Despite the challenges we spoke of in the previous slides, there is no escaping the Mobility tsunami: it is and will continue to affect most enterprises, across all industries….from Healthcare to Finance, from Government to Retail. Look at the staggering numbers!! ….almost three-quarters of users say that they are already using their mobile devices for work purposes. And IT doesn’t really have an option but to manage this trend!
……users will actually use their mobile devices in the way the strategy plans for them. In order to maximize mobile device usage let employees use the devices they are most comfortable with. Not only are they happier but the lowered CapEx to IT is an added benefit.
Let’s talk about what kind of day-to-day challenges workers are facing:
<click> For starters, take Mark: Mark works as an Account Director at a software company and obviously uses his personal smartphone for work purposes and unfortunately loses it at a bar while entertaining customers one night. He calls his 24-hour IT Hotline who say they can easily wipe out his phone. But wait, he also has his daughter’s Birthday party pictures from last month …..that’s a PROBLEM!!
<click> Then there is Frank: Frank heads Compliance for a Pharma company. Frank is concerned about potentially malicious Apps that would put his company at risk of falling out of e.g. HIPAA compliance.
<click> Finally, Ann: Ann is the IT Director at a large bank that has just allowed the BYOD policy in all their North American offices. Ann is overwhelmed with staff bringing in their favorite devices and forming a beeline outside the IT department to provision their devices to the corporate network. Ann and her team cannot keep up, and wish there was an automatic way to do this …
SO what is happening at the highest level?
While on one hand employees need the freedom to work on ANY device, from ANYwhere to be productive and happy, on the other hand IT needs to ensure they are still in CONTROL, all devices and apps are in compliance and corporate data is secure at all times ….AND all this without any adverse impact to the performance, scalability, and availability of the end-to-end mobility infrastructure.
An optimum balance is called for ….
When you look at Mobility, broadly speaking it can cover three perspectives – internal IT, and how they enable the business with new mobile channels such as device, app or content strategies – employees, which is the most likely focus if IT is leading with efficiency gains that should ultimately be aimed at employee productivity – again, through devices, apps or content approaches.
Perhaps your approach is to grow the business with new revenue streams via a mobile channel that touch your customer base?
Increasingly all are relevant and touch into each other at some stage…
<<Segue to next slide>> This is driving our own solution strategy at CA….
— The management of Devices, apps and content
— All of these disciplines are underpinned by a foundation of security, specifically identity & access management and multifactor/advanced authentication
— Mobile Service Management – is also overarching – the continuous discipline of service delivery.
.. We are constantly developing our portfolio and vision to help support your entire mobility strategies, or essentially discrete elements where you have a specific business need or requirement…..almost on ramps if you like…it all depends on the lens you are looking through and immediate business objectives/initiatives
At some stage device management (or not) will be discussed and I’d like to spend a few minutes discussing how we can assist you in what for some organizations is the first step on the ladder to a fully fledged mobility strategy…
Multi platform
Consistent look and feel end-user self-service portal
BYOD / IT onboarding
Selective wipe of corporate only data
Pre-configured Apps delivered upon enrollment
Multi Language
Multi-tenancy in the SaaS solution creates opportunity for our partners. MSPs can provide MDM services across different enterprises. I certainly can envision a partner building a strong presence in delivering MDM to small to medium businesses that are leveraging mobility.
Included in the offering is tenant specific branding of the solution with customized app certificates and profiles as well as the ability to share common resources across customers in order to leverage economies of scale.
What is the business issue we are trying to solve?
Think of the Dropbox ‘problem’ – users are emailing presentations and corporate documents to their dropbox and similar repositories, so they can access the content they need to do their job effectively on any device, anywhere
Consumerization of IT has made File Sync and Share a must have capability for an organization.
It’s more than file syncing though – it’s about content collaboration also.
It’s about solving the business issues of:
Ensuring Data Loss Prevention (content-level security) at rest, in use and in motion
keeping files synchronized across multiple personal and enterprise devices (including PCs)
Sharing large files with colleagues, partners and customers – securely
Who is a leader in DLP?
*Gartner, Inc., "Magic Quadrant for Content-Aware Data Loss Prevention,” January 3, 2013.
Business benefits of an app strategy, internal or external:
INTERNAL – think:
Business process re-engineering
Atomization
Simplify complex processes
Increase engagement with complex processes
Improve Compliance
Simpler processes will be complied with
Mobile Apps enforce the MO for mission critical data
Security, compliance and risk management benefits
EXTERNAL – business goals would be:
Accelerating Innovation
Driving New Revenue channels
Reaching customers everywhere, anytime
.. That is constantly being developed to help support your entire mobility strategies or discrete elements where you have a specific business need or requirement…..
TODO: Keep same idea but reordered details of app dev in line with lifecycle we define later
Let’s build up a complete solution by looking at a simple problem from humble beginnings:
Imagine a healthcare environment. Suppose we have multiple back-end systems, each of which has a different interface to access its data and to transact with the application: a database that contains information on drug side effects, which uses SQL as the interface to the data; a Clinical records system that has evolved over the past 15 years and is today a .NET application back-end but is still accessed through a client/server front-end; and a Patient records system, which, because it is also used by internet-based patient self-service applications, has evolved to be a web-based application accessed through Web Services style interfaces.
The healthcare enterprise would like to implement a tablet app for doctors and clinicians to manage patient prescriptions. The app would enable them to query the patient’s prescription history, to check whether current prescriptions cause side effect contra-indications with new proposed prescriptions, and to enter new prescriptions.
This app needs to interact with all 3 back-end applications to provide these functions; however, interacting with 3 styles of API is complex, error-prone, and bandwidth-intensive.
Additionally, as this is a sensitive app, it is of regulatory importance to ensure that data security and confidentiality are maintained, which requires that access to data is controlled both at the server and at the tablet. This in turn requires that we know which devices are being used to access data, and which users are accessing data, with policy controls enforced based on this. Finally we need to handle “lost device” scenarios and remove confidential data and the prescribing applications in the event that a clinician loses their device, or simply when they choose to upgrade their device and transfer their work to a new device.
How to handle this challenge?
Only CA can provide a “one stop shop” for the integrated security and service management tools that are required. Let’s see how…
First we need to integrate the different back-end APIs such that it is easier to interact with the different back-end data and applications.
A Layer 7 Mobile Access Gateway from CA Technologies can integrate the different back-end data sources and republish those as one simple set of RESTful APIs that are simple to consume from the mobile platform. The gateway handles all data mapping, translation, and marshalling between the back-end systems, exposing simple transactions for prescription history, side effect conflict search, and new prescription entry in a way that is simpler for the app designer to use. This enables the app designer to focus on the user experience aspects of the app rather than the data and back-end transaction logic integration, making the app easier to architect and develop. This will result in faster time to market and improved security, since no unnecessary back-end functions will be exposed externally, and systems that are simpler to build tend to be inherently more secure, following the maxim “complexity is the enemy of security”.
As examples, the prescription history transaction would need to integrate back-end calls to the SQL clinician and patient records systems. The “side effect conflict check” transaction would access the patient records system and the SQL database of drug side effects. The “new prescription” transaction would update both the patient and clinician records systems.
Access to the republished API is protected by the Layer 7 gateway. Layer 7 can accept an OAuth token as proof of authenticated identity, i.e. proof that the identity described by the token has been authenticated by a trusted service. This means we need a source of tokens….
1) Enter AuthMinder (or CloudMinder): AuthMinder provides cryptographically strong, two factor authentication that is built for mobile. When the clinician wants to use the Prescription management app, first they authenticate using AuthMinder on their mobile device. The tablet or mobile device becomes one factor in the authentication scheme, greatly improving the security of access to the confidential patient prescription data.
2) If authentication is successful AuthMinder returns an OAuth token proving the authentication result.
3) The Prescription management app now sends this token to the Layer 7 Gateway when it accesses the republished APIs offered by the gateway. The gateway trusts the token and extracts the Identity the token was issued to. The Mobile Access Gateway can now apply an Identity-based policy to the API access, confident in the knowledge that the token could only have been issued to the clinician.
SiteMinder protects access to the web-based patient records system. As mentioned before this is accessed by patients via their web browser for various self-service tasks.
As with the Layer 7 Mobile Access Gateway, SiteMinder can also trust OAuth tokens issued by a trusted service, which also means we need a source of tokens for it to trust…
1) Enter AuthMinder (or CloudMinder): AuthMinder provides cryptographically strong, two factor authentication that is built for multi-channel web application access. When the patient wants to access the web-based patient records system, first they authenticate using AuthMinder / CloudMinder on their mobile device or PC.
2) AuthMinder / CloudMinder returns an OAuth token proving the Identity of the patient and proving they have authenticated.
3) SiteMinder now grants access to the patient records self-service application, regardless of whether the mobile or PC channel is used to access the web application.
4) When
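The token-gated gateway pattern from the clinician flow above and the patient flow that follows, as an added illustration that is not CA, Layer 7 or AuthMinder product code: a small Python gateway that republishes three heterogeneous back-ends (simulated in memory) as one REST-style set of operations, validates a bearer token, takes the identity from the token rather than from the request, and applies an identity-based policy before touching any back-end. The token format (HMAC-signed JSON claims under a shared secret), the sample patient and drug data, the operation names and the role names are all constructed assumptions standing in for AuthMinder-issued OAuth tokens and the real systems.

```python
"""Added example (not CA / Layer 7 product code): a minimal API gateway that
republishes three heterogeneous back-ends behind one REST-style surface,
checks a bearer token and applies identity-based policy per operation."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the token issuer and the gateway (assumption:
# a real deployment would validate OAuth tokens against the issuing service).
ISSUER_SECRET = b"demo-shared-secret-not-for-production"


def issue_token(subject, role, ttl=300, now=None):
    """Stand-in for the authentication service: signs identity claims with HMAC."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "role": role, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()).rstrip(b"=").decode()
    sig = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Simulated back-ends (constructed data): the "SQL" side-effect database, the
# web-service patient records system and the ".NET" clinical records system.
SIDE_EFFECTS_DB = {"warfarin": {"bleeding"}, "aspirin": {"bleeding", "gastric"}}
PATIENT_RECORDS = {"p-100": {"prescriptions": ["warfarin"]}}
CLINICAL_RECORDS = {"p-100": []}


def side_effects(drug):
    return SIDE_EFFECTS_DB.get(drug, set())


# Identity-based policy: which roles may call each republished operation.
POLICY = {
    "prescription_history": {"clinician", "patient"},
    "side_effect_check": {"clinician"},
    "new_prescription": {"clinician"},
}


def gateway(operation, token, patient_id, drug=None, now=None):
    """Republished API entry point. Returns (http_status, response_body)."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if claims["role"] not in POLICY.get(operation, set()):
        return 403, {"error": "operation not permitted for this identity"}
    # A patient may only read their own record; the subject comes from the
    # signed token, never from the request, so the caller cannot spoof it.
    if claims["role"] == "patient" and claims["sub"] != patient_id:
        return 403, {"error": "patients may only read their own record"}
    if patient_id not in PATIENT_RECORDS:
        return 404, {"error": "unknown patient"}

    if operation == "prescription_history":
        return 200, {"patient": patient_id,
                     "prescriptions": list(PATIENT_RECORDS[patient_id]["prescriptions"])}
    if operation == "side_effect_check":
        # Joins the patient record with the side-effect database: one call for
        # the app instead of two back-end round trips.
        current = PATIENT_RECORDS[patient_id]["prescriptions"]
        existing = set().union(*(side_effects(d) for d in current))
        return 200, {"drug": drug, "conflicts": sorted(side_effects(drug) & existing)}
    if operation == "new_prescription":
        # One transaction updates both the patient and the clinical records systems.
        PATIENT_RECORDS[patient_id]["prescriptions"].append(drug)
        CLINICAL_RECORDS[patient_id].append({"by": claims["sub"], "drug": drug})
        return 201, {"recorded": drug}
    return 404, {"error": "unknown operation"}  # unreachable after the policy check
```

The point to notice is the order of checks: the signature and expiry are verified first, the role is matched against the operation second, and only then is any back-end touched, so a tampered, expired or wrong-role token never reaches the records systems. The app itself never holds back-end credentials; it holds only the short-lived token.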
We have already solved a number of difficult problems: from enabling the Prescription app to be developed easily to securing access to the app and the back-end data.
Now we need to focus on the actual devices the clinicians will use.
It would be very common for an enterprise to target the iPad for this kind of app. The Clinicians will want to use their own personally owned iPads. This will save the clinic significant capital expenditure, but care must be taken to ensure that we know which devices are in use; who owns them; the right apps are deployed; and that the clinical data can be removed when required.
CA Mobile Device Management solves these problems.
Firstly it provides an Enterprise App Store, enabling the clinic to distribute the Prescription app to the clinicians’ mobile devices, and only those devices. The Enterprise App Store is private to the clinic so there is no need to publish the Prescription app via a public app store. CA MDM ensures that the app is only published to the users who are intended to use the app. It does this by allowing the app distribution to be controlled according to the Active Directory / LDAP group structure. Additionally CA MDM pushes the AuthMinder strong authentication app that is required to secure access to the application.
Next we must ensure the devices have a secure configuration: features such as device storage encryption, the prevention of backup and synchronisation of data to the clinicians’ home PCs, setting a passcode lock etc. All of these features can be centrally configured and enforced via MDM Configuration Policies.
Finally, when the clinician stops using the device for work purposes we must remove the Prescription app, all the data it created (if any) on the mobile device, and any corporate email access which was provisioned to the device when it was first enrolled under management. CA MDM automates this procedure, ensuring that compliance with patient privacy regulations is maintained by ensuring that stray data is not left on devices when they are no longer required for work use. In addition, in the event that a device is lost or stolen, CA MDM can remotely wipe the device, restoring it to a “factory reset” state.
One of our clinicians seeks an expert opinion from a consultant. They email certain patient data to the consultant, who, for our purposes, is identified in red.
CA-MDM has an Exchange and Lotus Notes plugin that references the MDM server to verify if the mobile device sending the email is under management and is in a compliant state, i.e. it has the latest Configuration Policy applied, the device is not jailbroken etc.
Eventually the clinician’s iPad (in red) will no longer be used for Prescribing and patient record access. When this time comes the device is un-enrolled from the CA-MDM Server.
This process selectively removes:
The Prescribing app
The AuthMinder strong authentication client and identity data
The corporate email configuration
The device Configuration Profile
The device (in green) is returned to the clinician with all their personal data intact, but with all corporate data, apps, and configuration removed.