Role of IdM in addressing BYOD
MIS Training Institute Session # - Slide 1 © COMPANY NAME
BYOD: It's an 'identity' thing
Session #36
Thursday, November 8, 2012
1:45-2:45pm
Paul Madsen (@pmadsen)
Senior Technical Architect
Ping Identity
Slide 2
A little bit about me
Slide 3
BYOD: What's the big deal?
Slide 4
Slide 5
BYOD: Bring Your Own Devices
Slide 6
Context
COIT, BYOD, Social, App stores, Personal Cloud
will.i.am keynoting Cloudforce
Slide 7
[reputable analyst firm] says [X%] of Fortune 500 will confront BYOD by [201Y]
Slide 8
So why allow it?
Slide 9
Shadow IT happens
Slide 10
[Chart: Employee productivity as a function of time. x-axis: days of the week (Mon-Sun); y-axis: productivity. Series: Traditional 9-5 vs BYOD]
Value prop
Slide 11
Fundamental challenge
A single device must support two 'masters'
Slide 12
Err, no…
Slide 13
Choices
Mobile Device Management (MDM): applies enterprise policy to the device as a whole (PIN, wipe, VPN, etc.)
Mobile Application Management (MAM): focuses on the business apps ON the device (app store; security added onto binaries either through an SDK or 'wrapping')
Slide 14
Granularity
Slide 15
BYOD Balancing Act: Security, Privacy, Productivity, Standards
Slide 16
Balancing Act
Productivity
Slide 17
Slide 18
[Chart: Productivity vs time, from 'hired' to 'fired'. x-axis: time; y-axis: productivity. Two curves: 'ideal' and 'reality'. Callouts along the 'reality' curve: 'Well I guess I can play Angry Birds until IT sets me up'; 'Now what was my password again??'; 'Whoa, I can still login!']
Slide 19
GTD Requirements
1. Initial GTD - Quickly get new employees up and running with the applications their role demands
2. Ongoing GTD - Provide employees a single sign-on experience in day-to-day work
3. Stop GTD - Reduce/remove permissions when necessary
Slide 20
Balancing Act
Privacy
Slide 21
Privacy
"The right to be let alone—the most comprehensive of rights and the right most valued by civilized men."
Louis Dembitz Brandeis
Slide 22
[Chart: Privacy (y-axis) as a function of granularity of IT control (x-axis)]
Slide 23
Partitioning for privacy
1. Divide the phone in 'half': one side for business applications & data, another for personal
2. IT's mandate is to manage & secure the apps & data on the business side
3. IT has no mandate (nor, hopefully, desire) to touch apps & data on the personal side
Slide 24
Balancing Act
Security
Slide 25
IT'S NOT ABOUT THE DEVICE
Slide 26
It's the data
Slide 27
Protecting the data
1. Ensure that user/app can access only appropriate data: authorization based on role
2. Protect data in transit: SSL
3. Protect data on device: PIN, encryption
4. Remove access to data when appropriate: wipe stored data (or keys); revoke access to fresh data
(Mechanisms mapped against these on the slide: IdM, MAM, MDM)
Slide 28
MIM?
Slide 29
MDM – No screen capture
MAM – No screen capture when in email app
MIM – No screen capture for this document
Slide 32
Balancing Act
Standards
Slide 33
Why standards?
Framework implies interplay between: enterprise IdM; MAM architecture (MAM servers, MAM agent); applications (on-prem, SaaS)
Slide 34
[Diagram: Components. Enterprise; Device (Browser, MAM agent, SaaS1 and SaaS2 apps); MAM, SaaS1 and SaaS2 providers]
Slide 35
Standards
SCIM (System for Cross-Domain Identity Management) to provision identities as necessary to MAM and SaaS providers
SAML (Security Assertion Markup Language) to bridge enterprise identity to MAM and SaaS providers
OAuth to authorize MAM agents and SaaS native apps
Slide 36
[Diagram: the component picture of slide 34 (Enterprise; Device with Browser and MAM agent; MAM, SaaS1 and SaaS providers) with SCIM, SAML and OAuth flows drawn to each of MAM, SaaS1 and SaaS]
Slide 37
[Diagram: Bob 'pursuing other ventures'. Same components; Enterprise issues SCIM (delete) for each of MAM, SaaS1 and SaaS, and 'wipe' is applied to the device-side components]
Slide 38
[Diagram: Bob 'loses phone in cab'. Same components; Enterprise issues SCIM (status=0) for each of MAM, SaaS1 and SaaS, and LOCK=Y is applied to the device]
Slide 41
[Diagram: Enterprise; Device running an authorization agent and several native apps; three Application Providers]
Wrapping up
Slide 43
[Diagram: device split into Business and Personal sides. On the business side: Corp Identity, MAM, Policy, Apps; each App holds Tokens and makes REST calls to the cloud side, which holds Identity and Data]
Slide 44
Thank you
@paulmadsen
Slide 45
Summary
1. Divide device & leave employee personal data alone
2. Provision apps via MAM based on employee identity & roles into employee 'side'
3. Provision tokens to those apps via IdM based on employee identity & roles
4. Apps use tokens on API calls to corresponding Cloud
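An added example (not from the deck or from Ping Identity) that models the lifecycle the summary and slides 37-38 describe: apps and tokens provisioned by role, apps calling a provider's REST API with their token, SCIM status=0 plus a lock on a lost phone, SCIM delete plus a wipe on departure. The role map, provider and user names, and the in-memory stand-ins for SCIM and the data API are all constructed for the example.

```python
import secrets

# Constructed role-to-app map: which SaaS apps each role is provisioned into.
ROLE_APPS = {"sales": ["SaaS1", "SaaS2"], "eng": ["SaaS1"]}


class SaaSProvider:
    """Stand-in for a SaaS (or MAM) server: SCIM endpoints plus the REST API its native app calls."""
    def __init__(self, name):
        self.name, self.users, self.tokens = name, {}, {}
    def scim_create(self, user):  # SCIM POST /Users, reduced to an in-memory record
        self.users[user] = {"userName": user, "active": True}
    def scim_set_active(self, user, active):  # SCIM PATCH of 'active'; the slide's status=0 is False
        self.users[user]["active"] = active
    def scim_delete(self, user):  # SCIM DELETE /Users/{id}, plus revocation of that user's tokens
        self.users.pop(user, None)
        self.tokens = {t: u for t, u in self.tokens.items() if u != user}
    def issue_token(self, user):  # stands in for the OAuth grant that puts a token in the native app
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return token
    def api_call(self, token):  # 200 only while the token's user still exists and is active
        user = self.tokens.get(token)
        return 200 if user in self.users and self.users[user]["active"] else 401


class EnterpriseIdM:
    """Enterprise side: drives SCIM to providers, tokens into business-side apps, MAM commands."""
    def __init__(self, providers):
        self.providers = {p.name: p for p in providers}
        self.devices = {}  # user -> state of the business 'side' of that user's device
    def onboard(self, user, role):  # initial GTD: apps and tokens chosen by role
        apps = {}
        for app in ROLE_APPS[role]:
            self.providers[app].scim_create(user)
            apps[app] = self.providers[app].issue_token(user)
        self.devices[user] = {"apps": apps, "locked": False, "wiped": False}
    def lost_phone(self, user):  # slide 38: SCIM status=0 at every provider, MAM LOCK=Y
        for app in self.devices[user]["apps"]:
            self.providers[app].scim_set_active(user, False)
        self.devices[user]["locked"] = True
    def terminate(self, user):  # slide 37: SCIM delete at every provider, MAM wipe of business side
        for app in self.devices[user]["apps"]:
            self.providers[app].scim_delete(user)
        self.devices[user]["wiped"] = True
    def app_calls_api(self, user, app):  # a native app uses its stored token on a REST call
        return self.providers[app].api_call(self.devices[user]["apps"][app])
```

Deactivation keeps the SCIM record so a recovered phone can be re-enabled with one PATCH, whereas deletion also drops the tokens, so a wiped app could not call the API even if the wipe failed.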