In a world of hackers and malicious actors, mobile identity management has quickly become a crucial part of any security strategy.
IT administrators are always looking for security measures that enhance effectiveness, lower costs and are easy to understand and administer, but that don't get in the way of the users who must apply them on a day-to-day basis. Mobile security is one area where even a single, simple mistake can be disastrous, so IT should take the utmost care when evaluating and selecting identity management systems.
The 'triple A' of mobile security
Most organization-wide mobile security strategies can fall under the acronym AAA: authentication, authorization and accounting.
Authentication determines and verifies identity for both parties to a given communication, and is ideally two-factor, requiring the user to enter "something they have plus something they know."
Authorization defines the set of allowed functions and activities for a given authenticated user; for example, what apps they can use, what files they can access and what activities are expressly prohibited for them.
Accounting is the record-keeping of what happened and when, producing logs suitable for admins to analyze authorized access and detect attempts at unauthorized access.
AAA is a great model for security -- just add encryption of sensitive information, whether at rest on a server or client device or in transit across a network. With this model, IT should be able to address most security requirements with little difficulty.
The next step for mobile security
Mobility introduces a much broader set of opportunities, possibilities and potential security challenges. This is where access and identity management (ID management) takes over. Mobile identity management systems also enable the specification of authentication and authorization for a given user, location, device, period of time, time of day and more.
Wireless LAN vendors, network equipment vendors and a number of third-party providers all offer ID management systems. The field is relatively new and continues to evolve. Early adopters should therefore take caution and consider the scope and range of any ID management system, and evaluate how the provisioned services, capabilities and implementations fit with current and planned network strategies and operations.
How mobile identity management systems work
The essence of ID management involves authenticating a given user with a given device and assorted credentials, and then specifying what privileges they may have.
For example, an Apple iPad user in the engineering department from 8 a.m. to 5 p.m. each weekday might have access to a given set of network resources, and, at other times, a different set of privileges or even no access whatsoever. That same user, with an unauthorized iPhone, might have no access, although an ID management system can enable multiple devices per user.
Users might be logged out after their period of access expires, if they physically move to a location where they have no access or after a given period of connectivity expires.
Many identity management systems feature self-service onboarding and provisioning, which enable already-authorized users to register new devices and change passwords. Also key is integration with existing directory services such as Lightweight Directory Access Protocol and Microsoft Active Directory.
Much of the information IT needs to authenticate a user is already present in these access repositories. Having a single point of residence for this data eliminates redundancy, out-of-sync conditions and related post-installation problems. It's also possible for admins to define and specify varying degrees of granular control, from individual users to groups. IT might define groups according to organizational role (corporate management, engineering, marketing, customers, guests and contractors, etc.), or by employees working together on a specific project.
Users can even have more than one identity with different privileges to each, although in that case, auditing and management workloads could increase. Regardless, management and reporting functionality and detailed logs are a requirement of any effective ID management system, along with alerts of any unusual activity.
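The policy behaviour described above (a registered device plus two factors to authenticate, group-based privileges that depend on weekday and time of day, session expiry, and an audit trail for the accounting leg of AAA) can be made concrete with a small evaluator. The following is an added example, not code from the article or from any vendor's product; the directory entries, group names, device IDs, resources and time windows are all constructed, and the first- and second-factor results are assumed to come from upstream verifiers such as a password store and a one-time-password check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample directory. In a real deployment these attributes would be
# read from LDAP or Active Directory; users, groups and device IDs are hypothetical.
DIRECTORY = {
    "alice": {"groups": {"engineering"}, "devices": {"ipad-0001"}},
    "bob":   {"groups": {"marketing"},   "devices": {"iphone-0002"}},
}


@dataclass(frozen=True)
class Rule:
    """One authorization rule: a resource and the window in which it is reachable."""
    resource: str
    weekdays_only: bool
    start_hour: int  # inclusive, local time
    end_hour: int    # exclusive, local time

    def matches(self, when: datetime) -> bool:
        if self.weekdays_only and when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            return False
        return self.start_hour <= when.hour < self.end_hour


# Constructed group policy: engineering reaches the repo only on weekdays 08:00-17:00,
# the wiki is reachable by both groups at any time.
POLICY = {
    "engineering": [Rule("source-repo", True, 8, 17), Rule("wiki", False, 0, 24)],
    "marketing":   [Rule("wiki", False, 0, 24)],
}

SESSION_LIFETIME = timedelta(hours=12)  # constructed value: "period of connectivity"

AUDIT_LOG: list = []  # the accounting leg of AAA: every decision is recorded here


def record(event: str, **fields) -> dict:
    entry = {"event": event, **fields}
    AUDIT_LOG.append(entry)
    return entry


@dataclass
class Session:
    user: str
    device: str
    issued_at: datetime

    def expired(self, now: datetime) -> bool:
        return now - self.issued_at >= SESSION_LIFETIME


def authenticate(user: str, device: str, first_factor_ok: bool,
                 second_factor_ok: bool, now: datetime):
    """Return a Session when the user exists, the device is registered to that user
    and both factors verified; otherwise log the refusal and return None."""
    entry = DIRECTORY.get(user)
    if entry is None or device not in entry["devices"]:
        record("auth_denied", user=user, device=device,
               reason="unknown user or unregistered device", at=now)
        return None
    if not (first_factor_ok and second_factor_ok):
        record("auth_denied", user=user, device=device, reason="factor failed", at=now)
        return None
    record("auth_ok", user=user, device=device, at=now)
    return Session(user, device, now)


def allowed_resources(session: Session, now: datetime) -> set:
    """Resources reachable right now: the union of the user's group rules whose
    time window matches, or nothing at all once the session has expired."""
    if session.expired(now):
        record("session_expired", user=session.user, device=session.device, at=now)
        return set()
    resources = set()
    for group in DIRECTORY[session.user]["groups"]:
        for rule in POLICY.get(group, []):
            if rule.matches(now):
                resources.add(rule.resource)
    return resources


def authorize(session: Session, resource: str, now: datetime) -> bool:
    """Decide one access request and record the outcome."""
    ok = resource in allowed_resources(session, now)
    record("access_allowed" if ok else "access_denied",
           user=session.user, device=session.device, resource=resource, at=now)
    return ok


def demo() -> dict:
    """Walk the article's scenario: weekday access, after-hours and weekend refusal,
    session expiry, and an unregistered phone. Dates are constructed (2024-01-08 is a Monday)."""
    monday_10am = datetime(2024, 1, 8, 10, 0)
    saturday_10am = datetime(2024, 1, 13, 10, 0)
    s = authenticate("alice", "ipad-0001", True, True, monday_10am)
    s_weekend = authenticate("alice", "ipad-0001", True, True, saturday_10am)
    return {
        "weekday_resources": allowed_resources(s, monday_10am),
        "evening_repo": authorize(s, "source-repo", monday_10am + timedelta(hours=9)),
        "weekend_repo": authorize(s_weekend, "source-repo", saturday_10am),
        "expired": allowed_resources(s, monday_10am + timedelta(hours=13)),
        "unregistered_device": authenticate("alice", "iphone-9999", True, True, monday_10am),
        "denied_events": [e["event"] for e in AUDIT_LOG if e["event"].endswith("denied")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log is the part worth keeping an eye on: every refusal lands there with the user, device and reason, which is exactly the material the article says admins need in order to analyze authorized access and spot attempts at unauthorized access.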
Additional functionalities to consider include:
Certificate management: Identity management systems provide an ideal location for IT to ensure that only the right users have access to the corporate network.
Unified and federated access: This involves the sharing of credentials with other entities, often referred to as single sign-on (SSO). SSO can make logging in much easier, but IT must take care to guard against inadvertent errors that could compromise user credentials.
Cloud implementations: IT can provision many identity management systems as cloud-based services and make installation, growth and scaling easier. Such an approach converts what might otherwise be a capital expense into an operating expense.
Extensibility: Finally, it's important to consider that security is and likely always will remain an evolving set of challenges and responses. It's therefore vital that mobile identity management be extensible, with the ability to add new protocols and perhaps entirely new strategies over time, without having to overhaul an operational system.
Identity and access management should be the backbone of any contemporary policy-based security implementation, providing IT an easy-to-use framework with the features and flexibility to live and grow with over the long haul.