There is a lot of talk in the media these days about Bring Your Own Device (BYOD) and Company Owned, Personally Enabled (COPE) devices. As this trend continues to grow in Sweden, Scandinavia, and beyond, more and more organizations are being confronted by the issue. With one in three employees using their own devices at work without permission, it is a problem that organizations can’t avoid. As Andreas has told me before, those who try are ending up with a rash of “shadow IT,” resulting in lost data and exposure of valuable assets. When you read all this news, though, no one really offers any solutions. Some think Mobile Device Management (MDM) is the cure-all. As PwC rightly points out, however, MDM does “not address the more strategic considerations necessary to create a BYOD infrastructure, however, and should be considered tactical in nature when not a part of a comprehensive strategy.” An important part of any BYOD solution is API security.
As I explained in a whitepaper available on Twobo’s site (in Swedish as well as English), overcoming the challenges associated with BYOD requires the focus to be on who the end user is, not on who owns the device. From identity flow usage policies, device security, enterprise security practices, and API security. For API providers, this user-centered emphasis requires them to determine the end user’s identity and then decide what that user is allowed to do with the requested resources. To do this, providers must address these questions:
- Which client app is the end user operating?
- How can the user prove who they are in a secure and trustworthy fashion?
- How can end users authenticate elsewhere (e.g., at their employer’s Active Directory or with Google) and propagate that identity to the API?
- Has the device been enrolled in the company’s MDM system?
- How can information about the requested resource, the user, and the device be combined with behavioral patterns to make a risk-based access control decision before returning the data?
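As an added example (not code from the original post or from Twobo), the following policy decision function combines the signals behind these five questions, namely the calling client app, the proven user and the identity provider that vouched for them, MDM enrollment, the sensitivity of the requested resource, and a behavioural signal, into an allow, step-up, or deny decision before any data is returned. The client registry, trusted IdP list, resource sensitivities, and risk weights are all assumed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed registry of client apps the API provider has issued credentials to.
KNOWN_CLIENTS = {"com.example.mobile", "com.example.web"}
# Identity providers the enterprise trusts for federated login (assumed).
CORPORATE_IDPS = {"corp-ad"}
# Sensitivity of each resource, 0 = public ... 3 = highly sensitive; unknown -> 2 (assumed).
RESOURCE_SENSITIVITY = {"/api/public": 0, "/api/calendar": 1, "/api/payroll": 3}


@dataclass
class AccessContext:
    client_id: str               # which client app is calling (from the token)
    user: Optional[str]          # subject proven by the token/assertion, None if none
    idp: Optional[str]           # where the user authenticated, e.g. "corp-ad" or "google"
    device_enrolled: bool        # is the device enrolled in the company's MDM system
    resource: str                # requested API resource
    country: str                 # where this request originates
    usual_countries: Set[str]    # behavioural baseline for this user
    recent_failures: int = 0     # failed attempts in the recent window


def score_risk(ctx: AccessContext) -> Tuple[int, List[str]]:
    """Sum weighted risk signals and list the ones that fired (weights are assumptions)."""
    signals = [
        (ctx.client_id not in KNOWN_CLIENTS, 3, "unknown client app"),
        (not ctx.device_enrolled, 2, "device not MDM-enrolled"),
        (ctx.idp not in CORPORATE_IDPS, 1, "authenticated at non-corporate IdP"),
        (ctx.country not in ctx.usual_countries, 2, "request from unusual country"),
        (ctx.recent_failures >= 3, 2, "repeated recent failures"),
    ]
    risk = sum(weight for hit, weight, _ in signals if hit)
    reasons = [why for hit, _, why in signals if hit]
    return risk, reasons


def decide(ctx: AccessContext) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons); tolerance shrinks with sensitivity."""
    if ctx.user is None:
        return "deny", ["no authenticated user"]
    sensitivity = RESOURCE_SENSITIVITY.get(ctx.resource, 2)
    risk, reasons = score_risk(ctx)
    max_allow = 3 - sensitivity        # payroll tolerates no risk, public tolerates 3
    if risk <= max_allow:
        return "allow", reasons
    if risk <= max_allow + 3:
        return "step_up", reasons      # e.g. require a second factor, then retry
    return "deny", reasons
```

The reasons list is returned so the decision can be logged and audited alongside the allow/deny outcome.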
Answering these questions allows API providers to confidently expose their data to end users regardless of device ownership. Doing so, however, is only possible by focusing on digital identity. Some may naively say that OAuth is the solution for all this. While this emerging technology has a role to play, calling it the solution is like saying that you can get to Stockholm by going east. While this might be true if you’re in Gothenburg rather than Helsinki, many more details are needed to successfully make the journey. Answering these questions requires API providers to leverage other technologies such as Web SSO, authentication, transaction-based authorization, and, in some cases, even automated user account provisioning. Together with OAuth and MDM, these technologies can be combined into secure APIs that can be consumed from any device, regardless of ownership, much as one bakes ingredients together into a cake.
On February 21, together with StjärnaFyrkant, Ping Identity and others, we’ll be talking more about BYOD and how APIs play an important part in overcoming the associated challenges. You can find more information about location, time, agenda, etc. (in Swedish) on Twobo’s blog. Attendance is free, so RSVP today while there’s still room. Also, we are working with Andreas and Dopter to arrange some API-related events where we’ll discuss these things in more detail as well. More from Andreas on that soon, I’m sure. Till then, please register for the BYOD conference, and feel free to contact me with comments or questions.