X

Cloud Security Perspectives and Insights

Subscribe to the Oracle Security Newsletter

The Technology Stack of Mobile Device Enablement - Simieo Solutions

Greg Jensen
Sr Principal Director - Security - Cloud Business Group

Introduction
Mobile computing has proven to be a game changer, revolutionizing the way we work, communicate and connect. Arguably, this revolution can trace its roots back to the ‘Personal Computer’, which freed individuals and organizations from the centralized mainframe operating model and we haven’t looked back since then. But what’s remarkable about mobile computing is the unprecedented pace of change and innovation it has brought about. Mobile devices are penetrating and transforming businesses today far faster than any previous generations of computing technologies ,including laptops and desktops.


Current landscape
Today, "going mobile" means a lot more than just modifying the content to fit a browser on a small screen size. Infrastructures can no longer afford to limit remote or mobile access to browser-based functionality. Users need access to more applications and data, from a wider variety of mobile and wireless devices.
Mobile device capabilities have reached new heights, which in turn has spurred demand for rich mobile applications that require access to private enterprise data in order to deliver functionality. These applications have become indispensable tools for end users. They are being inextricably woven into day-to-day business operations in an effort to improve productivity. In spite of the complexity, these devices are becoming a critical component of the computing environment because of their versatility.


Enter BYOD
Perhaps the single biggest driver of the mobile revolution has been the widespread adoption of “Bring Your Own Device” or “BYOD.” BYOD is the policy of permitting – or even encouraging – employees to bring personally owned mobile devices (laptops, tablets and smart phones) to their workplace, and to use those devices to access privileged company information and applications. Seemingly overnight, BYOD has supplanted the traditional policy of permitting only “corporate-liable” or “CL” devices, those that are owned and issued by the company.


The Benefits of BYOD
BYOD fosters business process efficiency by allowing employees to complete their tasks at any time and from anywhere – whether they are sales representatives, technical analysts in the field, customer-facing employees, manufacturing reps and the like. Every one of these employees needs access to data, which can enable them to make the right decisions, answer queries, come up with proposals, close deals and execute other vital tasks.
The benefits of BYOD include:

Improved workplace flexibility and productivity with secure "anytime, anywhere" access for employees. It promotes employee satisfaction. It also increases effective employee work hours in small increments per week, which in turn translates to a greater throughput from the workforce.

Increased sales revenues from quick, reliable access to business-generating applications on employee-owned devices.

  • Competitive appeal for market leadership and recruiting. Adopting innovative technology solutions such as mobility is valued by organizations for maintaining competitive positioning in their respective marketplaces. 
  • Reduced costs for acquiring, distributing and replacing corporate-liable (CL) devices.
  • Reduce complexity and costs from internally maintaining the mobility infrastructure.
  • Decreased help desk support with a reduction in the number of inbound calls for CL devices.
  • This is definitely not an exhaustive list, but it covers the common factors fueling BYOD adoption.


Imminent Challenges and Risks
It's not too difficult to lose a smart phone or tablet, resulting in confidential data being exposed to non trusted entities. Thus, accessing and storing corporate data on private devices presents unique security challenges to the enterprise.The IT security team and the CIO office are now dealing with questions such as:

Do our enterprise applications qualify as “secure” and “cloud ready”?

  • How do we manage security of the enterprise applications in a scenario where a plethora of mobile devices connect to them for accessing sensitive data?
  • How can my company enable social trust as a means of connecting to customers and employees?
  • What about securing the digital and intellectual property which has been exposed as a result of the BYOD scheme?
  • Some of the inevitable challenges for organizations adopting BYOD include:
  • Handling the deluge of BYOD demand (tablets, smart phones, smart watches and more)
  • Adapting to costs and risk that are no longer "per user" but rather "per device"
  • Avoiding the risk of revolt when applying corporate lock-downs and restrictions on devices owned by the employee
  • Addressing the increased threats associated with mobile
  • Obtaining increased budget to address the risk of mobile
  • Configuration management to reduce vulnerability exposure
  • Adopting configuration management to reduce vulnerability exposure
  • Managing what apps are allowed
  • Determining how to track and manage a personal device the same way as a CL device without violating personal privacy
  • Using mobile as an "enabling" component to the business instead of a roadblock

There are four primary areas that are putting consumers and enterprises at risk on mobile platforms:

  • Access based attacks – Privileged users who have access to more data than they should, or are using legitimate access to steal confidential data, and share or use it in ways that negatively affect the organization.
  • Device Loss – The loss of a corporate or personal device that contains confidential data on the device, or within secondary memory, due to loss or theft of the device.
  • Rogue malicious apps – Applications that have been compromised by attackers and posted on various app stores that contain hidden payloads that steal data, initiate connections, commit outbound toll-fraud or are used as a launching point for attacks inside a trusted corporate network.
  • SMS Attacks – Unwanted inbound SMS messages from attackers that trick users to take actions that can lead to installation of code or to increased carrier based charges.


