CIS13: Managing Mobility with Identity Standards
•
0 likes•379 views
Paul Madsen, Senior Technical Architect, Ping Identity Whether you manage the device (not a good idea), the applications on it or the business data those applications download and store—knowing who the employee is is fundamental. Let’s talk about how identity standards like SAML, SCIM, OAuth and OpenID Connect can work together to get your identities from where you keep them to where they're needed.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to CIS13: Managing Mobility with Identity Standards
Similar to CIS13: Managing Mobility with Identity Standards (20)
More from CloudIDSummit
More from CloudIDSummit (20)
Recently uploaded
Recently uploaded (20)
CIS13: Managing Mobility with Identity Standards
- 1. Disclaimer Chances of me being misguided or even outright wrong with following statements are higher than average (my average, not Ashish's). 1
- 2. BYOD is (merely) an ownership model, doesn’t significantly change the fundamentals. 2
- 3. no Is device choice constrained? enterprise Who owns device yes BYOD employee COPE CYOD mass resigna@ons of IT personnel
- 4. IT'S NOT ABOUT THE DEVICE
- 7. Premise • Depending on context, IT will impose differen@ated controls – Use camera – Take screenshot – Wifi – Email account to use • MDM, MAM, & MIM differ in the granularity of the context they account for
- 8. Contexts • Who is the user? – controls based on employee iden@ty & roles, e.g. IT admin vs Sales Director • What are they doing? – controls based on what applica@on the employee is using, eg viewing a spreadsheet • Why are they doing it? – controls based on whether the employee is ac@ng in a business or personal persona, eg viewing financial projec@ons vs hockey team stats • Where are they doing it? – controls based on geoloca@on, e.g. in office vs on business trip – controls based on device, e.g. on iPad vs Blackberry • When are they doing it? – controls based on @me etc, e.g. office hours vs weekend or last @me user signed in
- 9. MDM • In MDM, the context is the device, ie policy looks like – "If you are using this device, then you cannot use public wifi' • Coarse granularity implies that the enterprise imposed limita@ons will impact non business use of device
- 10. personal Device usage enterprise Device owner enterprise None of your business employee Your business
- 11. MAM • In MAM, the context is the applica@on being used, ie policy looks like – "If you are using the enterprise Box applica@on, you cannot store data on the device' • Medium granularity implies that there will need to be mul@ple versions of some applica@ons, those that the user wants for both personas
- 12. All apps Those that are MAM- enabled Those enabled to work with your preferred MAM Those your employees want to use Sweet spot
- 13. MIM • In MIM, the context is determined by the informa@on – enterprise data carries with itself the policy, ie looks like – "When viewing/edi@ng this spreadsheet, you cannot use the screenshot func@on' • A single applica@on could work with both personal & enterprise data (if MIM enabled)
- 15. 15 Pick any one
- 16. Privacy? the right to be let alone—the most comprehensive of rights and the right most valued by civilized men Louis Dembitz Brandeis
- 17. 17
- 18. Separa@on 18
- 19. Dual Persona in MDM Dual Persona in MAM Dual Persona in MIM
- 20. Dual persona is by defini@on an iden1ty concept. 20
- 21. 21
- 23. Extremely over simplified mobile security model 1. Ensure that user/app can access only appropriate apps/data 2. Protect data in transit 3. Protect data on device 4. When necessary, turn off access
- 24. Mechanisms? 1. Ensure that user/ app can access only appropriate apps/data 2. Protect data in transit 3. Protect data on device 4. When necessary, turn off access • Server-based access control as per groups/roles • Inter-app controls (eg Managed Open In etc) • Stop issuing tokens • Revoke any extant tokens • Wipe data (or keys) • Hardware level encryption • Application level encryption • SSL or VPN etc • Secure SDKs, custom URL schemes
- 25. EMM in a nutshell Business Applica@on Business Data EMM server endpoints Agent Configuration Credentials Policy Directives Business Data
- 26. Generic lifecycle 0. Provision accounts 1. Install app (OPT?) 2. Ini@al user authen@ca@on 3. Bind to Server 4. Download policy & addi@onal creden@als 5. Use creden@als to access applica@ons 6. Ongoing management SCIM SAML OAuth OIDC
- 27. Iden@ty standards & EMM 27 EMM Apps Apps Apps Directory SCIM SCIM SAML OpenID Connect OAuth
- 28. SCIM • Simple Cloud Iden@ty Management (or System Cross Domain Iden@ty Management) • RESTful protocol for user provisioning, ie create, read, updates, deletes • Emerged from large SaaS providers & ISVs • Under IETF standardiza@on 28
- 29. Iden@ty standards & EMM 29 EMM Apps Apps Apps Directory SCIM SCIM
- 30. SAML • Security Asser@on Markup Language • XMl-‐based framework for making security & iden@ty informa@on portable across domains • Architypical applica@on is for Web SSO • Default SSO protocol for B2B, SaaS • Google, Salesforce, WebEx, etc 30
- 31. OAuth • Open framework for authoriza@on & authen@ca@on for REST APIs • Emerged from consumer web, transi@oning into cloud & enterprise • Notable for its mobile op@miza@ons (rela@ve to precedents) • IETF standardized • Important plagorm for other standards, UMA etc 31
- 32. Iden@ty standards & EMM 32 EMM Apps Apps Apps Directory SAML OAuth
- 33. Enterprise EMM provider Browser EMM Agent 1 2 3 4 1) EMM Agent loads EMM provider authn page 2) EMM provider does SAML SSO to enterprise 3) After SAML SSO, EMM provider issues OAuth access token to agent 4) EMM Agent uses access token to pull policy etc down 5) EMM provider returns policies etc5 Leverage EMM provisioned creds
- 34. OpenID Connect • Profiles/extends OAuth for iden@ty use cases • Under standardiza@on in OIDF • Defines new – Id_token – standardized token format for iden@ty, enables Web SSO – UserInfo endpoint – standardized API for airibute sharing 34
- 35. Iden@ty standards & EMM 35 EMM Apps Apps Apps Directory OpenID Connect
- 36. Device Na@ve SSO? Browser Resource Server App client Resource Server App client EMM Agent EMM Server Authoriza@on Server 2 Policy & Tokens 1 3 API API 4
- 37. Wrapping up • Separa@on (whatever the mechanism & the UX) between work & personal usages promises balance of security, privacy, enablement etc • Dual persona is by its nature an iden@ty concept • Iden@ty standards have a role to play in enabling dual persona • Lets keep conversa@on going 37