MOBILITY TRANSFORMING THE MOBILE DEVICE FROM A SECURITY LIABILITY INTO A BUSINESS ASSET E-BOOK


MOBILITY E-BOOK

TABLE OF CONTENTS

INTRODUCTION 04
THREE TECHNOLOGIES THAT SECURELY UNLEASH MOBILE AND BYOD 06
THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD 07
THE CRITICAL ROLE OF STANDARDS FOR A SECURE BYOD ARCHITECTURE 12
SUMMARY 14

MOBILITY IS A BUSINESS

INTRODUCTION

Using personally owned mobile devices for work is a fast-moving trend. IDC estimates that 55 percent of all phones used in business will be employee-owned by 2015, with other thought leaders stating that 81 percent of employees today use their mobile devices for work. Consistent with these statistics, it’s estimated that by 2017, two in three organizations will adopt a bring your own device (BYOD) policy.

These trends are no surprise. Organizations realize that a highly mobile employee is likely to be highly productive. There’s a tangible value in allowing employees to get work done during their commutes.

However popular, the BYOD trend is not all roses. The inherent nature of employee-owned devices used within the workplace is a legitimate concern for IT. Where IT can implement tight control over company-owned devices, it cannot do so with those that are employee-owned. Furthermore, employees demand ease and convenience. If they experience IT interfering with their ability to get work done, they will seek work-around options. For every functionality denied by IT, there’s a ‘shadow IT’ third-party application that employees can sign up for with a credit card—and subsequently expense. This is why it’s critical to find a way to support employee-owned devices with methods that secure organizational data and transactions without inhibiting getting work done.

[Callout: 81% of employees use their mobile devices for work; two in three organizations will adopt a BYOD policy by 2017.]

THREE TECHNOLOGIES THAT SECURELY UNLEASH MOBILE AND BYOD

To support employee-owned devices, you must secure sensitive business data accessed and stored on mobile devices while enabling employees to easily do their job. An architecture capable of supporting mobile must therefore provide:

• Application and data security—protecting the sensitive business information accessed by and stored on mobile devices.

• User enablement—ensuring that employees can perform the duties of their role when and where they wish to, fundamentally allowing them to get things done.

By utilizing the following three technology pillars, you can provide application and data security as well as support user enablement.

• Mobile-based authentication—leveraging the capabilities of smartphones to provide secure and easy sign-on.

• SSO across web and native applications—giving employees a seamless user experience for both web and native mobile applications.

• Application Programming Interfaces (APIs)—granting access for business data only to authorized applications and users.

[Figure: Three technologies that securely unleash mobile and BYOD: APIs, Single Sign-on, Mobile-based Authentication.]

THREE TECHNOLOGY PILLARS THAT SUPPORT MOBILE AND BYOD

MOBILE-BASED AUTHENTICATION

There’s a trend moving away from authentication schemes relying on ‘what you know’, such as a password, to ‘what you have’, such as a key fob or fingerprint. With passwords being such a major culprit in hacking schemes, ‘what you have’ authentication factors are fast becoming much more relevant.

Due to their features, smartphones can provide a useful ‘what you have’ authentication factor. They can be used for second-factor authentication, or can replace ‘what you know’ factors (passwords) completely as a single-factor authentication device.

WHAT MAKES SMARTPHONES GREAT FOR AUTHENTICATION

Effectively, a smartphone is a powerful portable computer that can enable robust authentication models by leveraging the following features:

• Connected. Mobile phones are on the network and can therefore respond to many different prompts or challenges.

• Computative. Modern phones have computational and storage abilities, so they can support cryptographic operations.

• Storage. Smartphones allow the storage of identifiers, secrets and credentials used in authentication schemes.

• User Interface (UI). Smartphones have a user interface that can be used to involve the owner in authentication factors when relevant, such as entering a local PIN, swiping the screen or, in the future, using their fingerprint.

• Inexpensive. Compared to tokens or other authentication devices, smartphones are much more cost effective and easily remembered by their owners.

USING MOBILE PHONES FOR AUTHENTICATION

Different mobile-based authentication schemes leverage features in different combinations. For instance, PingID™ is a mobile-based authentication scheme that authenticates users by sending a challenge to an application installed on the user’s previously registered device through Google Cloud Messaging for Android™ or Apple® Push Notification Services. Upon receipt, the user simply swipes their screen to answer the challenge.

Utilizing a smartphone for authentication is more dynamic, cheaper and lower-maintenance than key fobs.
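As an added illustration (not PingID’s or Ping Identity’s code), the following Python sketch shows the shape of a push-challenge exchange like the one described above: the server issues a one-time nonce to the registered device, the device app answers it with a keyed hash over a secret stored at enrollment, and the server accepts the answer only once and only within a short window. The push transport, the device identifier, the shared-secret scheme and the 60-second window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # assumed: seconds a pushed challenge stays answerable

# Constructed sample secret provisioned to one device at enrollment (demo value only).
SAMPLE_SECRET = bytes(range(32))


class AuthServer:
    """Server side of an assumed push-challenge scheme (not PingID's actual protocol)."""

    def __init__(self):
        self.device_secrets = {}  # device_id -> secret shared at enrollment
        self.pending = {}         # challenge_id -> (device_id, nonce, issued_at)

    def register_device(self, device_id, secret):
        self.device_secrets[device_id] = secret

    def issue_challenge(self, device_id, now=None):
        """Create a fresh one-time nonce; the returned dict is what gets pushed to the app."""
        if device_id not in self.device_secrets:
            raise KeyError("device not registered")
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(32)
        self.pending[challenge_id] = (device_id, nonce, time.time() if now is None else now)
        return {"challenge_id": challenge_id, "nonce": nonce}

    def verify_response(self, challenge_id, tag, now=None):
        """Accept the device's answer only if it is unused, still fresh and authentic."""
        entry = self.pending.pop(challenge_id, None)  # pop first: each challenge is single-use
        if entry is None:
            return False
        device_id, nonce, issued_at = entry
        current = time.time() if now is None else now
        if current - issued_at > CHALLENGE_TTL:
            return False  # stale push, e.g. a late or replayed answer
        expected = hmac.new(self.device_secrets[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def device_answer(secret, push):
    """Device side: computed by the app when the user swipes to approve the prompt."""
    return hmac.new(secret, push["nonce"], hashlib.sha256).digest()
```

The secret never leaves the device; only the nonce goes out and only the keyed hash comes back, which is what makes the phone a ‘what you have’ factor rather than a password carrier.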

SINGLE SIGN-ON (SSO)

Nothing slows down and frustrates employees more than having to call the help desk to get a password reset. With SSO, you can maximize productivity by minimizing the number of explicit credentials (passwords) needed to access applications. SSO improves security for the enterprise as well as significantly improving the productivity and overall work enjoyment of employees. So, how does this tie in to BYOD and mobile phones?

Mobile SSO enables users to sign on once to a secure SSO application on their mobile device and have instant access to all of their enterprise applications.

Another reason for SSO for mobile devices is that user credentials are typically stored on the device itself. Therefore, when a device is stolen, the credentials stored on it are stolen. With 27 percent of adults experiencing a lost or stolen device, it’s crucial to keep corporate credentials off of devices. With SSO and mobile-based authentication, sign-on credentials are not stored on the device, and authentication and authorization are done via standardized mechanisms (standards). (See the standards section for detailed information on their role in SSO.)

SSO solutions, such as PingOne®, provide standards-based SSO for mobile.

[Callout: When a device is stolen, the credentials stored on it are stolen. That’s a problem when 27% of adults’ mobile devices have been lost or stolen. This can be avoided with SSO.]

APPLICATION PROGRAMMING INTERFACES (API)

The primary way that native mobile applications gain access to corporate data is through application programming interfaces (APIs). By securing APIs, you can be confident that the user is allowed access to the application data, no matter where they are or what application or device they’re using.

Securing APIs using a standards-based approach is critical to scalability and development productivity. Many organizations build authentication into each mobile application, which creates significant overhead for developers and generally isn’t as secure.

The best practice for mobile security is to utilize the standardized OAuth 2.0 protocol, which uses access tokens on API calls. By validating the token, the API is able to determine which employee is requesting access to the native application, and then determine authorization based on that employee’s access rights. (See the standards section for more information on their role in API security.)
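Added illustration, not Ping Identity’s, PingAccess’s or PingFederate’s code: a minimal resource-server check of an OAuth 2.0 bearer access token, here an HS256-signed JWT. The API verifies the signature, expiry and audience, reads the employee identity from the sub claim, then decides authorization from the token’s scopes. The shared signing key, audience value, claim names and scope strings are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: in practice the key belongs to the authorization server, and an
# API verifies with its public key or via token introspection rather than a shared secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
API_AUDIENCE = "https://api.example.internal/payroll"  # assumed audience identifier


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims):
    """Stand-in for the authorization server: issues an HS256-signed JWT access token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token, now):
    """API side: return the verified claims, or None if the token must be rejected."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm the API did not expect
        expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # tampered or forged token
        claims = json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):  # malformed structure, base64 or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("aud") != API_AUDIENCE:
        return None  # token was issued for a different API
    return claims


def authorize(token, required_scope, now):
    """Decide one API call: (allowed, employee) from the token's identity and scopes."""
    claims = validate_token(token, now)
    if claims is None:
        return (False, None)
    granted = set(claims.get("scope", "").split())
    return (required_scope in granted, claims.get("sub"))
```

Because identity and scopes come from the verified token, the same check protects every native app calling the API without each app carrying its own authentication code.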

Modern access management solutions, like PingAccess® and PingFederate®, provide both web and API access management with both proxy- and agent-based implementation options.

THE CRITICAL ROLE OF STANDARDS FOR A SECURE BYOD ARCHITECTURE

Standards are the critical role-players in mobile security (and identity security). They support mobile-based authentication, SSO from any device and any location and simple API authorization by enabling secure, encrypted authentication, authorization and access across web and mobile platforms.

Support of standards brings security to any device, browser or client that is accessing information from applications. Additionally, support reduces the integration efforts between multiple organizations when sharing applications or information.

Standards, such as SAML, OAuth 2.0, OpenID Connect, and standard models such as FIDO and NAPPS, have been and are independently reviewed and developed by leading security professionals to provide the strongest levels of security. All Ping Identity products and solutions are built on standards.

Security Assertion Markup Language (SAML) is the standard that powers web SSO and allows businesses to safely share identity information across domains for authentication and authorization.

OAuth 2.0 is the industry standard for controlling access to APIs using secure access tokens instead of usernames and passwords.

OpenID® Connect (Connect) is a new standard that provides a best-of-breed approach to both web SSO and API access, building on SAML and OAuth.

The FIDO™ (Fast Identity Online) Alliance is defining an alternative mobile-based authentication model—one that can leverage the emerging biometric capabilities of devices.

The OpenID Foundation’s Native Applications (NAPPS) working group is defining an architecture that will enable the SSO experience across native applications and, critically, for mobile web apps as well.

SUMMARY

Leading organizations are embracing the mobile and BYOD phenomenon and intelligently securing corporate data and applications while empowering their mobile employees to be more productive than ever. The pillars below have been found to be critical success factors to getting the most out of your mobile initiatives:

• Mobile-based authentication—leveraging the capabilities of smartphones to provide secure and easy sign-on, such as provided by PingID.

• SSO across web and native applications—giving employees a seamless user experience for both web and native mobile applications, such as provided by PingOne.

• Application Programming Interfaces (APIs)—granting access for business data only to authorized applications and users, such as provided by PingAccess and PingFederate.

Using these standards-based technology pillars, you can unlock the potential of BYOD. Visit pingidentity.com to find out more about how Ping Identity solutions can help you transform mobile into a business asset.

Ping Identity is the leader in Identity Defined Security for the borderless enterprise, allowing employees, customers and partners access to the applications they need. Protecting over one billion identities worldwide, the company ensures the right people access the right things, securely and seamlessly. More than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens, trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com.

Copyright ©2016 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingAccess, PingID, their respective product marks, the Ping Identity trademark logo, and IDENTIFY are trademarks, or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies. 7/16 | 3053