Meet the Challenge of Consumerization by Managing Applications Instead of Clients
#mobile Managing access to resources instead of from devices is the key to a sustainable access management strategy.
CSO Online recently reported on the results of a study conducted by Unisys with respect to mobile devices and IT readiness. The article – and report – are full to the brim with interesting statistics regarding not just usage of mobile devices within the enterprise but attitudes of employees toward the necessity of those devices to perform their daily tasks.
It also focuses on IT and its awareness –and readiness - to handle the steady influx of mobile devices. If you were going to guess that “security” came up high on the list of concerns, well, you’d be absolutely right.
If we were to dig into the specific security concerns IT has regarding the consumerization of IT we would almost certainly find that a plurality of the issues correctly focus on access to resources: applications and data. It is the data and applications around which we must focus security policies if we are to effectively manage the explosion of consumer devices in the enterprise. And exploding it is, according the Unisys study – as well as most other sources with respect to consumerization.
And yet most of our policies focus on controlling access from users, devices and locations instead of controlling access to application and data resources. The difference may appear subtle on the surface, but when applied to operational implementation and long-term management, such a change in perspective proves to be the proverbial magic wand that makes it possible to adapt as rapidly as required to the constantly evolving client device landscape.
With the diversity of client devices and locations from which employees may be using them, it should quickly become evident that managing a traditional device-application mapping for access management will be unsustainable. A new methodology for managing access must be developed and it must be flexible; able to rapidly adapt to new devices as soon as they appear in the enterprise. We need to focus on managing access to resources instead of from devices.
WHY TO INSTEAD of FROM MAKES A DIFFERENCE
When the focus of access policies is on from it becomes necessary to map multiple clients to multiple applications. For every client you identify there must be a way to indicate which applications and resources that client can access.
That makes supporting a new device a lengthy process as policies governing access from that device must be created. That’s nearly opposite of the way we think about access management. When we talk about new devices and their impact to access management and security in general, we talk about it in terms of access to specific applications and services.
Being able to view and manage access policies in an application-centric perspective means you’re managing access to applications, which is how we tend to think about application access. We don’t start from the perspective of a mobile device and ask, “From this device and location, what applications can be accessed?” We tend to start from the application point of view and ask, “What devices and locations have access to this application?” The answer to the latter tends to be a smaller subset than the former, which places a much lower burden on operations to codify the results.
By enabling access management policies to be viewed from the point of the application, we also lay the foundation for enabling those policies to be service-enabled. That will make it possible to manage application access, not device access, in a services-oriented fashion. As we continue to move toward IT as a Service, a.k.a the dynamic data center, this point of view makes it easier to architect services that can be enabled for application owner, i.e. business stakeholder, self-service. It separates applications from devices in such a way as to promote application multi-tenancy and allows each application to have its own device and location specific policies applied, without potentially interfering with access to other applications. If we manage by device, we either need to create a greater number of policies in order to enable the kind of self-service we hope to eventually realize because we don’t want the managers of application A to have the ability to muck around with policies governing access to application B. But if we manage on a device or user-centric basis, that’s exactly the kind of environment we end up creating.
We need to manage access to applications such that the impact of new devices appearing on our radars is minimized. By managing based on application rather than device or even user, we enable policies to leverage a default deny model in which only approved devices are granted access to that application or a default allow in which only specified devices are denied access. When the default access policy matches organizational policy, it reduces the impact of new devices because policies are less likely to require modification for each and every new device that appears. A to application model better aligns IT with the business and ultimately provides the basis for self-service application access management by isolating policies at the applications – which are specific to business units – instead of devices – which are non-specific.
It’s a subtle difference, but one that in the future will make a significant impact on the ability of IT to provide IT as a Service.