WHITEPAPER

Mobile SSO & the Rise of Mobile Authentication


MOBILE SSO & THE RISE OF MOBILE AUTHENTICATION

Top Four Considerations In Defining Your Mobile Identity Strategy

OVERVIEW

Cloud and mobile adoption continue to drive Identity & Access Management (IAM)-as-a-Service (IDaaS), a new category within the larger, traditionally on-premises IAM security market. As businesses move from on-premises computing to the cloud, and from desktops to mobile devices to better connect their global network of employees, partners, customers and vendors, information needs to move securely between people, applications and devices in accordance with policy.

Mobile applications themselves are an increasingly important tool for driving business outcomes. Consequently, the focus is shifting to managing the user behind the device and application. New security models are emerging that put the user at the center of security design. Nearly every security service, including identity and access management, is being re-architected for this new paradigm.

As the number of apps and services increases for the average user, managing app access represents a significant security and convenience issue. Two major issues emerge with the increasing reliance upon the hundreds of available cloud services. First, it is cumbersome for users to constantly re-enter their credentials, particularly in email-address and strong-password format. This inconvenience may wear particularly on mobile users, who will seek alternatives that are likely to be less secure.

Second, and more importantly, it is a security and governance issue for IT and the organization. A recent cloud report identified that 15% of corporate users have had their account credentials compromised [1], thereby increasing the risk of unauthorized access and highlighting the need for additional authentication factors. Ultimately, business leaders need to maintain the full picture of what is being accessed, by whom and when, and periodically audit for compliance concerns.


FIGURE 1. FOUR CONSIDERATIONS IN EXECUTING A MOBILE IDENTITY STRATEGY: business requirements, identity requirements, architecture requirements and roadmap requirements.

1. FORECAST YOUR BUSINESS APPLICATION REQUIREMENTS FOR THE NEXT 3 YEARS

As SaaS (Software as a Service) adoption grows, business applications are moving outside the enterprise domain and being provided by third parties in the cloud, i.e. SaaS providers. For example, new cloud-based services in areas such as human capital management, office productivity, service management, project management, content management, marketing automation, sales force automation, customer relationship management and expense reporting have entered mainstream adoption.

Enterprises continue to capitalize on mobile devices to optimize the business by provisioning applications aimed at improving employee productivity and customer satisfaction. The harsh reality is that anywhere from 50% to 80% of cloud-based applications used within the average enterprise are still provisioned without IT awareness, i.e. placed into service by end users, or “shadow IT.” Thus, it’s important to benchmark your current reality and evaluate approaches to deliver enterprise-grade security as you plan for the future.

Mobile smartphones and tablets continue to change the way we do business, allowing people to access their enterprise cloud applications from almost anywhere. Consequently, many SaaS providers are developing mobile-specific websites and native applications to optimize their customers’ experience. These devices are often outside the enterprise’s physical and logical control; therefore it is crucial that mobile strategies assess the risk associated with the current mobile identity, authentication and access management environment, and the actions being pursued by the industry to address these mobile security scenarios.


Recommendations

• Assess your organization’s current cloud application use, and whether these apps should be rolled into your IT service catalog, which defines the approved apps available to users. Having these apps within the broader IT portfolio of supported services will ensure the business manages these resources programmatically, and can centralize policies and audit functions. Leveraging solutions from vendors like Netskope and Skyhigh Networks can jump-start this process from a cloud app discovery perspective.

• Inventory your users’ mobile device platforms (Android, iOS, Windows Phone) and evaluate the mobile authentication technologies that support these systems. Given BYOD (Bring Your Own Device) trends, over 80% of organizations are making changes to their policies and IT infrastructure to support the proliferation of personal devices [2].

2. DEFINE YOUR TRUST REQUIREMENTS FOR MOBILE USERS

The level of trust required for an enterprise user versus that of an individual consumer can be dramatically different. Trust between a user and the services provisioned by the enterprise will be influenced by factors such as the user’s authentication privileges, the context in which that user is accessing these services (such as time and location), and the platform itself, as well as its capabilities.

Additionally, as the federation of identities and centralization of authentication become more common to support Single Sign-On (SSO), risk is aggregated to a single point serving multiple services. It becomes critical that additional credentialing or multi-factor authentication (MFA) technologies be implemented alongside your federation services to support the levels of assurance (LOA) required to meet trust requirements. An identity management solution must establish trust between the mobile user and the cloud application and maintain the credentialing services required.


Recommendations

• Take action today to secure mobile user access to your organization’s cloud apps. OneLogin Mobile is available on Android, iOS and Windows Phone, and downloadable from the corresponding platform stores. The mobile application offers secure web SSO via a single portal to thousands of enterprise cloud apps.

• Evaluate vendors that provide a broad catalog of cloud applications with out-of-the-box connectors. OneLogin, for example, has been a proponent of open standards, offering free SAML (Security Assertion Markup Language) toolkits beginning in 2011.

• Evaluate vendors that provide trusted data centers, certified by industry experts against standards for security, privacy and data protection. Certifications include ISO 27001, SOC 2, TRUSTe, Skyhigh Enterprise Ready and Safe Harbor.

• Require application developers and cloud vendors to support open standards, such as:

° OASIS’s SAML standard for authentication.

° The OAuth standard for delegated authorization.

° The OpenID Foundation’s NAPPS working group efforts to enable SSO for native applications installed on mobile devices.

° FIDO (Fast IDentity Online) Alliance work on two-factor authentication standards.

° The IETF’s SCIM (System for Cross-domain Identity Management) standard for provisioning and managing identities across domains.

