I think most of us have heard the expression “Internet of Things” (IoT). To me that expression represents a world of an increasing number of smart devices (i.e. “Things”) talking to an increasing number of cloud-based (i.e. “Internet”) resources and services, and in the middle of this interconnected world are users who are leveraging some of these devices to interact with some of these services.
I believe that in this “IoT” world identity is super important, be it authenticating device-to-device, device-to-cloud, or cloud-to-cloud communication, as well as granularly controlling which users and which devices can access what. An “IoT” world also means a de-perimeterized world, and security solutions that protect the perimeter lose value as the perimeter dissolves. This makes identity even more important from a security perspective, as it becomes the one thing that IT security can in theory control when the organization no longer owns the end user device (e.g. a BYOD phone) and/or the backend resource (e.g. a SaaS app).
And within an “IoT” world the concept of identity itself is transforming. For example, before “IoT”, identity vis-à-vis the enterprise was about how to best manage your users’ IDs and passwords and grant them access to systems and applications. Now identity is also about needing to know a user’s location (e.g. don’t allow access if the user’s location is outside where he normally accesses apps from) and their devices (e.g. only allow access for this user from the specific trusted devices that are associated with this user).
To me, if you as a vendor are going to do identity right in an “IoT” world, you are going to need to not only address the “Internet” (e.g. cloud or SaaS apps) but you will also need to address the “Things” (i.e. devices) that are being used to actually connect to those resources. Doing “Internet” means as a vendor you need to offer a cloud-based service yourself, and doing “Things” will often require a bunch of software that runs on a bunch of operating systems be it Android, iOS, Mac, Windows or Linux.
So where “cloud identity” vendors fall short in my eyes is that they are just about delivering a cloud service that facilitates single sign-on (SSO) to SaaS and other cloud apps, but they ignore the mobile device that acts as the access point and are not able to apply rules or policies to control access from it. Doing that is going to require software on the device. Similarly, traditional “mobile management” vendors fall short by focusing only on managing the physical devices but not helping to facilitate and secure access from those devices, especially in a world where content is increasingly stored not on the device itself but in the cloud.
Hence I think the “IoT” trend signals that Cloud and Mobile Management vis-à-vis Identity are going to need to merge for an optimal solution. But what are some concrete examples of why Cloud and Mobile Management should go hand-in-hand from an identity perspective? Here are four that come to mind:
#1 Mobile devices need to be trusted to facilitate access. Mobile devices are increasingly becoming the de facto client for users’ access. This is true not only for enterprise applications but for consumer apps as well — when Facebook went public Mark Zuckerberg said his company’s number one priority is its mobile app. So in an enterprise setting, if identity is about making sure the right people have access to the right resources, and mobile devices are where people are doing the access from, then it is incumbent from a compliance and security perspective to ensure that the underlying device is also secure (e.g. requires a PIN, is not jailbroken, can be remotely wiped if lost, etc.) and is being used by the right person. That is, the device needs to be trusted just like the user needs to be trusted. In addition, given the form factor of a mobile device, it is better to provide a certificate to that device to enable “Zero Sign-On” vs. having an end user fat-finger in password after password.
#2 Given the problem we have with passwords, mobile devices are also becoming the de facto “something you have” for multi-factor authentication (“MFA”). A password is “something you know,” but it can be lost or stolen, especially as the number of apps you have access to grows. Therefore customers are increasingly looking for another factor such as “something you have” to ensure that it truly is the right person accessing the right resource. This is known as multi-factor authentication, a key and very large segment of the identity market. We are seeing that the traditional tokens, fobs and smartcards that users utilize are being replaced by mobile devices. This means that increasingly either the mobile device receives the additional “unlock” code for an app (acts as the token) or the mobile device becomes the equivalent of a smartcard with a PKI certificate issued to it. Mobile certificate management is in fact a key capability of MDM per Gartner, and ironically certificate services have historically been integrated into identity platforms such as Active Directory.
#3 Location is now part of the new definition of identity. It may appear to be the right person accessing a resource, but increasingly enterprises want to block access if it is coming from the wrong geographic location (hence I suggest Gartner update its Identity and Access definition to include “from the right location”). MDM vendors are adding “geo-fencing” policies to their capabilities, and again this type of capability needs to be either part of Identity Management and/or integrated with it.
#4 Provisioning a user’s access to a cloud service also requires provisioning the rich mobile app for that cloud service to the user’s device. Increasingly end users are demanding rich mobile apps as the means to access key resources, which themselves are increasingly cloud services. As Mark Zuckerberg said, “building Facebook’s mobile app on HTML5, which was slow and clunky, was ‘the biggest strategic mistake we’ve ever made.’” An MDM solution that simply pushes a mobile app to a user is not enough, as you also need to provision the user for the corresponding backend cloud service. Similarly, an Identity solution that only provisions a user in the cloud service but ignores giving the user the corresponding app on their device is also half a solution to end users, who will expect both to happen simultaneously.
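To make points #1 through #3 concrete, here is an added example (not Centrify’s code or any product’s API) of an access decision that treats the device as an identity subject alongside the user: it checks device posture (PIN, jailbreak, remote-wipe capability, enrollment to the requesting user), requires the device-bound certificate as the “something you have” factor, and applies a per-user location fence. The field names, the country-based location model and the sample records are all constructed for illustration.

```python
"""Access decision combining user, device trust and location.

Added illustration of the model described in the post; not Centrify code.
All attribute names, the policy shape and the sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    device_id: str
    enrolled_user: str       # user the device was enrolled to (MDM record)
    pin_enabled: bool        # screen-lock PIN set
    jailbroken: bool         # integrity check failed
    wipe_capable: bool       # device can be remotely wiped if lost
    has_device_cert: bool    # PKI cert issued to the device at enrollment


@dataclass
class AccessRequest:
    user: str
    device: DevicePosture
    country: str             # assumed geo-IP country code of the request
    cert_presented: bool     # request authenticated with the device cert


@dataclass
class Policy:
    # user -> countries the user normally accesses apps from (the geo-fence)
    usual_countries: dict
    require_device_cert: bool = True


@dataclass
class Decision:
    allow: bool
    zero_sign_on: bool       # no password prompt needed
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, policy: Policy) -> Decision:
    """Return allow/deny plus every reason for a denial (not just the first)."""
    reasons = []
    d = req.device

    # Point #1: the device must be trusted and used by the right person.
    if d.enrolled_user != req.user:
        reasons.append("device not enrolled to requesting user")
    if not d.pin_enabled:
        reasons.append("device PIN not enabled")
    if d.jailbroken:
        reasons.append("device is jailbroken")
    if not d.wipe_capable:
        reasons.append("device cannot be remotely wiped")

    # Point #2: device certificate is the "something you have" factor.
    cert_ok = d.has_device_cert and req.cert_presented
    if policy.require_device_cert and not cert_ok:
        reasons.append("device certificate missing or not presented")

    # Point #3: the request must come from the user's usual locations.
    if req.country not in policy.usual_countries.get(req.user, set()):
        reasons.append(f"access from {req.country} is outside the geo-fence")

    allow = not reasons
    # Zero Sign-On only when a trusted device authenticated with its cert.
    return Decision(allow=allow, zero_sign_on=allow and cert_ok, reasons=reasons)


# Constructed sample data.
POLICY = Policy(usual_countries={"alice": {"US", "CA"}})

TRUSTED_PHONE = DevicePosture("phone-1", "alice", pin_enabled=True,
                              jailbroken=False, wipe_capable=True,
                              has_device_cert=True)
JAILBROKEN_PHONE = DevicePosture("phone-2", "alice", pin_enabled=True,
                                 jailbroken=True, wipe_capable=True,
                                 has_device_cert=True)

GOOD_REQUEST = AccessRequest("alice", TRUSTED_PHONE, "US", cert_presented=True)
JAILBROKEN_REQUEST = AccessRequest("alice", JAILBROKEN_PHONE, "US", cert_presented=True)
WRONG_LOCATION_REQUEST = AccessRequest("alice", TRUSTED_PHONE, "BR", cert_presented=True)
NO_CERT_REQUEST = AccessRequest("alice", TRUSTED_PHONE, "US", cert_presented=False)

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("jailbroken", JAILBROKEN_REQUEST),
                      ("wrong location", WRONG_LOCATION_REQUEST), ("no cert", NO_CERT_REQUEST)]:
        print(name, evaluate(req, POLICY))
```

The point of returning every reason rather than the first one is operational: an MDM or identity console that tells the user “PIN missing and outside geo-fence” gets the device back into compliance in one round trip, and the same reason list is what you would log for detection of repeated attempts from untrusted devices. Note that a valid device certificate does not rescue a jailbroken device; the certificate proves possession, the posture check proves the device is still worth trusting.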
So what does this all mean vis-à-vis Centrify? We think we are at the forefront of this merger between cloud and mobile management vis-à-vis identity. We provide SaaS single sign-on for thousands of apps, and we also do it from mobile devices that we can secure and ensure are trusted. We facilitate “Zero Sign-On” from mobile devices and deliver multi-factor authentication leveraging users’ mobile devices. We can apply access policies based on the user’s device location and even allow end users to locate and wipe their own devices. And we provide a role-based mechanism to not only set up a user to access a set of SaaS apps but also provision the corresponding mobile apps to the user’s device. No other vendor can do this stuff, while also supporting 400+ flavors of UNIX, Linux, Mac and Windows operating systems.
And best of all, Centrify has released a major new release of our cloud offering that adds even more functionality in the area of cloud and mobile identity. In my next few blog posts I will go into more detail on these new features.