
Mobile Security

Upload: hanhu

Post on 03-May-2018



Mobile Security

The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to empower their employees through Bring Your Own Device (BYOD) programs that aim to facilitate personal devices for work purposes. Employees prefer to not carry around multiple mobile devices. Companies are also happy, as this practice reduces costs and increases productivity of the workforce. However, this growing trend also introduces less secure mobile devices with access to sensitive corporate information and IT. As organizations adapt to such changes, their information security departments are starting to enforce strict Acceptable Use and Security policies. In an effort to protect against potential device data theft, it’s important for organizations to manage what content personal mobile devices have access to.


BACKGROUND

CORNERSTONE STATEMENT OF SECURITY

Cornerstone only employs the highest industry practices ensuring both security and performance are at the forefront of our products. Top tier security is applied to all customer proprietary information and content secured in our cloud-based servers, on employee devices, and among mobile devices. Network security and performance are vital areas of our business and are part of our primary objectives toward achieving best-in-class security, availability, scalability, and manageability for our mobile offering.

Cornerstone implements a breadth of security techniques to provide multiple layers of protection against possible intrusion. Industry standard security controls including data encryption and Secure Sockets Layer (SSL) technology are used throughout the application. Our technology infrastructure is maintained through regular updates and rigorous testing to improve the protection of our customers’ information and data at every corner.

CORNERSTONE MOBILE ARCHITECTURE

The Cornerstone mobile application is a cross-platform native HTML5 hybrid application supported on both iOS and Android smartphone and tablet devices. In addition, the application is accessible via mobile browser on all platforms.

DEFINITIONS

HTTPS: Hypertext Transfer Protocol Secure sockets provide encrypted communication between the MLP servers and apps that run on all activated mobile devices.

SAAS: Software as a Service is a model for the delivery of a software platform where a software provider hosts and maintains a product and all data associated with it. Typically the provider is the software vendor themselves.

SSO: Single sign-on is a property of access control of multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.

SAML: Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization data between security domains – that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).

SSL: SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

XML: Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

MOBILE AUTHENTICATION

The Mobile application has three methods of login: username/password, device registration, and Single Sign-On (SSO).

1. The username/password method submits the user’s credentials over HTTPS to Cornerstone’s standard login procedure. It is secured using the same SSL security with 128-bit HTTPS encryption as the main Cornerstone login.

2. Device registration uses the OAuth protocol to authenticate requests. Authentication signs every request using a combination of the user’s token (stored on the device), a secret token (stored on the device), PIN, timestamp, and nonce. Each request is validated by our STS authenticator and is encrypted using the same SSL certificates used by our standard username/password login process with 128-bit encryption. At any point the user can remove their registered device.

3. SSO authentication uses SAML 2.0 SP-initiated authentication, an XML-based standard for exchanging authentication and authorization data between security domains – that is, between an identity provider (IDP), the producer of assertions on the client side, and a service provider (SP), the consumer of assertions on the Cornerstone side. Clients that implement SSO using the SAML solution typically have a SAML/IDP server in place and have used it to integrate SSO with other applications.
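An added illustration (not Cornerstone’s code; the paper does not specify its signing scheme) of the device-registration model in item 2: each request carries the user token, a timestamp and a nonce and is signed with a key derived from the secret token and the PIN, and the STS-side validator rejects stale timestamps, reused nonces and bad signatures. HMAC-SHA256, the header names, the key derivation and the skew window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CLOCK_SKEW_SECONDS = 300  # assumed tolerance for device/server clock drift


def derive_key(secret_token: str, pin: str) -> bytes:
    # Assumed: fold the PIN into the key so the stored secret token alone cannot sign.
    return hmac.new(secret_token.encode(), pin.encode(), hashlib.sha256).digest()


def sign_request(user_token, secret_token, pin, method, path, body=b"", ts=None, nonce=None):
    """Device side: build the authentication headers for one request."""
    ts = str(int(time.time()) if ts is None else ts)
    nonce = nonce or secrets.token_hex(16)
    canonical = "\n".join([user_token, ts, nonce, method.upper(), path,
                           hashlib.sha256(body).hexdigest()])
    sig = hmac.new(derive_key(secret_token, pin), canonical.encode(), hashlib.sha256).hexdigest()
    return {"X-User-Token": user_token, "X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": sig}


class StsValidator:
    """Server side: the check the STS applies to every device-registration request."""

    def __init__(self, registrations):
        self.registrations = registrations  # user_token -> (secret_token, pin)
        self.seen_nonces = set()            # (user_token, nonce); expire with the skew window in production

    def validate(self, headers, method, path, body=b"", now=None):
        now = int(time.time()) if now is None else now
        user_token = headers.get("X-User-Token", "")
        reg = self.registrations.get(user_token)
        if reg is None:
            return False, "unknown device"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            return False, "stale timestamp"   # bounds how long a captured request stays usable
        nonce = headers.get("X-Nonce", "")
        expected = sign_request(user_token, reg[0], reg[1], method, path, body, ts, nonce)
        if not hmac.compare_digest(expected["X-Signature"], headers.get("X-Signature", "")):
            return False, "bad signature"
        if (user_token, nonce) in self.seen_nonces:
            return False, "replayed nonce"    # an already-accepted request presented again
        self.seen_nonces.add((user_token, nonce))
        return True, "ok"
```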

MOBILE SECURITY WORKFLOW

In the Cloud
• User Management & Authentication
• Content Management & Distribution
• Preferences and Security
• Multi-product Integration

Over the Air
• Latency & Offline Access
• Information Privacy
• Real-time Synchronization

On Device
• Single Sign-On (SSO)
• 128 Bit HTTPS Encryption
• 256 AES Encryption for Locally Stored Data
• Session Timeout

(Figure labels: SaaS, SSL, HTTPS.)

AUTHENTICATION VIA SSO

INTUITION MOBILE LEARNING PLATFORM – SECURITY FEATURES

On Device
• SSO
• Encryption
• Remote Access
• PIN Screen Lock
• Timeout
• Closed Loop

In the Cloud
• Disaster Recovery & Business Continuity
• User Management & Authentication (SSO)
• Content Management & Distribution
• LMS Integration

Over the Air
• Roaming Control
• Latency & Offline Access
• Virus Prevention
• Information Privacy
• App Maintenance

(Figure labels: SaaS, SSL, HTTPS.)

Sequence diagram (participants: Client Application, Platform SSO Framework, IDP):

1. Client initiates SSO authentication request
2. Platform sends HTTP redirect through user’s browser to IDP SSO service
3. Client login
4. IDP sends back response
5. Platform processes IDP response; transforms to format expected by client
6. Platform returns response to client


AUTHENTICATION VIA SSO

The sequence diagram on the previous page outlines the detailed interactions between the client application, the platform SSO framework, and the IDP system. A user attempts to access a protected resource directly on an SP site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IDP. The SP sends an authentication request to the IDP. Both the request and the returned SAML assertion are sent through the user’s authentication page via HTTP POST.

The detailed steps are as follows:

1. The client application initiates a Platform SSO request with user name and corp to access a protected SP resource.

2. The SSO platform sends a URL back to the client application. The client application then redirects the user through a new browser window, which results in an HTML form with the SAML authentication request being sent to the IDP.

3. The IDP asks the user for their network/active directory credentials (e.g., username and password) and the user logs in.

4. The IDP’s SSO service returns the authentication assertion to the SSO Platform.

5. The SSO Platform processes the response from the IDP and transforms it into a response format expected by the client.

6. The authentication response is then sent back to the client.
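An added example (not Cornerstone’s code) of the checks the SP side must apply to the IDP response in steps 4 and 5 before trusting it, in Python: it binds the response to the outstanding request from step 2, checks issuer, audience and validity window, and consumes the request ID so the same response cannot be accepted twice. The entity IDs, the function names and the sample response are assumptions; XML signature verification, which is mandatory, is assumed to have been done by an XML-DSig library before this check runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_time(stamp):  # SAML timestamps are UTC ISO 8601 ending in "Z"
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, sp_entity_id, idp_entity_id, pending_request_ids, now_utc):
    """Return (name_id, []) if every SP-side check passes, else (None, reasons).
    Assumes the XML signature was already verified by an XML-DSig library."""
    now, root, problems = parse_saml_time(now_utc), ET.fromstring(xml_text), []
    # The step-4 response must answer a request the platform issued in step 2.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        problems.append("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("assertion not issued by the expected IDP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        problems.append("no validity window")
    else:
        not_before = cond.get("NotBefore")
        if (not_before and now < parse_saml_time(not_before)) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("assertion not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        problems.append("no NameID")
    if problems:
        return None, problems
    pending_request_ids.discard(in_response_to)  # each request accepts exactly one response
    return name_id, []


# Constructed sample (not from a real IDP; the Signature element is omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-08-01T12:00:00Z" NotOnOrAfter="2014-08-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```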

MOBILE PREFERENCES

Within the main Cornerstone application, clients have the ability to update mobile preferences by OU (organizational unit) and turn features on/off as desired. This allows more flexibility on which features appear in the slide out menu of the mobile application as well as determining which screen is the default landing page when a user signs in. In addition, all of the security permissions defined by system administrators throughout the web application will be applied within the mobile application.

LIMITATION OF ATTEMPTS

USERNAME/PASSWORD LOGIN: A user can attempt to log in 5 times before their account is locked. On the 6th incorrect attempt, the account is locked.

PIN: Allows for unlimited attempts.

SSO: Number of attempts is dependent on client configuration and is not controlled by Cornerstone OnDemand.

LOCALLY STORED DATA & OFFLINE AUTHENTICATION

Upon successful login with either username/password or PIN, we will write a user’s corp, username, and a hashed password into our encrypted database (256-bit AES encryption). The database encryption key is unique to each device. With Mobile offline, all data written to the database will be protected by SQLCipher, which is one of the most popular secure database solutions used by companies such as Salesforce, RSA, UBS, JP Morgan, and others.

JAILBROKEN PHONES

A jailbroken phone will share its data via Wi-Fi, Bluetooth, or directly over USB. A mobile database will not be protected by Cornerstone OnDemand if the device is jailbroken. Clients accept all risk for devices that are jailbroken.

© 2014 Cornerstone OnDemand, Inc. All Rights Reserved.

Cornerstone OnDemand is a leader in cloud-based applications for talent management. Our solutions help organizations recruit, train, manage and connect their employees, empowering their people and increasing workforce productivity. To learn more, visit csod.com.

csod-wp-Mobile Security 8-2014

GENERAL

Application Removal/Deletion: When the application is removed from the user’s mobile device, the user’s name and all secure encrypted items are removed from the device. The user must manually remove the application from the mobile device.

Timeout Conditions: When using username/password logins, the system uses Session and respects the corp setting for Session timeout. Device registration does not have a timeout condition. Timeout conditions are dependent on the default timeout configured within the web application.

App Store Certification: When we deploy to Apple iOS and Google Play app stores, we follow the respective stores’ best practices for deployment.