In looking at the overall pieces in play for Enterprise security architecture in Mobile app deployments there are three high level categories of security concern.
- Mobile Security - this is net new for the enterprise. Mobile apps need to deal with proprietary, byzantine systems and their access control models. Unlike traditional enterprise desktops where enterprise security teams can configure systems the way they would like, the smartphones and tablets of today are akin to buying a car with the hood welded shut. On top of that the security teams must deal with new use cases around lost and stolen, remote wipe and an overall collision course of security and privacy. Finally, the continued lengthening of the access control chain to meet the latest extension of distributed systems means more federation, namespaces, token types and protocols
- API Security - where Mobile security is a revolution, API Security is more of an evolution, much of the core of API security is iterative improvements on Web services security. The gateway vendors and other Web services security tools and technologies all have important roles to play here.
- Enterprise Security - the changes here are more evolutionary in nature as well. The enterprise stack must develop and deploy APIs to communicate with mobile, factor in new data security requriements and security protocols, but the main challenges are more integration in this space than anything else.
So the above three areas lead us to the following Venn of Mobile security
Understanding the main relationships is fundamental to building out an Enterprise Mobile Security architecture. From an Enterprise point of view, tools like MDM (Mobile Device Management) give the enterprise a way to provision devices and handle mobile-specific use cases like Lost Stolen and Remote Wipe. From this view, provisioning an iPhone is similar to provisioning a laptop, something any enterprise security team has extensive experience with.
However, as Ping Identity's Paul Madsen asks - if my CEO and I both have an iPhone is the device really the right level of granularity for security policy? So to close this gap, Mobile Access Management (MAM) has stepped into address some of the key bits around application access control.These may be packaged up and deployed together or separate with an API Gateway to broker these security protocols, perform inside/outside token exchanges and other services.
MDM, MAM and API Gateways all address pieces of the problem, but the enterprise still lacks a cohesive view. Should it support SAML, oAuth, OpenID Connect or other? 499 of the Fortune 500 uses Active Directory for their users, what is the equivalent in Mobile? Where should the PEPs integrate to? Where and how should token exchanges be supported? How do the three different security protocols - proprietary Mobile client, Web services/App communications, and back end enterprise- interact? How do I test it all?
These are some of the core questions that enterprises deal with today, Ken van Wyk and I will explore these in detail in both a security architecture view and a hands on developer view at the Mobile AppSec Triathlon in San Jose this November (come join us!). We are in the opening part of the game, some possible variations of the Mobile end game are starting to emerge. Until then, one thing is for sure - provisioning identity, enforcing access control decisions in each layer from Mobile to API to Enterprise and making the layers work together cohesively is critical. To meet this challence means Identity is at the center of each stage.