It’s Tuesday at 9:13 a.m.—do you know how many cloud apps and services are being used within your organization? I’ll give you a hint: it’s way more than you think. A recent survey by cloud service monitor company Skyhigh found that it is significantly higher than most suspect. As Nancy Gohring explained the findings, “On average [Skyhigh] customers use 545 cloud services. That’s a far cry from the 40 or 50 apps that most CIOs…think their employees use.”
These cloud services with their native apps represent the frontier of the consumerization of IT where employees, emboldened by their ability to dispatch apps and services at will, are en masse changing the landscape of enterprise technology. However, this shift in acquisition of technology by the end user has not let IT off the hook for managing and securing the corporate network and its associative data.
Progressive organizations that want to encourage, rather than hinder, the spirit of consumerization need to cover certain bases to make sure that users are enabled in a secure and managed fashion without limiting the user experience. One aspect of security that should remain firmly in the domain of IT management is user authentication and authorization.
As the number of apps and services increases for the average user, managing app access represents a significant security and convenience issue. There are two major issues caused by this overwhelming use and reliance upon apps that access the plethora of available cloud services. First, it is a pain for users to have to constantly re-enter user credentials. This inconvenience will wear on the users and they will look for less than secure shortcuts to avoid this. Second, and most importantly, it is a governance and security issue for not only IT, but organizations as a whole. Organizations need to maintain a full picture of what is being accessed by who and when.
Many users approach cloud applications in one-off manner. They are often forced to create a user name and password for each service. Oftentimes these usernames and passwords are too simple, get lost, and are forgotten. They are also not centrally managed. Organizations with little awareness of the vast number of services being used by their employees have no idea what data is coming and going. They are also unable to mitigate any security threats for a given service. Lastly, when a user departs an organization it becomes a challenge to revoke access to the myriad services they had access to.
It is precisely these issues that a group of experts in the security industry has come together to attempt to solve. I had the chance to speak with one of these leaders, Paul Madsen of Ping Identity, who will participate in the working group that has formed within the OpenID Foundation. Called the NativeApps Group, or NApps for short, the group is working on developing a Native Single Sign On (SSO) protocol for mobile apps.
As Madsen related, the end goal of NApps is a standardized protocol that would allow a Token Agent on a mobile device to seamlessly manage authentication and authorization across all applications on that device. What Native SSO will mean to organizations is that there will be an interoperable ecosystem of different apps and back-end services, all built by different vendors, that will be able to communicate and leverage the same security protocol for authorization and authentication.
A mobile app that wanted to leverage the NApps Native SSO standard would be designed to interact with the Token Agent on the device and routinely check for the appropriate token to approve or deny access to app functionality. If no agent is present, the app would automatically switch back to the service’s current proprietary capability.
What would the Native SSO user experience be like? The example that Madsen used was that upon accessing your first enterprise app each day, the Native SSO Token, branded with your enterprise look and feel, would open. Users would log in to the Token Agent with their Active Directory credentials. This authentication will happen at the enterprise and not some other third party. The credentials would follow the same strength and expiration policy as set up by the IT department. After users entered their username and password they would be passed securely to the enterprise identity server. After validation the identity server would pass back security tokens to the TA; these would be valid for a given period of time, say twenty-four hours. Once in possession of these tokens, the TA would use them to obtain the necessary security tokens for the business applications, and provide the user seamless access to mobile application services such as Box, Dropbox, Concur, Evernote, or on-prem applications.
This experience differs from current Single Sign On (SSO) standards or deployments in two regards. First, the apps for which SSO is enabled are native applications rather than browser-based. Second, NApps is looking to define an open standard and resultant ecosystem of interoperable implementation. This has a huge advantage in that it doesn’t lock an organization into a single vendor’s paradigm.
So, how soon before something like this is available for enterprise consumption? Madsen told me that NApps is currently kicking off in the OpenID Foundation. They hope to have a draft specification late this year, which a variety of vendors will likely implement against. Madsen hopes to see a ratified standard to follow six to nine months later.
Some of the biggest hurdles that face the emergence of this much-needed service in the enterprise are competing interests by vendors and app developers. Without the availability of a native SSO service, mobile app vendors have little incentive to integrate into this model. This will change, however, as NApps is currently supported by such cloud leaders as Salesforce and Box. Enterprises, with greater control over their own apps, will be able to implement this sort of solution on a much faster basis once it becomes available.
The proliferation of apps and services within any single organization is a security issue that should not be taken lightly. Organizations that have a holistic understanding of information access and flow will be in a position to avoid opportunistic and careless data breaches. Those who fail to position themselves in the modern world of consumerized services in the enterprise will continue to have their risk profile increase.