Simpler and smarter cloud security with MobileIron Authenticator

Webinar transcript

Thanks, everyone and welcome to this webinar today where we will talk about how you can provide simple and smart security for your enterprise cloud. Over the next 25 minutes or so, I'll go over the MobileIron Access portfolio. And what we're really excited to talk about today is the newest capability, which is MobileIron Authenticator, a multifactor authentication application. Organizations today are undergoing a major transition from an IT infrastructure perspective. What was traditionally dominated by desktops and an on-premises data center is today being replaced by modern endpoints and mobile endpoints, and the data center is being replaced with services moving to cloud infrastructure. As a result of this transition from desktop data centers to the mobile cloud world, organizations no longer have the safety net of the enterprise on-premises perimeter where they enforce security controls to protect data that was always within IT control. In today's world, data resides in a variety of modern endpoints and a variety of cloud services and infrastructure that is often outside of the organization's controls. And the biggest question that most organizations have today is, "How do you secure data in this environment where it is outside of IT control?" And when you look at some of the statistics from the research that's been conducted by a variety of analysts, it's clear that organizations are in a no-win situation. 85% of businesses recognize that they face a mobile security threat. Unfortunately, 32% of them have admitted that even though there is the threat that they're aware of, there is little that they can do and they have intentionally sacrificed mobile security to improve business performance. And this is primarily because customers are often applying yesterday's solutions to today's technology and these solutions don't allow them to move at the speed of the transition to the mobile cloud world.

And the risk that all organizations are exposed to as a result of not having the right tools is that they're exposed to data breaches and each breach, on average, can cost an organization up to $3.6 million. That is by no means a small amount. And when you see-- when you look at a detailed investigation of the data breaches that occurred in 2017, it's kind of funny to see that the top cause for these data breaches, even in 2017, was something as simple as stolen passwords. And this is, again, primarily because customers are using the simple, rudimentary, basic approach to securing their cloud services, which is where they just require a user to provide a username/password. And once that's provided and validated, the user has seamless access or unrestricted access to all business data across mobile devices and so on. The risk here really is that if that user's credentials were compromised, which is really easy to do in today's world, a malicious user with those credentials could have unrestricted access to business information and hence the data breach. So when we talk about passwords, there are actually three different challenges of passwords that kind of-- that are specific to the world that we operate in today, which is increasingly dynamic. The first challenge is the fact that passwords are not secure. Also, they're not user-friendly when users or employees are starting to use these on mobile devices. And the last piece is that passwords aren't intelligent; they cannot establish a baseline of the environment that the user's operating in. And we'll go into each of these a little bit more over the next couple of slides.

So let's talk about the passwords, the problem with passwords not being secure anymore. Now, one of the things with passwords being hacked and different dictionaries, and brute force attack methods, and so on, what organizations have required employees to do is have increasingly complex passwords, right? Now, as a result of employees being required to have increasingly complex passwords, it's hard for them to remember them. And the first thing they do is write them on Post-it notes and leave them on their computer. That is one of the problems. The other part is employees are increasingly on unsecure wireless networks. They're at airports, they're at coffee shops, trying to access business information. Those wireless networks could potentially be breached and users could lose their credentials that way. Users also fall victim to phishing emails as a result of which they could still inadvertently end up giving up their user credentials, corporate credentials, and that could allow malicious users to use that against them. Now, this problem, right, the problem of passwords being unsecure has been solved by the industry a long time ago, right. That's when multifactor authentication originated, where you augment or you require the user to provide multiple factors of authentication, the first factor being something they know, which is the password, and the second factor being something they physically have on themselves, which, in this case, would be a hard token that users would carry with them. The hard token generates a unique six-digit PIN code that's time-based and the users have to keep entering that PIN every time they try to access a business service. There are multiple varieties of multifactor authentication but this is the most common one, where you have the first factor being something they use the most, typically a password, and something they have on their person. Now, these solutions work very well from a security perspective, but there are challenges associated with it. The challenges are the logistics and costs involved in managing hardware tokens.

So let's take the case of an organization that has even 500 employees across the globe or in a variety of remote locations. For the IT administrator to manage the token distribution, replacing tokens, helping users that might have forgotten their token, or broken their token, and so on, there are logistical challenges to it and there's a cost associated with it. Then there's the user experience piece of it. The user has to remember to carry a token with them at all times; every time they try to log into the VPN or log into a service, they would have to remove it, type it in, make sure they type it in before it changes. There are complexities involved in it. So, given this, right? This is the traditional way of doing it. I'm happy to announce MobileIron Authenticator, which is a modern approach to solving the multifactor authentication requirements. With MobileIron Authenticator, what we're providing organizations with is a mobile application using which users can verify the authentication requests, instantly approve their log-ins via push notifications on their secured smartphone that is registered to MobileIron UEM, and then apply contextual policies that allow for the deployment of adaptive policy enforcement. Now, let's take a quick look at how Authenticator is different from the multitude of modern multifactor authentication solutions available on the market. I'm going to show you a quick demo video. And what I will go through is how a user would enroll their device for multifactor authentication. And what you will notice is that the Authenticator app is pushed to the device automatically through MobileIron's unified endpoint management system. The user is only required to launch the app to activate and enroll, which is seamless, which is a fantastic user experience. They don't have to-- IT doesn't have to send them a 10-step guide. No QR code scans and all of that. It's just absolutely hassle-free. And finally, once they're enrolled, any time a user is trying to access a business service on a different unregistered or unknown device, they will get push notifications on their secure UEM device, UEM secure device, and they can manage it from there. So let's take a look at this video.

The app is pushed down, the user launches the app, and they hit allow for notifications and activate it and set up. Super simple. Next, they try to log in and they get the notification on the device that says, "Are you the one trying to log in to Salesforce from this specific device?" If that is the case, the user says, "Yes." They get access. If it isn't the user, the user would decline it, and IT gets a notification that says, "Hey, there might be someone potentially trying to access this user's account. You need to pay a little more attention." And if this starts to be a pattern, you know there is something malicious. Someone is attempting to hack into your systems. So that's how multifactor authentication is-- how MobileIron's using a UEM, or unified endpoint management system, to simplify multifactor authentication and make it incredibly usable for employees. The next piece that we're going to talk about, so right now, we've spoken primarily about multifactor authentication and how it helps organizations with preventing data breaches via the use of compromised credentials and how it provides a fantastic user experience to drive the adoption of security services. But all of this is in the context when a user is using an unmanaged device. Now, what happens, or how do you make sure that you aren't unnecessarily prompting the user for multifactor authentication when they're coming in from a known device? You don't require them to enter their password on a device that is managed and known. And the reason why we want to remove passwords from the flow is because passwords are just incredibly frustrating for users, right? One is with their increased complexity, two is they're having to enter them on mobile devices that are very hard to type on, and especially when you're on the go and trying to get work done quickly. There's also the increased number of cloud services, which then requires the user to remember unique username/password combinations for each of these cloud services, and then the 60-day and 90-day reset. Passwords are reset every 60 to 90 days, users often forget what their latest password is, type in the wrong ones, and get locked out of their accounts. They have to open help desk tickets to try and get back into their services. All of that results in a bad user experience and lost user productivity. So the question then is how do you make sure that when a user is on a trusted device, using a trusted application, is completely validated, is compliant, how do you provide them with the easiest experience and a seamless login experience? And that's what I'm going to show you right now, is how you can solve the UX problem with passwords when users are on compliant devices.

On this screen, I'll show you another short demo of what the user experience would be like when they log in from Salesforce, in this case. What you will notice is the user launches Salesforce, the application they're trying to get to. They open it up. They will select the company's single sign-on policy. And then, without entering a username/password, gets seamless access to Salesforce. And this is very interesting because it's intuitive. The user goes to the application that they want to open. They're not required to go to a different, single-episode portal or log in through a browser or Safari, WebView, or any of that. It's directly through the application itself. So here I'm going to launch the video. The user launches Salesforce, selects company single sign-on, and boom, they're in. No username, no passwords. But we still know the user is who they say they are because [it said on that?] device. In addition, we also know that the device itself is secure and managed by MobileIron UEM. And we are absolutely aware that the application too is managed by MobileIron. So not only have we taken one step of pain away from the user, but we've added security in exchange. So this is a great example of how we're adding security while improving the user experience. And the last piece that I'm going to talk about is this idea when we talk about the fact that passwords are not intelligent. Now, this is a growing problem for a lot of customers as they move to the mobile cloud world because when they use only passwords, and even passwords complemented with traditional multifactor authentication solutions, not MobileIron's modern Authenticator, but when you combine those, what happens is passwords alone cannot tell the organization if the device being used by the user is managed or not, if it's compliant or not. I could very easily enter my corporate credentials on a jailbroken device and still get access to my cloud services unless you have MobileIron Access deployed.

So let's take a look at this example here. Well, we have two devices. One's a device where there will be an unmanaged app and the other device will be where the user is running a managed application. So I'll walk you through the example and you'll see how data could potentially leak in this scenario. Both devices are secured by MobileIron UEM. They have passcodes enforced. The user logs in-- enters their password to unlock the phone. Now, in this case, the user is going to attempt to download Salesforce. Now they can get the Salesforce application from two locations. Location one is the public app store, so this is the Apple App Store or the Google Play Store. This is where the employees are most used to going to get applications. The second option is the Enterprise App Store, which, in this case, would be Apps At Work, where they could go to Apps At Work and download all of the applications that are provided to them by their IT team. Now, the experience is the same. The user logs in, downloads the application, installs it. Now, in this case, if the organization is only using a username/password for authentication for the user, the user enters their credentials and gets access to their information. So now, they're in Salesforce, they've downloaded a report, and they want to annotate it. Next thing they're going to do is try to open that PDF report in a different application to annotate it. And what you will notice is on the unmanaged app, the app that was installed from the public app store, which was Apple or the Google Play Store, IT has no control over it. The user can share data from that application with any application on the device, with any device in the vicinity through Bluetooth or AirDrop or NFC and so on. IT will lose that data. On the flip side, if there was a managed app, you'd see that it is completely controlled. There's only very limited ability for the user to share it. You can only share it with known and managed applications. So the question is how do you prevent that unmanaged app, the app that was improperly downloaded from the public app store, from ever connecting to the enterprise cloud services?

And this is where MobileIron Access's trust engine comes into play, where we provide the context and then combine that to provide the best user experience depending on the environment the user is in. It's either seamless single sign-on or MobileIron Authenticator. So that's how the MobileIron Access portfolio comes together. It is the platform for modern cloud security. It's backed by a very robust trust engine that can look at a variety of different signals to establish a baseline for the user's environment and then make the right authentication flow available to the user that's based on the risk of their environment. It could either be single sign-on, which is absolutely seamless and password-less for the user, and in the right-- or in the alternate scenario, it would be MobileIron Authenticator where we can still establish that the user is really who they say they are. The benefit of this, again, is the fact that you can deploy security that is incredibly simple for the user. It's user-centric, it's transparent, it's seamless, there's remediation workflow, it's absolutely seamless to the user. And at the same time, it's smart. So, rather than having to decide between user experience and security, you can get both. You get the best security and the best user experience. And that's how organizations go from a no-win to a win-win situation. They improve security hygiene across the organization by increasing user adoption of security best practices. Organizations also gain confidence in driving innovation by investing in mobile cloud technologies and continuing to expand that so business can move faster and they can go rapidly and compete. And at the same time, they optimize that security spend and meet compliance requirements and so on.
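The trust-engine decision described here, together with the "pattern of declined push prompts" point made during the Authenticator demo earlier, can be sketched as a small policy evaluator. The Python below is an added example written for this transcript; it is not MobileIron's trust engine, and the signal names, decision outcomes and alert threshold are assumptions chosen to mirror the scenarios in the talk: a compliant managed device running a managed app gets password-less single sign-on, an unregistered device is stepped up to a push prompt on the user's enrolled device, a jailbroken (non-compliant) device or an app installed from the public store is blocked, and repeated declined prompts for one account raise an alert for IT.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Tuple


# Signals a UEM could report about a request. These field names are assumptions for this
# example; they are not MobileIron's actual attribute names.
@dataclass(frozen=True)
class AccessContext:
    user: str
    device_managed: bool     # device is enrolled in UEM
    device_compliant: bool   # passes device policy (no jailbreak/root, passcode set, ...)
    app_managed: bool        # app was deployed through the enterprise app store


SSO = "sso"            # password-less single sign-on, no prompt at all
PUSH_MFA = "push_mfa"  # approve/deny push to the user's registered device
DENY = "deny"          # block the request


def decide(ctx: AccessContext) -> Tuple[str, str]:
    """Map request context to an authentication outcome plus a human-readable reason.

    Order matters: the strongest conclusions come first so a later, more permissive
    rule can never override them.
    """
    if not ctx.device_managed:
        # Unknown or unregistered device: confirm possession via push to the enrolled device.
        return PUSH_MFA, "device is not under UEM management"
    if not ctx.device_compliant:
        # Managed but out of policy (e.g. jailbroken): must not reach cloud data at all.
        return DENY, "managed device is out of compliance"
    if not ctx.app_managed:
        # App from the public store: IT cannot control where it shares data, so block it.
        return DENY, "application is not managed by UEM"
    return SSO, "managed, compliant device running a managed app"


class PushDeclineMonitor:
    """Track declined push prompts per user and flag a pattern inside a sliding window."""

    def __init__(self, threshold: int = 3, window_seconds: int = 3600) -> None:
        self.threshold = threshold            # assumed alert threshold
        self.window_seconds = window_seconds  # assumed look-back window
        self._declines: Dict[str, Deque[int]] = defaultdict(deque)

    def record(self, user: str, approved: bool, unix_time: int) -> bool:
        """Record one push result; return True when declines in the window reach the threshold."""
        if approved:
            return False
        recent = self._declines[user]
        recent.append(unix_time)
        # Drop declines that have aged out of the window.
        while recent and unix_time - recent[0] > self.window_seconds:
            recent.popleft()
        return len(recent) >= self.threshold


if __name__ == "__main__":
    # Constructed requests covering the four scenarios from the talk.
    samples = [
        AccessContext("alice", device_managed=True, device_compliant=True, app_managed=True),
        AccessContext("alice", device_managed=False, device_compliant=True, app_managed=True),
        AccessContext("alice", device_managed=True, device_compliant=False, app_managed=True),
        AccessContext("alice", device_managed=True, device_compliant=True, app_managed=False),
    ]
    for ctx in samples:
        outcome, reason = decide(ctx)
        print(f"{ctx.user}: {outcome:9s} ({reason})")

    # Constructed push results: three declines within ten minutes should raise the alert.
    monitor = PushDeclineMonitor(threshold=3, window_seconds=600)
    for approved, ts in [(False, 0), (True, 10), (False, 20), (False, 30)]:
        if monitor.record("bob", approved, ts):
            print(f"alert: repeated declined prompts for bob at t={ts}")
```

In a real deployment the monitor's flag would be forwarded to the SIEM or help desk rather than printed, and the decline events themselves are worth retaining as evidence: a user who keeps saying "no" to prompts they did not initiate is the clearest signal the page describes that a credential has already been compromised.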

I'd also like to talk a little bit about Perkins Coie, which is a law firm based in Seattle, Washington. I'll take them as an example. They've been an early MobileIron customer and they've seen great benefits from deploying the solution. They're a global law firm with about 19 offices across the globe and one of the biggest challenges they had while they were deploying Office 365 and Salesforce internally is that their information security team was not comfortable making those services available on mobile endpoints because they didn't have the right solution to meet the security requirements. They had very limited access control and they weren't okay with it. Their employees, on the other hand, absolutely wanted all of these services to be available on their mobile devices because a lot of times when they were in clients' offices, they were using the mobile devices and tablets to take notes and get work done, and especially when they would travel back or take flights and stuff, they wanted that experience. They didn't want to have to have a laptop and require a VPN connection to get that. And that's when the MobileIron team introduced them to Access. They piloted it and were incredibly impressed by the capabilities available to them through Access and especially around access controls. And fast forward to today, they've been able to roll out Office 365 and Salesforce and a couple of other cloud services to all of their employees, made them available on mobile devices and tablets in a manner that still meets all of their compliance requirements. They have the right security controls in place and the users are incredibly happy and incredibly productive.

So, with that, I'm going to conclude the session today. Thank you for joining us. Thanks for spending time with us. If you have any questions, please put them in the Q&A window and we will answer them for you. We'll stay online for the next three minutes or so. Thank you. Right. So I see a couple of questions coming in. The first question is, what operating systems are supported? MobileIron Access works and can be used with iOS, Android, Mac OS, Windows 10, and there's some limited capabilities for Windows 7 platforms, too. So if you are still using legacy Windows platforms, we support the entire gamut of modern endpoints. The other question we see is, what cloud services are supported? So MobileIron Access is a standards-based solution, so it's completely built on industry standards, as a result of which most modern cloud services that use SAML as an authentication framework can be secured today with MobileIron. So this would include Office 365, Salesforce, Box, Dropbox, the list goes on. Now, in addition, if you have internal applications and internal services that you can add SAML to, you could still make the MobileIron Access capabilities available on them for security and control.

There's another question about what IdP services are supported. Now, IdP services, again, the most common ones that we see customers use are ADFS, Okta, PingID, OneLogin, SecureAuth, and we work across all of them. And even if you have a custom identity service, maybe built on open-source technologies, if it supports SAML and if it's standards-based, we will absolutely be able to integrate with it. There's another question, "How does this compare to Ping Identity or similar solutions?" From a comparison perspective, I think, we integrate really well with existing identity solutions, and what we layer on top is the context around the endpoints, the application. And all of this comes from our UEM engine and then being able to use those signals and being able to correlate that with the identity information from PingID. And it just helps provide organizations-- it helps organizations deploy a more comprehensive mobile and cloud security solution. I see another question, "Is this strictly for mobile apps or can you do this on-premise and use it for non-cloud enterprise applications?" You absolutely can. Anything that supports modern authentication frameworks like SAML, WS-Fed, and there are some other ones that we'll be adding in short order, you can absolutely use MobileIron Authenticator and Access with all of those cloud services. There's a question on if this is an add-on or is it-- so, again, MobileIron Access is an independent product that would require you to have a MobileIron Core or MobileIron Cloud EMM or UEM license associated. Yeah, I see the same question come up again. So, yeah, MobileIron Access is primarily for devices that are under MobileIron UEM management, and then you can apply it for devices that are not under MobileIron UEM management, or unified endpoint management, which will be Core or Cloud. You would then use MobileIron Multifactor Authenticator, MFA, or MobileIron Authenticator to secure those devices and manage access or provide access control for those devices. Okay, so that brings us to the end of the questions and answers. Again, if you have any questions, feel free to email us at We will be sending out a copy of these slides and a recording by the end of the day. Thank you so much for joining us.