There is one key way that mobile devices are affecting enterprise identity and access management strategies, Brink notes. "As enterprises reevaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, solution providers are responding by developing innovative options for authentication that leverage what is arguably the most personal, indispensable and ubiquitous of all modern devices: smartphones and tablets," he says.
The most common mobile options for end-user authentication in the enterprise that Aberdeen sees in its IT security research are one-time passwords, digital certificates and out-of-band authentication.
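As an added example, not code from Aberdeen, ADP or this article, the following shows how the first of those options, a one-time password on a smartphone, typically works: an RFC 6238 TOTP generator of the kind an authenticator app runs, next to the server-side check that tolerates a little clock skew, compares in constant time and refuses to accept a replayed code. The secret and timestamps are the published RFC 6238 test vectors; the class and function names are my own.

```python
"""TOTP (RFC 6238) generation and server-side verification with replay protection.
Added example; not code from ADP, Aberdeen or Computerworld."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 64-bit counter, then the
    RFC's dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    This is what the phone computes and shows to the user."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side check for one enrolled device.

    Accepts the current time step and +-window neighbouring steps to absorb
    clock skew, compares in constant time, and never accepts a time step at or
    below the last accepted one, so a code that was already used (or observed)
    cannot be replayed inside the skew window (RFC 6238 section 5.2).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.algo = algo
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, code: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0 or counter <= self.last_counter:
                continue  # never move backwards: blocks replay
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment
    # provisions a random per-device secret at enrolment and never reuses it.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))  # RFC vector: 94287082
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, 59), at=59))  # True
    print(v.verify(totp(secret, 59), at=59))  # False: replay
```

The replay check is the part most home-grown verifiers omit: with a skew window of one step, a code captured from a user's screen stays valid for up to 90 seconds unless the server remembers the last accepted step per device.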
ID Management Strategies
Organizations whose employees are using tablets and smartphones in the workplace are making identity management a key part of their security efforts in this shifting environment.
Automatic Data Processing Inc. (ADP), a Roseland, N.J., provider of human resources, payroll, tax and benefits administration services, supports mobile platforms including the Apple iPhone and iPad and RIM BlackBerry.
ADP employees use the devices for a variety of purposes, including access to email and applications such as back-office automated workflow, human resources and purchasing, says Roland Cloutier, vice president and CSO. Recently ADP began deploying business applications such as Salesforce.com customer relationship management (CRM) software on mobile devices.
The firm controls and manages smartphones and tablets, including the identity of users, via a mobile device management (MDM) application that is loaded on all the devices registered for access to the company's data and applications. Cloutier says the company doesn't actually connect mobile users directly to the network, but provides access to data through mobile gateways.
"We not only make people register their devices but we make them download the [MDM] agent and [provide written consent] that we can control some basic device protection capabilities" of the products, Cloutier says. "So for example we have e-discovery evidence-gathering capabilities of the device, and they agree to hand over the device for any legal matters." The company also has the ability to remotely wipe devices in the event they are lost or stolen and has used this capability on several occasions.
ADP users must be authenticated before they can get access to corporate information, and who gets to access specific types of data and applications depends on the individual's role in the company and the type of device being used, Cloutier says.
"We created authentication requirements based on the type of data" and who needs access to the information, Cloutier says. While the advent of mobile devices in the workplace did not result in ADP having to change its overall identity management procedures, it did force the company to take a closer look at its risk review data access processes.
Risk assessments could no longer assume that data never travels outside a corporate-protected device and its control requirements, and data-flow approvals had to take into consideration mobility and the maximum level of control available on any given platform, Cloutier says.