byod - it's an identity thing
Post on 29-Nov-2014
BYOD: It's an 'Identity' Thing
Paul Madsen (@pmadsen)
Senior Technical Architect
Ping Identity
A little bit about me
What's the big deal?
BYOD: Bring Your Own Devices
Context: COIT, BYOD, Social, App stores, Personal Cloud
will.i.am keynoting Cloudforce
[reputable analyst firm] says [X%] of Fortune 500 will
confront BYOD by [201Y]
So why allow it?
Shadow IT happens
[Chart: Employee productivity as a function of time, Mon to Sun, mobile vs traditional 9-5]
Fundamental challenge
A single device must support two 'masters'
Err no….
Choices
• Mobile Device Management (MDM) applies enterprise policy to the device as a whole – PIN, wipe, VPN etc
• Mobile Application Management (MAM) focuses on the business apps ON the device – App store, security added onto binaries either through SDK or 'wrapping'
Granularity
BYOD Balancing Act: Security, Privacy, Enablement, Standards
Balancing Act: Productivity
[Chart: Productivity vs time, from hired to fired, ideal vs reality, with callouts: 'Well I guess I can play Angry Birds until IT sets me up', 'Now what was my password again??', 'Whoa, I can still login!']
GTD Requirements
1. Initial GTD - Quickly get new employees up and running with the applications their role demands
2. Ongoing GTD - Provide employees single sign on experience in day to day work
3. Stop GTD - Reduce/remove permissions when necessary
Balancing Act: Privacy
Privacy: "the right to be let alone—the most comprehensive of rights and the right most valued by civilized men" (Louis Dembitz Brandeis)
[Chart: Privacy vs granularity of IT control]
Partitioning for privacy
1. Divide the phone in 'half' – one side for business applications & data, another for personal
2. IT's mandate is to manage & secure the apps & data on the business side
3. IT has no mandate (nor, hopefully, desire) to touch apps & data on the personal side
Balancing Act
Security
IT'S NOT ABOUT THE DEVICE
It's the data
Protecting the data
1. Ensure that user/app can access only appropriate data – Authorization based on role
2. Protect data in transit – SSL
3. Protect data on device – PIN, Encryption
4. Remove access to data when appropriate – Wipe stored data (or keys) – Revoke access to fresh data
[Diagram: nested scopes of control – IdM, MAM, MDM, MIM?]
MDM – No screen capture
MAM – No screen capture when in email app
MIM – No screen capture for this document
Balancing Act: Standards
Why standards?
• Framework implies interplay between
– Enterprise IdM
– MAM architecture (MAM servers, MAM agent)
– Applications (on-prem, SaaS)
[Diagram: Components – Enterprise, MAM, Device with Browser and MAM agent, SaaS1, SaaS2]
Standards
• SCIM (System for Cross-Domain Identity Management) to provision identities as necessary to MAM and SaaS providers
• SAML (Security Assertion Markup Language) to bridge enterprise identity to MAM and SaaS providers
• OAuth to authorize MAM agents, and SaaS native apps
[Diagram: Components with standards – Enterprise IdM provisions identities to MAM, SaaS1 and SaaS2 over SCIM, bridges identity to them over SAML, and the MAM agent and SaaS native apps on the device are authorized with OAuth]
[Diagram: Bob 'pursuing other ventures' – Enterprise IdM sends SCIM (delete) to MAM, SaaS1 and SaaS2, and a wipe is pushed to the business apps on the device]
[Diagram: Bob 'loses phone in cab' – Enterprise IdM sends SCIM (status=0) to MAM, SaaS1 and SaaS2, and LOCK=Y to the device]
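The three flows the slides draw (provision on hire, status=0 plus lock on a lost phone, delete plus wipe on termination) as a runnable model. This is an added example, not code from the deck or from Ping Identity; the Provider and EnterpriseIdM classes, the user ids and the 'LOCK=Y'/'WIPE' command strings are constructed placeholders, and only the SCIM 2.0 schema URNs and PATCH shape come from the SCIM standard (RFC 7643/7644).

```python
# Added example (not from the deck): the enterprise IdM drives MAM and SaaS
# providers with SCIM 2.0 messages; provider-side token checks show how 'fresh
# data' access dies with the SCIM record. Everything runs in-process, no network.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class Provider:
    """A MAM server or SaaS app: its SCIM user records plus the OAuth tokens it issued."""
    def __init__(self, name):
        self.name, self.users, self.tokens = name, {}, {}
    def scim(self, method, uid, body=None):
        if method == "POST" and body["schemas"] == [SCIM_USER]:      # hire
            self.users[uid] = {"userName": body["userName"], "active": True}
        elif method == "PATCH" and body["schemas"] == [SCIM_PATCH]:  # status=0
            for op in body["Operations"]:
                if op["op"] == "replace" and op["path"] == "active":
                    self.users[uid]["active"] = op["value"]
        elif method == "DELETE":                                      # fired
            self.users.pop(uid, None)
    def issue_token(self, uid):
        self.tokens[uid] = f"tok-{self.name}-{uid}"      # placeholder token
        return self.tokens[uid]
    def api_call(self, token):
        """Serve fresh data only while the SCIM record exists and is active."""
        uid = next((u for u, t in self.tokens.items() if t == token), None)
        return uid is not None and self.users.get(uid, {}).get("active", False)


class EnterpriseIdM:
    def __init__(self, providers):
        self.providers = providers
    def hire(self, uid, username):                # initial GTD
        body = {"schemas": [SCIM_USER], "userName": username}
        for p in self.providers:
            p.scim("POST", uid, body)
        return {p.name: p.issue_token(uid) for p in self.providers}
    def lost_phone(self, uid):                    # SCIM active=false + LOCK=Y
        patch = {"schemas": [SCIM_PATCH],
                 "Operations": [{"op": "replace", "path": "active", "value": False}]}
        for p in self.providers:
            p.scim("PATCH", uid, patch)
        return "LOCK=Y"                           # placeholder MAM agent command
    def terminate(self, uid):                     # SCIM delete + wipe
        for p in self.providers:
            p.scim("DELETE", uid)
        return "WIPE"                             # placeholder: wipe stored data/keys
```

The lost-phone path leaves the SCIM records in place (so a recovered device can be re-enabled with active=true), while termination removes them outright, which is the distinction the two Bob slides make.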
[Diagram: Enterprise, Device carrying several native apps and an authz agent, and multiple Application Providers]
Wrapping up
[Diagram: device split into Business and Personal; Corp Identity feeds MAM, which applies Policy and provisions Apps to the business side; Tokens are provisioned to those apps; apps present Identity via tokens on REST calls to reach Data]
Thank you @paulmadsen
Summary
1. Divide device & leave employee personal data alone
2. Provision apps via MAM based on employee identity & roles into employee 'side'
3. Provision tokens to those apps via IdM based on employee identity & roles
4. Apps use tokens on API calls to corresponding Cloud