WHITE PAPER
Mobile SSO & the Rise of Mobile Authentication
Top Four Considerations In Defining Your Mobile Identity Strategy
OVERVIEW
Cloud and mobile adoption continue to drive Identity & Access Management (IAM)-as-a-Service (IDaaS), a new category within the larger, traditionally on-premises IAM security market. As businesses move from on-premises computing to the cloud, and from desktops to mobile devices to better connect their global network of employees, partners, customers and vendors, information needs to move securely between people, applications and devices in accordance with policy.
Mobile applications themselves are an increasingly important tool for driving business outcomes. Consequently, the focus is shifting to managing the user behind the device and application. New security models are emerging that put the user at the center of security design. Nearly every security service, including identity and access management, is being re-architected for this new paradigm.
As the number of apps and services available to the average user increases, managing app access represents a significant security and convenience issue. Two major issues emerge with the increasing reliance upon the hundreds of available cloud services. First, it is cumbersome for users to constantly re-enter their credentials, particularly email addresses and strong passwords. This inconvenience may wear particularly on mobile users, who will seek alternatives that are likely to be less secure.
Second, and more importantly, it is a security and governance issue for IT and the organization. A recent cloud report identified that 15% of corporate users have had their account credentials compromised [1], thereby increasing the risk of unauthorized access and highlighting the need for additional authentication factors. Ultimately, business leaders need to maintain the full picture of what is being accessed, by whom and when, and periodically audit for compliance concerns.
FIGURE 1. FOUR CONSIDERATIONS IN EXECUTING A MOBILE IDENTITY STRATEGY (panels: Business Requirements, Identity Requirements, Architecture Requirements, Roadmap Requirements)
1. FORECAST YOUR BUSINESS APPLICATION REQUIREMENTS FOR THE NEXT 3 YEARS
As SaaS (Software as a Service) adoption grows, business applications are moving
outside the enterprise domain and being provided by third parties in the cloud, i.e.
SaaS providers. For example, new cloud-based services in areas such as human capital
management, office productivity, service management, project management, content
management, marketing automation, sales force automation, customer relationship
management and expense reporting have entered mainstream adoption.
Enterprises continue to capitalize on mobile devices to optimize the business by provisioning applications aimed at improving employee productivity and customer satisfaction. The harsh reality is that anywhere from 50% to 80% of cloud-based applications used within the average enterprise are still provisioned without IT awareness, i.e. placed into service by end users, or “shadow IT.” Thus, it’s important to benchmark your current reality, and evaluate approaches to deliver enterprise-grade security as you plan for the future.
Mobile smartphones and tablets continue to change the way we do business, allowing people to access their enterprise cloud applications from almost anywhere. Consequently, many SaaS providers are developing mobile-specific websites and native applications to optimize their customers’ experience. These devices are often outside the enterprise’s physical and logical control, so it is crucial that mobile strategies assess the risk associated with the current mobile identity, authentication, and access management environment, and the actions being pursued by the industry to address these mobile security scenarios.
Recommendations
• Assess your organization’s current cloud application use, and whether these apps should be rolled into your IT service catalog, which defines the approved apps available to users. Having these apps within the broader IT portfolio of supported services will ensure the business manages these resources programmatically, and can centralize policies and audit functions. Leveraging solutions from vendors like Netskope and Skyhigh Networks can jump-start this process from a cloud app discovery perspective.
• Inventory your users’ mobile device platforms (Android, iOS, Windows Phone) and evaluate the mobile authentication technologies that support these systems. Given BYOD (Bring Your Own Device) trends, over 80% of organizations are making changes to their policies and IT infrastructure to support the proliferation of personal devices [2].
2. DEFINE YOUR TRUST REQUIREMENTS FOR MOBILE USERS
The level of trust required for an enterprise user versus that of an individual consumer
can be dramatically different. Trust between a user and the services provisioned by the
enterprise will be influenced by factors such as the user’s authentication privileges, the
context in which that user is accessing these services such as time and location, and
the platform itself, as well as its capabilities.
Additionally, as the federation of identities and centralization of authentication become more common to support Single Sign-On (SSO), risk is aggregated to a single point serving multiple services. It becomes critical that additional credentialing or multi-factor authentication (MFA) technologies be implemented alongside your federation services to support the levels of assurance (LOA) required to meet trust requirements. An identity management solution must establish trust between the mobile user and the cloud application and maintain the credentialing services required.
Recommendations
• Take action today to secure mobile user access to your organization’s cloud apps. OneLogin Mobile is available on Android, iOS and Windows Phone, and downloadable from the corresponding platform stores. The mobile application offers secure web SSO via a single portal to thousands of enterprise cloud apps.
• Evaluate vendors that provide a broad catalog of cloud applications with out-of-the-box connectors. OneLogin, for example, has been a proponent of open standards, offering free SAML (Security Assertion Markup Language) toolkits beginning in 2011.
• Evaluate vendors that provide trusted data centers, certified by industry experts against standards for security, privacy and data protection. Certifications include ISO 27001, SOC 2, TRUSTe, Skyhigh Enterprise Ready and Safe Harbor.
• Require application developers and cloud vendors to support open standards, such as:
° OASIS’s SAML standard for authentication.
° The OAuth standard for delegated authorization.
° The OpenID Foundation’s NAPPS working group efforts to enable SSO for native applications installed on mobile devices.
° FIDO (Fast IDentity Online) Alliance work on two-factor authentication standards.
° The IETF’s SCIM (System for Cross-Domain Identity Management) standard for provisioning and managing identities across domains.
