Two of the biggest recent IT trends have been cloud computing and mobile, and they are changing the approach we take to managing mobile identity. Connecting mobile apps to cloud-based services has revolutionized the way in which we create and consume digital information. Much of the growth in mobile and cloud computing has been driven by employees who have quickly embraced the agility and flexibility of choosing an app to match their own requirements. Mobile linked to cloud computing allows people to access services from a variety of endpoint devices that run a mixture of operating systems. For example, content can be created on an Apple iPhone and then accessed from an Android tablet. Frequently, employees use their own mobile devices for a combination of work and private computing in either official (bring your own device or BYOD) or unofficial (shadow IT) scenarios. A mobile and app-driven world can also lead to a headache for mobile identity management.
The need to support mobile identities has created challenges for information security in a number of ways, including creating adequate trust frameworks for mobile devices and securing data outside the perimeter of an organization's direct control. There are also challenges to enforcing a company's identity and access management (IAM) policy with a mixture of company- and employee-owned mobile devices. Companies have little direct control over some devices that may be creating and storing company information in cloud-based systems.
Traditional IAM solutions that have been designed for use within the perimeter are proving to be inappropriate in this new, agile IT world. Delivering flexible and appropriate authentication and access management tools to a variety of mobile devices without creating a poor user experience is a challenge.
There is a need to implement new IAM solutions that meet the needs of mobile and cloud users. So how can this be achieved?
There are solutions available that extend enterprise IAM tools to the mobile endpoint and into the cloud, supporting a mixture of strong, mobile-appropriate authentication and identity management. This includes identity features such as identity federation, single sign-on (SSO), provisioning, and policy deployment and enforcement. The solution also needs to support information and users when they are outside the traditional boundaries of an organization. One way a modern identity and access management solution supports both mobile and cloud computing is to incorporate a risk-centric approach. This means performing a risk assessment in real time to determine the context and business risk of each authorization request. For instance, it looks at what device is being used to access a service. Is it company-owned and controlled? Is it owned by an employee, and does it have employer-issued BYOD software controls on it? Is it attempting to access IT assets that are within or outside the controlled perimeter? The resulting dynamic authorization risk profile determines the level of access a user is allocated for that particular session, so the same user can receive different privileges from one session to the next.
In practical terms, a sales person may have access to a SaaS-supplied CRM system on their mobile phone but be excluded from the order-processing features, especially when accessing the system from certain geographic locations or over certain networks, for instance a free hotel Wi-Fi network. The context of the business drives the authorization controls, and a more flexible IT service approach that supports the increasing use of mobile and cloud computing is becoming necessary.
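The sales-person scenario above, worked through as an added example. This is illustrative code written for this post, not an RSA product or any real IAM engine; the signal names, risk weights, tier thresholds, country list and scope names are all assumptions chosen to show how a per-session risk profile can narrow the scopes a user receives, and how the engine can fail closed on unknown input or offer a step-up instead of a flat denial.

```python
"""Risk-centric authorization: derive a session's scopes from its context.

Added illustration, not RSA's code. The signal names, weights,
thresholds, country list and scope names are assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Ownership(Enum):
    CORPORATE = "corporate"            # company-owned and company-controlled
    BYOD_MANAGED = "byod_managed"      # employee-owned, employer MDM/MAM controls present
    BYOD_UNMANAGED = "byod_unmanaged"  # employee-owned, no controls (shadow IT)
    UNKNOWN = "unknown"                # no device posture available at all


@dataclass(frozen=True)
class AccessContext:
    user: str
    ownership: Ownership
    network: str        # "corporate", "home", "cellular" or "public_wifi"
    country: str        # ISO 3166-1 alpha-2 code from client geolocation
    mfa_passed: bool    # a second factor was presented in this session
    target: str         # application being requested


@dataclass(frozen=True)
class Decision:
    allowed: bool
    scopes: frozenset
    step_up_available: bool  # denied now, but MFA alone would bring risk into range
    reason: str


# Assumed weights: higher means less trust in the request.
OWNERSHIP_RISK = {Ownership.CORPORATE: 0, Ownership.BYOD_MANAGED: 10,
                  Ownership.BYOD_UNMANAGED: 40, Ownership.UNKNOWN: 60}
NETWORK_RISK = {"corporate": 0, "home": 10, "cellular": 10, "public_wifi": 30}
EXPECTED_COUNTRIES = frozenset({"US", "GB", "DE"})   # assumed: where this workforce operates

# Assumed per-application tiers: (maximum risk, scopes granted at or below it),
# ordered from most to least privileged.
APP_POLICY = {
    "crm": (
        (20, frozenset({"crm:read", "crm:write", "orders:submit"})),
        (50, frozenset({"crm:read", "crm:write"})),
        (70, frozenset({"crm:read"})),
    ),
}


def risk_score(ctx: AccessContext) -> int:
    """Sum the context signals into one number; unrecognised values count as hostile."""
    score = OWNERSHIP_RISK[ctx.ownership]
    score += NETWORK_RISK.get(ctx.network, 40)   # unknown network type: treat as worst case
    if ctx.country not in EXPECTED_COUNTRIES:
        score += 30
    if not ctx.mfa_passed:
        score += 20
    return score


def authorize(ctx: AccessContext) -> Decision:
    """Grant the most privileged tier whose risk ceiling the request stays under."""
    tiers = APP_POLICY.get(ctx.target)
    if tiers is None:
        return Decision(False, frozenset(), False, "unknown application, fail closed")
    score = risk_score(ctx)
    for ceiling, scopes in tiers:
        if score <= ceiling:
            return Decision(True, scopes, False, f"risk {score} within tier {ceiling}")
    # Above every tier. Offer step-up only when a second factor alone would be enough.
    lowest_ceiling = tiers[-1][0]
    if not ctx.mfa_passed and risk_score(replace(ctx, mfa_passed=True)) <= lowest_ceiling:
        return Decision(False, frozenset(), True, f"risk {score}; MFA would allow limited access")
    return Decision(False, frozenset(), False, f"risk {score} exceeds every tier for {ctx.target}")


if __name__ == "__main__":
    # Constructed scenario: the same sales person in three different contexts.
    office = AccessContext("alice", Ownership.CORPORATE, "corporate", "US", True, "crm")
    hotel = AccessContext("alice", Ownership.BYOD_MANAGED, "public_wifi", "US", True, "crm")
    shadow = AccessContext("alice", Ownership.BYOD_UNMANAGED, "public_wifi", "US", False, "crm")
    for ctx in (office, hotel, shadow):
        d = authorize(ctx)
        print(ctx.ownership.value, ctx.network, "->", sorted(d.scopes) or "denied", "|", d.reason)
```

From the office on a corporate device the user receives every CRM scope including `orders:submit`; the same user on a managed personal phone over hotel Wi-Fi keeps read and write access but loses order submission; an unmanaged device on the same network with no second factor is denied outright, with the engine signalling that MFA would unlock read-only access. In a production system the weights would come from policy, the device posture from the MDM/MAM agent, and the decision would be re-evaluated during the session rather than only at login.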
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: BYOD, Cloud Computing, IAM, Mobile, Mobile Identity, Shadow IT