E -BOOK MOBILITY TRANSFORMING THE MOBILE DEVICE FROM A SECURITY LIABILITY INTO A BUSINESS ASSET E-BOOK MOBILITY 1
04 INTRODUCTION 06 THREE TECHNOLOGIES THAT SECURELY UNLEASH MOBILE AND BYOD TABLE OF CONTENTS 07 12 THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD THE CRITICAL ROLE OF STANDARDS FOR A SECURE BYOD ARCHITECTURE 14 SUMMARY
MOBILITY IS A BUSINESS E-BOOK MOBILITY 3
INTRODUCTION Using personally owned mobile devices for work is a fast-moving trend. IDC estimates that 55 percent of all phones used in business will be employee-owned by 2015, with other thought leaders stating that 81 percent of employees today use their mobile devices for work. Meeting these statistics, it s estimated that by 2017, two in three organizations will adopt a bring your own device (BYOD) policy. These above-mentioned trends are no surprise. Organizations realize that a highly mobile employee is likely to be highly productive. There s a tangible value in allowing employees to get work done during their commutes. However popular, the BYOD trend is not all roses. The inherent nature of employee-owned devices used within the workplace is a legitimate concern for IT. Where IT can implement tight control over company-owned devices, they re unable to do so with those that are employee-owned. Furthermore, employees demand ease and convenience. If they experience IT interfering with their ability to get work done, they will seek work-around options. For every functionality denied by IT, there s a shadow IT third-party application that employees can sign up for with a credit card and subsequently expense. This is why it s critical to find a way to support employee-owned devices with methods that secure organizational data and transactions and uninhibit getting work done. of employees use their movile devices for work of organizations will adopt a BYOD policy by 2017 E-BOOK MOBILITY 4
THREE TECHNOLOGIES THAT SECURELY UNLEASH MOBILE AND BYOD E-BOOK MOBILITY 5
THREE TECHNOLOGIES THAT SECURELY UNLEASH MOBILE AND BYOD To support employee-owned devices, you must secure sensitive business data accessed and stored on mobile devices while enabling employees to easily do their job. An architecture capable of supporting mobile must therefore provide: Application and data security protecting the sensitive business information accessed by and stored on mobile devices. Mobile-based Authentication User enablement ensuring that employees can perform the duties of their role when and where they wish to, fundamentally allowing them to get things done. By utilizing the following three technology pillars, you can provide application and data security as well as support user enablement. Mobile-based authentication leveraging the capabilities of smartphones to provide secure and easy sign-on. Single Sign-on SSO across web and native applications giving employees a seamless user experience for both web and native mobile applications. Application Programming Interfaces (APIs) granting access for business data only to authorized applications and users. APIs E-BOOK MOBILITY 6
THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD E-BOOK MOBILITY 7
THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD WHAT MAKES SMARTPHONES GREAT FOR AUTHENTICATION Effectively, a smartphone is a powerful portable computer that can enable robust authentication models by leveraging the following features: Connected. Mobile phones are on the network and can therefore respond to many different prompts or challenges. Computative. Modern phones have computational and storage abilities, so they can support cryptographic operations. Storage. Smartphones allow the storage of identifiers, secrets and credentials used in authentication schemes. User Interface (UI). Smartphones have a user interface that can be used to involve the owner in authentication factors when relevant, such as entering a local pin, swiping the screen or, in the future, using their fingerprint. MOBILE-BASED AUTHENTICATION There s a trend moving away from authentication schemes relying on what you know, such as a password, to what you have, such as a key fob or fingerprint. With passwords being such a major culprit in hacking schemes, what you have authentication factors are fast becoming much more relevant. Inexpensive. Compared to tokens or other authentication devices, smartphones are much more cost effective and easily remembered by their owners. USING MOBILE PHONES FOR AUTHENTICATION Different mobile-based authentication schemes leverage features in different combinations. For instance, PingID is a mobile-based authentication scheme that authenticates users by sending a challenge to an application installed on the user s previously registered device through Google Cloud Messaging for Android or Apple Push Notification Services. Upon receipt, the user simply swipes their screen to answer the challenge. Due to their features, smartphones can provide a useful what you have authentication factor. They can be used for second-factor authentication, or can replace what you know factors (passwords) completely as a single-factor authentication device. Utilizing a smartphone for authentication is more dyanmic, cheaper and lower-mainentance than FOBs. E-BOOK MOBILITY 8
THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD SINGLE SIGN-ON (SSO) Nothing slows down and frustrates employees more than having to call the help desk to get a password reset. With SSO, you can maximize productivity by minimizing the number of explicit credentials (passwords) needed to access applications. SSO improves security for the enterprise as well as significantly improves the productivity and overall work enjoyment of employees. So, how does this tie in to BYOD and mobile phones? Mobile SSO enables users to sign on once to a secure SSO application on their mobile device and have instant access to all of their enterprise applications. Another reason for SSO for mobile devices is that user credentials are typically stored on the device itself. Therefore, when a device is stolen, the credentials stored on it are stolen. With 27 percent of adults experiencing a lost or stolen device, it s crucial to keep corporate credentials off of devices. With SSO and mobile-based authentication, sign-on credentials are not stored on the device, and authentication and authorization is done via standardized mechanisms (standards). (See the standards section for detailed information on their role in SSO.) When a device is stolen, the credentials stored on it are stolen. That s a problem when 27% of adults mobile devices have been lost or stolen. This can be avoided with SSO. SSO solutions, such as PingOne, provide standards-based SSO for mobile. E-BOOK MOBILITY 9
THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD APPLICATION PROGRAMMING INTERFACES (API) The primary way that native mobile applications gain access to corporate data is through application programming interfaces (APIs). By securing APIs, you can be confident that the user is allowed access to the application data, no matter where they are or what application or device they re using. Securing APIs using a standards-based approach is critical to scalability and development productivity. Many organizations build authentication into each mobile application, which creates significant overhead for developers and generally isn t as secure. The best practice for mobile security is to utilize the standardized OAuth 2.0 protocol, which uses access tokens on API calls. By validating the token, the API is able to determine which employee is requesting access to the native application, and then determine authorization based on that employee s access rights. (See the standards section for more information on their role in API security.) Modern access management solutions, like PingAccess and PingFederate, provide both web and API access management with both proxy- and agent-based implementation options. E-BOOK MOBILITY 10
THE CRITICAL ROLE OF STANDARDS FOR A SECURE BYOD ARCHITECTURE
THE CRITICAL ROLE OF STANDARDS FOR A SECURE BYOD ARCHITECTURE Standards are the critical role-players in mobile security (and identity security). They support mobile-based authentication, SSO from any device and any location and simple API authorization by enabling secure, encrypted authentication, authorization and access across web and mobile platforms. Support of standards brings security to any device, browser or client that is accessing information from applications. Additionally, support reduces the integration efforts between multiple organizations when sharing applications or information. Standards, such as SAML, OAuth 2.0, OpenID Connect, and standard models such as FIDO and NAPPS, have been and are independently reviewed and developed by leading security professionals to provide the strongest levels of security. All Ping Identity products and solutions are built on standards. Security Assertion Markup Language (SAML) is the standard that powers web SSO and allows businesses to safely share identity information across domains for authentication and authorization. OAuth 2.0 is the industry standard for controlling access to APIs using secure access tokens instead of usernames and passwords. OpenID Connect (Connect) is a new standard that provides a best-of-breed approach to both web SSO and API access, building on SAML and OAuth. The FIDO (Fast Identity Online) Alliance is defining an alternative mobile-based authentication model one that can leverage the emerging biometric capabilities of devices. The OpenID Foundation s Native Applications (NAPPS) working group is defining an architecture that will enable the SSO experience across native applications and, critically, for mobile web apps as well. E-BOOK MOBILITY 12
SUMMARY
SUMMARY Leading organizations are embracing the mobile and BYOD phenomenon and intelligently securing corporate data and applications while empowering their mobile employees to be more productive than ever. The pillars below have been found to be critical success factors to getting the most out of your mobile initiatives: Mobile-based authentication leveraging the capabilities of smartphones to provide secure and easy sign-on, such as provided by PingID. SSO across web and native applications giving employees a seamless user experience for both web and native mobile applications, such as provided by PingOne. Application Programming Interfaces (APIs) granting access for business data only to authorized applications and users, such as provided by PingAccess and PingFederate. Using these standards-based technology pillars, you can unlock the potential of BYOD. Visit pingidentity.com to find out more about how Ping Identity solutions can help you transform mobile into a business asset. E-BOOK MOBILITY 14 Ping Identity is the leader in Identity Defined Security for the borderless enterprise, allowing employees, customers and partners access to the applications they need. Protecting over one billion identities worldwide, the company ensures the right people access the right things, securely and seamlessly. More than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens, trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com. Copyright 2016 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingAccess, PingID, their respective product marks, the Ping Identity trademark logo, and IDENTIFY are trademarks, or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies. 7/16 3053