The growing reliance on cloud-based business applications and mobile devices creates significant challenges for IT professionals who must establish policies for identity and access management (IAM). An estimated 50 to 80 percent of cloud-based applications used within the average enterprise are provisioned by end users—outside the organization’s requirements for control, documentation, security, and reliability. Within IT circles, this is often referred to as “shadow IT.”
To address security, compliance, and governance challenges associated with cloud and mobile adoption in the enterprise, new security models must take user identity into consideration. Whether you plan to pursue a hybrid model (a mix of on-premises and cloud), or a cloud-only IAM architecture, it is imperative that you secure user access to enterprise SaaS and cloud apps from mobile devices. There are four key elements to consider: business requirements, identity and trust requirements, architecture requirements, and roadmap requirements.
1. Forecast Business Applications Requirements
Mobile devices are often outside the enterprise’s physical and logical control, yet the applications accessed from them hold more and more business-critical data. The first step is to take inventory of your mobile business applications and evaluate them against your existing identity, authentication, and access management capabilities.
Review your organization’s current and future use of cloud applications to determine whether these apps have been incorporated into your IT service catalog of approved applications. Placing them within the broader IT portfolio of services, including those supporting mobile devices, will ensure that business leaders can uphold centralized access policies and audit functions.
Once you understand your application requirements, take inventory of your users’ mobile device platforms (Android, iOS, Windows Phone). Be prepared to implement changes to company policies, as well as to the IT infrastructure and mobile authentication technologies required to support the proliferation of these devices.
2. Define Trust Requirements for Mobile Users
An identity management solution must establish trust between the mobile user and the cloud application, and must maintain the credentialing services required. Trust between a user and the services provisioned by an enterprise is influenced by factors such as the user’s authorized privileges, the context in which that user is accessing these services (such as time and location), and the capabilities of the mobile platform.
It is essential that you secure mobile user access to your organization’s cloud apps. Ideally, you should use a standards-based single sign-on (SSO) solution that offers secure web-based authentication to all major enterprise cloud applications via a single portal. Require application developers and cloud vendors to support open standards, such as:
- OASIS Security Assertion Markup Language (SAML) standard for authentication
- OAuth standard for delegated authorization
- OpenID Foundation’s Native Applications (NAPPS) Working Group efforts to enable SSO for native applications installed on mobile devices
- FIDO (Fast IDentity Online) Alliance work on two-factor authentication standards
- IETF’s SCIM (System for Cross-domain Identity Management) standard for provisioning and managing identities across domains
Evaluate SSO vendors that provide a broad catalog of cloud applications with out-of-the-box connectors. The solution should also support all leading mobile platforms, including Android, iOS, and Windows Phone. In addition, verify that the vendor’s data centers are certified for security, privacy, and data protection under established standards and programs, including ISO 27001, SOC 2, TRUSTe, Skyhigh Enterprise Ready, and Safe Harbor.
3. Establish Your Mobile Identity and Access Management Architecture
Bring-your-own-device (BYOD) practices introduce additional risk. Because businesses don’t own their users’ mobile devices, the traditional system management paradigm doesn’t apply. While leveraging social media logins is an inexpensive form of SSO for some websites, most social logins do not provide sufficient trust to meet enterprise requirements. Plan to federate user identities across domains, use standards like SAML for web SSO, and leverage end-user mobile devices as a secondary authentication factor via one-time passwords (OTP).
As you evaluate mobile security options, select an architecture that puts the user at the center of the security model. Security practices should be prioritized to secure user access to cloud apps and move beyond managing mobile system configurations.
4. Plan for the Next Generation of User Authentication
Users want to be able to access enterprise apps from their mobile devices. It’s unlikely that there will be time to develop a comprehensive mobile IAM architecture before lines of business demand access. Thus, craft a lightweight architecture for now with a vision for the future that may include emerging standards such as OpenID’s NAPPS. As you begin to revise the architecture of your IT service delivery model, try to plan ahead for three or more years.
The mobile security ecosystem is only as strong as its weakest link. Understand the role each partner plays in security. Require cloud service providers to support open standards, and consider implementing a cloud vendor onboarding certification (CVOC) program. A CVOC ensures that only vendors meeting your standards (for example, by providing SAML connectors) are certified for deployment.
Your company’s legal team, purchasing team, and internal business owners should work with your IT and security professionals to assess each cloud vendor. Pay close attention to cloud vendor policies for identity and authentication. Scrutinize their roadmaps to address security, compliance, and governance risks.
Summary
It is imperative that organizations define and implement an IAM strategy that encompasses mobile users and the applications and devices they use so information can move securely between people, applications, and devices in accordance with policy. New security models are emerging that put the user at the center of security design. IT professionals should consider this new paradigm as they define business requirements, identity and trust requirements, architecture requirements, and roadmap requirements for their mobile IAM strategy.
About the Author: Chip Epps is Senior Director of Product Marketing at OneLogin where he helps advance cloud security initiatives and guide the evolution of IAM technologies.
Edited by Maurice Nagle