A Guide to Effective Identity and Access Management for Mobile



Alongside the mobile trend are new security challenges, a direct result of organizations' inability to enforce tight control over employees' personal devices. Download "Effective Identity and Access Management in a Mobile World" to learn about a new, cost-effective and easy solution enabling employees to access corporate data and apps quickly and easily, without the need to interfere with users' already personalized mobile devices.

Published in: Technology

Effective Identity and Access Management in a Mobile World
A Good Technology Whitepaper

Contents

  • Introduction
  • Mobile Identity and Access Management
  • Mobile Challenges
  • The Multi-Factor Solution for Personal Mobile Devices
  • The Good Vault Solution
  • About Good Technology

Introduction

Few developments have created more IT disruption in the past five years than the explosion of mobile devices in the workplace. Organization after organization has reaped the benefits of mobile devices for employee productivity, collaboration, and customer communication and satisfaction.

Hand in hand with the mobile explosion has been the trend of employees bringing their own devices to work, called Bring Your Own Device or BYOD, which has enhanced employee satisfaction, productivity, and competitive advantage in companies looking to hire the best of the younger generation or fulfill the needs of traveling executives. Most often the personal device in question is a mobile device, such as an Apple® iPhone®, iPad®, or Android™ phone or tablet.

The challenge for IT has been to balance the obvious business benefits of mobile personalized devices with the need to protect the organization from confidential data theft, malware, and the other risks they create. The perimeters and doors of IT networks risk being blown wide open as users add devices filled with personal game, music, and other software, and connect to mobile consumer cloud services such as Gmail and Dropbox. The security risks of consumer software and services are well known, as are the challenges of managing and regulating the devices that use them.

Organizations must do their best to manage employee mobile devices using mobile device management tools. But an essential part of a mobile management and security strategy is not only securing the mobile device, which is increasingly challenging, but managing and securing its access to applications and confidential organizational information.

Mobile Identity and Access Management

One of the key components of most organizations’ information security strategy is robust identity and access management (IAM)—the technology and practices used to positively identify users accessing sensitive applications and confidential information and to control their access and use privileges over time. IAM systems are used in large organizations to manage access and privileges for hundreds or thousands of users over their entire identity lifecycle, from the day they join the organization, through all their moves up or down the ranks, to the day they leave. They are essential tools for ensuring that organizational information security policy is adhered to and confidential information does not make it into the hands of the wrong people.

Most large organizations already have IAM systems in place. In fact, escalating security threats and widely publicized data breaches have driven the adoption of IAM systems to unprecedented levels. In a June 2012 Security Markets Analysis (Market Analysis: Worldwide Identity and Access Management 2012-2016 Forecast: Growth Driven by Security, Cloud, and Compliance), IDC predicted that the worldwide identity and access management systems market, which reached $3.7 billion in 2010 and $4.2 billion in 2011, would grow by more than half to $6.6 billion in 2016.

The need and growth have been particularly pronounced in highly regulated, security-sensitive markets such as government, healthcare, and financial services. Many of these sectors have embraced the benefits of mobile technologies and are looking for ways to integrate them tightly with their existing IAM systems and processes so they can remain secure and compliant. Bulletproof user authentication is particularly critical for devices that move outside the organization, across the country and around the world, where they can easily be lost, hacked, or stolen. It’s also important for devices that mix personal with organizational software and data.

According to IDC (Market Analysis: Worldwide Mobile Enterprise Security Software 2012-2016 Forecast and Analysis), mobile identity and access management is expected to grow by 27.6 percent between 2010 and 2016. Particularly important is multi-factor authentication that moves beyond user passwords, which are often mismanaged by users and easily guessed and hacked by experts, to more secure tools such as smart cards and token devices, or anything else the user has or is (such as biometrics solutions). Goode Intelligence, an analyst firm that specializes in mobile and information security, predicts that by 2014, 64 percent of multi-factor authentication sales will be mobile-based. In 2012 that number was already over 20 percent.

Mobile Challenges

The combination of BYOD and mobile device growth presents brand new challenges for user identity and access management in an organization. Until recently IT owned all the devices and software accessing confidential information and could impose tight limitations and controls on them. IT can no longer exercise such tight control over personal devices. And with the use of personal devices, the ever-growing corporate perimeter has grown larger and more diffuse, defying attempts at management and control.

The challenge is to extend IAM systems to these devices safely and securely, ensuring that each and every personal mobile device user is always strongly authenticated and that his or her access to and use of corporate applications and information are strictly compliant with organizational information security policies. Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption support is also important for mobile email security. S/MIME is used widely by government and other security-sensitive organizations to secure email with robust encryption and verify senders.

