Technology

June 5, 2017

AppBus Secure Platform

Supported Platforms

AppBus enables users to securely access internal enterprise resources using unsecured devices on the following operating systems:

  • iOS
  • Android
  • Windows
  • MacOS

The following archetypes are supported natively by AppBus:

  • Intranet Pages and Applications
  • Microsoft Exchange-based E-mail, Calendar, Contacts
  • Local and Remote Document Access
  • Existing Windows Applications
  • Native iOS and Android Components
  • Secure RSS Aggregator

Encrypts All Data In-Motion and At-Rest

AppBus secures all aspects of data handling while the data is in-motion and at-rest. Access to AppBus is controlled by existing enterprise authentication and authorization systems. Multi-factor and step-up authentication are also supported. Geo-fencing technology enables fine-grained access control.

Data in-motion is protected by creating an encrypted communication channel between AppBus and the internal infrastructure. The channel is secured with client-side and server-side certificates. Certificate pinning is employed to prevent man-in-the-middle (MITM) attacks.

At-rest, AppBus encrypts all enterprise data in a private secure storage. AES-256 encryption is used to ensure security. Unencrypted information is never stored on the user's device. Controls are available to remotely wipe all AppBus data in the case of a lost or stolen device. Optionally, data at-rest can be made available off-line. This functionality is governed by policy and can be managed remotely.

AppBus offers variable levels of data protection. The highest level of security is achieved by leveraging the streaming application viewer. In this mode, no enterprise information ever leaves the data center.

AppBus Platform Components

  1. AppBus Container: Secure, native containers designed to run on iOS, Mac OS X, Windows, Android

    • Support for all application archetypes
    • Secure data at-rest and in-motion, including step-up, multi-factor authentication
    • Off-line capability
    • Mobile Application Management (MAM) functionality
  2. AppBus DCP (Distributed Control Plane): connects edge devices, enterprise systems and workflows

    • Improves usability by sharing data/context across systems and applications
    • Non-invasive application and system integration requires no code changes
    • Automates single-sign-on functionality across systems
  3. AppBus Insight: Rich user action metrics and logs across all users and devices

  4. AppBus Manager: Management and configuration portal with a security policy engine and user activity alerting

  5. AppBus Integrator: Allows for wrapping legacy applications with a modern REST API

Security

AppBus Secure Storage consists of:

  • Encrypted File Storage
  • Encrypted Database

Secure Storage Encryption

Secure Storage Encryption is based on SQLCipher and is created upon user login. Encryption uses AES-256 in CBC mode with a derived 256-bit key. The key is derived from the user id and password, combined with a 128-bit random salt, using 10,000 (configurable) iterations of PBKDF2 with HMAC-SHA512.
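As an added illustration of the key derivation described above (example code, not AppBus's own implementation), the following derives a 256-bit key with PBKDF2-HMAC-SHA512, a 128-bit random salt and 10,000 iterations, and shows how a later login can re-derive and verify that key without the key itself ever being stored. How the user id and password are combined, and the key-check value used for verification, are assumptions of this example; the page does not specify them.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Parameters as the page states them: PBKDF2 with HMAC-SHA512, 10,000
# (configurable) iterations, a 128-bit random salt and a 256-bit AES key.
DEFAULT_ITERATIONS = 10_000
SALT_BYTES = 16
KEY_BYTES = 32
KEY_CHECK_LABEL = b"secure-storage-key-check"  # assumed label, not from the page


def derive_storage_key(user_id: str, password: str, salt: bytes,
                       iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive the 256-bit secure-storage key from user id, password and salt."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 128 bits")
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    # The page does not say how user id and password are combined; a NUL
    # separator is this example's assumption (keeps "ab"+"c" and "a"+"bc" distinct).
    secret = user_id.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", secret, salt, iterations, dklen=KEY_BYTES)


def create_storage(user_id: str, password: str,
                   iterations: int = DEFAULT_ITERATIONS) -> Tuple[Dict, bytes]:
    """First login: pick a fresh salt, derive the key, and record only what is
    needed to re-derive and verify it later. The key itself is never written out."""
    salt = os.urandom(SALT_BYTES)
    key = derive_storage_key(user_id, password, salt, iterations)
    header = {
        "salt": salt,
        "iterations": iterations,
        # Key-check value: lets a later login detect a wrong password without
        # storing the key. Assumed mechanism, not documented on the page.
        "kcv": hmac.new(key, KEY_CHECK_LABEL, "sha512").digest(),
    }
    return header, key


def unlock_storage(user_id: str, password: str, header: Dict) -> Optional[bytes]:
    """Subsequent login: re-derive the key from the stored salt and iteration
    count; return it only if the key-check value matches (constant-time compare)."""
    key = derive_storage_key(user_id, password, header["salt"], header["iterations"])
    expected = hmac.new(key, KEY_CHECK_LABEL, "sha512").digest()
    if not hmac.compare_digest(expected, header["kcv"]):
        return None
    return key
```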

Application Data

  • All native and web applications store respective data only within secure storage
  • Browser cache is stored in the encrypted file storage
  • All downloaded attachments and files are stored in the Encrypted File Storage

The AppBus Platform uses a secure HTTPS tunnel between the mobile device and the enterprise infrastructure for all data exchange. The secure tunnel relies on enterprise authentication and entitlement systems to establish the communication channel. Client-side certificates and server-side certificate pinning eliminate the risk of traffic interception and man-in-the-middle (MITM) attacks. All secure and unsecure requests from web-based and native applications running inside the AppBus Platform are intercepted and routed through the secure HTTPS tunnel. A cryptographic authentication token (OAuth2) is attached to every request to validate request authenticity.

Enterprise rules and restrictions are enforced when accessing internal and external resources. The AppBus Platform provides an additional level of control through the use of resource whitelists. Application and data channel idle timeouts ensure that unattended sessions are automatically terminated.