MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

Transcription

1 MOBILITY Transforming the mobile device from a security liability into a business asset. pingidentity.com

2 Table of Contents Introduction 3 Three Technologies That Securely Unleash Mobile and BYOD 4 Three Technology Pillars That Support Mobile and BYOD 5 1. Mobile-based Authentication 5 2. Single Sign-on 6 3. Application Programming Interfaces 7 The Critical Role of Standards for a Secure BYOD Architecture 8 Summary 9

3 INTRODUCTION Using personally-owned mobile devices for work is a fast-moving trend. IDC estimates that 55 percent of all phones used in business will be employeeowned by 2015, with other thought leaders stating that 81 percent of employees today use their mobile devices for work. Meeting these statistics, it is estimated that by 2017, two in three organizations will adopt a bring your own device (BYOD) policy. These above-mentioned trends are no surprise. Organizations realize that a highly mobile employee is likely to be highly productive. There is a tangible value in allowing employees to get work done during their commutes. However popular, the BYOD trend is not all roses. The inherent nature of employee-owned devices used within the workplace is a legitimate concern for IT. Where IT can implement tight control over company-owned devices, they are unable to do so with those that are employee-owned. Furthermore, employees demand ease and convenience. If they experience IT interfering with their ability to get work done, they will seek work-around options. For every functionality denied by IT, there is a shadow IT third-party application that employees can sign up for with a credit card and subsequently expense. It is therefore critical to find a way to support employee-owned devices with methods that secure organizational data and transactions and uninhibit getting work done. of employees use their of organizations will adopt movile devices for work a BYOD policy by MOBILITY IS A BUSINESS ASSET

4 THREE TECHNOLOGIES THAT SECURELY UNLEASH BYOD Mobile-based authentication Single sign-on APIs To support employee-owned devices, you must secure sensitive business data accessed and stored on mobile devices while enabling employees to easily do their job. An architecture capable of supporting mobile must therefore provide: Application and data security protecting the sensitive business information accessed by and stored on mobile devices. User enablement ensuring that employees can perform the duties of their role when and where they wish to, fundamentally allowing them to get things done. By utilizing the following three technology pillars, you can provide application and data security as well as support user enablement. Mobile-based authentication leveraging the capabilities of smartphones to provide secure and easy sign-on. Single sign-on across web and native applications giving employees a seamless user experience for both web and native mobile applications. Application Programming Interfaces (APIs) granting access for business data only to authorized applications and users. 4

5 THREE TECHNOLOGIES THAT SUPPORT BYOD 1. MOBILE-BASED AUTHENTICATION There is a trend moving away from authentication schemes relying on what you know, such as a password, to what you have, such as a key fob or fingerprint. With passwords being such a major culprit in hacking schemes, what you have authentication factors are fast becoming much more relevant. Due to their features, smartphones can provide a useful what you have authentication factor. They can be used for second-factor authentication, or can replace what you know factors (passwords) completely as a singlefactor authentication device. ARE ARE HAVE TREND HAVE KNOW KNOW What Makes Smartphones Great for Authentication Effectively, a smartphone is a powerful portable computer that can enable robust authentication models by leveraging the following features: Connected. Mobile phones are on the network and can therefore respond to many different prompts or challenges. Computative. Modern phones have computational and storage abilities, so they can support cryptographic operations. Storage. Smartphones allow the storage of identifiers, secrets and credentials used in authentication schemes. User Interface (UI). Smartphones have a user interface that can be used to involve the owner in authentication factors when relevant, such as entering a local pin, swiping the screen or, in the future, using their fingerprint. Inexpensive. Compared to tokens or other authentication devices, smartphones are much more costeffective and easily remembered by their owners. Using Mobile Phones for Authentication Different mobile-based authentication schemes leverage features in different combinations. For instance, PingID is a mobile based authentication scheme that authenticates users by sending a challenge to an application installed on the user s previously registered device through the Google Cloud Messaging for Android or Apple Push Notification Services. Upon receipt, the user simply swipes their screen to answer the challenge. Utilizing a smartphone for authentication is more dyanmic, cheaper and lower-mainentance than FOBs. 5

