Upload: philippa-mitchell, posted 03-Jan-2016 (34 slides)

TRANSCRIPT

Page 1: Consumer/Enterprise Identity Realities in a Cloud/Mobile World Andy Zmolek @zmolek Director of Technology Partnerships, Divide andy.zmolek@divide.com
Page 2:

Consumer/Enterprise Identity Realities in a Cloud/Mobile World

Andy Zmolek @zmolek, Director of Technology Partnerships, Divide, andy.zmolek@divide.com

Page 3:

IT’S A CLOUD/MOBILE WORLD NOW

Page 4:

• Consumers drive disruptive innovation; enterprise follows later (Consumerization of IT, CoIT)
• Identity moves from self-contained to server-defined and is now cloud-defined
• Most enterprise IT is still stuck in a Computing 2.0 mindset

Three computing waves:
1.0 Central/Terminal Computing
2.0 Server/Device Computing
3.0 Cloud/Mobile Computing

Identity is re-defined in each computing wave

Page 5:

Do you see a pattern?

Central/Terminal Computing (1.0)
• Enterprise owns and controls equipment
• Vendor selection by enterprise only
• No consumer use
• Complete control of enterprise data
• Long sales and deployment cycles
• Duty cycle: 15-20 years
• Software: build-to-suit
• Locally-oriented
• MIS Department

Server/Device Computing (2.0)
• Equipment owned by enterprise or consumer
• Vendor selection by enterprise or consumer
• Some shared use of enterprise device
• Some control of enterprise data
• Moderate sales and deployment cycles
• Duty cycle: 5-10 years
• Software: packaged
• LAN/WAN-oriented
• IT Department

Cloud/Mobile Computing (3.0)
• Equipment more often consumer-owned (trend)
• Consumer typically drives vendor selection
• Consumer AND enterprise use of the same device
• Deep fear of losing control of enterprise data
• Short sales and deployment cycles
• Duty cycle: 2 years (or less)
• Software: cloud/app store/web
• Cloud-oriented
• ? (department still to be named)

Page 6:

SERVER/DEVICE MINDSET vs. CLOUD/MOBILE MINDSET

Server/Device mindset:
• Employees use only enterprise assets to connect to enterprise services; personally-owned devices are the exception
• Most IT services are limited to specific approved devices and physical locations
• IT control (or wipe) for the whole device
• IT focus on device lifecycle support, which is strongly bound to IT services
• Corporate data never allowed on employee-owned devices unless the device is under IT control
• User experience rarely a critical factor for the success of new service launches; other factors carry equal or greater weight

Cloud/Mobile mindset:
• Employees use their own devices as often as or more than enterprise devices; personally owned devices are now the norm
• New IT services must extend to any device, anywhere
• IT control (or wipe) of just the enterprise content
• IT focus on service lifecycle support, which is only loosely bound to devices
• Corporate data allowed on devices not owned by the enterprise, as long as the data itself remains under enterprise control
• Overall user experience critical to a successful new IT service launch

Page 7:

CLOUD/MOBILE IDENTITIES

Page 8:

Enterprise mobility evolution (v1.0 → v1.5 → v2.0):
• Secure messaging
• Mobile Device Management (MDM)
• Mobile Application Management (MAM)
• Secure container & virtualization

Identity model: Corporate Identity → Dual Identity

Page 9:

Enterprise Identity Evolution
• Traditionally based on Windows Active Directory
• Next, single sign-on (SSO) extends to new corporate applications through proprietary Identity and Access Management (IAM) solutions
• Most recent trends in enterprise identity:
  1. SaaS apps using WebSSO (SAML, OAuth)
  2. Google Apps syncs with or replaces AD
• Smaller companies and startups can now skip AD yet get a better user experience, plus SSO

Page 10:

Identity Choices

Page 11:

Page 12:

Page 13:

Page 14:

How did IT lose control of identity?
• Consumerization
• SaaS / Google Apps
• Mobile BYOD

Page 15:

5 Stages for IT

DENIAL
• My employees are happy with the apps and devices we give them
• We don’t need a BYOD program
• We’re in control of employee identity and access management

ANGER
• Who does that department think they are, buying a SaaS service without me?
• What makes every exec think they have the right to choose their own device?
• If you add another app or service, you need to follow my IAM rules or else!

DEPRESSION
• We’re never going to get all our corporate apps under a single SSO
• BYOD will never work here; we could never support it
• We’ve completely lost control because of SaaS apps and mobile

BARGAINING
• As long as you tie identity back to AD, you can add new SaaS offerings
• Everyone can BYOD, but only from this list of approved devices
• You need to give me control of your personal device

ACCEPTANCE
• We only need to manage corporate apps & data on employee-owned devices
• Identity belongs in the cloud and open standards make integration easy
• We’re eliminating most of our server-based infrastructure and moving to Google Apps / Amazon Web Services / etc.

Page 16:

Employees Can (and Do) Filibuster

• Seen in the wild: new BYOD programs with staggeringly low take rates
  - Enterprises claim the right to block personal apps and wipe devices owned personally by employees
  - Employees scared off by overbroad legal agreements they must sign to participate
  - BYOD terms may seem far worse than those that apply to corporate devices

• BYOD is a two-way street; don’t invite a deadlock
  - Involve employee stakeholder participants at all stages of program creation, not just HR and Legal
  - Seek out approaches that respect employee ownership of devices, regardless of whether a stipend is provided
  - Recognize the value of solutions that offer employee privacy and freedom of choice for devices and apps

• Be aware that your biggest productivity gains may be realized in unexpected ways
  - Enable your employees and executives to respond more quickly to events on the device of their choosing, and they will be more likely to have it with them when it matters
  - Giving them an app they enjoy using will pay much greater dividends than just meeting their basic needs

• Don’t be tempted by solutions that cater to the illusion of control
  - Many of these solutions also deliver difficult and frustrating user experiences, leading to employee disuse
  - Don’t try to apply complex and burdensome policies to mobile that you’d never try to force-fit on your PCs

• For maximum impact, embrace the Cloud/Mobile approach
  - Focus more on apps and services, less on devices and servers
  - Consumerization of IT means your employees are already comfortable thinking this way

Page 17:

IDENTITY REALITIES

Page 18:

Identity Realities
• BYOD means most of the identities on a mobile device are not under enterprise control
• Enterprises still need to come to terms with this, but they will try to pull the web and mobile ecosystems back into Computing 2.0

Page 19:

New Identity Reality Example: Android

Page 20:

New iOS 7 Identity Approaches

The iOS Keychain was originally set up to store credentials for a single app or a group of apps from a single developer (a shared keychain access group)
• An enterprise that delivered its own applications could use the keychain to assist with SSO, but could not extend the keychain to apps by 3rd-party developers

iOS 7 introduces two new concepts to the Keychain:
• iCloud Keychain for syncing credentials across devices
• Apple’s new Kerberos-based SSO solution (requires an MDM-managed device with enterprise app provisioning; the SSO profile lists which apps and URL prefixes may use the ticket, and each app must use the NSURL APIs supplied by Apple so the OS can perform the Kerberos exchange on its behalf)

Apple has left it up to app developers to envision how SAML or OAuth might be used in conjunction with the new SSO scheme.

Page 21:

Mobile Identity and Certificates

Certificates can be an excellent solution to identity assertion when enterprise IT is disciplined
• Avoid temptations to take operational shortcuts in how certificates are provisioned
• Never let the private key of the certificate leave the device (easier said than done)
  – If the certificate is to be stored in the iOS keychain, don’t allow iCloud Keychain to copy it (a synced key is a copied key)
  – Android has no true equivalent of the iOS keychain; certificates and their private keys don’t belong in Account Manager (use the platform KeyChain/keystore APIs, hardware-backed where the device supports it)
• Look carefully at the process for authenticating certificate signing requests (CSRs) and pay attention to what credentials are used to obtain the certificate. Be sure that transitive trust makes sense when password-based credentials are part of the process: a certificate issued on the strength of a password is no stronger an assertion than that password was, and it stays valid after the password is changed unless you revoke it.

Certificates stored inside individual apps can’t be directly shared with other apps, so if the intended scope of the certificate is multiple apps on the device, storing it in the work “container” of a dual-persona solution can protect it from exposure while still making it available to the apps that need it.

Unique device identifiers (UDID, MAC address, IMEI, MEID, etc.) are often used in a similar way to “authenticate”, but the application and the back-end SaaS service must trust that the OS has not been compromised, and such identifiers are not secrets: anything that can read one can replay it. At best they identify a device; they never authenticate a user. SaaS services should not trust identifier data supplied by 3rd-party apps.
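Worked example, added here and not part of the original deck: a certificate enrollment flow in Go that shows the two disciplines the slide asks for. The private key is generated on the device and only a CSR leaves it; the issuing side verifies the CSR's proof-of-possession signature, enforces a key policy, and refuses to certify any name other than the identity that was authenticated by the enrollment credential, so a password that gets someone through enrollment cannot be turned into a certificate for a different user or device. The `Enrollment` record, the user and device names, and the throwaway CA are assumptions made for the demonstration; the deck does not specify a provisioning protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Enrollment is the hypothetical record the enrollment service holds before it
// sees any CSR: who authenticated (here, with a password) and from which device.
type Enrollment struct {
	UserPrincipal string
	DeviceID      string
}

// deviceCSR runs on the device: the key is generated there and never leaves;
// only the CSR (user in CN, device in OU) is sent to the enrollment service.
func deviceCSR(user, deviceID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: user, OrganizationalUnit: []string{deviceID}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// issueCertificate runs on the CA side. It signs only if the CSR (a) proves
// possession of the key, (b) uses an acceptable key, and (c) names exactly the
// identity the enrollment credential authenticated, so trust never transfers
// from a password to a different name.
func issueCertificate(csrDER []byte, enr Enrollment, caKey *ecdsa.PrivateKey, caCert *x509.Certificate) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // (a) proof of possession
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey) // (b) key policy
	if !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("key policy: only P-256 ECDSA keys are issued")
	}
	if csr.Subject.CommonName != enr.UserPrincipal { // (c) bind to the authenticated identity
		return nil, fmt.Errorf("CSR names %q but enrollment authenticated %q", csr.Subject.CommonName, enr.UserPrincipal)
	}
	if len(csr.Subject.OrganizationalUnit) != 1 || csr.Subject.OrganizationalUnit[0] != enr.DeviceID {
		return nil, errors.New("CSR device does not match enrolled device")
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	// The CA decides validity and key usage; extensions requested in the CSR are ignored.
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds a throwaway self-signed issuing CA for the demonstration.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mobile Issuing CA"},
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func main() {
	caKey, caCert, _ := newCA()
	enr := Enrollment{UserPrincipal: "alice@example.com", DeviceID: "device-1234"} // constructed sample
	_, good, _ := deviceCSR("alice@example.com", "device-1234")
	cert, err := issueCertificate(good, enr, caKey, caCert)
	fmt.Println("matching CSR issued:", err == nil && cert != nil)
	// Someone who cleared enrollment with alice's password asks for a certificate
	// in another name: the password's trust must not transfer to it.
	_, bad, _ := deviceCSR("ceo@example.com", "device-1234")
	_, err = issueCertificate(bad, enr, caKey, caCert)
	fmt.Println("mismatched CSR rejected:", err)
}
```

The same shape applies to SCEP or a custom enrollment endpoint: whatever authenticated the enrollment session is what the subject must be checked against, and the subject the device puts in its CSR is untrusted input until that check passes.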

Page 22:

Passwords Not Dead Yet
• The most common enterprise mobile application remains email, and the most common protocol for obtaining it is ActiveSync, but ActiveSync requires a cached password credential
• If you’ve got to store it (and it has to be stored reversibly to use with ActiveSync, which means the cache holds a full account password and must be protected as one: encrypted under the container passcode and kept out of backups), then why not re-use the credential to authenticate to other Microsoft-based enterprise services?
• Some ActiveSync proxies and gateways can do this transparently for HTTP-based traffic from mobile devices when properly configured
• 3rd-party SDKs enable native mobile apps to bind to Microsoft domains when used with certain MDM agents on devices, or at the container level with certain container solutions

(slide graphic: a corporate e-mail address paired with the password “P@55w0rd!”, the cached credential in question)

Page 23:

Authorization Agent Approach

By introducing an Authorization Agent (AZA) onto the device (or, even better, into the enterprise container on that device), native enterprise applications can leverage the AZA for a fully-featured shared SSO
• Rather than each application individually obtaining OAuth tokens for itself, tokens are obtained by the AZA through the mobile web browser (or the secure container browser)
• Native applications pass tokens received from the AZA directly to back-end SaaS services, just as their browser-based equivalents do

AZA Advantages
• For the user, enables an SSO experience for native applications, with explicit authentication and authorization only required for the AZA itself
• For the enterprise, provides a centralized control point for application access; tokens issued to native apps are identical to those used with web apps
• For the app developer, provides easy SSO integration; AZA-based authentication follows the same browser (HTML/HTTP) patterns used to obtain application tokens on the web

The flip side: the AZA becomes the one place on the device that holds tokens for every enterprise app, so it must verify which app is asking (for example by the requesting app’s package and signing identity, which a container can enforce) before releasing a token, or any app on the device could obtain tokens in the user’s name.

Additional Advantages of AZA when used with a secure container / dual persona
• Personal use of the browser is separate from the enterprise browser: no enterprise data leakage
• Enterprise applications under direct control of enterprise IT
• Leverage certificates and the container passcode to eliminate manual password input for the AZA itself, without impacting the personal-side user experience or adding excess risk

Look for progress to come out of the OpenID Foundation Native Applications Working Group

Page 24:

THE IMPLICATIONS

Page 25:

Implications Discussion
• App developers
  – Choice of identity provider support matters
  – Consumer and enterprise identity options
• Identity provider
  – Don’t stop with AD: look at Google Apps as a valid ID source
• Consumer/employee
  – Which consumer identity providers do I trust personally?
  – What permissions am I granting SaaS apps with my work identity?
• Enterprise
  – Do I double down on Active Directory for identity?
  – Or do I let go and build it via a cloud provider (Google Apps)?

Page 26:

Long-term Ecosystem Impacts
• AD / Microsoft influence wanes
  – Enterprise-class federated cloud identity alternatives
  – Costly server-based licensing model no longer attractive
• Policy federation and consolidation
  – Too many separate sources of enterprise policies
  – AD, NAC, firewalls, proxies, MDM: not coordinated
  – Need for an LDAP equivalent for policy (XACML isn’t enough)
• Presence and availability federation
  – Need to be able to share key information about the methods and modes by which I’m available for communication
  – BUT I need to control who gets to know what about my presence and availability: requires BOTH federated identity AND federated policy
• BTW, border-oriented security became moot with SaaS

Page 27:

ABOUT DIVIDE

Page 28:

Andrew Toy, Chief Executive Officer
• Vice President Mobile, Viacom
• Vice President Mobile, Morgan Stanley

Alexander Trewby, Chief Operating Officer
• Vice President Mobile, Morgan Stanley

David Zhu, Chief Technology Officer
• Director of Engineering, Smule
• Lead Mobile Engineer

Founded: January 2010

Located: New York (HQ), London, Hong Kong; 75+ employees

Funding: $25M total ($12M Series B, $11M Series A, $1.8M Seed)

Page 29:


Vodafone Profile Manager, powered by Divide

Divide PIM for MobileIron AppConnect

Divide for Tangoe MDM

Divide for IBM Endpoint Manager

Divide for Verizon EMaaS (Enterprise Mobility as a Service)

Divide Connect powered by F5

Divide Files powered by Box

Page 30:

Multiplying Identities with Divide

(screenshots: Personal → Enter Passcode → Workspace)

Page 31:

Divide Launcher

• Secure work container for iOS & Android

• Native User Experience

• Extensible: VPN & UC (Divide Connect, Divide Voice)


Cloud Management

• IT control of the container

• User self-service

• MDM APIs enable management via 3rd-Party MDM console

Business Applications

• Common apps for all employees: email, contacts, calendar, web browser, file manager, etc.

• Third-party apps provisioned via employee group policies

• Secure file storage

Page 32:

USER EXPERIENCE / SECURITY / OPEN & EXTENSIBLE

“I love this. It's what I wanted in a personally liable work phone.”
– Employee, Fortune 50 Multinational

“We see Divide becoming our standard platform for not just Android and BYOD, but for all mobility.”
– IT Director, Fortune 50 Pharmaceutical

“Divide addresses our need to integrate with our existing IT infrastructure, especially network security (VPN) and our Identity infrastructure.”
– IT Director, Fortune 10 Conglomerate

Divide User Survey, Fortune 25 Technology Multinational: 817 active users in 47 countries; survey included 500 respondents

Most common user comment: “liberated my personal device”
- 75% said Divide improved their ability to work on personal devices
- 81% felt they could successfully accomplish business tasks with Divide
- 88% were confident that Divide kept their personal data private
- 85% said Divide was easy for them to install, configure, and use
- 81% felt Divide had the features they needed
- 86% would recommend Divide to others
- 73% preferred Divide to their existing corporate BYOD offering
- 96% said it was easy for them to find the functions they need within Divide

Page 33:

QUESTIONS & MORE DISCUSSION

Page 34:

THANK YOU!