Access Management In A Cloudy, Mobile World

Access Management In A Cloudy, Mobile World

Lately, I’ve noticed that user access management is a recurring topic of discussion with customers and partners. Two major trends transforming industries today – mobile and cloud – are acting as catalysts for a renewed focus on this critical area of security.

As mobile devices proliferate at a staggering pace, enterprises see a rich new channel through which to reach customers. Enterprises are also realizing that a much larger set of employees want to use mobile devices – which can enhance individual productivity as well as generate business value.

We’re in the BYOD era, where secure access to enterprise resources is key for all mobile deployments. Secure mobile access has some unique requirements:

  1. Since mobile devices are shared more often it’s important to authenticate both the user and the device before granting access.
  2. To mitigate the threat of man-in-the-middle attacks, emphasis must be placed on strong session management capabilities.
  3. The risk of granting access to the user based on their context (time, network, location, device characteristics, role etc) needs to be determined so appropriate counter measures can be taken. This risk calculation can help select the appropriate authentication scheme(s), identify corresponding authorization policies to enforce, and provide the user with information on security best practices. Additionally, threat protection from access requests needs to identified and countered to protect against mobile-borne attacks.

In the past few years, organizations have had growing economic incentives to source their technology services from cloud based providers – from software, to platforms, to infrastructure.

Cloud deployments help organizations improve time to value for delivering new services or content, while also avoiding capital expenses. As an organization employs cloud-based solutions, or launches its own cloud offerings, secure access needs to be a Top Security consideration.

To improve user experience, a robust single sign-on solution that enables secure federation of identities across domains becomes critical. Some organizations are beginning to employ third-party identity providers (i.e. Google, Facebook, LinkedIn) to authenticate the user. However, first consider if the identity provider has been compromised.

A cloud access management solution needs be able to assess the risk of a specific access attempt based on security events related to the user. In cloud environments a flexible policy management and enforcement infrastructure (for authorizing access) grows in significance in order to adapt to dynamic interactions with cloud services for cost management and compliance.

Over a year ago, IBM leadership began a concentrated effort to address these new requirements in the IBM Security Access Manager (ISAM) solution for cloud and mobile, which now enables context-aware access control to help organizations assess the risk of each interaction and adapt accordingly.

The risk of an interaction may motivate the use of different forms of authentication schemes or provide the user with differentiated authorization to data or services. To compute the risk the user’s device and the application can be taken into consideration. Expect to hear more about the needs of a mobile enterprise with cloud ambitions in 2013!

By Vijay Dheap, Product Manager and Master Inventor, IBM Security Systems

Vijay currently leads Mobile Security Solutions for IBM.  He started off his career as a researcher in the field of Pervasive Computing, and then evolved his technical expertise as a developer on IBM’s mobile portal product.  He transitioned to an analyst role gaining experience formulating IBM’s technical and business strategy for emerging technologies such as Web 2.0, Big Data and Mobile as a member of IBM’s Emerging Technologies Team.  He joined IBM’s newly formed Security Division as a Product/Solution Manager.  He has significant international experience having led several customer engagements on four continents.  Vijay earned his Master’s in Computer Engineering from University of Waterloo, Canada and his International MBA from Duke Fuqua School of Business.

Louis
Manufacturers’ Top Demands For Quality Software Competing on product quality has never been more urgent as rising raw material and component costs continue to squeeze manufacturers’ margins. At the same time, unpredictable supply chains make ...
Cloudtweaks Comic Ai
How AI Is Important for Businesses Shifting to Remote Work The Coronavirus Pandemic has taught us that organizations must have remote work choices. It is no longer possible to work in a digital environment. The ...
Sofia Jaramillo
Augmented Reality in Architecture Augmented reality (AR) is a growing field of study and application in the world of architecture. This useful tool can help us visualize architectural designs by superimposing them onto real-world scenes ...
JK Chelladurai
Usage-Based Pricing We are now in an era where many businesses are flipping their business model and shifting from subscription-based pricing to usage-based models, to better cater to the modern ‘pay-as-you-consume’ buyer. So what exactly ...
Dana Gardner
Low-code Development Has Entered a Maturity Spurt Closing the gap between the applications and services a company needs -- and the ones they can actually produce -- has long been a missing keystone for attaining ...

SECURITY TRAINING

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.

  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.