Identity management is critical in mobile devices but considerations need to be given to the user experience and data security.
Presenting on 'identity and security considerations for mobility', Gartner's Trent Henry said that you can "think of the new influx of wireless devices in the network as a type of denial-of-service".
Henry said that IT managers need to consider whether their risk profile is high, medium or low, and develop a mobile strategy based on that. He said: “Look at what type of devices they are using and what app stores they use. Also look at device ownership: does your organisation provide them, or what does the user bring to the table? You need the ability to wipe, control and encrypt devices.
“What are the risks to your environment and what controls can you do to reduce risk? What we are looking at is a light data footprint. If there is no data on the device, you don't have to touch it.
“Think about credential theft and sniffing, and think about controls. Think about health checks and authentication environments. Think about identity and access management (IAM). If there is no resident data footprint, you can use your existing IAM infrastructure to deal with the device and the users on it; in an application itself you can offer access to one-time passwords (OTP) and the public key infrastructure (PKI) to bind a user to a device and offer assurance to the user.”
Henry admitted that there may be a need for stronger credentials for connectivity and mobile device management, and perhaps OTP apps so users can do what is required, but the implications for the user experience and for full-time connectivity could be an issue.
He also said that when it comes to authentication and identity, there needs to be an understanding of who the user is and what credentials are required. If the risk profile is high, you will need a hardware OTP or smartcard; for a medium risk it is a software OTP; and for a low risk environment, a user name and password may suffice.
Concluding, he recommended not launching straight into a product selection or a security architecture, but first thinking about what you need to do, whether it is network-facing or end-user-facing, and about data management and use cases.
“Think about security and information protection so it doesn't get bolted on at the end; you may get away with a simple web application, but in mobile there are a lot of competing forces for the user, so you will want to strengthen your protection,” he said.
“Think about risk and the sense of data used in your organisation and data outside repositories; it is no longer just SharePoint, data is now coming from mobile with far fewer controls than you are used to. Think about the authenticator and implications for authorisation and take time to think ahead of time and whether to do a wrapper or use a software development kit (SDK) – this can answer hard questions for a developer.”