Managing Multiple Identities and Ensuring Data Security in the BYOD Era

March 9, 2015

The mushrooming of mobile devices, each with its own platform, has also led to the problem of managing the multiple identities that employees maintain on such devices and use to access enterprise apps and data.

The world is moving away from the concept of workstations tethered to employee desks, running apps loaded by the IT team and constantly monitored, maintained and upgraded by that team under a common IT strategy for the organisation. While this may not be completely true for organisations that stick to mundane tasks and don't really feel the need to upgrade, the urbane employee working in one of the hip organisations would swear by it. Compounding the need for a BYOD, or let's say diverse mobile device, culture is the gradual phase-out of old IT infrastructure that has to be replaced by the new technologies in vogue. For instance, most of the newer apps are moving to the cloud and provide ease of access via mobile devices. You are no longer tied to the in-house IT infrastructure in the old server room. This has led to a constant clamour amongst employees to use the devices and platforms they are most comfortable with to access those apps, partly because the consumerisation of IT has made such devices more affordable, and partly because of the increasing consumption of apps over the Internet. It is also a convenience for enterprises, as they gain a flexible workforce that works from anywhere.

Managing the show on the other side is the IT admin. While the scenario is not so scary, he no longer has the comfort of managing a uniform set of hardware and software. And while browser-based access to apps deployed on the cloud might appear more secure, managing the identities used to access those apps can be quite a challenge. For instance, employees accessing common storage and communication apps such as Dropbox, Skype, etc. could be on different platforms: iOS, Android, BlackBerry or Windows. They would require different apps for accessing these services and create different identities in the process. The situation gets further complicated when a single employee uses multiple platforms to access one application. How, then, does an IT admin keep track of the authenticity of a particular ID? A typical user accesses on average 10 different applications during the course of a normal workday. Naturally, nobody wants to remember separate login credentials for each application they access. So a likely consequence of this practice is that corporate credentials need to be reset several times a year simply because the employee forgets them!

Authentication via social media?

Could this be the panacea for managing multiple identities? Most websites already accept your social media credentials for allowing access to their services. This way they can keep track of your activities on their site from a marketing perspective, and it also rids employees of having to remember multiple login credentials for the different websites that provide services to organisations. But there are counter-arguments to this approach as well. For one, most employees might be uncomfortable sharing personal details or accounts for official work. Secondly, where is the guarantee that employees don't have multiple accounts on such sites, which might cause a conflict of identity in future?

Most major social media sites provide widgets and APIs that enable the login credentials a user has for their site to be used as a way of authenticating to another. This is convenient for the consumer, as it allows them to register for a service more easily and then, of course, when they return at a later date, they are far more likely to remember the credentials for their favourite social media site. For an IT admin, there will be additional questions on verifying the veracity of social identities, how to set up and manage them, and how to authenticate the actual user behind the identity. I don't see any reason to feel scared here unless the same ID is used to carry out financial transactions, raise invoices, etc. Using social identities is more beneficial in the long run, as the account is likely to have been active for some time and also has a history of activity from the genuine user; it is arguably far better to be using social identities than ones created on the fly.

Data falling prey to cyber criminals

What are the tasks that the majority of employees do through mobile devices? Checking email, taking notes, reviewing and editing documents, and sharing content with partners, colleagues and customers. This means that personally owned devices are used by employees regularly to check, download, upload and share important content on corporate systems. If an employee has fallen prey to a cybercriminal, that content can be accessed through malware on the mobile device, by guessing a password that is likely to be simpler, by getting hold of a lost device, or by obtaining login credentials that the user reuses across multiple systems. Consequently, most IT managers may not accept the status quo of simply letting users dictate their own login credentials and access methods. Instead, to protect corporate systems and content, the IT team has to formulate and implement more robust identity and access management systems that are tailored to the sensitivity of the information and systems being accessed, the access rights of users, etc.

Regulatory compliance issues

Another important reason for organizations to take back more control over identity and access management is the large proportion of corporate content that exists in repositories like Dropbox, on mobile devices themselves, or in user-generated archives like .pst files. When organizations face regulatory audits, they must have access to all of their relevant content, and must access this content in a relatively short amount of time. If users have established their own credentials and stored this content in repositories to which IT, legal or others do not have access, this puts the entire organization at risk of not being able to access critical content on time. Moreover, it prevents the organization from enforcing its content retention rules — content can easily be created and then saved or deleted in violation of corporate policies.

Mobile app containerization

This is a new trend in MDM that aims at 'application'-level security mechanisms as opposed to 'device'-level protection, with an emphasis on providing finer-grained application-level controls rather than device-level controls alone. App containerization can allow organizations to protect their data on any mobile device by ensuring that security restrictions apply only when the user interacts with the official business applications. So, while Mobile Device Management (MDM) empowers IT with device-level controls such as executing a remote data wipe, enforcing a device password policy, etc., app containerization aims to divide the personal space from the professional one. However, such a policy is fraught with concerns over intrusion into employee privacy: why should an organisation access storage that contains my personal photos? Next come concerns over the safety of employees' personal data: what if the organization wipes out all of my personal data in order to reduce the risk to some of the corporate apps?

So, app containerization should focus on combining the best of both worlds. Through this technique, personal and containerized apps can coexist on the mobile device, but each application's data stays within the confines of its own 'container'. And while the user might access personal data over the Internet through any means, communication with corporate servers or other 'containerized' applications is completely 'secure'. It enables secure and seamless data and service sharing between containerized apps. Users can access, edit, sync and share corporate documents, or run other workflows that require multiple applications to work in coherence with each other. Further, employees can switch between personal and corporate applications seamlessly, without the risk of compromising company information.

In summary, we can think of more challenges and likely solutions to managing identities and ensuring data security in this BYOD conundrum, but the truth is that nobody knows for sure how it is going to mature in future, which platforms are going to settle down eventually, and whether employees are going to pursue BYOD aggressively at all. So there can never be a one-size-fits-all solution, and each organisation has to carefully evaluate all options before formulating a BYOD strategy.
