Q&A: Addressing BYOD with Identity-Based Security
Bring-your-own-device policies can give security administrators fits. If only identity information could be used to enforce policies about authentication, access control, audit, and data loss protection. Now it can. To learn about identity-based security, we spoke with Darren Platt, CTO of Symplified, which offers a scalable identity and access management solution.
Enterprise Strategies: How has IT been coping with the bring-your-own-device (BYOD) trend?
Darren Platt: Different organizations are taking very different approaches to BYOD security -- generally depending on the level of security and assurance required by their business functions. For example, organizations that conduct high-value financial transactions often have more stringent policies about whether specific applications can be accessed from an employee's personal device -- whether it’s a mobile device or a PC -- than an organization that is simply using Web technology for collaboration.
One of the ways IT organizations are mitigating the risk associated with BYOD is by deploying an application security capability that allows them to enforce policies that dictate which specific applications are allowed to be accessed via personal/mobile devices. For example, they can allow employees to access a publicly available Web application while they are at work but prevent employees from accessing that same application from their mobile device.
Another method used to mitigate the BYOD risk is enforcing policies that require a second factor of authentication -- or strong authentication -- when a user attempts to access a sensitive application from a mobile device.
What are the major risks for enterprises (and IT specifically) with BYOD?
One of the biggest BYOD risks is "successive compromise," where a mobile device breach is used as a launching point for deeper attacks into the enterprise. For example, if an attacker were to compromise an end user's mobile device and unlock it, he would likely find credentials for services that user interacts with. Using these credentials, the attacker would be able to penetrate further into the network, rinse, and repeat.
What is identity-based security for mobile devices? How is it similar to, and different from, existing mobile security approaches?
When identity information is combined with and used to enforce policies for authentication, access control, audit, and data loss protection, these security capabilities become more powerful -- enabling greater business agility.
For example, consider an organization that tries to enforce access control policies on mobile devices without using identity information. In this scenario, they could only base policy enforcement decisions on whether a user is logging in from a given network or is using a certain type of device.
Now, consider how much more effective and granular security becomes when it’s possible to enforce a policy that says: "If the user is a member of the marketing department, based in the New York office, and logging in from somewhere in North America, grant them access to salesforce.com on their mobile device." This is identity-based security.
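The three policies described in this interview (the work-only Web application, step-up authentication for a sensitive application on a mobile device, and the marketing/New York/North America rule for salesforce.com) can be expressed as one ordered rule set evaluated against identity and context attributes. The following is an added illustration, not Symplified's code; the app names "payroll" and "wiki", the attribute names, and the choice to let a PC on the corporate network reach a sensitive app without a second factor are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # group memberships from the identity repository
    office: str                # home office recorded in the directory
    region: str                # geolocation of the source IP, e.g. "NA" for North America
    device: str                # "mobile" or "pc"
    on_corp_network: bool
    app: str
    second_factor: bool = False   # True once the user has completed MFA this session


SENSITIVE_APPS = {"payroll"}      # constructed sample app name (assumption)

# Ordered policy: the first rule whose predicate matches decides; no match means deny.
RULES = [
    # Identity-based rule from the interview: marketing, New York office,
    # logging in from North America -> salesforce.com allowed on a mobile device.
    ("salesforce-marketing-ny",
     lambda r: r.app == "salesforce.com" and "marketing" in r.groups
     and r.office == "New York" and r.region == "NA", "allow"),
    # Step-up authentication: a sensitive app from a mobile device needs a second factor.
    ("sensitive-mobile-needs-mfa",
     lambda r: r.app in SENSITIVE_APPS and r.device == "mobile"
     and not r.second_factor, "require_mfa"),
    # Assumption: MFA, or a PC on the corporate network, satisfies the sensitive-app policy.
    ("sensitive-authenticated",
     lambda r: r.app in SENSITIVE_APPS
     and (r.second_factor or (r.device == "pc" and r.on_corp_network)), "allow"),
    # Context-only rule: the collaboration wiki is reachable at work, not from a mobile device.
    ("wiki-at-work-only",
     lambda r: r.app == "wiki" and r.on_corp_network and r.device == "pc", "allow"),
]

AUDIT = []   # one record per decision: the audit trail the interview lists as a capability


def decide(req: AccessRequest) -> str:
    """Return "allow", "deny" or "require_mfa" for the request and record the decision."""
    for name, predicate, effect in RULES:
        if predicate(req):
            break
    else:
        name, effect = "default-deny", "deny"
    AUDIT.append((req.user, req.app, req.device, name, effect))
    return effect
```

Changing only the region or the group membership flips the salesforce.com decision, which is exactly what a network- or device-only policy cannot express.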
What are the advantages of an identity-based approach?
In many ways, identity-based security is about extending traditional enterprise security capabilities found on legacy platforms to mobile devices. For a long time, we've had the ability to centrally enforce policies that control which network resources can be accessed from specified endpoints (terminals or workstations). What we're seeing now is a huge expansion of the number of endpoints on the network -- such as personal/mobile devices -- that need to come under the same access management umbrella.
IT has been frustrated by the variety of mobile devices. Does identity-based security work across multiple devices seamlessly?
Yes. A big part of identity-based security is that it is agnostic to the underlying hardware device. It can be used to enforce access control policy across a variety of access points -- including smartphones, tablets, and PCs.
How does Symplified address BYOD security?
Symplified provides all of the functionality necessary to control and audit access to cloud and Web resources on any mobile device, including BYOD. Symplified uses a proven proxy architecture that works without agents or custom code. There is no software to install and manage on the mobile device. BYOD users tap and click a URL and enter their username/password to access the applications and data that they are allowed to use. Companies select applications they want to secure from the Symplified Trust Fabric App Store, set up security policies, and link to the user identity repositories they want to use for enforcing rules. Symplified’s identity-based architecture delivers the right applications to the right users on any computing device, including BYOD -- with centralized management and auditing.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).