The Merger of Identity and Mobile Device Management

At Centrify we believe the converging forces of cloud and mobile are beginning to merge the identity and access management (“IAM”) market with the mobile device management (“MDM”) market. Whether they become a single market or continue to be treated as distinct ones, the fact is that there is a growing intersection between the two: the winning solutions in identity will be mobile-centric, and the emerging winners in MDM will become identity-centric. In this blog post I am going to discuss what’s causing these markets to converge and why I think Centrify is on the forefront of this convergence.

But first let’s level set and get definitions of IAM and MDM. According to Gartner, which now has a handy online glossary for IT terms, IAM is defined as

“the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.”

MDM, meanwhile, is defined as providing the following functions:

“software distribution, policy management, inventory management, security management and service management for smartphones and media tablets.”

So why do I think there is a growing intersection between IAM and MDM? I see a number of factors.

#1 Mobile devices are increasingly becoming the de facto client for users’ access. This is true not only for enterprise applications but for consumer apps as well: when Facebook went public, Mark Zuckerberg said his company’s number one priority is its mobile app. So in an enterprise setting, if IAM is about making sure the right people have access to the right resources, and mobile devices are where people are doing the accessing from, then from a compliance and security perspective it is necessary to ensure that the underlying device is also secure (e.g. requires a PIN, is not jailbroken, can be remotely wiped if lost, etc.) and is being used by the right person; i.e., the device needs to be trusted just as the user needs to be trusted. [It is interesting to note that in the PC era Microsoft created Active Directory to manage both users and computers, as Microsoft knew that both PCs and users need to be trusted and authenticated for higher security.] Whether the IAM solution provides the MDM capabilities to trust the user’s device or tightly integrates with an MDM solution to get that capability, the fact is that there increasingly need to be assurances that the user and their device are both trusted.

#2 Given the problem we have with passwords, mobile devices are also becoming the de facto “something you have” for multi-factor authentication (“MFA”). A password is “something you know,” but it can be lost or stolen, and that risk grows with the number of apps a user has access to. Therefore customers are increasingly looking for another factor, such as “something you have,” to ensure that it truly is the right person accessing the right resource. This is known as multi-factor authentication, a key and very large segment of the IAM market. We are seeing the traditional tokens, fobs and smartcards that users carry being replaced by mobile devices. This means that increasingly either the mobile device receives the additional “unlock” code for an app (it acts as the token) or the mobile device becomes the equivalent of a smartcard, with a PKI certificate issued to it. Mobile certificate management is in fact a key capability of MDM per Gartner, and ironically, certificate services have historically been integrated into identity platforms such as Active Directory. So expect more overlap between MDM and IAM given multi-factor authentication requirements.

#3 Location is now part of the new definition of identity. It may appear to be the right person accessing a resource, but increasingly enterprises want to block access if it is coming from the wrong geographic location (hence I suggest Gartner update its IAM definition to include “from the right location”). MDM vendors are adding “geo-fencing” policies to their capabilities, and again this type of capability needs to be either part of IAM or integrated with it.

#4 Provisioning a user’s access to a cloud service also requires provisioning the rich mobile app for that cloud service to the user’s device. Increasingly, end users are demanding rich mobile apps as the means to access key resources, which themselves are increasingly cloud services. As Mark Zuckerberg said, building Facebook’s mobile app on HTML5, which was slow and clunky, was “the biggest strategic mistake we’ve ever made.” An MDM solution that simply pushes a mobile app to a user is not enough, as you also need to provision the user for the corresponding backend cloud service. Similarly, an IAM solution that only provisions a user in the cloud service but ignores giving the user the corresponding app on their device is also a half solution for end users, who will expect both to happen simultaneously.
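To make the first three factors concrete, here is an added example (not Centrify’s code, and not drawn from any product on this page) of a single access decision that combines identity signals (password and an MFA factor confirmed on the user’s device), device posture (PIN lock, jailbreak status, enrolment certificate, lost/wiped flag) and request location against a per-resource policy. The resource names, policy table, data classes and sample requests are all hypothetical and constructed for illustration.

```python
"""Added illustrative example: one access decision that treats the user and
the device as two principals that must both be trusted, and adds location.
All names, policy values and sample requests are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DevicePosture:
    """Device facts an MDM agent would report (hypothetical schema)."""
    device_id: str
    pin_required: bool        # screen-lock PIN enforced on the device
    jailbroken: bool          # jailbreak/root detected
    has_device_cert: bool     # enrolled ("domain joined") with a PKI certificate
    lost_or_wiped: bool = False   # reported lost, or a remote wipe was issued


@dataclass
class AccessRequest:
    """Identity signals plus the device and location the request came from."""
    user: str
    resource: str
    password_ok: bool         # "something you know" verified
    mfa_ok: bool              # "something you have" confirmed via the device
    device: DevicePosture
    country: str              # country code derived from the request origin


# Hypothetical per-resource policy: whether MFA is mandatory and a geo-fence.
POLICY: Dict[str, dict] = {
    "box.net": {"require_mfa": True, "allowed_countries": {"US", "CA"}},
    "intranet-wiki": {"require_mfa": False, "allowed_countries": {"US"}},
}


def evaluate_access(req: AccessRequest, policy: Dict[str, dict] = POLICY) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check runs so a denial lists all failures,
    which is what an administrator wants to see in the audit log."""
    rule = policy.get(req.resource)
    if rule is None:
        return False, [f"unknown resource {req.resource!r}"]
    reasons: List[str] = []

    # Identity: the user must be authenticated, with MFA where the resource requires it.
    if not req.password_ok:
        reasons.append("password verification failed")
    if rule["require_mfa"] and not req.mfa_ok:
        reasons.append("MFA required but not satisfied")

    # Device: must be enrolled and in a secure state before it is trusted.
    d = req.device
    if not d.has_device_cert:
        reasons.append(f"device {d.device_id} is not enrolled (no device certificate)")
    if not d.pin_required:
        reasons.append(f"device {d.device_id} has no PIN lock enforced")
    if d.jailbroken:
        reasons.append(f"device {d.device_id} is jailbroken")
    if d.lost_or_wiped:
        reasons.append(f"device {d.device_id} was reported lost or wiped")

    # Location: the "from the right location" check.
    if req.country not in rule["allowed_countries"]:
        reasons.append(f"request origin {req.country} is outside the geo-fence")

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample requests: one healthy, one failing on several fronts.
    trusted = DevicePosture("dev-1", pin_required=True, jailbroken=False, has_device_cert=True)
    risky = DevicePosture("dev-2", pin_required=False, jailbroken=True, has_device_cert=False)
    for req in (
        AccessRequest("alice", "box.net", True, True, trusted, "US"),
        AccessRequest("bob", "box.net", True, False, risky, "RU"),
    ):
        allowed, why = evaluate_access(req)
        print(req.user, "->", "ALLOW" if allowed else "DENY", why)
```

Because every check runs instead of short-circuiting on the first failure, the denial reasons double as the audit record for why a user or device fell out of compliance, and the same evaluation covers the case where the identity is fine but the device or location is not.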

I think Centrify is on the forefront of this increasing intersection between mobility and identity. Let me give you a few examples.

  • Much like Active Directory provides both user authentication and computer authentication, Centrify extends AD by allowing mobile devices to “domain join” and become trusted via a PKI certificate. In addition, our solution lets IT apply mobile device-specific group policies to ensure the underlying device is secure (e.g. ensure that a PIN is required to unlock the phone, etc.) and allows IT to remotely wipe a lost or stolen device. We can do this while at the same time enabling “zero sign-on” authentication from the mobile device to cloud-based services. Below are screenshots showing the policies applied on my cell phone and our rich mobile app that allows for secure zero sign-on to my SaaS and other apps.

Mobile Group Policies and Mobile App

  • Centrify also integrates location services into our solution. For example, from the MyCentrify portal I can self-service locate my device. And if I lost my phone I could self-service wipe or lock it. Pretty cool huh!

Locate a device with the MyCentrify Portal

  • Finally, with Centrify for SaaS not only can IT set up roles to control who can access which SaaS apps, but it can also specify which mobile apps are associated with a given role. Setting up a user for Box.net means not only that they will see Box.net in their MyCentrify portal as shown below (to get SaaS SSO) …

Apps in the MyCentrify Portal

… but also that the Box.net mobile app is set up and ready on their mobile device, as shown below.

Box.net on Mobile Device

That’s way cool as well!

Hopefully this blog post gives you a feel for how Centrify is on the forefront of this growing intersection and merger of capabilities across identity and mobility.