6 THREE TECHNOLOGIES THAT SUPPORT BYOD 2. SINGLE SIGN-ON SSO improves security for the enterprise as well as significantly improves the productivity and overall work enjoyment of employees. Nothing slows down and frustrates employees more than having to call the help desk to get a password reset. With single sign-on, you can maximize productivity by minimizing the number of explicit credentials (passwords) needed to access applications. SSO improves security for the enterprise as well as significantly improves the productivity and overall work enjoyment of employees. So, how does this tie in to BYOD and mobile phones? Mobile SSO enables users to sign-on once to a secure SSO application on their mobile device and have instant access to all of their enterprise applications. When a device is stolen, the credentials stored on it are stolen. That s a problem when 27% of adults mobile devices have been lost or stolen. This can be avoided with SSO. stolen, the credentials stored on it are stolen. With 27 percent of adults experiencing a lost or stolen device, it s crucial to keep corporate credentials off of devices. With SSO and mobile-based authentication, sign-on credentials are not stored on the device, and authentication and authorization is done via standardized mechanisms (standards). (See the standards section for detailed information on their role in single sign-on.) Another reason for SSO for mobile devices is that user credentials are typically stored on the device itself. Therefore, when a device is Single sign-on solutions, such as PingOne, provide standards-based SSO for mobile. 6

7 THREE TECHNOLOGIES THAT SUPPORT BYOD 3. APPLICATION PROGRAMMING INTERFACES MOBILE SERVER API / WEB KIOSK BROWSER The primary way that native mobile applications gain access to corporate data is through application programming interfaces (APIs). By securing APIs, you can be confident that the user is allowed access to the application data, no matter where they are or what application or device they are using. Securing APIs using a standards-based approach is critical to scalability and development productivity. Many organizations build authentication into each mobile application, which creates significant overhead for developers and generally is not as secure. The best practice for mobile security is to utilize the standardized OAuth 2.0 protocol, which uses access tokens on API calls. By validating the token, the API is able to determine which employee is requesting access to the native application, and then determine authorization based on that employee s access rights. (See the standards section for more information on their role in API security.) Modern access management solutions, like PingAccess and PingFederate, provide both web and API access management with both proxy- and agent-based implementation options. 7

8 THE CRITICAL ROLE OF STANDARDS FOR A SECURE BYOD ARCHITECTURE OAUTH CONNECT NAPPS SAML WEB SSO YOUR NATIVE APP Standards are the critical role-players in mobile security (and identity security). They support mobile-based authentication, single sign-on from any device and any location and simple API authorization by enabling secure, encrypted authentication, authorization and access across web and mobile platforms. Support of standards brings security to any device, browser or client that is accessing information from applications. Additionally, support reduces the integration efforts between multiple organizations when sharing applications or information. Standards, such as SAML, OAuth 2.0, OpenID Connect, and standard models such as FIDO and NAPPS, have been and are independently reviewed and developed by leading security professionals to provide the strongest levels of security. All Ping Identity products and solutions are built on standards. Security Assertion Markup Language (SAML) is the standard that powers web single sign-on and allows businesses to safely share identity information across domains for authentication and authorization. OAuth 2.0 is the industry standard for controlling access to APIs using secure access tokens instead of usernames and passwords. OpenID Connect (Connect) is a new standard that provides a best of breed approach to both web SSO and API access, building on SAML and OAuth. The FIDO (Fast Identity Online) Alliance is defining an alternative mobile-based authentication model one that can leverage the emerging biometric capabilities of devices. The OpenID Foundation s Native Applications (NAPPS) working group is defining an architecture that will enable the single sign-on experience across native applications and, critically, for mobile web apps as well. 8

9 SUMMARY Leading organizations are embracing the mobile and BYOD phenomenon and intelligently securing corporate data and applications while empowering their mobile employees to be more productive than ever. The pillars below have been found to be critical success factors to get the most out of your mobile initiatives: Mobile-based authentication leveraging the capabilities of smartphones to provide secure and easy sign-on, such as provided by PingID. Single sign-on across web and native applications giving employees a seamless user experience for both web and native mobile applications, such as provided by PingOne. Application Programming Interfaces (APIs) granting access for business data only to authorized applications and users, such as provided by PingAccess and PingFederate. Using these standards-based technology pillars, you can unlock the potential of BYOD. Visit pingidentity.com to find out more about how Ping Identity solutions can help you transform mobile into a business asset. About Ping Identity The Identity Security Company Ping Identity believes secure professional and personal identities underlie human progress in a connected world. Our identity and access management platform gives enterprise customers and employees one-click access to any application from any device. Over 1,200 companies, including 45 of the Fortune 100, rely on our award-winning products to make the digital world a better experience for hundreds of millions of people. For more information, dial U.S. toll-free or , sales@pingidentity.com or visit pingidentity.com Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingAccess, PingID, the respective product marks, the Ping Identity trademark logo, and Cloud Identity Summit are trademarks, or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies. 9