Identity and Access Management to the Rescue
Luckily, corporations facing these risks and challenges don’t have to go it alone. The field of Identity and Access Management (IAM) has evolved just as rapidly with solutions designed to address key aspects of BYOD adoption:

  • Mobile Device Management (MDM)
  • Mobile Identity Management (MIM)
  • Mobile Application Management (MAM)

IAM solution providers, including our company, Simeio Solutions, have seen tremendous growth in these areas, with new tools, technologies, methodologies and best practices designed to help organizations adopt BYOD securely and effectively.

The need of the hour is seamless and secure digital connectivity for cloud and mobile integration in order for BYOD to prosper.
Here is where a product like Oracle Mobile and Social Access Management comes into the picture. Oracle Mobile and Social Access Management is a solution which enables an organization to secure mobile access to their enterprise applications. It includes a server which acts as a “secure wall” between external mobile client applications and the enterprise applications and data stores (which the mobile applications eventually access) by leveraging the existing back end identity infra services in order to regulate the interaction between both entities.

Oracle Mobile and Social Access Management Offerings


The Oracle Mobile and Social Access Management solution includes features in each of the following key areas: MDM, MIM and MAM.


Mobile Device Management


  • Device Enrollment – Oracle Mobile and Social Service components enforce device registration as a prerequisite to granting access to sensitive enterprise applications/data. A “Client Registration Handle” is used to process first-time device registration post user authentication via the Mobile and Social server.
  • Device Fingerprinting – Mobile and Social Access Server leverages the service from Oracle Adaptive Access Manager (OAAM) in order to deliver functionality such as Device Fingerprinting. OAAM provides capabilities such as One Time Password (OTP) and Knowledge Based Authentication (KBA) based on policies and risk assessments.
  • Device Blacklisting – Oracle Mobile and Social Access Services address the inherent risk of smart phone thefts. It provides capabilities to blacklist/block insecure devices and/or wipe out sensitive security information on the device as per threat levels.

Mobile Identity Management

  • Mobile User Authentication – Oracle Mobile and Social Services facilitate delegation of mobile user authentication to existing and trusted components such as Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM for strong authentication)
  • Mobile User Authorization – Oracle Entitlements Server (OES), a fine grained authorization server, is leveraged to provide authorization services for mobile users based on its policy driven decision engine in order to enforce appropriate access for mobile users to backend enterprise applications.
  • Social Identity support – Oracle Mobile and Social Services facilitates the usage of social internet identities such as Facebook, Twitter, Google, LinkedIn, etc., for signing on users to less sensitive applications. Many of these providers are based on open standards such as OpenID and OAuth, and this in turn can be leveraged to provide rich user experiences.


Leveraging Social Identities


Mobile Application Management

  • Mobile Apps Single Sign-On (SSO) – A mobile user can run many mobile applications on the same device without having to authenticate to each application individually. The out-of-the-box software development kit (SDK) shipped as a part of Oracle Mobile and Social can be used to build and configure Mobile SSO agents which can be used as a centralized point from where authentication and SSO can be managed.
  • SSO functionality is also available to web based applications in addition to inter-application SSO.
  • Application Registration – In order to strengthen mobile application security, Oracle Mobile and Social services ensure application registration before allowing access to sensitive data housed within enterprise applications.

Oracle Mobile and Social Access: The Big Picture


Conclusion
Mobile computing is here to stay. Along with its many luxuries, its penetration has introduced new complexities and challenges to organizations. They cannot afford to fall back on user awareness and user agreements to provide security. The question is no longer about allowing or denying mobile access. The question for today is about effective management.
This post is just the first in a 4-part blog series. In our next post, we’ll have in-depth coverage of Mobile Device Management (MDM).

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.

Recent Content