• Implement bi-directional directory integrations that provide real-time synchronization to close gaps and race conditions between user stores. While most enterprises have existing on-premises authentication services such as Active Directory, these systems don’t extend to the cloud well, if at all.
3. DEFINE YOUR MOBILE IDENTITY AND ACCESS MANAGEMENT ARCHITECTURE
In order to minimize an organization’s liability should any data be compromised as a
result of mobile access, new mobile and cloud security architectures are placing user
identity and authentication at the center of the trust model. Many factors play a role in
defining mobile trust, including:
Federation factors
• Legacy on-premises systems such as Active Directory often represent the single source of truth for enterprise IT today (e.g. single domains like acme.com). However, over their lifetime they’ve become heavily customized, difficult to maintain and too inflexible to meet today’s cloud initiatives. Organizations must now factor in the reality of cross-domain access from outside the network perimeter, and whether their legacy IAM solution is innovating at a pace to keep up with industry change.
• Outsourcing business applications and other digital services to various SaaS vendors has resulted in the proliferation of multiple user stores and subsequently multiple user data models. Managing user credentials and various access privileges for these services suggests federation capabilities must be added to rationalize this complexity. Federation technologies are becoming more central to IAM architectures, and are best situated in the cloud.
FIGURE 2. FEDERATED SERVICES FOR MOBILE ACCESS TO CLOUD APPS
• The acceptance of BYOD within the enterprise introduces several important considerations:
° BYOD is personal, and unknowns introduce risk. IT has wrestled with ever-morphing mobile security frameworks which don’t always address the fact that businesses don’t own these devices. How can IT best manage risk, given that the traditional system management paradigm doesn’t apply? Locking down resources specific to users’ personal phones is not practical.
° Consumer behaviors don’t necessarily translate to the enterprise. While leveraging social media logins is an inexpensive form of SSO for some websites, most social logins do not provide sufficient trust to meet enterprise requirements (e.g. they lack password strength or refresh requirements, so phones remain logged in for extended periods of time).
• With more than 50% of cloud apps accessed via mobile devices [3], the smaller mobile form factor and the associated authentication user experience are ripe for improvement.
Recommendations
• Federate user stores to the cloud, which reflects the most appropriate point in
the new mobile-SaaS application model.
• Leverage users’ mobile devices as a secondary factor for authentication to deliver time-based one-time passwords (OTP).
• Evaluate mobile security options beyond just mobile device management. New
architectures suggest we shift focus from the device and put the user at the
center of the security model. Thus, security practices should be prioritized to
actually secure user access to cloud apps, and move beyond managing the
mobile system configurations.
4. PLAN FOR THE NEXT GENERATION OF USER AUTHENTICATION
Despite users and lines of business demanding access to mobile apps today, you won’t likely have time to develop a comprehensive architecture before being pressured to deliver. The best approach is to craft a lightweight architecture with the future vision in mind. It’s important to have a 3-year planning horizon as you begin re-architecting your next-generation IT service delivery model.
Recommendations
• Understand the mobile ecosystem, and the role each partner plays in security.
The ecosystem is like a chain; security is only as good as the weakest link.
• Require your service providers to support open standards as mandatory acceptance criteria. Many enterprises are actively implementing cloud vendor onboarding certification (CVOC) programs to help accelerate provisioning of new cloud-based apps and services by screening out vendors that don’t support open standards.
• Educate yourself on emerging architectures and standards such as NAPPS, and
monitor their developments. NAPPS is a game changer in the maturation of
Mobile SSO, both from an end-user experience perspective and a cloud service
provider’s infrastructure perspective.
• Engage with your peers, and learn from their experiences such that the industry moves in the right direction. Organizations like IdentityFirst.org represent a community of identity and access management professionals who are engaged in shaping the future of IAM solutions and practices.
• Engage with your vendors to understand their vision for identity and authentication, as well as their roadmaps to address security, compliance, and governance risk. As appropriate, request periodic discussions on product direction to build your long-term strategies and project plans.
CONCLUSION
The industry is working to address security, compliance and governance challenges
associated with cloud and mobile adoption in the enterprise. The industry has
acknowledged that new security models must take user identity into consideration,
and that federating directories in the cloud, centralizing authentication services and
aggregating analytics reporting will be factors in a mobile security strategy. Whether
you plan to pursue a hybrid model (a mix of on-premises and cloud), or a cloud-only
IAM architecture, securing user access to your enterprise’s SaaS or cloud apps from
mobile devices will be required.
Contact OneLogin at: [email protected].
REFERENCES
[1] Netskope Cloud Report, January 2015
[2] IDG Enterprise Consumerization of IT in the Enterprise Study, 2014
[3] Netskope Cloud Report, October 2014
ABOUT ONELOGIN
OneLogin is the innovator in enterprise identity management and
provides the industry’s fastest, easiest and most secure solution for
managing internal and external users across all devices and applications.
The only Challenger in Gartner’s IDaaS MQ, considered a “Major Player”
in IAM by IDC, and Ranked #1 in Network World Magazine’s review of
SSO tools, OneLogin’s cloud identity management platform provides
secure single sign-on, multi-factor authentication, integration with
common directory infrastructures such as Active Directory and LDAP,
user provisioning and more. OneLogin is SAML-enabled and pre-
integrated with thousands of applications commonly used by today’s
enterprises, including Microsoft Office 365, Asure Software, BMC
Remedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMC
Syncplicity, EchoSign, Google Apps, Jive, Innotas, LotusLive, NetSuite,
Oracle CRM On-Demand, Parature, Salesforce.com, SuccessFactors,
WebEx, Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin,
Inc. is backed by CRV and The Social+Capital Partnership.
GET ONELOGIN — FREE FOREVER
onelogin.com/signup/