Federated SSO: Merged SaaS and Mobile Management

In my last blog post, I wrote about how IT needs a new model: one that secures the proliferation of mobile devices, solves the password challenge, and lets IT regain some of the access control and visibility it enjoyed when everything was managed inside the firewall. The formula is to move away from passwords as the primary security mechanism for apps, and the easiest way to do that is through single sign-on (SSO).

Single sign-on presents a token that is ephemeral: it is valid for a single session, good for accessing a single application, and cannot be re-used. Federated single sign-on is a great way to minimize the transmission and use of passwords. Forcing people to use a single user identity is an important step toward ensuring they aren't sharing administrative access to systems, devices, or applications. Shared access still happens and is still very common, even amongst SaaS applications: often a partner portal or another supply chain application is issuing shared accounts to its downstream clients. There has to be a way to force people, even when they use a shared account, to identify as themselves when they go to access those accounts. We at Centrify are big proponents of single sign-on and of individual accountability.
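As an added illustration (not Centrify's code or token format), here is a minimal signed SSO assertion with the three properties just described: it expires, it is bound to one application through an audience claim, and it can be presented only once. The signing key, the claim names and the in-memory replay cache are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; a real identity provider signs with an asymmetric key.
SECRET = b"idp-signing-key-for-demo-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user, audience, ttl=300, now=None):
    """Issue a short-lived assertion for exactly one application (audience)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "exp": now + ttl,
              "jti": secrets.token_hex(8)}  # unique id makes the token single-use
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_token(token, expected_aud, seen_jti, now=None):
    """Return (ok, subject_or_reason). seen_jti is the relying app's replay cache."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"   # claims were altered in transit
    claims = json.loads(_unb64(body))
    if claims["aud"] != expected_aud:
        return False, "wrong audience"  # token is good for one application only
    if now > claims["exp"]:
        return False, "expired"         # ephemeral: bound to one session window
    if claims["jti"] in seen_jti:
        return False, "replayed"        # a presented token cannot be re-used
    seen_jti.add(claims["jti"])
    return True, claims["sub"]
```

The relying application, not the user, holds the replay cache, so a captured token buys an attacker nothing once the legitimate session has consumed it or the expiry has passed.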

At the same time, you need to secure the mobile device: join it to Active Directory, associate it with an end user, and apply policy to the device to ensure it isn't jailbroken, to set up the PIN code policy, and to ensure the device itself has a good security posture. You also need to set up the Wi-Fi, VPN and Exchange configuration and put a PKI certificate on the device so that it can be used as an identifying factor for the user, which gives them a zero sign-on experience without entering any username or password, even against Active Directory. When users access their SaaS applications from a web client, or from a rich mobile client that includes the SDK, they get zero sign-on there as well. Once you do that, you have a mobile device that you can trust, that you know is associated with the end user, and that you can use as an identifying factor for that user.

In fact, you can go beyond that and add additional factors of authentication (I'll write about this in my next blog post), such as sending a one-time passcode to the user or interacting with the user through a voice phone call. You can now use the device both as a factor for identification and as context for the user, so that you can decide whether or not they get access to the application based on their location, the trustworthiness of their device, the time of day, attributes of the user, and/or the application or device. That is a much stronger way to solve the problem than simply allowing any client to access any SaaS application just because it knows a username and password. And you do all of this through a common dashboard and set of tools: the proverbial single pane of glass.

This formula, in which SaaS management and mobile management each help solve the other's problem, is what we refer to as the Centrify User Suite, which uniquely unifies SaaS management and mobile management.

Centrify User Suite: Merged SaaS and Mobile Management

So at a minimum, when you bring together SaaS management and mobile management, you get a great value proposition and an unparalleled set of synergistic features that help solve the challenges related to passwords as well as the challenges related to mobile device management, both of which I'll write about in my next blog post.

Until then, what do you think?