Consumer/Enterprise Identity Realities in a Cloud/Mobile World
Andy Zmolek (@zmolek), Director of Technology Partnerships, Divide, andy.zmolek@divide.com
It’s a cloud/mobile world now. Identity is re-defined in each computing wave.
Identity is re-defined in each computing wave
• Consumers drive disruptive innovation; enterprise follows later (CoIT)
• Identity moves from self-contained to server-defined and is now cloud-defined
• Most enterprise IT is still stuck in a computing 2.0 mindset
Computing waves: 1.0 Central/Terminal Computing → 2.0 Server/Device Computing → 3.0 Cloud/Mobile Computing
Do you see a pattern?

Central/Terminal Computing (1.0)
• Enterprise owns and controls equipment
• Vendor selection by enterprise only
• No consumer use
• Complete control of enterprise data
• Long sales and deployment cycles
• Duty cycle: 15-20 years
• Software: build-to-suit
• Locally-oriented
• MIS Department

Server/Device Computing (2.0)
• Equipment owned by enterprise or consumer
• Vendor selection by enterprise or consumer
• Some shared use of enterprise device
• Some control of enterprise data
• Moderate sales and deployment cycles
• Duty cycle: 5-10 years
• Software: packaged
• LAN/WAN-oriented
• IT Department

Cloud/Mobile Computing (3.0)
• Equipment more often consumer-owned (trend)
• Consumer typically drives vendor selection
• Consumer AND enterprise use of same device
• Deep fear of losing control of enterprise data
• Short sales and deployment cycles
• Duty cycle: 2 years (or less)
• Software: cloud/app store/web
• Cloud-oriented
• ? (to be named)
SERVER/DEVICE MINDSET
• Employees use only enterprise assets to connect to enterprise services; personally-owned devices are the exception
• Most IT services are limited to specific approved devices and physical locations
• IT control (or wipe) for the whole device
• IT focus on device lifecycle support, which is strongly bound to IT services
• Corporate data never allowed on employee-owned devices unless the device is under IT control
• User experience rarely a critical factor for the success of new service launches; other factors carry equal or greater weight

vs.

CLOUD/MOBILE MINDSET
• Employees use their own devices as often as or more than enterprise devices; personally owned devices are now the norm
• New IT services must extend to any device, anywhere
• IT control (or wipe) of just the enterprise content
• IT focus on service lifecycle support, which is only loosely bound to devices
• Corporate data allowed on devices not owned by the enterprise, as long as the data itself remains under enterprise control
• Overall user experience critical to a successful new IT service launch
[Diagram: Corporate Identity → Dual Identity; Mobile Device Management (MDM), Mobile Applications Management (MAM), Secure Container & Virtualization, Secure Messaging; versions v1.0, v1.5, v2.0]
Enterprise Identity Evolution
• Traditionally based on Windows Active Directory
• Next, single sign-on (SSO) extends to new corporate applications through proprietary Identity and Access Management (IAM) solutions
• Most recent trends in enterprise identity:
  1. SaaS apps using WebSSO (SAML, OAuth)
  2. Google Apps syncs with or replaces AD
• Smaller companies and startups can now skip AD yet get a better user experience, plus SSO
How did IT lose control of identity?
• Consumerization
• SaaS / Google Apps
• Mobile BYOD
5 Stages for IT

DENIAL
• My employees are happy with the apps and devices we give them
• We don’t need a BYOD program
• We’re in control of employee identity and access management

ANGER
• Who does that department think they are, buying a SaaS service without me?
• What makes every exec think they have the right to choose their own device?
• If you add another app or service, you need to follow my IAM rules or else!

DEPRESSION
• We’re never going to get all our corporate apps under a single SSO
• BYOD will never work here; we could never support it
• We’ve completely lost control because of SaaS apps and mobile

BARGAINING
• As long as you tie identity back to AD, you can add new SaaS offerings
• Everyone can BYOD, but only from this list of approved devices
• You need to give me control of your personal device

ACCEPTANCE
• We only need to manage corporate apps & data on employee-owned devices
• Identity belongs in the cloud and open standards make integration easy
• We’re eliminating most of our server-based infrastructure and moving to Google Apps / Amazon Web Services / etc.
Employees Can (and Do) Filibuster
• Seen in the wild: new BYOD programs with staggeringly low take rates
  - Enterprises claim the right to block personal apps and wipe devices owned personally by employees
  - Employees scared off by overbroad legal agreements they must sign to participate
  - BYOD terms may seem far worse than those that apply to corporate devices
• BYOD is a two-way street: don’t invite a deadlock
  - Involve employee stakeholder participants at all stages of program creation, not just HR and Legal
  - Seek out approaches that respect employee ownership of devices, regardless of whether a stipend is provided
  - Recognize the value of solutions that offer employee privacy and offer freedom of choice for devices and apps
• Be aware that your biggest productivity gains may be realized in unexpected ways
  - Enable your employees and executives to respond more quickly to events on the device of their choosing, and they will be more likely to have it with them when it matters
  - Giving them an app they enjoy using will pay much greater dividends than just meeting their basic needs
• Don’t be tempted by solutions that cater to the illusion of control
  - Many of these solutions also deliver difficult and frustrating user experiences, leading to employee disuse
  - Don’t try to apply complex and burdensome policies to mobile that you’d never try to force-fit on your PCs
• For maximum impact, embrace the Cloud/Mobile approach
  - Focus more on apps and services, less on devices and servers
  - Consumerization of IT means your employees are already comfortable thinking this way
Identity Realities
• BYOD means most of the identities on a mobile device are not under enterprise control
• Enterprises still need to come to terms with this, but they will try to pull the web and mobile ecosystems back into Computing 2.0
New iOS 7 Identity Approaches
The iOS Keychain was originally set up to store credentials for a single app or group of apps from a single developer
• An enterprise that delivered its own applications could use the keychain to assist with SSO but could not extend the keychain to apps by 3rd-party developers
iOS 7 introduces two new concepts to the Keychain:
• iCloud Keychain for storing credentials across devices
• Apple’s new Kerberos-based SSO solution (requires an MDM-managed device with enterprise app provisioning; each app must use the NSURL APIs supplied by Apple)
Apple has left it up to the app developers to envision how SAML or OAuth might be used in conjunction with their new SSO scheme.
Mobile Identity and Certificates
Certificates can be an excellent solution to identity assertion when enterprise IT is disciplined
• Avoid temptations to take operational shortcuts in how certificates are provisioned
• Never let the private key of the certificate leave the device (easier said than done)
• If the certificate is to be stored in the iOS keychain, don’t allow iCloud to copy it
• Android doesn’t have a true keychain; certificates don’t belong in Account Manager
• Look carefully at the process for authenticating certificate signing requests and pay attention to what credentials are used to generate the certificate. Be sure that transitive trust makes sense when password-based credentials are part of the process.
Certificates stored inside individual apps can’t be directly shared with other apps, so if the intended scope of the certificate is for multiple apps on the device, storing the certificate in the work “container” of a dual-persona solution can protect it from exposure.
Unique device identifiers (like UDID, MAC address, IMEI, MEID, etc.) are often used similarly to “authenticate”, but the application and back-end SaaS service must trust that the OS has not been compromised. And SaaS services should not trust identifier data from 3rd-party apps.
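The two keychain points above (the private key never leaves the device; iCloud must not copy the certificate) as an added Swift example, not code from the deck or from Divide. It assumes iOS 10 or later for the Secure Enclave key API (the deck discusses iOS 7), and the key tag and label are placeholders.

```swift
import Foundation
import Security

// Placeholder tag for this example's enterprise device-identity key.
let deviceIdentityKeyTag = "com.example.enterprise.device-identity".data(using: .utf8)!

enum IdentityError: Error {
    case keychain(OSStatus)
    case security(CFError?)
}

/// Generates a P-256 private key inside the Secure Enclave. The key material
/// is non-exportable by construction, and the ThisDeviceOnly accessibility
/// class excludes it from iCloud Keychain sync and from device backups.
func makeDeviceBoundPrivateKey() throws -> SecKey {
    var err: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &err)
    else { throw IdentityError.security(err?.takeRetainedValue()) }

    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: deviceIdentityKeyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err)
    else { throw IdentityError.security(err?.takeRetainedValue()) }
    return key
}

/// Stores the certificate the enterprise CA issued for that key (DER bytes).
/// kSecAttrSynchronizable stays false and the item is ThisDeviceOnly, so
/// iCloud Keychain cannot copy it to another device.
func storeIssuedCertificate(_ derCert: Data, label: String) throws {
    guard let cert = SecCertificateCreateWithData(nil, derCert as CFData)
    else { throw IdentityError.keychain(errSecDecode) }
    let item: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: cert,
        kSecAttrLabel as String: label,
        kSecAttrSynchronizable as String: false,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem
    else { throw IdentityError.keychain(status) }
}
```

The certificate signing request itself is not built here; whatever enrollment path produces it, the CA side still has to authenticate the request with credentials at least as strong as the certificate being issued, as the slide warns.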
Passwords Not Dead Yet
user@enterprise.com / P@55w0rd!
The most common enterprise mobile application remains email, and the most common protocol for obtaining it is ActiveSync, but it requires a cached password credential.
If you’ve got to store it (and it has to be reversibly stored to use with ActiveSync), then why not re-use the credential to authenticate to other Microsoft-based enterprise services?
• Some ActiveSync proxies and gateways can do this transparently for HTTP-based traffic from mobile devices when properly configured
• 3rd-party SDKs enable native mobile apps to bind to Microsoft domains when used with certain MDM agents on devices, or at the container level with certain container solutions
Authorization Agent Approach
By introducing an AZA onto the device (or even better: into the enterprise container on that device), native enterprise applications can leverage the AZA for a fully-featured shared SSO
• Rather than each application individually obtaining OAuth tokens for itself, tokens are obtained by the AZA through the mobile web browser (or secure container browser)
• Native applications pass tokens received from the AZA directly to back-end SaaS services, just as their browser-based equivalents do
AZA Advantages
• For the user, enables an SSO experience for native applications, with explicit authentication and authorization only required for the AZA itself
• For the enterprise, provides a centralized control point for application access; tokens issued to native apps are identical to those used with web apps
• For the app developer, provides easy SSO integration; AZA-based authentication follows the HTML patterns used to obtain application tokens
Additional Advantages of AZA when used with a secure container / dual-persona solution
• Personal use of the browser is separate from the enterprise browser: no enterprise data leakage
• Enterprise applications are under the direct control of enterprise IT
• Leverage certificates and the container passcode to eliminate manual password input for the AZA itself, without impacting the personal-side user experience or adding excess risk
Look for progress to come out of the OpenID Foundation Native Applications Working Group
Implications Discussion
• App developers
  - Choice of identity provider support matters
  - Consumer and enterprise identity options
• Identity provider
  - Don’t stop with AD: look at Google Apps as a valid ID source
• Consumer/employee
  - Which consumer identity providers do I trust personally?
  - What permissions am I granting SaaS apps with my work identity?
• Enterprise
  - Do I double-down on Active Directory for identity?
  - Or do I let go and build it via a cloud provider (Google Apps)?
Long-term Ecosystem Impacts
• AD / Microsoft influence wanes
  - Enterprise-class federated cloud identity alternatives
  - Costly server-based licensing model no longer attractive
• Policy federation and consolidation
  - Too many separate sources of enterprise policies
  - AD, NAC, firewalls, proxies, MDM: not coordinated
  - Need for an LDAP equivalent for policy (XACML isn’t enough)
• Presence and availability federation
  - Need to be able to share key information about the methods and modes by which I’m available for communication
  - BUT I need to control who gets to know what about my presence and availability: requires BOTH federated identity AND federated policy
• BTW, border-oriented security became moot with SaaS
Founded January 2010. Located New York (HQ), London, Hong Kong. 75+ employees. Funding: $25M total ($12M Series B, $11M Series A, $1.8M Seed).
Andrew Toy, Chief Executive Officer
• Vice President Mobile, Viacom
• Vice President Mobile, Morgan Stanley
Alexander Trewby, Chief Operating Officer
• Vice President Mobile, Morgan Stanley
David Zhu, Chief Technology Officer
• Director of Engineering, Smule
• Lead Mobile Engineer
• Divide for Tangoe MDM
• Vodaphone Profile Manager, powered by Divide
• Divide PIM for MobileIron AppConnect
• Divide for IBM Endpoint Manager
• Divide Connect powered by F5
• Divide for Verizon EMaaS (Enterprise Mobility as a Service)
• Divide Files powered by Box
Multiplying Identities with Divide
[Screenshot: PERSONAL / WORKSPACE switch and ENTER PASSCODE prompt]
Divide Launcher
• Secure work container for iOS & Android
• Native user experience
• Extensible: VPN & UC (Divide Connect, Divide Voice)
Cloud Management
• IT control of the container
• User self-service
• MDM APIs enable management via 3rd-party MDM console
Business Applications
• Common apps for all employees: email, contacts, calendar, web browser, file manager, etc.
• Third-party apps provisioned via employee group policies
• Secure file storage
USER EXPERIENCE / OPEN & EXTENSIBLE / SECURITY
“I love this. It's what I wanted in a personally liable work phone.” (Employee, Fortune 50 Multinational)
“Divide addresses our need to integrate with our existing IT infrastructure, especially network security (VPN) and our Identity infrastructure.” (IT Director, Fortune 50 Pharmaceutical)
“We see Divide becoming our standard platform for not just Android and BYOD, but for all mobility.” (IT Director, Fortune 10 Conglomerate)
Divide User Survey, Fortune 25 Technology Multinational: 817 active users in 47 countries; survey included 500 respondents
Most common user comment: “liberated my personal device”
- 75% said Divide improved their ability to work on personal devices
- 81% felt they could successfully accomplish business tasks with Divide
- 88% were confident that Divide kept their personal data private
- 85% said Divide was easy for them to install, configure, and use
- 81% felt Divide had the features they needed
- 86% would recommend Divide to others
- 73% preferred Divide to their existing corporate BYOD offering
- 96% said it was easy for them to find the functions they need within Divide