The mobile game changer

Smartphones and tablets are becoming ubiquitous in the workplace, and IT and security executives are having to accept the fact that the "bring your own device" and "consumerization of IT" trends are for real. This isn't a bad thing, considering the potential benefits such as productivity gains, improved collaboration and enhanced customer service.

But a key question for organizations, in terms of security, is what impact the mobility trend will have on identity management. Many IT and security executives have worked hard in recent years developing ID management strategies and procedures for their enterprises, and how the presence of smartphones and tablets affects those efforts is no small consideration.

Industry research shows that the move to mobile devices will continue for the next several years. By 2015, the worldwide mobile worker population will reach an estimated 1.3 billion, representing 37 percent of the total workforce, according to a report released in January 2012 by International Data Corporation (IDC) in Framingham, Mass. That would represent an increase from just over one billion in 2010, the research firm says in its study, the "Worldwide Mobile Worker Population 2011-2015 Forecast."


Given that mobile devices are proving to be such integral tools for accessing corporate data and applications, companies will have to be vigilant about making sure they know who is using the devices at any given time and that those users are authorized to gain access to vital business information.

"From the first day an enterprise end-user is welcomed on board, to the day they eventually leave the organization -- and every workday in between -- their ability to access essential enterprise systems, applications and data is made possible by enterprise-issued identities and corresponding access privileges," says Derek Brink, vice president and research fellow, IT Security at research firm Aberdeen Group in Boston.

"The processes and workflow for managing enterprise identities and access privileges over their lifecycle, from initial provisioning to real-time daily operations to ongoing end-user support to eventual de-provisioning and revocation, are for most companies as fundamental as power and payroll," Brink says. "Performed well, they are highly efficient but virtually unseen. Performed poorly, they are the source of unnecessary friction and costly end-user frustration."

But smartphones and tablets themselves are not driving changes in how enterprise-issued identities and corresponding access privileges are managed, Brink says. "The identity and access lifecycle is pretty much the same, whether you are logging in from your laptop or from your new iPad3," he says. "The bigger changes being driven by these devices would have to be in how enterprises think about protecting their sensitive data, or about how they choose to deliver their critical applications."


There is one key way that mobile devices are affecting enterprise identity and access management strategies, Brink notes. "As enterprises reevaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, solution providers are responding by developing innovative options for authentication that leverage what is arguably the most personal, indispensable and ubiquitous of all modern devices: smartphones and tablets," he says.

The most common mobile options for end-user authentication in the enterprise that Aberdeen sees in its IT security research are one-time passwords, digital certificates and out-of-band authentication.

ID Management Strategies

Organizations whose employees are using tablets and smartphones in the workplace are making identity management a key part of their security efforts in this shifting environment.

Automatic Data Processing Inc. (ADP), a Roseland, N.J., provider of human resources, payroll, tax and benefits administration services, supports mobile platforms including the Apple iPhone and iPad and RIM BlackBerry.

ADP employees use the devices for a variety of purposes, including access to email and applications such as backoffice automated workflow, human resources and purchasing, says Roland Cloutier, vice president and CSO. Recently ADP began deploying business applications such as customer relationship management (CRM) software on mobile devices.

The firm controls and manages smartphones and tablets, including the identity of users, via a mobile device management (MDM) application that is loaded on all the devices registered for access to the company's data and applications. Cloutier says the company doesn't actually connect mobile users directly to the network, but provides access to data through mobile gateways.

"We not only make people register their devices but we make them download the [MDM] agent and [provide written consent] that we can control some basic device protection capabilities" of the products, Cloutier says. "So for example we have e-discovery evidence-gathering capabilities of the device, and they agree to hand over the device for any legal matters." The company also has the ability to remotely wipe devices in the event they are lost or stolen and has used this capability on several occasions.

ADP users must be authenticated before they can get access to corporate information, and who gets to access specific types of data and applications depends on the individual's role in the company and the type of device being used, Cloutier says.

"We created authentication requirements based on the type of data" and who needs access to the information, Cloutier says. While the advent of mobile devices in the workplace did not result in ADP having to change its overall identity management procedures, it did force the company to take a closer look at its risk review data access processes.

Risk assessments could no longer assume non-transportation outside a corporate-protected device and control requirements, and data flow approval had to take into consideration mobility and the maximum level of control function available on any given platform, Cloutier says.

"As far as getting identity management under control, I think [the proliferation of mobile devices] has had a positive effect in making sure we remain consistent in our authentication mechanism," Cloutier says. "It has helped us to create rigor around our authentication platforms."

For example, increased mobility has enabled ADP to force applications developers at the company to consolidate their authentication platforms to centralized identity management authorities. "The bottom line, if they want their application available on mobile, they need to use IT's managed authentication platform," Cloutier says.

It does not make sense to create a second set of identities for users on mobile devices, Cloutier says. "You'll be watering down your control capabilities," he says. "Access [to] data by individuals will remain fluid, including location, device, etc. Creating controls and monitoring capabilities that map users to data and data to use gets exponentially more difficult with each system added to an enterprise."

In addition, control technology requires identity management integration, and integrating multiple identity repositories to any system or control can lead to platform stability issues and higher costs, and affects a company's ability to be agile, Cloutier says. "Focus on proxied authentication or managed authentication through mobile device management-like applications," he says.

At Purdue University Calumet in Hammond, Ind., most of the administrative staff, about 300 people, are now using smartphones (iPhone, Android, Windows, BlackBerry), says Frank Cervone, vice chancellor for information services and CIO. Tablet adoption has been lower, with about 100 employees using iPads or Windows-based tablets.

For both types of devices the primary business application is email and calendaring, Cervone says. "We have a virtual desktop capability for a limited set of applications, but have not seen much interest in using that functionality yet," he says.

Mobile devices have added a bit of complexity to identity management at Purdue because identity management is "pretty much a manual affair on Apple and Android devices," Cervone says. "We have had to develop more online help so people can make the needed adjustments to their accounts on their own rather than having to come to the help desk or call in."

The university is also looking at software tools that would help make the management of identities simpler for managers as well as end users, Cervone says. "We are also looking at various options for stricter enforcement of controls to limit data loss," he says.

"At this point it has been more of an issue with authentication rather than ID management, since the applications have been limited so far, for the most part, to email and calendaring," Cervone says. "All other applications [use] standard university authentication."

Purdue requires all university-issued devices to have either a PIN or some other type of locking mechanism to prevent unbridled access, Cervone says, as well as authentication for access to the university network.
