Enterprise communications networks achieve security by identifying authorized users; authorized devices (e.g. computers, printers, and phones) by hardware identifiers (e.g. Ethernet MAC addresses); and authorized routers with known locations through which those devices may connect; and by modulating access and usage based on the content and time of the activity and on the user, device identifier (deviceId), assumed device type, and router engaged in that activity. Usually this modulation takes the form of assigning devices IP addresses based on the router and controlling the routing of traffic using rules about the assigned IP addresses. Physical access control to the devices (e.g. locks on office doors) is therefore an important component of enterprise security.
However, users increasingly need access to both enterprise and cloud services from outside the enterprise network (usually via mobile devices), and both needs challenge the traditional enterprise IP-based security model. Authentication in these cases involves more frequent password challenges with more aggressive password change policies, as well as various forms of “two-factor authentication” technology, which generally takes the form of delivering a temporary unique code to the user on another channel (voice call, SMS, or SecurID card) and having them enter it in addition to their password. Both the increased password challenges and the increased second-factor challenges inconvenience the user and interrupt flow. Passwords are subject to various forms of attack including phishing, password guessing, cross-site scripting, and various man-in-the-middle attacks. The SMS and voice-call second-factor challenges have vulnerabilities due to various call and SMS forwarding services. SecurID requires the user to remember to carry another physical device, which may be stolen while not in use without the user noticing until the next challenge. None of these techniques provides network-based location information, which is often a useful security heuristic.
Cloud services (such as SalesForce) can achieve increased security through configurations that allow authorized access from particular enterprise networks, via enterprise single-sign-on services or VPNs, but that means increased network latency for mobile users, who have to route traffic into and then out of the enterprise network to access these services.
What is needed is a way for enterprise and cloud services to authenticate and secure sessions with mobile devices that works as well as direct access using on-premises network hardware. What is helpful is that modern mobile devices typically carry SIM cards, which allow cryptographically secure challenge-response communications that verify possession of the physical SIM; carriers use these to authenticate mobile devices to mobile networks for access and billing purposes.
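The SIM-style challenge-response exchange referred to above, shown as an added illustration rather than the disclosure's own mechanism: the service issues a fresh random challenge, the device answers with a keyed digest that proves possession of the long-term secret without revealing it, and the verifier rejects replayed challenges and wrong secrets. Real SIMs use the carrier's authentication algorithm (e.g. MILENAGE); HMAC-SHA256, the service identifier and the sample secret are assumptions so the exchange runs offline.

```python
import hmac
import hashlib
import os

# Added example, not the original specification's code. HMAC-SHA256 stands in
# for the carrier's SIM authentication algorithm (assumption).

def device_response(sim_secret: bytes, challenge: bytes, service_id: bytes) -> bytes:
    """Device side: prove possession of the secret without disclosing it.
    Binding the response to service_id keeps a response produced for one
    service from being relayed to another."""
    return hmac.new(sim_secret, challenge + service_id, hashlib.sha256).digest()

class ChallengeVerifier:
    """Service/carrier side: issues single-use challenges and checks responses."""
    def __init__(self, sim_secret: bytes, service_id: bytes):
        self._secret = sim_secret
        self._service_id = service_id
        self._outstanding: set[bytes] = set()  # issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)  # RAND: unpredictable and single-use
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge may be answered once; replayed or never-issued ones fail.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge + self._service_id,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    """One genuine exchange plus a replay and a wrong-secret attempt."""
    secret = os.urandom(32)          # constructed sample secret (Ki analogue)
    service = b"cloud-crm.example"   # constructed service identifier
    verifier = ChallengeVerifier(secret, service)

    rand = verifier.new_challenge()
    genuine = verifier.verify(rand, device_response(secret, rand, service))
    replay = verifier.verify(rand, device_response(secret, rand, service))
    rand2 = verifier.new_challenge()
    other = device_response(os.urandom(32), rand2, service)  # device lacking the secret
    wrong_secret = verifier.verify(rand2, other)
    return {"genuine": genuine, "replay": replay, "wrong_secret": wrong_secret}

if __name__ == "__main__":
    print(demo())
```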