Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 4
By Tanu Sood on Jan 28, 2013
IDM as a Business Enabler
By: Mike Nelsey
In this series we have reflected on the evolution of life and work practices that have brought about a demand for business to deliver services to its target audience – employees, partners or true consumers – in a new way that has led to a change in where our security boundaries are situated. With this comes a significant improvement in customer satisfaction, a reduction in cost of delivery and consequentially an opportunity for business to drive up retention rates with services that fit people’s lives; suit the new fluid business environments.
This is no longer about enormous developments of unwieldy proprietary environments, it’s about delivery of solutions using COTS and blending this to streamline process, improve security and change delivery modes for information. And, fundamentally, beyond the speed of business change.
Organizations cannot retain a reliance on consumers’, employees’ and partners’ apathy-cum-acceptance of average or satisfactory service in the belief that they therefore have a sustainable business model. Whether we are talking about Public or Commercial Sector organizations, those to whom we deliver a service feel more empowered to make a choice. Our competitors, with better service delivery will help them in this.
So, removing the barriers, acknowledging that too much process or too much security can be worse than too little, and doing so by focusing on identities as the core target for delivery is the way forward.
One of our consultants jovially referred to it as “Breaking down the office walls” and that is not a bad place to start.
I remember when a mobile phone simply made and received calls, cost the price of a small house and was only used by the very privileged! Since then mobile technology has made significant advances, advanced technology available in ever smaller and cheaper packages. They are now used by the masses, an integral part of modern life and probably here to stay – well at least until the next leap to embedding devices inside people. When leaving the house it would appear that checking you have your mobile device is as important as checking you have your keys to secure your house and your wallet for the items you wish to purchase.
A smart mobile device not only allows us to make and receive voice calls but extends the scope of communication by allowing us to send and receive information. This information could be of a personal and or business nature. Users are now pushing to use their own mobile devices to access business information as this limits the number of mobile devices they have to manage. It also gives them the user experience that they prefer and a degree of freedom of expression. As a result this means mobile business users or consumers of information require access anytime, anywhere on any device. This is forcing companies to rapidly adopt a BYOD policy to protect their information.
Allowing users to access to information anytime, anywhere on any device does have business advantages as users can execute tasks outside of the traditional office hours. However, the company still needs to maintain a level of security and audit data. Users who are using their own mobile devices have neither a vested interest in nor detailed knowledge of strong security and thus may inadvertently weaken the traditional security boundaries and thus compromise the integrity of the information the company holds.
What is the solution? How do you allow users to BYOD while still maintaining an adequate level of security and give the users good experience?
Let’s consider an example.
A customer raises a support call from an office located in Australia. The supplier’s support desk is based in the UK and closed when the ticket is raised; however a reply is still required. The support system sends a notification to the support engineer’s personal mobile phone informing them that a ticket has been raised. The engineer has the company support application installed on their mobile device – an application which is protected by Oracle Mobile Application. Before the engineer is allowed to access the information they are forced to authenticate, one of the options being to use their social network credentials for convenience. Since they have only authenticated with their social credentials the access policy on the support application only allows the engineer to view the status of the support ticket and a brief synopsis.
Based on the limited information provided, the engineer deems that an urgent reply is required and therefore loads the cloud-based company roster applications on their mobile device to determine which engineer is on call for this customer. This application is also protected by Oracle Mobile Application. Because the engineer has previously authenticated, they are provided with Single Sign-On between the two applications as defined in the security policy. Having determined the on-call personnel, the engineer now needs to send an email to them using the company email application. This is also protected by Oracle Mobile Application. Because email has a higher security value the security policy does now allow the engineer to use their social credentials to authenticate. Therefore they are forced to re-authenticate using their company issued credentials.
Are all mobile devices permitted to access the company resources? Suppose the engineer gets a great bonus this month and buys a new mobile device which is not supported by the companies BYOD policy. Integrating Oracle Identity Management with Oracle Adaptive Access Management provides device finger printing. This allows unrecognized or unapproved mobile devices to be blocked from accessing company resources.
In summary; the modern office working hours are very flexible, gone are the days of users accessing information simply while they are in the office using the company network and or mainframe style devices. All organizations are going through the same evolution, and thus they demand of us the same flexibility that their employees demand of them. Employees expect choice and flexibility in working hours and working methods – providing this does have a cost, but it helps to attract and retain the best in talent and thus is a trade-off which can be justified. As businesses expand over multiple continents, users need access to information 24 hours a day, 365 days per year in disparate locations.
In the same way, consumers expect to be able to engage whenever it suits them. We need to be able to respond rapidly to changing market requirements – scaling up rapidly, using the cloud, deploying new functionality – whilst at all times retaining appropriate security levels and providing an exceptional customer experience. Those who support this by adopting social media and cloud-based identity and access models will gain competitive advantage and be able to reach consumers like never before.
Business must embrace the change in both the organizational and consumer spheres and deploy the correct technology or they will suffer in the “always plugged-in world”.
This brings the last of the series to a close,
Despite the noise we’re creating, this is not a revolutionary-big bang approach. An old friend always talks about sprucing up a house by tidying up the doors and windows. Service improvement is just this. Small visible steps based upon a thought through strategy delivering against a roadmap that has business buy in and takes account of where we are and where we want to be. With the focus on our target populations. Identity and access management delivering for your organization.
For more information on any of the topics we have discussed in this blog series or to request a copy of the ‘Who Moved My Security Boundary?’ brochure please email firstname.lastname@example.org or to view an electronic copy please click here.
About the Author:
Mike Nelsey, Managing Director, aurionPro SENA
Working in the IT industry since the early 90’s, Mike leads the aurionProSENA European operation. Mike has been involved in identity and access management since 1999 when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.