Alongside the mobile trend are new security challenges, a direct result of organizations' inability to enforce tight control over employees' personal devices. Download "Effective Identity and Access Management in a Mobile World" to learn about a new, cost-effective and easy solution enabling employees to access corporate data and apps quickly and easily, without the need to interfere with users' already personalized mobile devices.
Contents
Introduction 3
Mobile Identity and Access Management 3
Mobile Challenges 4
The Multi-Factor Solution for Personal Mobile Devices 5
The Good Vault Solution 5
About Good Technology 8
Effective Identity and Access Management in a Mobile World | good.com 2
A Good Technology Whitepaper
Introduction
Few developments have created more IT disruption in the past five years than the explosion of mobile devices
in the workplace. Organization after organization has reaped the benefits of mobile devices for employee
productivity, collaboration, and customer communication and satisfaction. Hand in hand with the mobile
explosion has been the trend of employees bringing their own devices to work, called Bring Your Own Device
or BYOD, which has enhanced employee satisfaction, productivity, and competitive advantage in companies
looking to hire the best of the younger generation or fulfill the needs of traveling executives. Most often the
personal device in question is a mobile device, such as an Apple® iPhone®, iPad®, or Android™ phone or tablet.
The challenge for IT has been to balance the obvious business benefits of mobile personalized devices
with the need to protect the organization from the confidential data theft, malware, and the other risks they
create. The perimeters and doors of IT networks risk being blown wide open as users add devices filled with
personal game, music, and other software, and connect to mobile consumer cloud services such as Gmail
and Dropbox. The security risks of consumer software and services are well known, as are the challenges of
managing and regulating the devices that use them.
Organizations must do their best to manage employee mobile devices using mobile device management tools.
But an essential part of a mobile management and security strategy is not only securing the mobile device,
which is increasingly challenging, but managing and securing its access to applications and confidential
organizational information.
Mobile Identity and Access Management
One of the key components of most organizations’ information security strategy is robust identity and access
management (IAM)—the technology and practices used to positively identify users accessing sensitive
applications and confidential information and to control their access and use privileges over time. IAM systems
are used in large organizations to manage access and privileges for hundreds or thousands of users over their
entire identity lifecycle, from the day they join the organization, through all their moves up or down the ranks,
to the day they leave. They are essential tools for ensuring that organizational information security policy is
adhered to and confidential information does not make it into the hands of the wrong people.
Most large organizations already have IAM systems in place. In fact, escalating security threats and widely
publicized data breaches have driven the adoption of IAM systems to unprecedented levels. In a June 2012
Security Markets Analysis (Market Analysis: Worldwide Identity and Access Management 2012-2016 Forecast:
Growth Driven by Security, Cloud, and Compliance), IDC predicted that the worldwide identity and access
management systems market, which reached $3.7 billion in 2010 and $4.2 billion in 2011, would grow by more
than half to $6.6 billion in 2016.
The need and growth have been particularly pronounced in highly regulated, security sensitive markets such
as government, healthcare, and financial services. Many of these sectors have embraced the benefits of
mobile technologies and are looking for ways to integrate them tightly with their existing IAM systems and
processes so they can remain secure and compliant. Bulletproof user authentication is particularly critical for
devices that move outside the organization, across the country and around the world, where they can easily be
lost, hacked, or stolen. It’s also important for devices that mix personal with organizational software and data.
According to IDC (Market Analysis: Worldwide Mobile Enterprise Security Software 2012-2016 Forecast and
Analysis), mobile identity and access management is expected to grow by 27.6 percent between 2010 and
2016. Particularly important is multi-factor authentication that moves beyond user passwords, which are often
mismanaged by users and easily guessed and hacked by experts, to more secure tools such as smart cards
and token devices, or anything else the user has or is (such as biometrics solutions).
Goode Intelligence, an analyst firm that specializes in mobile and information security, predicts that by 2014,
64 percent of multi-factor authentication sales will be mobile-based. In 2012 that number was already over 20
percent.
Mobile Challenges
The combination of BYOD and mobile device growth presents brand new challenges for user identity and
access management in an organization. Until recently IT owned all the devices and software accessing
confidential information and could impose tight limitations and controls on them. IT can no longer exercise
such tight control over personal devices. And with the use of personal devices, the ever growing corporate
perimeter has grown larger and more diffuse, defying attempts at management and control.
The challenge is to extend IAM systems to these devices safely and securely, ensuring that each and
every personal mobile device user is always strongly authenticated and that his or her access to and use of
corporate applications and information are strictly compliant with organizational information security policies.
Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption support is also important for mobile email
security. S/MIME is used widely by government and other security sensitive organizations to secure email with
robust encryption and verify senders.
It’s clear that roving users of personal mobile devices need an extra level of authentication beyond most
deskbound workers using IT supplied equipment well inside the corporate perimeter. Passwords can be useful
inside the perimeter but they have numerous well-known vulnerabilities that become even more pronounced
out on the road. It’s difficult to prevent users from making poor password choices that are easy to remember
but just as easy and convenient for hackers or device thieves to guess, or to prevent users from using the
same password for multiple personal and business accounts or writing passwords down in places that are
easy to access. Poor password choices make organizations vulnerable to man-in-the-middle and other attacks
that can be used to steal confidential information. Clearly, effective password management is often a major
headache for most organizations.
Many organizations have turned to one-time password tokens as a solution for multi-factor authentication,
adding something the user possesses to the requirement of a strong, one-time PIN or password. However,
even though tokens are more effective than traditional user passwords, their management has proven to
be expensive and resource intensive. They’re often inconvenient for users and are frequently lost. They
sometimes lose their synchronization with the centralized identity management system they’re supposed to
authenticate with and a number of sophisticated threats and hacks have been developed over the years to
overcome their security advantages.
Many enterprises have deployed smart cards to provide strong multi-factor authentication, but smart cards
require smart card readers, which can be cumbersome for mobile users on the road and interfere with the
quick and easy use of mobile devices required to reap their full benefits.
The Multi-Factor Solution for Personal Mobile Devices
What is needed is a strong mobile multi-factor authentication solution that integrates tightly with existing
enterprise smart card management and IAM solutions, meets all the stringent needs of security and privacy
regulations such as HSPD-12, FIPS, FFIEC, PCI, HITEC, and HIPAA, but is also portable, lightweight,
compact, and convenient enough for users to carry and log into corporate applications quickly and easily
from the road. Ideally the authentication mechanism should be attached to the mobile device and no more
inconvenient to carry home, on the road, to an Internet enabled café, the airport, and across the globe than the
mobile device itself. It should also be as user-friendly as possible so users don’t feel it interferes with the quick
and easy use of their chosen, often personalized mobile devices.
Finally, any multi-factor authentication solution should be easy and cost effective for IT to configure and
manage, allowing the use of an organization’s existing standard CAC/PIV smart cards. As a mobile
authentication solution it should integrate tightly with current enterprise card management and identity and
access management platforms, while providing the flexibility to keep pace with evolving IAM standards as
newer, improved technologies become available.
The Good Vault Solution
Good Technology™’s Good Vault™ is one of the first and most comprehensive solutions on the market
for extending enterprise identity and access management to mobile and personal devices. Good Vault
provides robust mobile multi-factor authentication and secure email for the most security sensitive and
regulated organizations. It perfectly balances the needs of IT managers for security and regulatory
compliance, with those of executives, and other mobile users, for rapid, easy adoption.
Good Vault supports all legacy smart cards as well as Micro SD options for storing user credentials
and keys and integrates tightly with Good Technology’s award winning Good for Enterprise™ corporate
messaging application. Perhaps most important of all, however, is that Good Vault has been carefully
designed to provide airtight security and compliance without compromising the mobile user experience or
the compact mobile form factor of typical smart phones.
Good Vault employs strong two-factor authentication, requiring each and every user to provide something
he or she has—a Secure Element (SE) on a smart or Micro SD card—with something he knows—a
personal identification number (PIN). Smart Cards and secure Micro SD cards provide this secure
element in highly secure crypto chips, adding hardware protection and tamper resistance to Good for
Enterprise’s existing authentication platform.
Good Vault works with slim Smart Card and Micro SD reader sleeves that fit directly over smart phones,
server side software used by IT for administration and credential issuance and management, and an
easy-to-install and configure Good Vault user application for mobile device users.
Good Vault’s smart card option supports all the major smart card standards such as CAC, PIV, PIV-1 and
CIV. The mobile reader, supplied by Precise Biometrics, Tactivo™, is a slim casing that fits over the iPhone
4 or 4S, adding only about a half inch in length and .22 in thickness to the device and weighing a mere
1.5 ounces. The solution complies with Apple MFi certification. FCC, CE Marking, GSA FIPS-201, and
Unified Capabilities Product listing certifications are either under way or planned. The sleeve is carefully
designed so it does not block the iPhone camera, even when the smart card is placed in the reader. In all,
there are no compromises to the mobile form factor or user experience.
The MicroSD option also consists of small form factor cards, similar to smart cards, with embedded PKI
cryptographic chips. It also uses a slim casing for the iPhone 4 or 4s and contains a slot for inserting a
MicroSD card. It’s supplied by Device Fidelity through HID Identity Assurance, formerly ActivIdentity and now
part of HID Global®, and it uses HID’s ActiveID Credential Management System to issue and manage the
MicroSD cards for either primary or derived credentials.
The MicroSD doesn’t necessarily replace a smart card solution. It can either serve as an alternative option for
primary credentials or it can be used in parallel with smart cards for derived credentials, with the smart card
used as the primary credential. In such a case, new authentication and signature keys are used in the MicroSD,
but the same encryption key used in the smart card is used by the MicroSD card so emails can be decrypted on
both mobile and desktop devices. PIV, PIV-1 and CIV formats are all supported with both primary and derived
credentials on the MicroSD card.
Both hardware options also store PKI credentials for S/MIME email signing and encryption to ensure nobody on
the communications link between the sender and recipient can read an email.
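The derived-credential model from the two paragraphs above (fresh authentication and signature keys on the MicroSD, the smart card's encryption key reused so S/MIME mail opens on both desktop and mobile), as an added, runnable model that is not Good Technology's code. HMAC-SHA256 stands in for PKI signatures and a SHA-256 keystream with an HMAC tag stands in for S/MIME encryption so it runs on the Python standard library alone; the Credential class, the function names and the sample message are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    holder: str
    auth_key: bytes  # authentication key: unique to each credential
    sign_key: bytes  # signature key: unique to each credential
    enc_key: bytes   # email encryption key: shared by primary and derived

def issue_primary(holder: str) -> Credential:
    """Primary credential, as it would be issued to the smart card (toy keys)."""
    return Credential(holder, secrets.token_bytes(32),
                      secrets.token_bytes(32), secrets.token_bytes(32))

def issue_derived(primary: Credential) -> Credential:
    """Derived credential for the MicroSD: new auth and signing keys, but the
    same encryption key, so mail encrypted to the user opens on both devices."""
    return Credential(primary.holder, secrets.token_bytes(32),
                      secrets.token_bytes(32), primary.enc_key)

def sign(cred: Credential, msg: bytes) -> bytes:
    return hmac.new(cred.sign_key, msg, hashlib.sha256).digest()

def verify(cred: Credential, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(cred, msg), sig)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(enc_key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC stand-in for S/MIME: nonce || body || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(msg, _keystream(enc_key, nonce, len(msg))))
    mac_key = hashlib.sha256(enc_key + b"mac").digest()
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt(enc_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hashlib.sha256(enc_key + b"mac").digest()
    if not hmac.compare_digest(hmac.new(mac_key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
```

A message encrypted on the desktop under the primary credential decrypts with the derived credential and vice versa, while a signature made with the derived credential does not verify under the primary one, which is exactly the separation the text describes.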
Good Vault is a Good Dynamics®-enabled solution. Good Dynamics is Good Technology’s secure application
development platform, providing a secure container for safe access from anywhere in the world without the need
for a VPN client installed on the mobile device. It includes policy management capabilities for enforcing rich and
granular enterprise policies at the application level and prevents data loss with encryption of data both in transit
and at rest.
While Good Vault supports two hardware solutions today, it is intended to be hardware agnostic. Good Vault is
the first product to be delivered through the Good Trust™ security platform that extends critical identity and
access management capabilities like strong authentication, single sign-on, and identity federation to mobile
devices and applications. Good Trust will support a wide array of authentication mechanisms, including new
technologies such as biometrics, as they become available. Because Good Vault is a Good Dynamics-enabled
solution, it can leverage Good Trust’s robust APIs to be extensible to these new technologies too.
[Figure: The Smart Card option for authentication includes a slim device casing and a slot for inserting an identification card.]
[Figure: The MicroSD option also includes a slim device casing that can carry a mini-card with stored credentials.]
Good Vault: strong authentication to GFE today, extensible to Good Dynamics-enabled apps.
With Good Vault, you get the best of all worlds. C-Level executives like the CISO or CIO take advantage
of Secure Element technology for strong authentication and email security to protect corporate data,
prevent data loss, and meet regulatory compliance requirements. IT managers can harness their existing
infrastructure for PKI credentials, extending the same controls they have on the desktop to mobile users,
and lowering their overall costs for identity access and management. They can also promise unmatched
convenience and portability to drive quick adoption. And since the solution maintains the sleek design and
usability of the phone, the mobile workforce remains productive without sacrificing security.
For mobile organizations looking to comply with the most stringent regulations and security standards,
an authentication solution that harnesses a Secure Element perfectly balances the flexibility and freedom
users require with the IT security controls needed to protect sensitive applications and data. A solution
that maintains the mobile device form factor and user experience simplifies user adoption. Hardware-
based multi-factor authentication ensures that credentials cannot be tampered with and tight integration
with current and evolving enterprise IAM platforms allows organizations to provide robust, cost effective
mobile security today as well as tomorrow. Good Vault provides such a solution, keeping enterprises safe,
secure, and compliant in the changing and evolving IT environment of mobility and consumerization.
For more on Good Technology’s Good for Enterprise, visit here.
For more on Good Technology’s Good Dynamics, visit here.
For more information on Good Vault, visit here.
For more information on Good Trust, visit here.
Strong Two-factor Authentication that
• Meets stringent security standards and compliance regulations
• Preserves existing identity and access management investments
• Can evolve to other authentication mechanisms as they are available