For enterprises, the collision of the mobile revolution with the cloud revolution represents a security train wreck. Tablets and smartphones are quickly becoming the productivity tool of choice for executives, sales professionals, and remote workers.
However, BYOD — Bring Your Own Device — is making it extremely difficult for IT departments to enforce security policies on private and public cloud applications accessed from personal devices not owned by the company. Nevertheless, there are practical ways to address this problem.
One is using single sign-on (SSO) to improve user convenience while reducing data security risks.
Mobile Adoption Exploding
The impact of mobility on the enterprise is enormous. By 2014, it is estimated there will be more mobile devices than PCs. Remarkably, tablet ownership has grown by 14 times in less than three years. In fact, a 2011 Gartner study found that, on average, U.S. CIOs expect 38 percent of their workforce to use personal devices at work by the end of 2012. This growth results in millions of devices that need to be managed and could be lost or stolen.
Interestingly, employees — not the enterprise — are driving this adoption. In fact, due to the consumerization trend, IT departments are often perceived by end users as an impediment to using the best productivity tools. As a result, many employees bypass IT, which results in unauthorized app usage and sprawl.
Identities Are Proliferating
In the past, enterprises could employ a fortress approach to protect critical data and apps behind the firewall. The cloud and now BYOD have changed that forever, as apps and related data have moved outside the data center and beyond IT’s governance and management reach. Users are accessing apps and data outside the traditional workplace using public Wi-Fi networks, cellular networks, and third-party networks. Furthermore, as the number of apps multiplies, so does the number of identities and passwords.
“In the extended enterprise context, the fundamentals of identity and access management (IAM) actually grow in importance, since organizations can leverage the same internal user repositories repeatedly in cross-domain scenarios such as accessing SaaS and partner applications,” Forrester Research said in a June 2012 study.
This overwhelming complexity is driving the need for SSO, which reduces the number of passwords and credentials that employees need to manage and simplifies access to third-party services. From an enterprise perspective, SSO decreases IT costs and administrative burdens.
Personal Devices Create New Challenges
Before BYOD, IT controlled desktop hardware, networking, and access. With BYOD, employee-owned devices are a mixed blessing. They provide many advantages but also significant new management challenges.
In many cases, personal devices are beyond IT’s reach. That’s because employees resist having company apps installed on their personal devices, while mobile users make physical administration nearly impossible. This landscape makes it difficult for IT to deliver apps to users, which results in lost productivity because users can’t access the apps they need to work efficiently.
Mission-critical data is commonly accessible from the cloud and mobile devices. Consider CRM data — customer lists, pricing, pipelines — stored in Salesforce.com or Marketo, or HR and payroll data in apps like Workday and ADP. This increases the risk of data loss or leakage. Further, with public Wi-Fi use widespread (think hotels, airports, and coffee shops), the networks being used to access corporate data are much less secure than those within the enterprise. The implications of data leakage include reputational damage, loss of IP and customers, reactive security breach responses, and sensitive data being dispersed across personal devices.
Compliance mandates are also driving the need for access control and audit. The compliance implications of BYOD, for instance, make things more complicated; it is not possible to seize a personal device for e-discovery.
A key consideration for security in the mobile world is keeping data off the device by using mobile Web apps. This eliminates an enterprise’s reliance on remote wipe and encryption/key management capabilities for securing endpoint devices. An ounce of prevention can be worth a pound of mobile device management (MDM).
To scale the management of BYOD and security, enterprises need to bring access management under a common system of record like Active Directory and tie SSO for mobile Web, SaaS, and enterprise Web apps together. The best way to do this is by deploying cloud SSO integrated with backend enterprise directories and identity infrastructures.
Checklist for BYOD SSO
Many enterprises report that BYOD has reduced costs and improved productivity and customer satisfaction. That’s because field reps can access the data they need from anywhere, which makes them more responsive. With all these potential advantages, here are 10 key considerations for enterprises when evaluating SSO:
- How can we improve the user experience through SSO?
- How many redundant passwords can we eliminate with SSO?
- How can we create a convenient user experience across phones, tablets, desktops, and laptops with SSO?
- How can we support the largest number of users, apps, and platforms from iOS to Android and others, as well as desktop OSs?
- Does our IT group have a documented plan, procedures, and tools to respond to a lost employee mobile device the way we respond to a lost or stolen laptop?
- Has IT completed a baseline audit of what apps and data are mobile-accessible and developed a prioritized remediation plan?
- How does BYOD fit into our organization’s identity and access management (IAM) strategy?
- How can we minimize or prevent data leakage through mobile devices?
- How can we meet our compliance requirements across mobile devices?
- How can we quickly de-provision users from company apps when a personal device is being used?
Keys to Securing BYOD With Cloud SSO
Enterprises realizing success with BYOD have employed the following four key strategies.
First, research your environment and develop a mobile plan. Start by surveying three groups of users — executives, sales and field personnel to learn what apps and devices they use. Define basic policies governing acceptable use and how company data may be used.
Next, work to keep your data in the cloud, not on the device. Analyze and classify your apps and data, and keep local copies off the mobile device in the first place. Be sure you have a way to perform a remote wipe of the device (built-in with Apple, an add-on with others).
Third, deploy mobile portals. Much like native app stores, mobile portals enable apps to be securely and dynamically delivered to users. Mobile portals have a big advantage by delivering access to company apps and data without installing native apps or storing local copies of data. Mobile portals also centrally enforce session timeouts, reducing the risk of casual access or cached local credentials.
Fourth, deploy mobile-aware cloud identity management. Moving beyond device management to identity management, you can scale quickly without compromising security.
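The mobile-portal strategy above and the de-provisioning item in the checklist both rest on the same point: the session lives on the portal, not on the device. The following is an added illustration (not code from the article or from any vendor it mentions) of a minimal portal-side session broker that enforces an idle timeout, an absolute lifetime, and immediate revocation once a user is disabled in the directory; the `SessionBroker` class, the 15-minute and 8-hour values, and the in-memory set standing in for Active Directory are all assumptions of this example.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the portal session expires (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime cap regardless of activity (assumed value)


class SessionBroker:
    """Portal-side session store: the device holds only an opaque token, and the
    directory (an in-memory set standing in for Active Directory) remains the system of record."""

    def __init__(self, directory_active: Set[str], clock: Callable[[], float] = time.time):
        self.directory_active = directory_active  # users currently enabled in the directory
        self.clock = clock                        # injectable so expiry can be tested without waiting
        self.sessions: Dict[str, dict] = {}       # token -> {"user", "created", "seen"}

    def login(self, user: str) -> Optional[str]:
        """Issue a portal session only to users still enabled in the directory."""
        if user not in self.directory_active:
            return None
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "created": now, "seen": now}
        return token

    def authorize(self, token: str) -> bool:
        """Run on every app request through the portal: SSO lasts only while the central
        session is valid, so a token cached on a lost device goes stale on its own."""
        s = self.sessions.get(token)
        if s is None:
            return False
        now = self.clock()
        timed_out = now - s["seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT
        if timed_out or s["user"] not in self.directory_active:
            del self.sessions[token]  # expired, or de-provisioned since login
            return False
        s["seen"] = now
        return True

    def deprovision(self, user: str) -> int:
        """Disable the user centrally; every portal session they hold dies at once."""
        self.directory_active.discard(user)
        before = len(self.sessions)
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        return before - len(self.sessions)
```

Because every app request is re-checked against the portal, a device that is lost, or a user who leaves, is cut off by a single central change rather than by a remote wipe that may never reach the handset.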
For today’s enterprises, the question is no longer whether but how to support BYOD. Using SSO delivered from the cloud provides end-user convenience while reducing password fatigue. Cloud SSO also enables IT departments to implement access control rules and authentication methods that leverage internal systems like Active Directory and achieve a balance of convenience and security.
SSO would be great after I’ve validated the user. Does simplified provide integrated 2-factor authentication for a user from an iPad prior to providing SSO to all other apps?
Looking for clarification. This need to "integrate 2-factor authentication for a user from an iPad prior to providing SSO to all other apps" seems very complex. It sounds like you have to modify the code for EVERY mobile application in order to allow this SSO/2Factor to happen. Is that right? If that’s the case, developer time can be very expensive.
Another question: this "SSO to all other apps" seems like a good idea. However, in my opinion the "identity" stored on the mobile devices needs to be hard-coded to the user/device and non-exportable; I have not seen a solution that is capable of doing so. Have you?