• Implement bi-directional directory integrations that provide real-time synchronization to close gaps and race conditions between user stores. While most enterprises have existing on-premises authentication services such as Active Directory, these systems don’t extend to the cloud well, if at all.


3. DEFINE YOUR MOBILE IDENTITY AND ACCESS MANAGEMENT ARCHITECTURE

In order to minimize an organization’s liability should any data be compromised as a result of mobile access, new mobile and cloud security architectures are placing user identity and authentication at the center of the trust model. Many factors play a role in defining mobile trust, including:

Federation factors

• Legacy on-premises systems such as Active Directory often represent the single source of truth for enterprise IT today (e.g. single domains like acme.com). However, over their life they’ve become heavily customized, difficult to maintain and inflexible to meet today’s cloud initiatives. Organizations must now factor in the reality of cross-domain access from outside the network perimeter, and whether their legacy IAM solution is innovating at a pace to keep up with industry change.

• Outsourcing business applications and other digital services to various SaaS vendors has resulted in the proliferation of multiple user stores and consequently multiple user data models. Managing user credentials and various access privileges for these services suggests federation capabilities must be added to rationalize this complexity. Federation technologies are becoming more central to IAM architectures, and are best situated in the cloud.

FIGURE 2. FEDERATED SERVICES FOR MOBILE ACCESS TO CLOUD APPS


• The acceptance of BYOD within the enterprise introduces several important considerations:

° BYOD is personal, and unknowns introduce risk. IT has wrestled with the ever-morphing mobile security frameworks, which don’t always address the fact that businesses don’t own these devices. How can IT best manage risk, given that the traditional system management paradigm doesn’t apply? Locking down resources specific to users’ personal phones is not practical.

° Consumer behaviors don’t necessarily translate to the enterprise. While leveraging social media logins is an inexpensive form of SSO for some websites, most social logins do not provide sufficient trust to meet enterprise requirements (e.g. they lack password strength or refresh rates, and phones remain logged in for extended periods of time).

• With more than 50% of cloud apps accessed via mobile devices [3], the smaller mobile form factor and the associated user experience specific to authentication are ripe for improvement.

Recommendations

• Federate user stores to the cloud, which reflects the most appropriate point in the new mobile-SaaS application model.

• Leverage users’ mobile devices as a secondary factor for authentication to deliver time-based one-time passwords (OTP).

• Evaluate mobile security options beyond just mobile device management. New architectures suggest we shift focus from the device and put the user at the center of the security model. Thus, security practices should be prioritized to actually secure user access to cloud apps, and move beyond managing mobile system configurations.


4. PLAN FOR THE NEXT GENERATION OF USER AUTHENTICATION

Despite users and lines of business demanding access to mobile apps today, you won’t likely have time to develop a comprehensive architecture before being pressured to deliver. The best approach is to craft a lightweight architecture with the future vision in mind. It’s important to have a 3-year planning horizon as you begin re-architecting your next-gen IT service delivery model.

Recommendations

• Understand the mobile ecosystem, and the role each partner plays in security. The ecosystem is like a chain; security is only as good as the weakest link.

• Require your service providers to support open standards as mandatory acceptance criteria. Many enterprises are actively implementing cloud vendor onboarding certification (CVOC) programs to help accelerate provisioning of new cloud-based apps and services by screening out vendors that don’t support open standards.

• Educate yourself on emerging architectures and standards such as NAPPS, and monitor their development. NAPPS is a game changer in the maturation of mobile SSO, both from an end-user experience perspective and from a cloud service provider’s infrastructure perspective.

• Engage with your peers, and learn from their experiences so that the industry moves in the right direction. Organizations like IdentityFirst.org represent a community of identity and access management professionals who are engaged in shaping the future of IAM solutions and practices.

• Engage with your vendors to understand their vision for identity and authentication, as well as their roadmaps to address security, compliance and governance risk. As appropriate, request periodic discussions on product direction to build your long-term strategies and project plans.


CONCLUSION

The industry is working to address security, compliance and governance challenges associated with cloud and mobile adoption in the enterprise. The industry has acknowledged that new security models must take user identity into consideration, and that federating directories in the cloud, centralizing authentication services and aggregating analytics reporting will be factors in a mobile security strategy. Whether you plan to pursue a hybrid model (a mix of on-premises and cloud) or a cloud-only IAM architecture, securing user access to your enterprise’s SaaS or cloud apps from mobile devices will be required.

Contact OneLogin at: [email protected].

REFERENCES

1. Netskope Cloud Report, January 2015

2. IDG Enterprise Consumerization of IT in the Enterprise Study 2014

3. Netskope Cloud Report, October 2014


ABOUT ONELOGIN

OneLogin is the innovator in enterprise identity management and provides the industry’s fastest, easiest and most secure solution for managing internal and external users across all devices and applications. The only Challenger in Gartner’s IDaaS MQ, considered a “Major Player” in IAM by IDC, and ranked #1 in Network World Magazine’s review of SSO tools, OneLogin’s cloud identity management platform provides secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more. OneLogin is SAML-enabled and pre-integrated with thousands of applications commonly used by today’s enterprises, including Microsoft Office 365, Asure Software, BMC Remedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMC Syncplicity, EchoSign, Google Apps, Jive, Innotas, LotusLive, NetSuite, Oracle CRM On-Demand, Parature, Salesforce.com, SuccessFactors, WebEx, Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin, Inc. is backed by CRV and The Social+Capital Partnership.


GET ONELOGIN — FREE FOREVER

onelogin.com/signup/