It’s clear that roving users of personal mobile devices need an extra level of authentication beyond most deskbound workers using IT-supplied equipment well inside the corporate perimeter. Passwords can be useful inside the perimeter but they have numerous well-known vulnerabilities that become even more pronounced out on the road. It’s difficult to prevent users from making poor password choices that are easy to remember but just as easy and convenient for hackers or device thieves to guess, or to prevent users from using the same password for multiple personal and business accounts or writing passwords down in places that are easy to access. Poor password choices make organizations vulnerable to man-in-the-middle and other attacks that can be used to steal confidential information. Clearly, effective password management is often a major headache for most organizations.

Many organizations have turned to one-time password tokens as a solution for multi-factor authentication, adding something the user possesses to the requirement of a strong, one-time PIN or password. However, even though tokens are more effective than traditional user passwords, their management has proven to be expensive and resource intensive. They’re often inconvenient for users and are frequently lost. They sometimes lose their synchronization with the centralized identity management system they’re supposed to authenticate with, and a number of sophisticated threats and hacks have been developed over the years to overcome their security advantages.

Many enterprises have deployed smart cards to provide strong multi-factor authentication, but smart cards require smart card readers, which can be cumbersome for mobile users on the road and interfere with the quick and easy use of mobile devices required to reap their full benefits.

The Multi-Factor Solution for Personal Mobile Devices

What is needed is a strong mobile multi-factor authentication solution that integrates tightly with existing enterprise smart card management and IAM solutions, meets all the stringent needs of security and privacy regulations such as HSPD-12, FIPS, FFIEC, PCI, HITECH, and HIPAA, but is also portable, lightweight, compact, and convenient enough for users to carry and log into corporate applications quickly and easily from the road.

Ideally the authentication mechanism should be attached to the mobile device and no more inconvenient to carry home, on the road, to an Internet-enabled café, the airport, and across the globe than the mobile device itself. It should also be as user-friendly as possible so users don’t feel it interferes with the quick and easy use of their chosen, often personalized mobile devices.

Finally, any multi-factor authentication solution should be easy and cost-effective for IT to configure and manage, allowing the use of an organization’s existing standard CAC/PIV smart cards. As a mobile authentication solution it should integrate tightly with current enterprise card management and identity and access management platforms, while providing the flexibility to keep pace with evolving IAM standards as newer, improved technologies become available.

The Good Vault Solution

Good Technology™’s Good Vault™ is one of the first and most comprehensive solutions on the market for extending enterprise identity and access management to mobile and personal devices. Good Vault provides robust mobile multi-factor authentication and secure email for the most security-sensitive and regulated organizations. It perfectly balances the needs of IT managers for security and regulatory compliance with those of executives and other mobile users for rapid, easy adoption.

Good Vault supports all legacy smart cards as well as Micro SD options for storing user credentials and keys and integrates tightly with Good Technology’s award-winning Good for Enterprise™ corporate messaging application. Perhaps most important of all, however, is that Good Vault has been carefully designed to provide airtight security and compliance without compromising the mobile user experience or the compact mobile form factor of typical smart phones.

Good Vault employs strong two-factor authentication, requiring each and every user to provide something he or she has—a Secure Element (SE) on a smart or Micro SD card—with something he or she knows—a personal identification number (PIN). Smart Cards and secure Micro SD cards provide this secure element in highly secure crypto chips, adding hardware protection and tamper resistance to Good for Enterprise’s existing authentication platform.

Good Vault works with slim Smart Card and Micro SD reader sleeves that fit directly over smart phones, server-side software used by IT for administration and credential issuance and management, and an easy-to-install and configure Good Vault user application for mobile device users.

Good Vault’s smart card option supports all the major smart card standards such as CAC, PIV, PIV-1 and CIV. The mobile reader, Tactivo™, supplied by Precise Biometrics, is a slim casing that fits over the iPhone 4 or 4S, adding only about a half inch in length and .22 in thickness to the device and weighing a mere 1.5 ounces. The solution complies with Apple MFi certification. FCC, CE Marking, GSA FIPS-201, and Unified Capabilities Product listing certifications are either under way or planned. The sleeve is carefully designed so it does not block the iPhone camera, even when the smart card is placed in the reader. In all, there are no compromises to the mobile form factor or user experience.

The MicroSD option also consists of small form factor cards, similar to smart cards, with embedded PKI cryptographic chips. It also uses a slim casing for the iPhone 4 or 4S and contains a slot for inserting a MicroSD card. It’s supplied by Device Fidelity through HID Identity Assurance, formerly ActivIdentity and now part of HID Global®, and it uses HID’s ActiveID Credential Management System to issue and manage the MicroSD cards for either primary or derived credentials.

