Planning Considerations for BYOD and Consumerization of IT (Part 3)

by [Published on 10 Sept. 2014 / Last Updated on 10 Sept. 2014]

In this article we’ll finish our coverage of the BYOD solution requirements and the meaning and intent behind them.

If you would like to read the other parts in this article series please go to :

Introduction

In the first part of this series on planning considerations for security BYOD and consumerization of IT, we looked at the Bring Your Own Device (BYOD) problem domain and discussed key aspects of planning and design. We finished up the article by looking at the structure of a planning frame work that you can use to guide your planning decisions. In Part 2, we discussed a collection of solution requirements that cuts across all secure BYOD deployments. This encompasses the technical capabilities that are required in all BYOD solutions. In this, Part 3, we’ll finish our coverage of the BYOD solution requirements and the meaning and intent behind them.

Simplify identity management for BYOD users and admins

Identity management has been around for a long time – ever since we started creating separate accounts for different individuals to use when accessing computers and networks. If you’re old enough, you might remember the early days of computing when you simply fired up MS-DOS, ran your application, and started working. There was no logging in and the computer had no idea who you were, or whether the person using the program was the same one who used it yesterday.

That worked (although not always particularly well) when personal computers were primarily operated in a standalone mode and not connected to other computers. Then networking appeared on the scene and it was possible to access not only the files on your own hard drive but also those residing on other computers. This ability to share resources was good – and bad. The owners of those resources didn’t necessarily want to “share and share alike.” That is, they didn’t want to share every file with every other network user. They needed access controls.

The simplest and earliest method of controlling access was to place passwords on the files. That way, only those people who knew the passwords would be able to open them. And that worked, as long as there were only a few people and only a few files involved. Things got complicated, though, if you were working with many different resources, each of which had to have different passwords. Users had to keep up with dozens or potentially hundreds or thousands of passwords, along with the location of each file on the network (i.e., what computer it was stored on and its path). That was a nightmare; I know, because I worked in that situation. And from the perspective of the resource owner, you had no record of who was accessing the files.

There had to be a better way – and there was. By assigning each user an account with a user name that identified him/her on the computer and on the network, you could implement identity-based access controls. This allowed a resource owner to assign permissions defining which user accounts could access the resource. Now the user only had to remember one password – the account logon password – instead of one for each resource, and the resource owner had a way of knowing who was accessing the file. Things were getting better.

At first, in the peer-to-peer networks of the olden days, these accounts had to be created on each computer. But the network operating system and directory services solved that problem. First with Novell Netware and then with Windows NT server’s directory services and later with Windows 2000 and Active Directory, user accounts could be created and maintained in a centralized manner by a network administrator, and the modern concept of identity management was born.

We rocked along there for a long time with network admins using their new-found power to exert tight identity-based controls over their networks, and all was good. Then a new trend reared its head and threw a monkey wrench into the works: BYOD.

The challenge of managing identities in a BYOD environment

We’ve been talking about identity in terms of people. In the past, most of our headaches revolved around managing users. Yes, we also managed computers, and Active Directory provides for both computer and user accounts and lets us control both through Group Policy, but the computers were much less of a problem because they were company-owned. IT had control over them from the beginning. They were usually somewhat standardized in terms of both hardware and software.

With BYOD, we now must manage both the users and a plethora of different devices that they use, and many of those devices don’t belong to the company; they were bought and paid for by the user. Some organizations are still focused on the user and allow authorized users to access the corporate network from whatever devices they want, without registering, tracking or identifying those devices. These orgs are basically at the same point, in regard to devices, that we were at in regard to users in the early days of computing.

Unknown devices, even when used by known authorized users, can pose a security risk to the network. An effective BYOD solution requires visibility into this “mobile infrastructure” to enable IT to protect the company’s digital assets while at the same time enabling users to work more efficiently and conveniently. This can be accomplished by implementing, in conjunction with user identity management, a device identity management strategy. That means registration of BYOD devices and storage of device/owner information in a central repository as well as security controls that may require installation of agent software on users’ devices to enable remote wipe, remote app deployment, two-factor authentication and so forth.

The solution isn’t as simple as it sounds, though. BYOD usually means a wide variety of device brands and models, along with different operating system platforms. Your identity management solutions must be supported across this diversity of devices.

