![Page 1: Consumer/Enterprise Identity Realities in a Cloud/Mobile World Andy Zmolek @zmolek Director of Technology Partnerships, Divide andy.zmolek@divide.com](https://reader038.vdocuments.site/reader038/viewer/2022110211/56649efe5503460f94c1308d/html5/thumbnails/1.jpg)
Consumer/Enterprise Identity Realities in a Cloud/Mobile World
Andy Zmolek, @zmolek
Director of Technology Partnerships, Divide
andy.zmolek@divide.com
IT’S A CLOUD/MOBILE WORLD NOW
Identity is re-defined in each computing wave
• 1.0: Central/Terminal Computing
• 2.0: Server/Device Computing
• 3.0: Cloud/Mobile Computing
• Consumers drive disruptive innovation; enterprise follows later (Consumerization of IT, CoIT)
• Identity moved from self-contained (1.0) to server-defined (2.0) and is now cloud-defined (3.0)
• Most enterprise IT is still stuck in a Computing 2.0 mindset
Do you see a pattern?

1.0 Central/Terminal Computing
• Enterprise owns and controls equipment
• Vendor selection by enterprise only
• No consumer use
• Complete control of enterprise data
• Long sales and deployment cycles
• Duty cycle: 15-20 years
• Software: build-to-suit
• Locally-oriented
• MIS Department

2.0 Server/Device Computing
• Equipment owned by enterprise or consumer
• Vendor selection by enterprise or consumer
• Some shared use of enterprise device
• Some control of enterprise data
• Moderate sales and deployment cycles
• Duty cycle: 5-10 years
• Software: packaged
• LAN/WAN-oriented
• IT Department

3.0 Cloud/Mobile Computing
• Equipment more often consumer-owned (trend)
• Consumer typically drives vendor selection
• Consumer AND enterprise use of the same device
• Deep fear of losing control of enterprise data
• Short sales and deployment cycles
• Duty cycle: 2 years (or less)
• Software: cloud/app store/web
• Cloud-oriented
• ? (department still to be named)
SERVER/DEVICE MINDSET
• Employees use only enterprise assets to connect to enterprise services; personally-owned devices are the exception
• Most IT services are limited to specific approved devices and physical locations
• IT control (or wipe) for the whole device
• IT focus on device lifecycle support which is strongly bound to IT services
• Corporate data never allowed on employee-owned devices unless device is under IT control
• User experience rarely a critical factor for the success of new service launches – other factors of equal or greater weight
CLOUD/MOBILE MINDSET
• Employees use their own devices as often as or more than enterprise devices; personally owned devices are now the norm
• New IT services must extend to any device, anywhere
• IT control (or wipe) just enterprise content
• IT focus on service lifecycle support which is only loosely bound to devices
• Corporate data allowed on devices not owned by the enterprise, as long as data itself remains under enterprise control
• Overall user experience critical to successful new IT service launch
CLOUD/MOBILE IDENTITIES
Evolution of enterprise mobile security: secure messaging, then mobile device management (MDM) and mobile application management (MAM), then secure container & virtualization (v1.0 → v1.5 → v2.0). Identity moves from a single corporate identity to dual identity.
Enterprise Identity Evolution
• Traditionally based on Windows Active Directory
• Next, single sign-on (SSO) extends to new corporate applications through proprietary Identity and Access Management (IAM) solutions
• Most recent trends in enterprise identity:
1. SaaS apps using WebSSO (SAML, OAuth)
2. Google Apps syncs with or replaces AD
• Smaller companies and startups can now skip AD yet get a better user experience, plus SSO
Identity Choices
How did IT lose control of identity?
• Consumerization
• SaaS / Google Apps
• Mobile BYOD
5 Stages for IT

DENIAL
• My employees are happy with the apps and devices we give them
• We don't need a BYOD program
• We're in control of employee identity and access management

ANGER
• Who does that department think they are, buying a SaaS service without me?
• What makes every exec think they have the right to choose their own device?
• If you add another app or service, you need to follow my IAM rules or else!

DEPRESSION
• We're never going to get all our corporate apps under a single SSO
• BYOD will never work here; we could never support it
• We've completely lost control because of SaaS apps and mobile

BARGAINING
• As long as you tie identity back to AD, you can add new SaaS offerings
• Everyone can BYOD, but only from this list of approved devices
• You need to give me control of your personal device

ACCEPTANCE
• We only need to manage corporate apps & data on employee-owned devices
• Identity belongs in the cloud, and open standards make integration easy
• We're eliminating most of our server-based infrastructure and moving to Google Apps / Amazon Web Services / etc.
Employees Can (and Do) Filibuster
• Seen in the wild: new BYOD programs with staggeringly low take rates
- Enterprises claim the right to block personal apps and wipe devices owned personally by employees
- Employees are scared off by overbroad legal agreements they must sign to participate
- BYOD terms may seem far worse than those that apply to corporate devices
• BYOD is a two-way street: don't invite a deadlock
- Involve employee stakeholder participants at all stages of program creation, not just HR and Legal
- Seek out approaches that respect employee ownership of devices, regardless of whether a stipend is provided
- Recognize the value of solutions that offer employee privacy and freedom of choice for devices and apps
• Be aware that your biggest productivity gains may be realized in unexpected ways
- Enable your employees and executives to respond more quickly to events on the device of their choosing, and they will be more likely to have it with them when it matters
- Giving them an app they enjoy using will pay much greater dividends than just meeting their basic needs
• Don't be tempted by solutions that cater to the illusion of control
- Many of these solutions also deliver difficult and frustrating user experiences, leading to employee disuse
- Don't try to apply complex and burdensome policies to mobile that you'd never try to force-fit on your PCs
• For maximum impact, embrace the Cloud/Mobile approach
- Focus more on apps and services, less on devices and servers
- Consumerization of IT means your employees are already comfortable thinking this way
IDENTITY REALITIES
Identity Realities
• BYOD means most of the identities on a mobile device are not under enterprise control
• Enterprises still need to come to terms with this, but they will try to pull the web and mobile ecosystems back into Computing 2.0
New Identity Reality Example: Android
New iOS 7 Identity Approaches
The iOS Keychain was originally set up to store credentials for a single app or a group of apps from a single developer
• An enterprise that delivered its own applications could use the keychain to assist with SSO, but could not extend keychain sharing to apps from 3rd-party developers
iOS 7 introduces two new concepts to the Keychain:
• iCloud Keychain for storing credentials across devices
• Apple's new Kerberos-based SSO solution (requires an MDM-managed device with enterprise app provisioning; each app must use the NSURL APIs supplied by Apple)
Apple has left it up to app developers to envision how SAML or OAuth might be used in conjunction with the new SSO scheme.
Mobile Identity and Certificates
Certificates can be an excellent solution for identity assertion when enterprise IT is disciplined
• Avoid the temptation to take operational shortcuts in how certificates are provisioned
• Never let the private key of the certificate leave the device (easier said than done)
– If the certificate is stored in the iOS keychain, don't allow iCloud to copy it (leave the keychain item non-synchronizable)
– Android has no direct equivalent of the iOS keychain; certificates and their private keys don't belong in Account Manager, which is designed to hold account tokens, not keys
• Look carefully at the process for authenticating certificate signing requests, and pay attention to which credentials are used to generate the certificate. Be sure that the transitive trust makes sense when password-based credentials are part of the process: a certificate issued on the strength of a password is no stronger than that password.
Certificates stored inside individual apps can't be directly shared with other apps, so if the intended scope of the certificate covers multiple apps on the device, storing the certificate in the work "container" of a dual-persona solution makes it available to those apps while protecting it from exposure.
Unique device identifiers (UDID, MAC address, IMEI, MEID, etc.) are often used in a similar way to "authenticate", but the application and the back-end SaaS service must then trust that the OS has not been compromised, since a rooted or jailbroken device can report any identifier it likes. And SaaS services should never trust identifier data supplied by 3rd-party apps.
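A worked illustration of that last point, added here and not taken from the talk or from Divide's products: a back end that accepts a device identifier reported by the app, next to one that requires the device to answer a fresh challenge with a key that never leaves it. The IMEI table, the enrolled device key and the requests are all constructed; a hypothetical shared HMAC secret stands in for the asymmetric key a platform keystore would hold, which keeps the example to the Python standard library.

```python
"""Device identifiers are not credentials: a challenge-response sketch.

Added example; not code from the talk or from Divide. Everything here
(the IMEI table, the enrolled device key, the requests) is constructed.
A shared HMAC secret stands in for the per-device asymmetric key a real
deployment would keep in the platform keystore; the trust argument is
the same either way.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Identifier scheme: the back end only knows which IMEI "belongs" to whom.
IMEI_TO_USER = {"356938035643809": "alice"}  # constructed

# Possession scheme: at enrollment the device generated a key and the back
# end recorded a verifier for it (the same secret here, as HMAC is symmetric).
DEVICE_KEYS = {"dev-alice-1": ("alice", secrets.token_bytes(32))}  # constructed


def auth_by_identifier(request: dict) -> Optional[str]:
    """Weak: trusts whatever identifier the (possibly third-party) app sent."""
    return IMEI_TO_USER.get(request.get("imei"))


def issue_challenge() -> bytes:
    """Fresh random nonce per attempt, so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def device_sign(device_key: bytes, device_id: str, challenge: bytes) -> str:
    """Runs on the device: the key is used in place and never transmitted."""
    msg = device_id.encode() + b"|" + challenge
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def auth_by_possession(request: dict, challenge: bytes) -> Optional[str]:
    """Stronger: the device must answer this challenge with its enrolled key."""
    entry = DEVICE_KEYS.get(request.get("device_id"))
    if entry is None:
        return None
    user, key = entry
    expected = device_sign(key, request["device_id"], challenge)
    if hmac.compare_digest(expected, request.get("response", "")):
        return user
    return None


def demo() -> dict:
    """What an attacker who learned only the identifiers can and cannot do."""
    results = {}
    # 1. An IMEI is readable by any app on the device and replays trivially.
    results["identifier_replay"] = auth_by_identifier({"imei": "356938035643809"})
    # 2. The genuine device answers a fresh challenge.
    chal = issue_challenge()
    _, key = DEVICE_KEYS["dev-alice-1"]
    good = {"device_id": "dev-alice-1",
            "response": device_sign(key, "dev-alice-1", chal)}
    results["genuine_device"] = auth_by_possession(good, chal)
    # 3. Replaying that captured response against a new challenge fails.
    results["response_replay"] = auth_by_possession(good, issue_challenge())
    # 4. Guessing a response without the key fails.
    forged = {"device_id": "dev-alice-1", "response": "00" * 32}
    results["forged_response"] = auth_by_possession(forged, chal)
    return results


if __name__ == "__main__":
    for check, who in demo().items():
        print(f"{check:18s} -> {who}")
```

Both schemes still depend on the OS: a rooted device can lie about its IMEI, and if the key lives in software it can be extracted as well. Hardware-backed key storage narrows the second risk; nothing narrows the first, which is why the identifier belongs in inventory and logs, not in the authentication decision.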
Passwords Not Dead Yet
• The most common enterprise mobile application remains email, and the most common protocol for obtaining it is ActiveSync, but ActiveSync requires a cached password credential
• If you've got to store it (and it has to be stored reversibly to use it with ActiveSync), then why not re-use the credential to authenticate to other Microsoft-based enterprise services?
• Some ActiveSync proxies and gateways can do this transparently for HTTP-based traffic from mobile devices when properly configured
• 3rd-party SDKs can enable native mobile apps to bind to Microsoft domains, when used with certain MDM agents on the device or at the container level with certain container solutions
P@55w0rd!
Authorization Agent Approach
By introducing an authorization agent (AZA) onto the device (or, better, into the enterprise container on that device), native enterprise applications can use the AZA for a fully featured shared SSO:
• Rather than each application individually obtaining OAuth tokens for itself, tokens are obtained by the AZA through the mobile web browser (or the secure container browser)
• Native applications pass tokens received from the AZA directly to back-end SaaS services, just as their browser-based equivalents do
AZA advantages
• For the user: an SSO experience for native applications, with explicit authentication and authorization required only for the AZA itself
• For the enterprise: a centralized control point for application access; tokens issued to native apps are identical to those used with web apps
• For the app developer: easy SSO integration; AZA-based authentication follows the same browser (HTML) patterns already used to obtain application tokens
Additional advantages of an AZA when used with a secure container / dual persona
• Personal use of the browser is separate from the enterprise browser: no enterprise data leakage
• Enterprise applications are under direct control of enterprise IT
• Certificates and the container passcode can eliminate manual password input for the AZA itself, without impacting the personal-side user experience or adding excess risk
Look for progress to come out of the OpenID Foundation Native Applications Working Group
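The flow described above, as an added example that is not part of the talk, of Divide's products, or of the OpenID Foundation working group's output: one process plays every role, with a hypothetical authorization server minting HMAC-signed tokens, an AZA that logs in once and brokers audience-scoped tokens to native apps it has been told are approved, and two SaaS back ends that validate exactly what a browser client would present. The signing key, the app allowlist, the service names and the test password are constructed for the example.

```python
"""Authorization agent (AZA) brokering tokens to native apps.

Added example; not code from the talk, from Divide, or from the OpenID
Foundation native-apps work it mentions. One process plays every role:
a hypothetical authorization server minting HMAC-signed tokens, the AZA
that logs in once and brokers tokens, and two SaaS back ends that
validate what native apps present. The signing key, app allowlist,
audiences and the test password are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-key-shared-by-issuer-and-services"
ENTERPRISE_APP_ALLOWLIST = {"com.example.mail", "com.example.crm"}  # IT policy


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_token(token: Optional[str], key: bytes, audience: str) -> Optional[dict]:
    """Every relying party checks signature, audience and expiry the same way."""
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims


class AuthorizationServer:
    """Mints the same token format for browser apps and for the AZA."""

    def __init__(self, key: bytes):
        self.key = key

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

    def browser_login(self, user: str, password: str) -> Optional[str]:
        """The one interactive step; in practice a page in the container browser."""
        if password != "correct horse battery staple":  # constructed credential
            return None
        return self._sign({"sub": user, "aud": "aza", "exp": int(time.time()) + 3600})

    def exchange(self, aza_token: str, audience: str, app_id: str) -> Optional[str]:
        """Trade the AZA's session for a short-lived token scoped to one service."""
        session = verify_token(aza_token, self.key, audience="aza")
        if session is None:
            return None
        return self._sign({"sub": session["sub"], "aud": audience,
                           "azp": app_id, "exp": int(time.time()) + 600})


class AuthorizationAgent:
    """Holds the single login; native apps never see the password."""

    def __init__(self, server: AuthorizationServer):
        self.server, self.session = server, None

    def login(self, user: str, password: str) -> bool:
        self.session = self.server.browser_login(user, password)
        return self.session is not None

    def token_for(self, app_id: str, audience: str) -> Optional[str]:
        """Central control point: only enterprise-approved apps get tokens."""
        if self.session is None or app_id not in ENTERPRISE_APP_ALLOWLIST:
            return None
        return self.server.exchange(self.session, audience, app_id)


class SaasService:
    """Back end that accepts identical tokens from web and native clients."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def who_is_calling(self, token: Optional[str]) -> Optional[str]:
        claims = verify_token(token, self.key, audience=self.name)
        return claims["sub"] if claims else None


def demo() -> dict:
    server = AuthorizationServer(SIGNING_KEY)
    aza = AuthorizationAgent(server)
    mail_api = SaasService("mail.example.com", SIGNING_KEY)
    crm_api = SaasService("crm.example.com", SIGNING_KEY)
    out = {"login": aza.login("alice", "correct horse battery staple")}
    mail_tok = aza.token_for("com.example.mail", "mail.example.com")
    out["mail_app_at_mail"] = mail_api.who_is_calling(mail_tok)
    out["mail_token_at_crm"] = crm_api.who_is_calling(mail_tok)  # wrong audience
    out["unapproved_app"] = aza.token_for("com.example.game", "mail.example.com")
    # An app (or malware beside it) that rewrites the claims cannot re-sign them.
    body, sig = mail_tok.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "mallory"
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    out["forged_claims"] = mail_api.who_is_calling(forged)
    return out
```

The per-app token carries an audience and an `azp` (authorized party) claim, so a token handed to the mail app is useless at the CRM service and the back end can tell which native app presented it; the AZA's own session token is never given to an app. The allowlist check is the "centralized control point" from the slide: IT changes one set, not every app.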
THE IMPLICATIONS
Implications Discussion
• App developers
– Choice of identity provider support matters
– Consumer and enterprise identity options
• Identity providers
– Don't stop with AD: look at Google Apps as a valid ID source
• Consumer/employee
– Which consumer identity providers do I trust personally?
– What permissions am I granting SaaS apps with my work identity?
• Enterprise
– Do I double down on Active Directory for identity?
– Or do I let go and build it via a cloud provider (Google Apps)?
Long-term Ecosystem Impacts
• AD / Microsoft influence wanes
– Enterprise-class federated cloud identity alternatives
– Costly server-based licensing model no longer attractive
• Policy federation and consolidation
– Too many separate sources of enterprise policies
– AD, NAC, firewalls, proxies, MDM: not coordinated
– Need for an LDAP equivalent for policy (XACML isn't enough)
• Presence and availability federation
– Need to be able to share key information about the methods and modes by which I'm available for communication
– BUT I need to control who gets to know what about my presence and availability: requires BOTH federated identity AND federated policy
• BTW, border-oriented security became moot with SaaS
ABOUT DIVIDE
Andrew Toy, Chief Executive Officer
• Vice President Mobile, Viacom
• Vice President Mobile, Morgan Stanley
Alexander Trewby, Chief Operating Officer
• Vice President Mobile, Morgan Stanley
David Zhu, Chief Technology Officer
• Director of Engineering, Smule
• Lead Mobile Engineer
Founded: January 2010
Located: New York (HQ), London, Hong Kong
75+ employees
Funding: $25M total ($12M Series B, $11M Series A, $1.8M Seed)
Vodafone Profile Manager, powered by Divide
Divide PIM for MobileIron AppConnect
Divide for Tangoe MDM
Divide for IBM Endpoint Manager
Divide for Verizon EMaaS (Enterprise Mobility as a Service)
Divide Connect powered by F5
Divide Files powered by Box
Multiplying Identities with Divide
[Screenshots: Personal → Enter Passcode → Workspace]
Divide Launcher
• Secure work container for iOS & Android
• Native User Experience
• Extensible: VPN & UC (Divide Connect, Divide Voice)
Cloud Management
• IT control of the container
• User self-service
• MDM APIs enable management via 3rd-Party MDM console
Business Applications
• Common apps for all employees: email, contacts, calendar, web browser, file manager, etc.
• Third-party apps provisioned via employee group policies
• Secure file storage
USER EXPERIENCE / SECURITY / OPEN & EXTENSIBLE

"I love this. It's what I wanted in a personally liable work phone."
Employee, Fortune 50 Multinational

"We see Divide becoming our standard platform for not just Android and BYOD, but for all mobility."
IT Director, Fortune 50 Pharmaceutical

"Divide addresses our need to integrate with our existing IT infrastructure, especially network security (VPN) and our Identity infrastructure."
IT Director, Fortune 10 Conglomerate

Divide User Survey, Fortune 25 Technology Multinational: 817 active users in 47 countries; survey included 500 respondents
Most common user comment: "liberated my personal device"
- 75% said Divide improved their ability to work on personal devices
- 81% felt they could successfully accomplish business tasks with Divide
- 88% were confident that Divide kept their personal data private
- 85% said Divide was easy for them to install, configure, and use
- 81% felt Divide had the features they needed
- 86% would recommend Divide to others
- 73% preferred Divide to their existing corporate BYOD offering
- 96% said it was easy for them to find the functions they need within Divide
QUESTIONS & MORE DISCUSSION
THANK YOU!