BYOD - it's an identity thing

An identity-based model for dealing with BYOD

  • Speaker note: Managing the device is misguided – CISOs do not lose sleep over the loss of devices, but rather ……

    1. BYOD - it's an Identity Thing. Paul Madsen (@pmadsen), Senior Technical Architect, Ping Identity
    2. A little bit about me
    4. BYOD (letter-grid graphic; remaining text not recoverable)
    5. Context: COIT, BYOD, Social, keynoting Cloudforce, App stores, Personal Cloud
    6. [reputable analyst firm] says [X%] of Fortune 500 will confront BYOD by [201Y]
    7. So why allow it?
    8. Shadow IT happens
    9. Employee productivity as a function of time (chart: mobile productivity vs. traditional 9-5, Sun through Sat)
    10. Fundamental challenge: a single device must support two masters
    11. Err no….
    12. Choices
       • Mobile Device Management (MDM) applies enterprise policy to the device as a whole – PIN, wipe, VPN etc.
       • Mobile Application Management (MAM) focuses on the business apps ON the device – App store, security added onto binaries either through SDK or wrapping
    13. Granularity
    14. BYOD Balancing Act: Standards, Security, Enablement, Privacy
    15. Balancing Act: Productivity
    16. Productivity vs time (chart: ideal vs. reality, from hired to fired; annotations: "Now what was my password again??", "Whoa, I can still login!", "Well I guess I can play Angry Birds until IT sets me up")
    17. GTD Requirements
       1. Initial GTD - Quickly get new employees up and running with the applications their role demands
       2. Ongoing GTD - Provide employees a single sign-on experience in day-to-day work
       3. Stop GTD - Reduce/remove permissions when necessary
    18. Balancing Act: Privacy
    19. Privacy: "the right to be let alone— the most comprehensive of rights and the right most" (Louis Dembitz Brandeis)
    20. Privacy: Granularity of IT control
    21. Partitioning for privacy
       1. Divide the phone in half – one side for business applications & data, another for personal
       2. IT's mandate is to manage & secure the apps & data on the business side
       3. IT has no mandate (nor, hopefully, desire)
    22. Balancing Act: Security
    24. It's the data
    25. Protecting the data
       1. Ensure that user/app can access only appropriate data – Authorization based on role
       2. Protect data in transit – SSL
       3. Protect data on device – PIN, Encryption
       4. Remove access to data when appropriate – Wipe stored data (or keys); Revoke access to fresh data
       (the slide labels these controls with IDM, MAM and MDM)
    26. MIM?
    27. Screen-capture policy at three granularities
       • MDM – No screen capture
       • MAM – No screen capture when in email app
       • MIM – No screen capture for this document
    28. Balancing Act: Standards
    29. Why standards?
       • Framework implies interplay between
         – Enterprise IdM
         – MAM architecture (MAM servers, MAM agent)
         – Applications (On-prem, SaaS)
    30. Enterprise Components (diagram: Enterprise, MAM server, Device with MAM agent and Browser, SaaS1, SaaS2)
    31. Standards
       • SCIM (System for Cross-Domain Identity Management) to provision identities as necessary to MAM and SaaS providers
       • SAML (Security Assertion Markup Language) to bridge enterprise identity to MAM and SaaS providers
       • OAuth to authorize MAM agents and SaaS native apps
    32. Enterprise Components with standards (diagram: SCIM from Enterprise to MAM, SaaS1 and SaaS2; SAML from Enterprise to MAM and SaaS; OAuth between the Device's MAM agent/Browser and MAM and SaaS)
    33. Bob pursuing other ventures (diagram: Enterprise sends SCIM (delete) to MAM, SaaS1 and SaaS2; MAM wipes the device; SaaS1 and SaaS2 wipe)
    34. Bob loses phone in cab (diagram: Enterprise sends SCIM (status=0) to MAM, SaaS1 and SaaS2; MAM sends LOCK=Y to the device)
    35. Application Providers (diagram: Enterprise with Authz; Device with native apps and a native agent; several Application Providers)
    36. Wrapping up
    37. Wrap-up diagram (Business and Personal sides of the device; MAM, Policy, Apps, Identity, Corp Identity, Tokens, REST)
    38. Thank you @paulmadsen
    39. Summary
       1. Divide device & leave employee personal data alone
       2. Provision apps via MAM based on employee identity & roles into employee side
       3. Provision tokens to those apps via IdM based on employee identity & roles
       4. Apps use tokens on API calls to corresponding Cloud
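The two lifecycle events on slides 33 and 34 (Bob leaves: SCIM delete and wipe; Bob loses his phone: SCIM status=0 and lock) and the token model in the summary, as an added simulation that is not part of the deck: the enterprise IdM fans one SCIM 2.0 request out to a MAM server and two SaaS providers, which are constructed in-memory stand-ins; the `Provider` class, the `run` helper and the `tok-1` token id are assumptions for illustration, while the PatchOp schema URN and the `active` attribute are standard SCIM 2.0.

```python
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # SCIM 2.0 PatchOp schema URN

def scim_deactivate(user_id):
    """SCIM 2.0 PATCH setting active=false: slide 34's 'status=0' (lost phone)."""
    return {"method": "PATCH", "path": f"/Users/{user_id}",
            "body": {"schemas": [PATCH_OP],
                     "Operations": [{"op": "replace", "path": "active", "value": False}]}}

def scim_delete(user_id):
    """SCIM 2.0 DELETE: slide 33, Bob has left the company."""
    return {"method": "DELETE", "path": f"/Users/{user_id}", "body": None}

class Provider:
    """Constructed stand-in for a MAM server or a SaaS provider receiving SCIM calls."""
    def __init__(self, name, kind):
        self.name, self.kind = name, kind
        self.users, self.tokens, self.devices = {}, {}, {}

    def provision(self, user_id, token="tok-1"):
        """Initial GTD: an account, an OAuth token and (MAM only) a managed business side."""
        self.users[user_id] = {"active": True}
        self.tokens[user_id] = {token}
        if self.kind == "mam":
            self.devices[user_id] = {"locked": False, "wiped": False}

    def apply(self, req):
        """Apply one SCIM request; returns the HTTP status a SCIM server would send."""
        user_id = req["path"].rsplit("/", 1)[1]
        if user_id not in self.users:
            return 404
        if req["method"] == "DELETE":            # Stop GTD, permanently
            del self.users[user_id]
            self.tokens.pop(user_id, None)       # no fresh data for existing tokens
            if self.kind == "mam":
                self.devices[user_id]["wiped"] = True   # wipe business apps/data only
            return 204
        for op in req["body"]["Operations"]:     # PATCH: Stop GTD, reversibly
            if op["op"] == "replace" and op["path"] == "active":
                self.users[user_id]["active"] = op["value"]
        if not self.users[user_id]["active"]:
            self.tokens[user_id].clear()         # revoke access to fresh data
            if self.kind == "mam":
                self.devices[user_id]["locked"] = True   # LOCK=Y sent to the device
        return 200

def run(event, user_id="bob"):
    """Fan one lifecycle event out from the enterprise IdM to MAM and two SaaS providers."""
    targets = [Provider("mam", "mam"), Provider("saas1", "saas"), Provider("saas2", "saas")]
    for p in targets:
        p.provision(user_id)
    req = scim_delete(user_id) if event == "left" else scim_deactivate(user_id)
    return {p.name: {"status": p.apply(req), "user": p.users.get(user_id),
                     "tokens": sorted(p.tokens.get(user_id, ())),
                     "device": p.devices.get(user_id)} for p in targets}
```

The difference between the two outcomes is the point of the slides: a lost phone leaves the account and device recoverable (locked, tokens revoked), whereas a departure deletes the identity and wipes only the business side.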