But that’s not all. Managing user identities is not as easy as it once was, either. BYOD and the consumerization of IT are driven in large part by users’ desire/need to be connected to social networks such as Facebook, Twitter and Google+. Social media is no longer just a “play time” activity, though; it’s increasingly important for business purposes. Users may log onto these and other web sites under a variety of identities. So now, instead of just a corporate user account in Active Directory, we find ourselves in the middle of an identity crisis wherein we all have multiple identities. It’s enough to drive a security admin a little crazy.

Your plan should take this into consideration and your design should strive to simplified identity management both for BYOD users and for the admins who must keep track of all these users and devices.

Managing access: a multi-faceted approach

Yesterday’s identity management (IdM) solutions have grown more sophisticated and morphed into today’s identity and access management (IAM) systems. In a BYOD world it’s no longer enough to simply verify the identity of the user who’s attempting to access corporate resources; now your management system needs to be “smart” enough to go further, and to also look at the device with which the user is attempting access (known/unknown or trusted/untrusted status), the location from which the user is attempting access (connected directly to the internal network, connected to the internal network over a virtual private network, or remotely from an external network) and what resource(s) the user is attempting to access. The time of attempted access may also be relevant in determining whether the activity is routine or unusual (and thus suspicious).

That means the IAM solution is able to track user access to detect and analyze patterns and alert to any anomalies, in much the same way credit card companies track customers’ credit card purchases and alert to the possibility of fraud when out-of-the-ordinary expenditures occur.

Single sign-on: a step toward simplification

Simplifying the identity management process for the user begins with eliminating the need to maintain separate credentials for different identities when accessing different resources. We’ve already been through a similar transition once before, when we moved from different passwords to access different files to an identity-based access system. That was when most of what users needed to access was on the internal network.

Today users depend on information and interaction using many different external resources. They may need to log onto vendors’ sites, social sites, government sites, financial sites, partners’ sites, etc. Once again, they’re in a situation where they have to memorize a whole slew of passwords. What’s needed is a way to consolidate logon to all those sites into one set of credentials that the user can easily remember. That’s where single sign-on (SSO) comes in.

A true single sign-on world would support one standardized “official” identity verified by a highly trusted authority – a digital equivalent of the driver’s license or passport – and that identity could be used for every network resource or web site a user ever needed to access. Microsoft was trying to head in that direction when they released Windows CardSpace with Windows Vista, although it was more of a personal identity management system than a single sign-on solution. For better or worse, CardSpace never caught on and faded away into the dustbin of computing history.

Microsoft’s perspective on identity and access management

Microsoft has been trying for a long time to simplify identity management for users and admins. In the early 2000s, they released Microsoft Identity Integration Service (MIIS), which turned into Identity Lifecycle Manager, which subsequently morphed into Forefront Identity Manager. Active Directory Federated Services (ADFS) represents the single sign-on “piece” of Microsoft’s IAM solution. Microsoft UAG (Unified Access Gateway) was intended to extend SSO to external users. In 2013, Microsoft announced that UAG would be removed from price lists on July 1, 2014, but indicated an intent to remain committed to IAM and to ship a new release of FIM in 2015.

In keeping with Microsoft’s “all in with the cloud” strategy, the next version of FIM is expected to support hybrid scenarios with Windows Azure AD and related cloud services along with on-premises resources.

On the programming side, in 2012 Microsoft released a “Single Sign-on Roadmap” for Windows developers and updated it in June 2014, the objective of which is to help developers create applications through which users can access Microsoft Cloud services with corporate Active Directory credentials, utilizing a security token service supported by Azure Active Directory.

At TechEd 2014 North America, Microsoft demonstrated the company’s current recognition of the importance of the BYOD/cloud environment in the context of its “reimagining” of itself as a “devices and services” company with its Enterprise Mobility Suite that introduced Azure AD Premium for Hybrid Identity Management. EMS is a service that also includes Windows Intune and Azure Rights Management.

Summary

In this, Part 3 of our series on Planning Considerations for Securing BYOD and Consumerization of IT, we delved more deeply into the concept of simplifying identity management for BYOD users and administrators. In Part 4, we’ll move forward to discuss the need for your BYOD strategy to support modern authentication mechanisms.

If you would like to read the other parts in this article series please go to :

See Also


The Author — Deb Shinder

Deb Shinder avatar

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.