A Case for Securing BYOD by Extending Identity Management

September 15, 2014

BYOD Challenges

Mobile device adoption has exploded, and organizations are scrambling to implement bring-your-own-device (BYOD) policies in order to maintain company security. The sheer number of devices employees can use, and the ways in which they use them daily, have left IT and security organizations with little choice but to let workers access enterprise resources from those devices, subject to appropriate controls and risk measures.

The diagram below explains the challenges for both users and enterprises in today’s fast-changing technology landscape:

The challenges listed below further explain organizations’ reluctance to increase the adoption of BYOD and allow necessary access to enterprise resources for employees through various mobile devices:

1. Complexity and difficulty of managing the right mobile applications according to the role-based access granted

Organizations are deploying cloud-based enterprise marketplaces to provide mobile-device users with access to enterprise applications. Accessibility is subject to the control requirements of the corporate policies as well as the role-based access control (RBAC) framework. It is difficult and time-consuming for an administrator to first decide which applications will be approved, and then manage the corporate access policy, RBAC, permissions/approvals, etc. associated with each application. It is also necessary to reflect changes in user roles in previously installed enterprise apps, and to wipe the apps and access of users who are terminated or leave the company.

2. Complexity and difficulty of finding the required mobile applications to match device OS versions, variants and device models

Organizations are building multiplatform mobile enterprise applications, enabling access to enterprise data by connecting to business services and back-end IT systems. These multiplatform mobile applications are made available to employees, contractors, business partners and customers through an enterprise marketplace, similar to Google Play and Apple’s App Store. The enterprise marketplace hosts multiple versions of these applications to match the device, platform, version, etc. This has increased complexity for mobile users, who must pick the correct application version for their device.

3. Chances of installing fake third-party applications with a similar look, name and feel

While BYOD has improved ease of use and contributed heavily to the consumerization of IT, it has also increased the complexity — and the risk of downloading and running — malicious or fake mobile applications.

The mobile application market is growing rapidly, and millions of mobile applications are available free via Google Play and the App Store. Given that many of these applications (e.g., PDF readers) are made available by third-party vendors and run by enterprise users, it becomes challenging for users to pick the genuine app. This has increased the chances of users installing a rogue application on their mobile devices and thereby compromising their security.

4. Frequent change in mobile devices, causing delay and complexity in setting up the enterprise application workspace

There is a vast number of devices available to mobile users, and the life span of these devices is much shorter than that of a laptop or desktop. Just as users settle on one device model, a more attractive and feature-rich model becomes available. The initial setup and migration of these applications from one device to another has become challenging and time-consuming. For enterprise users, it adds to the challenge of setting up the mobile workspace with the right set of applications. Organizations need options to overcome these challenges and make their employees productive by reducing the initial effort of setup.

How Can Enterprises Overcome These Challenges?

Traditionally, identity management (IdM) solutions are capable of managing user access to enterprise applications. IdM solutions with embedded RBAC capabilities further automate access changes to these applications with the user role changes in the human resource management system (HRMS).

However, with the advent of BYOD, users started using native client applications on their mobile device, and IdM capabilities have not been extended to these applications.

Mobile device management (MDM) tools, however, do have these capabilities. Many MDM solutions can also recommend and/or distribute mobile applications compatible with users’ various devices. Without user roles, though, MDM tools cannot distribute the correct applications necessary to carry out enterprise duties efficiently with anytime, anywhere access.

The approach discussed here leverages the combined capabilities of IdM and MDM tools to automate the distribution of applications to users’ mobile devices as per their role and preferred device. This approach extends the RBAC capability of the IdM tool and the application distribution capability of the MDM tool to overcome the challenges discussed previously. The overall solution can include a provision to address changes in user roles in the events of a promotion, transfer, etc.

In a nutshell, there are two parts of the overall solution: first, to provision the user role of the IdM tool to the MDM tool; and second, to distribute the matching applications from the MDM tool to the user’s mobile device.

The diagram below further illustrates the overall flow of the IdM and MDM solutions:

  1. HR changes the user role in the HRMS or IdM solution because of a user promotion, transfer, etc.
  2. The HRMS communicates the user role feed to the IdM tool.
  3. The IdM tool provisions the user role to the MDM tool.
  4. The MDM tool uses its enterprise marketplace to push/notify user devices with the matching applications.

With the integration of the IdM and MDM tools, the organization can:

  • Auto-provision the mobile apps based on user role
  • Auto-remove the mobile apps upon change in user role
  • Auto-remove the mobile apps upon user departure/termination
  • Auto-provision the application compatible with device, OS, version, etc.
  • Auto-provision the correct version of a third-party app approved for an assigned role
  • Auto-provision genuine third-party applications in place of similar fake applications posted by blacklisted vendors
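The four-step IdM-to-MDM flow above and the auto-provision/auto-remove behaviours in this list, as an added Python example that is not part of the original article and does not use any real IdM or MDM product's API: the app catalog, approved-vendor list, role names and device values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    platform: str      # "android" or "ios", as reported by the MDM agent
    os_version: int    # major OS version reported by the MDM agent

@dataclass
class App:
    name: str
    vendor: str
    roles: frozenset   # roles approved for this app (the RBAC policy held by the IdM)
    builds: dict       # platform -> {min_os: version}, the builds the enterprise marketplace hosts

# Constructed data: vendor allowlist plus a catalog standing in for the MDM enterprise marketplace.
# "pdf-reader-free" is a look-alike from a vendor that is not approved and must never be pushed.
APPROVED_VENDORS = {"acme-corp", "trusted-pdf"}
CATALOG = [
    App("expense-approver", "acme-corp", frozenset({"manager"}), {"android": {4: "2.1", 5: "2.3"}, "ios": {7: "2.0"}}),
    App("timesheet", "acme-corp", frozenset({"engineer", "manager"}), {"android": {4: "1.4"}, "ios": {7: "1.4"}}),
    App("pdf-reader", "trusted-pdf", frozenset({"engineer", "manager"}), {"android": {4: "3.0"}}),
    App("pdf-reader-free", "lookalike-ltd", frozenset({"engineer", "manager"}), {"android": {4: "1.0"}}),
]

def pick_build(app, device):
    """Newest hosted build of this app whose minimum OS the device meets, or None if no build fits."""
    builds = app.builds.get(device.platform, {})
    eligible = [min_os for min_os in builds if min_os <= device.os_version]
    return builds[max(eligible)] if eligible else None

def desired_apps(role, device):
    """Steps 2-3: the IdM role decides which apps, the device decides which build.
    A departed or terminated user (role None) gets an empty workspace."""
    wanted = {}
    if role is None:
        return wanted
    for app in CATALOG:
        if app.vendor not in APPROVED_VENDORS or role not in app.roles:
            continue
        version = pick_build(app, device)
        if version is not None:
            wanted[app.name] = version
    return wanted

def reconcile(installed, desired):
    """Step 4: diff what the device has against what the role allows; returns (push, remove)."""
    to_install = {name: ver for name, ver in desired.items() if installed.get(name) != ver}
    to_remove = sorted(name for name in installed if name not in desired)
    return to_install, to_remove

def on_role_change(installed, new_role, device):
    """One HRMS role-feed event (promotion, transfer, termination) carried through to the device."""
    return reconcile(installed, desired_apps(new_role, device))
```

Running the same event through `on_role_change` for a promotion and then for a termination shows the push list shrink to the newly allowed apps and the remove list grow to the whole workspace.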

By implementing this approach, enterprises can:

  • Extend the benefits of the RBAC framework to mobile devices
  • Avoid the risk of downloading rogue/malicious applications
  • Increase user productivity by automating provisioning of the mobile workspace
  • Avoid the risk of redundant mobile applications installed on users’ mobile devices from previous roles

Conclusion

With the advent of BYOD, organizations are left with no choice but to enable and empower their employees with secure and convenient access to enterprise resources. Enterprises are flooded with mobile applications, and it is increasingly important for BYOD users to have the necessary applications available to perform their duties effectively. It is a must for organizations to extend RBAC solutions to mobile devices to keep the enterprise safe and secure.

Users are keen to explore emerging mobile technology even before they fully learn the finer points of the device in question. Having said this, it becomes extremely important to enable users with an on-demand virtual workspace that keeps the enterprise experience the same, irrespective of the device they use to access enterprise applications.

Mahendra Chopra
Senior Security Architect

As a senior security architect at the CIO Innovations lab, IBM, Mahendra is helping with advanced security solutions to address the challenges emerging from BYO...