IIS requests the user certificate, which has already been created on the iPad.
- The user is prompted for the certificate and submits its public key to the IIS server.
- Provided the user has the correct certificate and IIS recognizes this certificate, IIS encrypts the contents using the user's public key and sends them back to the user.
- As the user has both of the keys, the user decrypts the contents sent by IIS using their own private key and starts communicating with the IIS server.
- The next step is the second authentication. The user is prompted for the username and password to be authenticated against Active Directory.
- The final step in the process is to give the authenticated user access to the authorized documents.
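
The decision flow described above, modelled as an added example (not code from the presentation, IIS or QlikView): the certificate must match a one-to-one map, then the user name and password must pass a directory check, then the document must be authorized for that user. The map names, sample users, passwords, the `Sales.qvw` document and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded client certificates (not real X.509).
ALICE_CERT = b"constructed-der-bytes-alice"
BOB_CERT = b"constructed-der-bytes-bob"
DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}  # constructed


def directory_check(user, password):
    """Stand-in for the Active Directory check done by authenticate.aspx."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class Gateway:
    LOCAL_ACCOUNT = "QVUser"  # every map points at this one local account

    def __init__(self, document_acl):
        self.maps = {}                    # map name -> SHA-256 of certificate
        self.document_acl = document_acl  # document -> set of directory users

    def add_map(self, name, der):
        self.maps[name] = hashlib.sha256(der).digest()

    def remove_map(self, name):
        self.maps.pop(name, None)  # withdrawing access = removing the map

    def match_map(self, der):
        """Return the map name whose certificate matches exactly, else None."""
        presented = hashlib.sha256(der).digest()
        hits = [n for n, fp in self.maps.items() if hmac.compare_digest(fp, presented)]
        return hits[0] if hits else None

    def open_document(self, der, user, password, document):
        """Return (decision, detail, map_name); map_name is what to log."""
        map_name = self.match_map(der)
        if map_name is None:
            return ("denied", "no certificate map", None)
        if not directory_check(user, password):
            return ("denied", "directory authentication failed", map_name)
        if user not in self.document_acl.get(document, set()):
            return ("denied", "not authorized for document", map_name)
        return ("allowed", self.LOCAL_ACCOUNT, map_name)


def demo_gateway():
    gw = Gateway({"Sales.qvw": {"alice"}})
    gw.add_map("map-alice-ipad", ALICE_CERT)
    gw.add_map("map-bob-ipad", BOB_CERT)
    return gw
```

Every certificate resolves to the same local account, so the map name returned with each outcome is the only per-user identifier from the certificate step and belongs in the access log.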

Thank You Q&A