EVOLUTION OF IAM: MOVING TO BYOD AND BEYOND

OUR APPROACH ON MOBILE TECHNOLOGY

White Paper, www.gooddoglabs.com

Future proof and extend your IAM to Mobile Platforms and any connected device

CONTENT: What this White Paper is about...

• INTRODUCTION
• THE CHALLENGE OF MOBILE COMPLEXITY
• LEVERAGING CURRENT IAM FOR MOBILE
• USE CASE
• ABOUT GOOD DOG LABS, INC
• GET IN TOUCH

Text and images Copyright © Good Dog Labs Inc.


INTRODUCTION

The days when people worked only in front of their PC or laptop are long gone. Nowadays, business is done differently and more efficiently, with employees working flexible hours and from outside their office. Employees and contractors have become completely mobile and, with the help of mobile devices, they can source the company's products, move a supply chain along, perform critical business transactions, and provide services from outside the office at any time of day. In order to do their jobs successfully, they need access to their applications and resources, and that access needs to be fast, simple and completely secure.

When we talk about Identity and Access Management (IAM) solutions, no IAM solution is complete without its mobile component. As companies turn to cloud and mobile technologies as a way of boosting their efficiency and productivity while cutting their costs, managing identities and access to their infrastructure and information has become both important and challenging.

This white paper provides general insight into the importance of mobile security and offers information on some of the biggest challenges in IAM today. It also presents an IAM implementation example for mobile that demonstrates how to leverage past IAM investments and make them future-proof at the same time.


THE CHALLENGE OF MOBILE COMPLEXITY

While businesses can, on one hand, become more productive and closer to their customers with the use of mobile devices, on the other hand these same devices can present a serious risk to the enterprise infrastructure. Sensitive enterprise and/or customer data can be stored on these devices, and employees often use cloud-sharing applications to share this information without thinking about the possible risks.

Mobile Device Management (MDM) solutions are a great step forward in addressing some of the mobile device, application, and data security issues, but the level of exposure has risen to the application and identity layers. Initially, it was common for MDM solutions to enforce a password policy, provide two-factor authentication, and add an option for remote deletion of the sensitive data on the mobile device. While these options are both useful and necessary, MDM is only a part of the solution, as it is not appropriate in all circumstances. For example, with MDM, employees and contractors are outside the range of IT controls, so MDM cannot provide specific application and data protection security controls on all the applications and identities that are used on these devices. In addition, extending an MDM solution to provide adequate protection and controls for remote application programming interfaces (APIs) is a must in today's API-driven application framework. IAM quickly proved itself as an important business tool for maintaining security and improving both the user experience and business performance itself. However, despite all of the improvements and technological advancements in recent years, IAM still remains a constant challenge for many companies who struggle with securing access to their critical infrastructure. On top of issues such as orphan accounts and a lack of monitoring and control over privileged accounts, mobile devices present new and unique issues to the enterprise, especially with BYOD (Bring Your Own Device).

The growing complexity of technology and of the business processes that are changing because of mobile devices makes these issues even worse, and while IAM is all about dealing with security and risk, business leaders are starting to look at IAM implementations from a purely financial point of view. While it should be easy to prove a positive ROI on an IAM investment, that is rarely the case, mainly because the costs of an ineffective IAM implementation can be well hidden. Together with the constantly evolving technology, one question often comes to mind: Will it still work tomorrow?


LEVERAGING CURRENT IAM FOR MOBILE

Regardless of whether an enterprise's current IAM implementation is effective or not, its owners have invested money to receive the benefits that it was offering. Robust IAM solutions give their users an efficient and unified experience in which they use a single sign-on approach to authenticate only once and gain access to everything they need. This, of course, is easier said than done.

Single Sign-On is the result, or the "effect", of an application integration and enablement effort that may take months or even years for the largest enterprises. This is due to the existing approach to both designing and implementing IAM technologies.

With the rise of mobile devices, the first of the "tomorrows" that we mentioned in the previous chapter was yesterday, and business owners are now looking for a way to achieve the same benefits for their BYOD users without throwing away their past investments in IAM.

In order to extend IAM to BYOD, there was a need to separate confidential enterprise, application, and identity data on multiple mobile devices. Thinking of all the standard security requirements, such as confidentiality, integrity, and availability, in all three contexts (User, Application, Device) is one of the best ways to methodically protect the BYOD or enterprise mobile strategy. From a security infrastructure and application perspective, containerization technology gives every application a secured, flexible runtime container. The practical benefit of thinking of BYOD security in these three different contexts is that you can accelerate your cloud and mobile application deployments by addressing key security requirements in smaller packages. This not only reduces implementation time but also increases the quality of the security and IAM measures put in place.

Along with "smaller packages" comes the inevitable mobile containerization, which transforms the mobile application into a self-contained operating environment by segregating it from all of the other applications on the device, allowing it to coexist with other personal user information. The concept of containerization of applications does not have to stop at mobile devices or mobile application platforms. You may take all the benefits of application containerization, bring them to your IAM program, and use them as a way to automate your IAM implementation and significantly reduce your implementation costs. Containerization also allows an enterprise to become much more flexible regarding IAM and application deployment models such as on-premise, cloud, or hybrid without suffering large infrastructure or migration costs. One of the key methods of protecting and enhancing an IAM investment is to containerize a set of core and critical functions that are small but pack a punch.

Good Dog Labs uses containerized IAM Microservices, which enable companies to abstract the complexity of building mobile applications and allow users to seamlessly reach their IAM services from their mobile devices, all while actually improving the user experience. These IAM Microservices are implemented with IAM.Dockables technology, which means that they operate as completely autonomous services and can run anywhere, on premise or in the Cloud. They can be easily joined with any existing IAM solution such as CA, IBM and Oracle. This way, not only do business owners keep their initial investments, they are also future-proofing their IAM implementation for the technology of tomorrow.


With all the issues that BYOD and mobile devices bring to the game, it would seem imperative for business owners to extend their current IAM solutions to mobile devices. Still, business owners have trouble justifying the time, energy and money needed in order to do so. How can they extend their current IAM solution to mobile devices without having to make considerable new investments and without losing the one that they made for their current IAM solution? Let's explore a real use case to find out.

USE CASE

Background

The business employs a mobile product purchasing application that is used by employees to interact with enterprise web services in order to source products and services. In order to have a secure and user-friendly environment, the business needs a highly scalable, standardized and future-proofed Identity and Access Management capability that will address the following fundamental questions:

1. Can the business trust the device that employees use to connect to the network in order to conduct business?
2. Can the business trust the application used by the employee while conducting business?
3. Can the business trust the identity associated with the device and application used to submit purchases for products and services?
4. How can the IAM solution have minimal impact on the mobile application development process?
5. How can the IAM solution be leveraged for the short- and long-term IAM strategy?

In order to address these questions, IAM must address device authentication/authorization, application authentication/authorization and user authentication/authorization, with an optional second factor, to establish trust in the identity that is conducting business with the secure enterprise web services. The solution must also provide a non-mobile (Common Server Side Solution) operating environment specifically for providing OAuth/OpenID Connect and JW* (JSON Web Token, JSON Web Encryption, JSON Web Signature) capabilities. This will allow cost-effective support for any device, any mobile operating system, and any application to leverage OAuth/OpenID and JW* capabilities. Once trust has been established with the device, application, and identity, standard JSON Web Tokens, in addition to OAuth secrets and tokens (access token and refresh token), can be issued as authorization tokens in order for the application and identity to interact with the secure protected resources and APIs. By addressing these fundamental questions, the Client can enable business transactions that are non-disruptive to the end user and maintain a strong security posture.

Benefits of IAM.Dockables:

• Device and platform independent
• Location independent
• Enhanced User Experience
• Unified security and scalability
• Capability-driven approach
• Lend themselves to infrastructure automation
• High business value
• Strong technology adoption

Mobile Client Approach

Cross-platform support for the business application would require custom development and mandate the usage of the respective OAuth/OpenID Connect libraries for each target platform (i.e. Windows, Android and iOS). To remove this level of complexity, OAuth/OpenID Connect and JW* flows can be abstracted from the Client's application into standardized REST/JSON API calls into a security and mobile middleware service such as the IAM.Dockables. IAM.Dockables call back into the existing IAM for Mobile Functional Components to complete OAuth/OpenID Connect flows and return data (i.e. secrets, access tokens, refresh tokens, JSON Web Tokens) after device/application registration and two-factor PIN authentication. Data can then be protected locally on the client (device) by using the data protection APIs of the respective mobile device operating system.

Benefits of the Security Abstraction Approach

Bi-directional communication by the IAM.Dockables to the mobile device via standard REST/JSON web services allows a standard business application development approach to be used. No special application security techniques or libraries need to be integrated by the business application developer, saving mobile application development time, reducing development costs, and expediting business application release timelines. The application's service layer calls standard REST/JSON web services in the enterprise environment in order to publish information into the internal systems. Devices can use offline modes and then synchronize when in the protected enterprise network. There is no need to store any security software configuration that may expose a business's mobile security products and strategy. This makes it very difficult for an attacker to extract or deduce information about the security systems in use. All complexity is delegated to the IAM.Dockables running in the protected and secure enterprise environment. In addition, VPN usage by employees and contractors is not required.
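As an added illustration (not Good Dog Labs' code and not the IAM.Dockables product), the trust-establishment step the client flow above describes: a server-side issuer behind a REST/JSON call checks device enrolment, application trust and the PIN second factor, then returns a JWS-signed JSON Web Token together with OAuth-style access and refresh tokens; the registry, key and user values are constructed sample data.

```python
# Added illustration (not Good Dog Labs / IAM.Dockables code): a server-side
# issuer that checks device, application and user (PIN second factor) trust
# before returning a signed JWT (JWS, HS256) plus OAuth-style tokens.
import base64, binascii, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-demo-key"   # constructed; load from a secret store in production

# Constructed enrolment registry: device -> user, app -> trusted version, user -> PIN hash.
# (Plain SHA-256 keeps the demo short; a real issuer would use a slow password KDF.)
DEVICES = {"dev-001": "alice"}
APPS = {"purchasing-app": "1.4"}
PIN_HASHES = {"alice": hashlib.sha256(b"4821").hexdigest()}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_tokens(device_id, app_id, app_version, user, pin, now=None):
    """REST/JSON-style entry point: returns a token bundle or an error dict."""
    now = int(time.time()) if now is None else now
    if DEVICES.get(device_id) != user:                       # device trust
        return {"error": "device_not_enrolled"}
    if APPS.get(app_id) != app_version:                      # application trust
        return {"error": "app_not_trusted"}
    pin_hash = hashlib.sha256(pin.encode()).hexdigest()      # second factor
    if not hmac.compare_digest(pin_hash, PIN_HASHES.get(user, "")):
        return {"error": "pin_rejected"}
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "dev": device_id, "app": app_id,
              "amr": ["pin"], "iat": now, "exp": now + 900}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"id_token": signing_input + "." + _b64(sig),     # JWS-signed identity claims
            "access_token": secrets.token_urlsafe(32),        # opaque bearer token
            "refresh_token": secrets.token_urlsafe(32),
            "expires_in": 900}

def verify_jwt(token, now=None):
    """Resource-side check: constant-time signature compare, then expiry."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        claims = json.loads(_unb64(c))
    except (ValueError, binascii.Error):
        return None
    return claims if claims.get("exp", 0) > now else None
```

The access and refresh tokens are opaque here; the JWT carries the device, application and second-factor (`amr`) context so a protected API can see which of the three trust checks backed the request.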

High-Level Solution Approach

The following is the proposed high-level solution approach for abstracting OAuth/OpenID and JW* capabilities from the mobile application's various mobile devices to a centralized IAM.Dockable that leverages a business's existing IAM functions and products.

Mobile Device

Mobile devices are evolving every day and, while it is difficult to predict in which direction the evolution will take them, one thing is certain: they are here to stay. Many business owners have accepted the security on their network and computers as something normal and necessary, but they still overlook their mobile security. With more and more employees using their own devices to access their business resources, it is imperative to have a security solution that is built to address the issues that BYOD brings.


IAM has become the core for all things related to security and is starting to become so for mobile devices as well. By having an IAM solution that is not written for a specific mobile operating system, business owners can successfully solve the security issues of their mobile devices and extend their OAuth/OpenID capabilities for BYOD. The mobile device IAM.Dockable addresses this by abstracting the security and Identity and Access Management functionality from the client application, so complexity does not get transferred to the final business application but is instead managed centrally from a quick-to-deploy, automated IAM model.

Mobile IAM.Dockables

IAM.Dockables operate as completely autonomous services, can be easily configured and can run anywhere. IAM.Dockables can work in on-premise, Cloud and Hybrid Cloud environments. They enable a very specific set of business capabilities and are inherent to the application composition. Any changes to IAM industry protocols can be seamlessly integrated into IAM.Dockables without affecting the system as a whole. They allow for easy deployment, customization, maintenance and a cost-effective cloud transition for all business applications. With all the benefits that IAM.Dockables bring to the market, a mobile IAM.Dockable can successfully tame the wild beast called BYOD. It does that by simply abstracting the OAuth/OpenID capabilities and quickly extending the existing IAM solution to mobile devices.

Your IAM System

Deciding to invest in IAM can be hard. Deciding to invest in IAM for mobile can be even harder, mainly because many business owners are not aware of the possible security issues that mobile devices can bring. Another deal-breaker in IAM implementations is the difficulty of calculating the ROI. Identity and Access Management solutions can be easily explained in qualitative terms, but they are almost always difficult to quantify. While it can be easy to explain what an IAM solution will do and what benefits it will bring, putting a dollar figure on those benefits can be a lot more difficult.

With IAM.Dockables, business owners get the ability to upgrade their current IAM solution and extend it to mobile devices. By doing so, they keep their initial investment, the one that they made for their current IAM solution, and they future-proof that solution for mobile and for the technology of tomorrow.


ABOUT GOOD DOG LABS, INC.

Good Dog Labs, Inc. was founded in 2014 by information security and Identity and Access Management industry veterans. We are changing how IAM is delivered today to secure business transactions and identities by providing advisory, implementation, and product services that together form an Automated Identity and Access Management Assembly Line.

Our two founders combined have more than 24 years of information security and Identity & Access Management experience and years of IT service management methodology experience.

The team has experience in leading large teams in providing innovative information security solutions and assisting clients with information security strategy and execution. Our passion is helping clients in all industries to design, implement, automate, and monitor information security and IT governance systems and programs.

All of our experience is a result of working with security solution vendors such as IBM, CA, RSA Security, Aveksa, Cyber-Ark, Dell, NetIQ, Thor Technologies (now Oracle OIM), and identity federation vendors, where we have led engineering, consulting and professional services teams to deliver Identity & Access Management, information security products, and solutions to global clients.

Want to learn more?

For more information on how to extend your current IAM solution to BYOD and beyond, see www.gooddoglabs.com or contact us using the information below.


GET IN TOUCH WITH US

Good Dog Labs, Inc.
45 Prospect Street, 5th Floor
Cambridge MA 02139

Phone: +1 (877) 713-1186
E-mail: [email protected]
www.facebook.com/gooddoglabs
www.twitter.com/gooddoglabs
www.linkedin.com/company/good-dog-labs-inc-