The MicroSD doesn’t necessarily replace a smart card solution. It can either serve as an alternative option for primary credentials or it can be used in parallel with smart cards for derived credentials, with the smart card used as the primary credential. In such a case, new authentication and signature keys are used in the MicroSD, but the same encryption key used in the smart card is used by the MicroSD card so emails can be decrypted on both mobile and desktop devices. PIV, PIV-1 and CIV formats are all supported with both primary and derived credentials on the MicroSD card.

Both hardware options also store PKI credentials for S/MIME email signing and encryption to ensure nobody on the communications link between the sender and recipient can read an email.

Good Vault is a Good Dynamics®-enabled solution. Good Dynamics is Good Technology’s secure application development platform, providing a secure container for safe access from anywhere in the world without the need for a VPN client installed on the mobile device. It includes policy management capabilities for enforcing rich and granular enterprise policies at the application level and prevents data loss with encryption of data both in transit and at rest.

While Good Vault supports two hardware solutions today, it is intended to be hardware agnostic. Good Vault is the first product to be delivered through the Good Trust™ security platform that extends critical identity and access management capabilities like strong authentication, single sign-on, and identity federation to mobile devices and applications. Good Trust will support a wide array of authentication mechanisms, including new technologies such as biometrics, as they become available. Because Good Vault is a Good Dynamics-enabled solution, it can leverage Good Trust’s robust APIs to be extensible to these new technologies too.

The Smart Card option for authentication includes a slim device casing and a slot for inserting an identification card.
The MicroSD option also includes a slim device casing that can carry a mini-card with stored credentials.

Good Vault: strong authentication to GFE today, extensible to Good Dynamics-enabled apps.

With Good Vault, you get the best of all worlds. C-Level executives like the CISO or CIO take advantage of Secure Element technology for strong authentication and email security to protect corporate data, prevent data loss, and meet regulatory compliance requirements. IT managers can harness their existing infrastructure for PKI credentials, extending the same controls they have on the desktop to mobile users, and lowering their overall costs for identity access and management. They can also promise unmatched convenience and portability to drive quick adoption. And since the solution maintains the sleek design and usability of the phone, the mobile workforce remains productive without sacrificing security.

For mobile organizations looking to comply with the most stringent regulations and security standards, an authentication solution that harnesses a Secure Element perfectly balances the flexibility and freedom users require with the IT security controls needed to protect sensitive applications and data. A solution that maintains the mobile device form factor and user experience simplifies user adoption. Hardware-based multi-factor authentication ensures that credentials cannot be tampered with, and tight integration with current and evolving enterprise IAM platforms allows organizations to provide robust, cost-effective mobile security today as well as tomorrow. Good Vault provides such a solution, keeping enterprises safe, secure, and compliant in the changing and evolving IT environment of mobility and consumerization.

For more on Good Technology’s Good for Enterprise, visit here. For more on Good Technology’s Good Dynamics, visit here. For more information on Good Vault, visit here. For more information on Good Trust, visit here.

Strong Two-factor Authentication that

  • Meets stringent security standards and compliance regulations
  • Preserves existing identity and access management investments
  • Can evolve to other authentication mechanisms as they are available

About Good Technology

Mobility is here, and business is changing. Your employees need to be productive on devices they bring from home. And you need to provision, monitor, and secure the mobile apps and services that allow them to collaborate anytime, anywhere. It’s how people work now.

Good Technology is transforming how mobile work gets done, through secure app-to-app workflows that include integrated email, communications, document management, business intelligence, social business, wireless printing, and more. We also offer complete enterprise mobility management solutions, including device, app, data, and service management, as well as analytics and reporting. We complete our stack with professional services that include mobile deployment rollouts, BYO onboarding constructs, and platform transition consulting. Only Good offers a complete mobile solution that puts IT back in control. All of Good Technology’s secure solutions work to keep employees productive and corporate and personal data secure and accessible.

Established in 1996 and headquartered in Sunnyvale, California, Good Technology’s services are used by 4000+ major organizations worldwide, including 50 of the Fortune 100 as well as more than 4,000 enterprise customers in 90+ countries operating on over 200 carriers. Good Technology has partnerships with industry leaders including Apple, Google, LG, HTC, Microsoft, Nokia and leading systems integrators. Want to know more? Visit good.com.

©2013 Good Technology Corporation and its related entities. All use is subject to license terms posted at www.good.com/legal. All rights reserved. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD VAULT and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Good’s technology and products are protected by issued and pending U.S. and foreign patents. iPad and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions.

Global Headquarters: +1 408 212 7500 (main), +1 866 7 BE GOOD (sales)
EMEA Headquarters: +44 (0) 20 7845 5300
Asia/Pacific Headquarters: +1 300 BE GOOD
good.com