consumer/enterprise identity realities in a cloud/mobile world


Post on 25-Feb-2016


TRANSCRIPT

Slide 1

Consumer/Enterprise Identity Realities in a Cloud/Mobile World
Andy Zmolek, @zmolek
Director of Technology Partnerships, Divide
[email protected]

It's a cloud/mobile world now
- Consumers drive disruptive innovation; enterprise follows later (CoIT)
- Identity moves from self-contained to server-defined and is now cloud-defined
- Most enterprise IT is still stuck in a computing 2.0 mindset

Identity is re-defined in each computing wave. Do you see a pattern?

1.0 Central/Terminal Computing
- Enterprise owns and controls equipment
- Vendor selection by enterprise only
- No consumer use
- Complete control of enterprise data
- Long sales and deployment cycles
- Duty cycle: 15-20 years
- Software: build-to-suit
- Locally-oriented
- MIS Department

2.0 Server/Device Computing
- Equipment owned by enterprise or consumer
- Vendor selection by enterprise or consumer
- Some shared use of enterprise device
- Some control of enterprise data
- Moderate sales and deployment cycles
- Duty cycle: 5-10 years
- Software: packaged
- LAN/WAN-oriented
- IT Department

3.0 Cloud/Mobile Computing
- Equipment more often consumer-owned (trend)
- Consumer typically drives vendor selection
- Consumer AND enterprise use of same device
- Deep fear of losing control of enterprise data
- Short sales and deployment cycles
- Duty cycle: 2 years (or less)
- Software: cloud/app store/web
- Cloud-oriented
- ? (to be named)

SERVER/DEVICE MINDSET

Employees use only enterprise assets to connect to enterprise services; personally-owned devices are the exception

Most IT services are limited to specific approved devices and physical locations

IT control (or wipe) for the whole device

IT focus on device lifecycle support which is strongly bound to IT services

Corporate data never allowed on employee-owned devices unless device is under IT control

User experience is rarely a critical factor for the success of new service launches; other factors carry equal or greater weight

vs.

CLOUD/MOBILE MINDSET

Employees use their own devices as often as or more than enterprise devices; personally owned devices are now the norm

New IT services must extend to any device, anywhere

IT control (or wipe) just enterprise content

IT focus on service lifecycle support which is only loosely bound to devices

Corporate data allowed on devices not owned by the enterprise, as long as data itself remains under enterprise control

Overall user experience is critical to a successful new IT service launch

CLOUD/MOBILE IDENTITIES

Enterprise mobility evolution (figure on the slide):
- v1.0: Secure messaging; Mobile Device Management (MDM); corporate identity
- v1.5: Mobile Application Management (MAM)
- v2.0: Secure container & virtualization; dual identity

Enterprise Identity Evolution
- Traditionally based on Windows Active Directory
- Next, single sign-on (SSO) extends to new corporate applications through proprietary Identity and Access Management (IAM) solutions
- Most recent trends in enterprise identity:
  1. SaaS apps using WebSSO (SAML, OAuth)
  2. Google Apps syncs with or replaces AD
- Smaller companies and startups can now skip AD yet get a better user experience, plus SSO

Identity Choices

How did IT lose control of identity?
- Consumerization
- SaaS / Google Apps
- Mobile BYOD

5 Stages for IT (Kubler-Ross Stages)

DENIAL
- My employees are happy with the apps and devices we give them
- We don't need a BYOD program
- We're in control of employee identity and access management

ANGER
- Who does that department think they are, buying a SaaS service without me?
- What makes every exec think they have the right to choose their own device?
- If you add another app or service, you need to follow my IAM rules or else!

DEPRESSION
- We're never going to get all our corporate apps under a single SSO
- BYOD will never work here; we could never support it
- We've completely lost control because of SaaS apps and mobile

BARGAINING
- As long as you tie identity back to AD, you can add new SaaS offerings
- Everyone can BYOD, but only from this list of approved devices
- You need to give me control of your personal device

ACCEPTANCE
- We only need to manage corporate apps & data on employee-owned devices
- Identity belongs in the cloud, and open standards make integration easy
- We're eliminating most of our server-based infrastructure and moving to Google Apps / Amazon Web Services / etc.

Seen in the wild: new BYOD programs with staggeringly low take rates
- Enterprises claim the right to block personal apps and wipe devices owned personally by employees
- Employees are scared off by overbroad legal agreements they must sign to participate
- BYOD terms may seem far worse than those that apply to corporate devices

Employees Can (and Do) Filibuster

BYOD is a two-way street; don't invite a deadlock
- Involve employee stakeholder participants at all stages of program creation, not just HR and Legal
- Seek out approaches that respect employee ownership of devices, regardless of whether a stipend is provided
- Recognize the value of solutions that offer employee privacy and freedom of choice for devices and apps

Be aware that your biggest productivity gains may be realized in unexpected ways
- Enable your employees and executives to respond more quickly to events on the device of their choosing, and they will be more likely to have it with them when it matters
- Giving them an app they enjoy using will pay much greater dividends than just meeting their basic needs

Don't be tempted by solutions that cater to the illusion of control
- Many of these solutions also deliver difficult and frustrating user experiences, leading to employee disuse
- Don't try to apply complex and burdensome policies to mobile that you'd never try to force-fit on your PCs

For maximum impact, embrace the Cloud/Mobile approach
- Focus more on apps and services, less on devices and servers
- Consumerization of IT means your employees are already comfortable thinking this way

Identity Realities
- BYOD means most of the identities on a mobile device are not under enterprise control
- Enterprises still need to come to terms with this, but they will try to pull the web and mobile ecosystems back into Computing 2.0

New Identity Reality Example: Android

New iOS 7 Identity Approaches

The iOS Keychain was originally set up to store credentials for a single app or a group of apps from a single developer. An enterprise that delivered its own applications could use the keychain to assist with SSO, but could not extend the keychain to apps by 3rd-party developers.

iOS 7 introduces two new concepts to the Keychain:
- iCloud Keychain for storing credentials across devices
- Apple's new Kerberos-based SSO solution (requires an MDM-managed device with enterprise app provisioning; each app must use the NSURL APIs supplied by Apple)

Apple has left it up to the app developers to envision how SAML or OAuth might be used in conjunction with their new SSO scheme.

Mobile Identity and Certificates

Certificates can be an excellent solution to identity assertion when enterprise IT is disciplined:
- Avoid temptations to take operational shortcuts in how certificates are provisioned
- Never let the private key of the certificate leave the device (easier said than done)
- If the certificate is to be stored in the iOS keychain, don't allow iCloud to copy it
- Android doesn't have a true keychain; certificates don't belong in Account Manager
- Look carefully at the process for authenticating certificate signing requests and pay attention to what credentials are used to generate the certificate. Be sure that transitive trust makes sense when password-based credentials are part of the process.

Certificates stored inside individual apps can't be directly shared with other apps, so if the intended scope of the certificate is multiple apps on the device, storing the certificate in the work container of a dual-persona solution can protect it from exposure.

Unique device identifiers (like UDID, MAC address, IMEI, MEID, etc.) are often used similarly to authenticate, but the application and back-end SaaS service must trust that the OS has not been compromised. And SaaS services should not trust identifier data from 3rd-party apps.

Passwords Not Dead Yet
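The keychain advice above (keep the certificate on the device, never let iCloud copy it), as an added Swift example that is not from the slides or from Divide: it stores a certificate as a device-only, non-synchronizable Keychain item and audits an existing item for those properties. The DER bytes, the label and the provisioning flow that produces them are assumed.

```swift
import Foundation
import Security

// Added example, not code from the slides or from Divide. A certificate is
// added to the iOS Keychain as a device-bound item: excluded from iCloud
// Keychain sync and from backups restored to other hardware. `der` and
// `label` are assumed to come from a hypothetical enterprise provisioning flow.

/// Store the certificate as a device-only, non-synchronizable Keychain item.
func storeDeviceBoundCertificate(der: Data, label: String) -> OSStatus {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
        return errSecParam   // input was not valid DER
    }
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: cert,
        kSecAttrLabel as String: label,
        // "ThisDeviceOnly": the item never migrates to another device through
        // a backup restore. The matching private key needs the same setting.
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        // Explicit opt-out from iCloud Keychain sync (false is the default;
        // stating it documents the intent and survives later edits).
        kSecAttrSynchronizable as String: false,
    ]
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Audit: true if the labelled certificate exists and is device-bound,
/// false if it exists but could sync or migrate, nil if it is not found.
func certificateIsDeviceBound(label: String) -> Bool? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecAttrLabel as String: label,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnAttributes as String: true,
        // Match both synced and unsynced items so a synced copy is not missed.
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let found = result as? [String: Any] else {
        return nil
    }
    let synced = (found[kSecAttrSynchronizable as String] as? Bool) ?? false
    let access = found[kSecAttrAccessible as String] as? String
    return !synced && access == (kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String)
}
```

Run the audit against every certificate your MDM or container provisions; an item that reports false is one that iCloud Keychain or a backup restore could carry to another device.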

The most common enterprise mobile application remains email, and the most common protocol for obtaining it is ActiveSync, but it requires a cached password credential.

If you've got to store it (and it has to be reversibly stored to use with ActiveSync), then why not re-use the credential to authenticate to other Microsoft-based enterprise services?
- Some ActiveSync proxies and gateways can do this transparently for HTTP-based traffic from mobile devices when properly configured
- 3rd-party SDKs enable native mobile apps to bind to Microsoft domains when used with certain MDM agents on devices, or at the container level with certain container solutions

Example credential shown on the slide: [email protected] / P@55w0rd!

Authorization Agent Approach
- By introducing an AZA onto the device (or even better: into the enterprise container on that device), native enterprise applications can leverage the AZA for a fully-featured shared SSO
- Rather than each application individually obtaining OAuth tokens for itself, tokens are obtained by the AZA through the mobile web browser (or secure container browser)
- Native applications pass tokens received from the AZA directly to back-end SaaS services, just as their browser-based equivalents do

AZA Advantages
- For the user, enables an SSO experience for native applications, with explicit authentication and authorization required only for the AZA itself
- For the enterprise, provides a centralized control point for application access; tokens issued to native apps are identical to those used with web apps
- For the app developer, provides easy SSO integration; AZA-based authentication follows the HTML patterns used to obtain application tokens

Additional Advantages of AZA when used with secure container / dual-persona
- Personal use of the browser is separate from the enterprise browser: no enterprise data leakage
- Enterprise applications are under direct control of enterprise IT
- Leverage certificates and the container passcode to eliminate manual password input for the AZA itself, without impacting the personal-side user experience or adding excess risk

Look for progress to come out of the OpenID Foundation Native Applications Working Group

THE Implications

Implications Discussion
- App developers: choice of identity provider support matters; consumer and enterprise identity options
- Identity provider: don't stop with AD; look at Google Apps as a valid ID source
- Consumer/employee: Which consumer identity providers do I trust personally? What permissions am I granting SaaS apps with my work identity?
- Enterprise: Do I double-down on Active Directory for identity? Or do I let go and build it via a cloud provider (Google Apps)?

Long-term Ecosystem Impacts
- AD / Microsoft influence wanes: enterprise-class federated cloud identity alternatives; the costly server-based licensing model is no longer attractive
- Policy federation and consolidation: too many separate sources of enterprise policies; AD, NAC, firewalls, proxies and MDM are not coordinated; need for an LDAP equivalent for policy (XACML isn't enough)
- Presence and availability federation: need to be able to share key information about the methods and modes by which I'm available for communication, BUT I need to control who gets to know what about my presence and availability; this requires BOTH federated identity AND federated policy
- BTW, border-oriented security became moot with SaaS

About Divide

Andrew Toy - Chief Executive Officer
Vice President Mobile, Viacom
Vice President Mobile, Morgan Stanley

Alexander Trewby - Chief Operating OfficerVice President Mobile, Morgan Stanley

David Zhu - Chief Technology Officer
Director of Engineering, Smule
Lead Mobile Engineer

Founded January 2010

Located: New York (HQ), London, Hong Kong
75+ Employees

Funding: $25M total ($12M Series B, $11M Series A, $1.8M Seed)

Partner offerings:
- Vodafone Profile Manager, powered by Divide
- Divide PIM for MobileIron AppConnect
- Divide for Tangoe MDM
- Divide for IBM Endpoint Manager
- Divide for Verizon EMaaS (Enterprise Mobility as a Service)
- Divide Connect powered by F5
- Divide Files powered by Box

Multiplying Identities with Divide (screenshot on the slide: PERSONAL / ENTER PASSCODE / WORKSPACE)

Divide Launcher

Secure work container for iOS & Android

Native User Experience

Extensible: VPN & UC (Divide Connect, Divide Voice)

Cloud Management

IT control of the container

User self-service

MDM APIs enable management via 3rd-party MDM console

Business Applications

Common apps for all employees: email, contacts, calendar, web browser, file manager, etc.

Third-party apps provisioned via employee group policies

Secure file storage

"I love this. It's what I wanted in a personally liable work phone."
Employee, Fortune 50 Multinational

"We see Divide becoming our standard platform for not just Android and BYOD, but for all mobility."
IT Director, Fortune 50 Pharmaceutical

"Divide addresses our need to integrate with our existing IT infrastructure, especially network security (VPN) and our Identity infrastructure."
IT Director, Fortune 10 Conglomerate

USER EXPERIENCE
SECURITY
OPEN & EXTENSIBLE

Divide User Survey - Fortune 25 Technology Multinational
817 active users in 47 countries; survey included 500 respondents
Most common user comment: "liberated my personal device"
- 75% said Divide improved their ability to work on personal devices
- 81% felt they could successfully accomplish business tasks with Divide
- 88% were confident that Divide kept their personal data private
- 85% said Divide was easy for them to install, configure, and use
- 81% felt Divide had the features they needed
- 86% would recommend Divide to others
- 73% preferred Divide to their existing corporate BYOD offering
- 96% said it was easy for them to find the functions they need within Divide

Questions & more Discussion

Thank YOU!