Network Computing is part of the Informa Tech Division of Informa PLC


Five Steps to Solid Cloud and Mobile App Delivery: Page 2 of 2

Step 3: Control Access Based on Identity

The rapid proliferation of apps within the enterprise, mobile or otherwise, plus the concerns Olden voiced about reinforcing the security of SSO mechanisms, make it doubly important that organizations do a better job mapping data and application access to job functions, Lambert says.

"Core to this principle is role-based identity management," Lambert adds.

She recommends that, in addition to SSO, organizations build their identity and access management (IAM) practices around products that support multiple authentication types, Active Directory federation and role mapping to the appropriate applications and data stores. Also critical are mechanisms for "active" identity management that automatically grant and rescind access as people join, leave and change roles within the organization.

Industry watchers have noted that the combination of mobility and cloud has surged to become a big driver of IAM in 2012.

"The problem is, how do I manage user identification both in my own network and in my cloud without having to duplicate efforts?" says Pierluigi Stella, CTO of Network Box USA. "How can I be assured that the iPad being used to access the company's data in the LAN and in the cloud is legitimate, used by the actual and legitimate user, and all this without having to manage identities in three different places?"

He agrees with Lambert that role-based access control will play a big part in answering those tough questions.

Step 4: Control Access Based on Policy

As an offshoot of step three, organizations should institute access management that makes decisions based not only on who you are, but also on what you are accessing data from. This provides an additional layer of security and control.

"Policies must provide 'contextually aware' mobile information access," Lambert says.

She suggests that policy and automation work be focused around location, device type, network, authentication requirements and event-driven access disablement.

"These policies should then be applied down to the specific application or file to allow or restrict access," Lambert says.

According to Corey Nachreiner, senior network security strategist at WatchGuard Technologies, context is king when it comes to access control.

"If you see a TFTP connection sending an AutoCAD document to an IP address in China, it has a very different connotation than if you see an authenticated user you know, with a C-level role, uploading that same AutoCAD document," he says. "In both cases, a sensitive AutoCAD document is leaving your network, but one of those scenarios is probably company approved."
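The two steps above describe a layered decision: first, does the user's role grant the action on this application or file (step 3), and second, does the context of the request (authentication strength, network, device type, location) satisfy the policy for that resource (step 4), with access rescinded automatically when the directory changes. The following is an added, self-contained illustration of that evaluation order, not code from the article or from any of the vendors quoted in it. The directory entries, role names, resource prefixes, policy values and the `AccessRequest` field names are all constructed for the example; it also plays through Nachreiner's two scenarios, the same document leaving via an unauthenticated path versus an authenticated C-level user on a managed device.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical request shape; every field name here is an assumption of this example.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str       # application or file path, e.g. "cad/plant-layout.dwg"
    action: str         # "read" or "upload"
    device_type: str    # "managed-laptop", "ipad", "unknown"
    network: str        # "corp-lan", "vpn", "internet"
    location: str       # country code of the client
    auth_level: int     # 0 unauthenticated, 1 password, 2 password plus second factor

# Step 3 (identity): constructed directory mapping users to roles, and the
# role-to-resource mapping. Granting or rescinding access is a directory
# change, not a per-application edit.
DIRECTORY: Dict[str, Set[str]] = {
    "cmiller": {"executive"},
    "jdoe": {"engineer"},
    "asmith": {"sales"},
}
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "engineer": {"cad/": {"read", "upload"}},
    "executive": {"cad/": {"read", "upload"}, "finance/": {"read"}},
    "sales": {"crm/": {"read"}},
}

# Step 4 (context): one policy per resource prefix; a request must satisfy
# every dimension. A resource with no policy is denied by default.
@dataclass(frozen=True)
class ContextPolicy:
    resource_prefix: str
    min_auth_level: int
    allowed_networks: Set[str]
    allowed_device_types: Set[str]
    allowed_locations: Optional[Set[str]]   # None means any location

POLICIES: List[ContextPolicy] = [
    ContextPolicy("cad/", 2, {"corp-lan", "vpn"}, {"managed-laptop", "ipad"}, {"US"}),
    ContextPolicy("finance/", 2, {"corp-lan"}, {"managed-laptop"}, {"US"}),
    ContextPolicy("crm/", 1, {"corp-lan", "vpn", "internet"}, {"managed-laptop", "ipad"}, None),
]

def role_permits(roles: Set[str], resource: str, action: str) -> bool:
    """True if any of the user's roles maps to this resource with this action."""
    for role in roles:
        for prefix, actions in ROLE_ENTITLEMENTS.get(role, {}).items():
            if resource.startswith(prefix) and action in actions:
                return True
    return False

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity is checked first, then context."""
    roles = DIRECTORY.get(req.user)
    if not roles:
        return False, "unknown or deprovisioned user"
    if not role_permits(roles, req.resource, req.action):
        return False, "no role grants %s on %s" % (req.action, req.resource)
    policy = next((p for p in POLICIES if req.resource.startswith(p.resource_prefix)), None)
    if policy is None:
        return False, "no policy covers resource (default deny)"
    if req.auth_level < policy.min_auth_level:
        return False, "authentication level too low"
    if req.network not in policy.allowed_networks:
        return False, "network not permitted"
    if req.device_type not in policy.allowed_device_types:
        return False, "device type not permitted"
    if policy.allowed_locations is not None and req.location not in policy.allowed_locations:
        return False, "location not permitted"
    return True, "allowed"

def deprovision(user: str) -> None:
    """Event-driven disablement: a leaver event removes every role at once."""
    DIRECTORY.pop(user, None)

def change_roles(user: str, roles: Set[str]) -> None:
    """Role change (e.g. an internal transfer): old entitlements drop, new ones apply."""
    DIRECTORY[user] = set(roles)

if __name__ == "__main__":
    approved = AccessRequest("cmiller", "cad/plant-layout.dwg", "upload",
                             "managed-laptop", "corp-lan", "US", 2)
    suspicious = AccessRequest("cmiller", "cad/plant-layout.dwg", "upload",
                               "unknown", "internet", "CN", 0)
    for r in (approved, suspicious):
        print(r.user, r.resource, r.action, "->", evaluate(r))
```

The order of checks matters in practice: evaluating identity before context keeps the reason strings useful for auditing (a denial for "no role" is an entitlement gap; a denial for "authentication level too low" on a user who does hold the role is the contextual signal Nachreiner describes), and keeping the role map and the directory separate means a leaver or transfer event changes one record rather than every application's ACL.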

Step 5: Bring It All Together

It isn't until the previous steps have been taken that enterprises are ready for a more pervasive application and data delivery mechanism for any device, Lambert says.

That's where the app store comes in.

"What's left is balancing IT control with an end-user experience built around convenience through an enterprise app store," she says, recommending app availability based on role, app request workflows and self-service subscriptions. The app store should also be able to offer native app delivery for mobile devices in use and "follow-me" access for information across devices.

Sounds good in theory, but, according to Gartner analysts, it may take a while for enterprises to realize those kinds of goals.

"The technology industry has long talked about scenarios in which any service or function is available on any device, at any time and anywhere," wrote LeHong and Fenn. "The technologies and trends that are part of this scenario include BYOD, hosted virtual desktops, HTML5, the various forms of cloud computing, silicon anode batteries and media tablets."

Among those, Gartner considers HTML5, silicon anode batteries and hosted virtual desktops to be keystones; the first two are still at the peak of the hype cycle, and hosted virtual desktops are just now sliding into the "trough of disappointment." If its prediction holds true, that means it may take up to five years for these lynchpin technologies to bear fruit within the enterprise.