Madsen byod-csa-02

MIS Training Institute Session # - Slide 1© COMPANY NAME

BYODIt's an 'identity' thing

BYOD- it's an Identity ThingSession #36

Thursday, November 8, 2012

1.45-2.45pm

Paul Madsen (@pmadsen)

Senior Technical Architect

Ping Identity


A little bit about me


WHAT'S THE BIG DEAL?BYOD



B Y O DYOUR

RING

WN

DEVICES

BROUGHT


Context

COIT BYOD

Social

App stores Personal

Cloud

will.i.am keynoting Cloudforce


[reputable analyst firm] says [X%] of Fortune 500

will confront BYOD by [201Y]


So why

allow it?


SHadow IT

HAPPENS


Sun ThurWedTueMon Fri Sat

prod

uctiv

ity BYOD

Traditional9-5

Employee productivity as a function of time

Value prop


Fundamental challenge

A single device must support two 'masters'


Err no….


Choices Mobile Device Management (MDM)

applies enterprise policy to the device as a whole PIN, wipe, VPN etc

Mobile Application Management (MAM) focuses on the business apps ON the device App store, security added onto

binaries either through SDK or 'wrapping'


Granularity


BYOD Balancing Act

Security

PrivacyProductivity

Standards


Balancing Act

Productivity



Productivity vs time

time

prod

uctiv

ity

'Well I guess I can play Angry Birds until IT sets me up'

ideal reality

'Whoa, I can still login!'

hired fired

'Now what was my password again??'


GTD Requirements

1. Initial GTD - Quickly get new employees up and running with the applications their role demands

2. Ongoing GTD - Provide employees single sign on experience in day to day work

3. Stop GTD - Reduce/remove permissions when necessary


Balancing Act

Privacy


Privacy

the right to be let alone—the

most comprehensiv

e of rights and the right most valued by civilized

menLouis Dembitz Brandeis


Granularity of IT control

Priv

acy


Partioning for privacy1. Divide the phone in 'half'

– one side for business applications & data, another for personal

2. IT's mandate is to manage & secure the apps & data on the business side

3. IT has no mandate (nor, hopefully, desire) to touch apps & data on the personal side


Balancing Act

Security


IT'S NOT ABOUT THE DEVICE


It's the data


Protecting the data

1. Ensure that user/app can access only appropriate data

Authorization based on role

2. Protect data in transit SSL

3. Protect data on device PIN, Encryption

4. Remove access to data when appropriate Wipe stored data (or keys) Revoke access to fresh data

IDM

MAM

MDM


MIM?


MDM – No screen capture

MAM – No screen capture when in email app

MIM – No screen capture for this document


Balancing Act

Standards


Why standards?

Framework implies interplay between Enterprise IdM MAM architecture

MAM servers MAM agent

Applications On-prem SaaS


ComponentsEnterprise

Device

MAM

BrowserMAM

SaaS2

SaaS1

SaaS1

SaaS2


Standards

SCIM (System for Cross-Domain Identity Management) to provision identities as necessary to MAM and SaaS providers

SAML (Security Assertion Markup Language) to bridge enterprise identity to MAM and SaaS providers

OAuth to authorize MAM agents, and SaaS native apps


Device

BrowserMAM

SaaSSaaS1

ComponentsEnterprise

MAM

SaaS1 SaaS

SCIM

SCIM

SCIM

SAML

SAMLSAML

OAUTH

OAUTH

OAUTH


Device

BrowserMAM

SaaSSaaS1

Bob 'pursuing other ventures'Enterprise

MAM

SaaS1 SaaS

SCIM (delete)

SCIM (delete)

SCIM (delete)

WIpe

wipewipe


Device

BrowserMAM

SaaSSaaS1

Bob 'loses phone in cab'Enterprise

MAM

SaaS1 SaaS

SCIM (status=0)

SCIM (status=0)

SCIM (status=0)

LOCK=Y


Enterprise

Device

Native appAuthz agent

Application Provider



Native appNative

appNative appNative

appNative app

Nativeapp

Wrapping up


Business Personal

Corp Identity

MAM

Policy

Apps

App

App

Tokens

Tokens

Tokens

REST

REST

IdentityIdentityIdentity

Data


Thank you

@paulmadsen


Summary1. Divide device & leave employee

personal data alone

2. Provision apps via MAM based on employee identity & roles into employee 'side'

3. Provision tokens to those apps via IdM based on employee identity & roles

4. Apps use tokens on API calls to corresponding Cloud

Technology

Madsen byod-csa-02