How smartphones and tablets are forcing CSOs to approach ID and access management differently
Smartphones and tablets are becoming ubiquitous in the workplace, and IT and security executives are having to accept the fact that the "bring your own device" and "consumerization of IT" trends are for real. This isn't a bad thing, considering the potential benefits such as productivity gains, improved collaboration and enhanced customer service.
But a key question for organizations, in terms of security, is what impact the mobility trend will have on identity management. Many IT and security executives have worked hard in recent years developing ID management strategies and procedures for their enterprises, and how the presence of smartphones and tablets affects those efforts is no small consideration.
Industry research shows that the move to mobile devices will continue for the next several years. By 2015, the worldwide mobile worker population will reach an estimated 1.3 billion, representing 37 percent of the total workforce, according to a report released in January 2012 by International Data Corporation (IDC) in Framingham, Mass. That would represent an increase from just over one billion in 2010, the research firm says in its study, the "Worldwide Mobile Worker Population 2011-2015 Forecast."
Given that mobile devices are proving to be such integral tools for accessing corporate data and applications, companies will have to be vigilant about making sure they know who is using the devices at any given time and that those users are authorized to gain access to vital business information.
"From the first day an enterprise end-user is welcomed on board, to the day they eventually leave the organization -- and every workday in between -- their ability to access essential enterprise systems, applications and data is made possible by enterprise-issued identities and corresponding access privileges," says Derek Brink, vice president and research fellow, IT Security at research firm Aberdeen Group in Boston.
"The processes and workflow for managing enterprise identities and access privileges over their lifecycle, from initial provisioning to real-time daily operations to ongoing end-user support to eventual de-provisioning and revocation, are for most companies as fundamental as power and payroll," Brink says. "Performed well, they are highly efficient but virtually unseen. Performed poorly, they are the source of unnecessary friction and costly end-user frustration."
But smartphones and tablets themselves are not driving changes in how enterprise-issued identities and corresponding access privileges are managed, Brink says. "The identity and access lifecycle is pretty much the same, whether you are logging in from your laptop or from your new iPad3," he says. "The bigger changes being driven by these devices would have to be in how enterprises think about protecting their sensitive data, or about how they choose to deliver their critical applications."
There is one key way that mobile devices are affecting enterprise identity and access management strategies, Brink notes. "As enterprises reevaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, solution providers are responding by developing innovative options for authentication that leverage what is arguably the most personal, indispensable and ubiquitous of all modern devices: smartphones and tablets," he says.
The most common mobile options for end-user authentication in the enterprise that Aberdeen sees in its IT security research are one-time passwords, digital certificates and out-of-band authentication.
ID Management Strategies
Organizations whose employees are using tablets and smartphones in the workplace are making identity management a key part of their security efforts in this shifting environment.
Automatic Data Processing Inc. (ADP), a Roseland, N.J., provider of human resources, payroll, tax and benefits administration services, supports mobile platforms including the Apple iPhone and iPad and RIM BlackBerry.
ADP employees use the devices for a variety of purposes, including access to email and applications such as back-office automated workflow, human resources and purchasing, says Roland Cloutier, vice president and CSO. Recently ADP began deploying business applications such as Salesforce.com customer relationship management (CRM) software on mobile devices.
The firm controls and manages smartphones and tablets, including the identity of users, via a mobile device management (MDM) application that is loaded on all the devices registered for access to the company's data and applications. Cloutier says the company doesn't actually connect mobile users directly to the network, but provides access to data through mobile gateways.
"We not only make people register their devices but we make them download the [MDM] agent and [provide written consent] that we can control some basic device protection capabilities" of the products, Cloutier says. "So for example we have e-discovery evidence-gathering capabilities of the device, and they agree to hand over the device for any legal matters." The company also has the ability to remotely wipe devices in the event they are lost or stolen and has used this capability on several occasions.
ADP users must be authenticated before they can get access to corporate information, and who gets to access specific types of data and applications depends on the individual's role in the company and the type of device being used, Cloutier says.
"We created authentication requirements based on the type of data" and who needs access to the information, Cloutier says. While the advent of mobile devices in the workplace did not result in ADP having to change its overall identity management procedures, it did force the company to take a closer look at its risk-review and data-access processes.
Risk assessments could no longer assume that data would stay on a corporate-protected device, and control requirements and data-flow approvals had to take mobility into account, along with the maximum level of control available on any given platform, Cloutier says.
"As far as getting identity management under control, I think [the proliferation of mobile devices] has had a positive effect in making sure we remain consistent in our authentication mechanism," Cloutier says. "It has helped us to create rigor around our authentication platforms."
For example, increased mobility has enabled ADP to force applications developers at the company to consolidate their authentication platforms to centralized identity management authorities. "The bottom line, if they want their application available on mobile, they need to use IT's managed authentication platform," Cloutier says.
It does not make sense to create a second set of identities for users on mobile devices, Cloutier says. "You'll be watering down your control capabilities," he says. "Access [to] data by individuals will remain fluid, including location, device, etc. Creating controls and monitoring capabilities that map users to data and data to use gets exponentially more difficult with each system added to an enterprise."
In addition, control technology requires identity management integration, and integrating multiple identity repositories to any system or control can lead to platform stability issues and higher costs, and affects a company's ability to be agile, Cloutier says. "Focus on proxied authentication or managed authentication through mobile device management-like applications," he says.
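The ADP approach described above (MDM-registered devices reaching data through a gateway, one central identity authority, and authentication requirements that depend on the data type, the user's role and the device) can be modelled as a single deny-by-default policy decision. The following is an added illustration, not ADP's code; the directory, data classes, role sets and strength ranking are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions, not ADP's real policy or directory).
# One central directory supplies the role for every user, so mobile access
# reuses the same identity rather than a second set of mobile identities.
DIRECTORY = {"alice": "hr", "bob": "finance", "carol": "staff"}

# Authentication methods named in the article, ranked by strength.
AUTH_STRENGTH = {"password": 1, "otp": 2, "certificate": 2, "otp+certificate": 3}

# Per data class: the weakest acceptable method and the roles permitted.
POLICY = {
    "email":      {"min_strength": 1, "roles": {"staff", "hr", "finance"}},
    "hr_records": {"min_strength": 2, "roles": {"hr"}},
    "payroll":    {"min_strength": 3, "roles": {"finance"}},
}

@dataclass(frozen=True)
class Device:
    device_id: str
    registered: bool       # enrolled with the company
    mdm_agent: bool        # MDM agent installed and reporting
    wiped: bool = False    # remotely wiped after loss or theft

@dataclass(frozen=True)
class Request:
    user: str
    auth_method: str
    device: Device
    data_class: str

def decide(req: Request) -> tuple[bool, str]:
    """Deny-by-default gateway decision: (allowed, reason)."""
    policy = POLICY.get(req.data_class)
    if policy is None:
        return False, "unknown data class"
    role = DIRECTORY.get(req.user)          # single identity authority
    if role is None:
        return False, "user not in central directory"
    dev = req.device
    if not (dev.registered and dev.mdm_agent):
        return False, "device not registered with MDM agent"
    if dev.wiped:
        return False, "device was remotely wiped"
    if role not in policy["roles"]:
        return False, f"role {role} not permitted for {req.data_class}"
    if AUTH_STRENGTH.get(req.auth_method, 0) < policy["min_strength"]:
        return False, "authentication too weak for this data class"
    return True, "ok"
```

Each check fails closed, so an unknown user, an unenrolled device or an unranked authentication method is denied rather than silently passed through.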
At Purdue University Calumet in Hammond, Ind., most of the administrative staff, about 300 people, are now using smartphones (iPhone, Android, Windows, BlackBerry), says Frank Cervone, vice chancellor for information services and CIO. Tablet adoption has been lower, with about 100 employees using iPads or Windows-based tablets.
For both types of devices the primary business application is email and calendaring, Cervone says. "We have a virtual desktop capability for a limited set of applications, but have not seen much interest in using that functionality yet," he says.
Mobile devices have added a bit of complexity to identity management at Purdue because identity management is "pretty much a manual affair on Apple and Android devices," Cervone says. "We have had to develop more online help so people can make the needed adjustments to their accounts on their own rather than having to come to the help desk or call in."
The university is also looking at software tools that would help make the management of identities simpler for managers as well as end users, Cervone says. "We are also looking at various options for stricter enforcement of controls to limit data loss," he says.
"At this point it has been more of an issue with authentication rather than ID management, since the applications have been limited so far, for the most part, to email and calendaring," Cervone says. "All other applications [use] standard university authentication."
Purdue requires all university-issued devices to have either a PIN or some other type of locking mechanism to prevent unbridled access, Cervone says, as well as authentication for access to the university network.
This story, "The mobile game changer," was originally published by CSO.