BYOD

It's an 'identity' thing

BYOD- it's an Identity Thing

Paul Madsen (@pmadsen)

Senior Technical Architect

Ping Identity

A little bit about me

WHAT'S THE BIG DEAL?BYOD

B Y O DYOUR

RING

WN

DEVICES

BROUGHT

Context

COIT BYOD

Social

App stores Personal

Cloud

will.i.am keynoting Cloudforce

[reputable analyst firm] says [X%] of Fortune 500 will

confront BYOD by [201Y]

So whyallow it?

SHadow ITHAPPENS

Sun ThurWedTueMon Fri Sat

prod

uctiv

ity mobile

Traditional9-5

Employee productivity as a function of time

Fundamental challenge

A single device must support two 'masters'

Err no….

Choices• Mobile Device Management (MDM) applies

enterprise policy to the device as a whole– PIN, wipe, VPN etc

• Mobile Application Management (MAM) focuses on the business apps ON the device– App store, security added onto binaries

either through SDK or 'wrapping'

Granularity

BYOD Balancing Act

Security

PrivacyEnablement

Standards

Balancing Act

Productivity

Productivity vs time

time

prod

uctiv

ity

'Well I guess I can play Angry Birds until IT sets me up'

ideal reality

'Whoa, I can still login!'

hired fired

'Now what was my password again??'

GTD Requirements

1. Initial GTD - Quickly get new employees up and running with the applications their role demands

2. Ongoing GTD - Provide employees single sign on experience in day to day work

3. Stop GTD - Reduce/remove permissions when necessary

Balancing Act

Privacy

Privacythe right to be let alone—the

most comprehensiv

e of rights and the right most valued by civilized

menLouis Dembitz Brandeis

Granularity of IT control

Priv

acy

Partioning for privacy1. Divide the phone in 'half'

– one side for business applications & data, another for personal

2. IT's mandate is to manage & secure the apps & data on the business side

3. IT has no mandate (nor, hopefully, desire) to touch apps & data on the personal side

Balancing Act

Security

IT'S NOT ABOUT THE DEVICE

It's the data

Protecting the data1. Ensure that user/app can access only

appropriate data– Authorization based on role

2. Protect data in transit– SSL

3. Protect data on device– PIN, Encryption

4. Remove access to data when appropriate– Wipe stored data (or keys)– Revoke access to fresh data

IDM

MAM

MDM

MIM?

MDM – No screen captureMAM – No screen capture when in email app

MIM – No screen capture for this document

Balancing Act

Standards

Why standards?

• Framework implies interplay between – Enterprise IdM– MAM architecture

• MAM servers• MAM agent

– Applications• On-prem• SaaS

ComponentsEnterprise

Device

MAM

BrowserMAM

SaaS2

SaaS1

SaaS1

SaaS2

Standards• SCIM (System for Cross-Domain Identity

Management) to provision identities as necessary to MAM and SaaS providers

• SAML (Security Assertion Markup Language) to bridge enterprise identity to MAM and SaaS providers

• OAuth to authorize MAM agents, and SaaS native apps

Device

BrowserMAM

SaaSSaaS1

ComponentsEnterprise

MAM

SaaS1 SaaS

SCIM

SCIM

SCIM

SAML

SAMLSAML

OAUTH

OAUTH

OAUTH

Device

BrowserMAM

SaaSSaaS1

Bob 'pursuing other ventures'Enterprise

MAM

SaaS1 SaaS

SCIM (delete)

SCIM (delete)

SCIM (delete)

WIpe

wipewipe

Device

BrowserMAM

SaaSSaaS1

Bob 'loses phone in cab'Enterprise

MAM

SaaS1 SaaS

SCIM (status=0)

SCIM (status=0)

SCIM (status=0)

LOCK=Y

Enterprise

Device

Native appAuthz agent

Application Provider

Application Provider

Application Provider

Native appNative

appNative appNative

appNative app

Nativeapp

Wrapping up

Business Personal

Corp Identity

MAM

Policy

Apps

App

App

Tokens

Tokens

Tokens

REST

REST

IdentityIdentityIdentity

Data

Thank you@paulmadsen

Summary1. Divide device & leave employee personal data

alone2. Provision apps via MAM based on employee

identity & roles into employee 'side'3. Provision tokens to those apps via IdM based on

employee identity & roles4. Apps use tokens on API calls to corresponding

Cloud