By Dr Chris Edwards, chief technical officer at Intercede
It is reasonable to assume that when you ask any IT manager what their biggest security headache is at present, managing and securing employee mobile devices will come pretty high up on the list.
The proliferation of smartphones and tablets, coupled with employees wanting to use these devices to access corporate networks, has multiplied the number of access points to organisations’ sensitive networks, applications and data, and forced companies to consider all manner of bring your own device (BYOD), choose your own device (CYOD) or company-issued, personally-enabled (COPE) policies.
Mobile, the Achilles heel of security
This has given rise to the view that smartphones and tablets are the Achilles’ heel to data security. In fact, mobile devices can, and should, play a key role in an organisation’s overall security.
By bringing employees’ devices within the corporate firewall, organisations can use their in-built security functions to turn smartphones into secure authentication devices for accessing premises and networks. But if this is going to succeed in the long term, there needs to be a fundamental shift in the way that we think about mobile devices.
The recurring problem for IT administrators is how to reconcile network security with the demand from employees (not to mention senior management) for access through their personal devices. This dilemma has traditionally been answered in one of two ways: either by setting draconian limits on employees’ ability to access corporate systems on their own smartphones, or by implementing a mixture of security technologies and policies to control and monitor staff network access.
Finding a balanced solution
Neither of these options is particularly satisfactory. Ruthlessly restricting access on personal devices simply does not keep step with the way today’s employees expect to work; meanwhile, mobile security is still largely based on an increasingly vulnerable form of ID verification – usernames and passwords – which are still the standard for most ‘secure’ log-ins whether they are done from a desktop or the mobile device.
This is a problem across organisations. Passwords simply do not provide high enough levels of security. They can easily be cracked, lost or stolen, and as they are required to be ever more complex they also become harder to remember and more inconvenient for the user. So rather than asking how mobile access can be made secure, the real question for CIOs considering the organisation’s mobile policy should be how to improve security across the whole organisation, rather than treating mobile in isolation.
Smart card tech to the rescue
One of the most effective and immediate steps that organisations can take to improve security is to implement two-factor authentication, which combines a physical token, such as a smart card, with a PIN or other code. This level of authentication, something you have combined with something you know, is widely accepted as the standard for secure access, and is exactly the same type of technology that has proved so successful with chip and PIN. This is where the smartphone can come into its own and, rather than being a source of vulnerability, can be part of the solution.
Placing a secure credential into a secure part of an employee’s phone, such as the SIM or Trusted Execution Environment, effectively turns the device into a smart card. Combined with a PIN, this gives a much higher level of security while crucially providing much-needed simplicity and convenience for the user.
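The following is an added illustration of the two factors described above, not code from the article or from Intercede’s products: a stand-in for the SIM/TEE that holds a provisioned credential (something you have) and only answers a server challenge once the PIN (something you know) has been verified, with a smart-card-style retry counter. The credential is modelled as an HMAC secret shared at enrolment and the server, device identifiers and PIN values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

class SecureElement:
    """Stand-in for the SIM/TEE: the credential never leaves it, and it only
    answers a challenge after the PIN has been verified (constructed model)."""
    MAX_TRIES = 3

    def __init__(self, credential: bytes, pin: str) -> None:
        self._credential = credential                   # something you have
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.tries_left = self.MAX_TRIES

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        if self.tries_left == 0:
            return None                                 # locked, like a smart card
        presented = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(presented, self._pin_hash):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES
        return hmac.new(self._credential, challenge, hashlib.sha256).digest()

class AuthServer:
    """Holds credentials provisioned at enrolment and checks challenge responses."""
    def __init__(self) -> None:
        self._enrolled: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enrol(self, device_id: str, credential: bytes) -> None:
        self._enrolled[device_id] = credential

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)                 # fresh per attempt, defeats replay
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(device_id, None)      # each challenge is single use
        if nonce is None or response is None or device_id not in self._enrolled:
            return False
        expected = hmac.new(self._enrolled[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(server: AuthServer, device_id: str, element: SecureElement, pin: str) -> bool:
    """One round trip: server challenge, device response, server check."""
    nonce = server.challenge(device_id)
    return server.verify(device_id, element.respond(pin, nonce))
```

A wrong PIN, a replayed response, or a device locked after too many wrong PINs all fail, while a correct PIN on the enrolled device succeeds.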
By extension, it also ties the device into the organisation’s security and authentication systems, enabling admins to efficiently verify, monitor and control who is accessing networks and sensitive data and have trust in those devices.
By adopting such two-factor authentication, organisations immediately strengthen their network security. This system doesn’t require any additional equipment such as a smart card or physical token, making it easy to use and convenient for employees.
Making mobile defence simple
The benefits do not stop there. Mobile authentication helps to solve another serious security problem, which is the large number of business systems and applications that organisations use, each requiring the user to have a discrete digital identity or log-in. Not only does mobile authentication consolidate these identities onto a single device, it can also provide security for physical access (for example, to premises) as well as networks.
Security threats are constantly evolving, and countermeasures must keep pace with them. The days are gone when usernames and passwords could be considered adequate protection for sensitive information. If organisations are still trusting in passwords, they urgently need to review their security system. Pursuing mobile authentication has the additional benefit of solving that other intractable security headache of managing employee devices.
Of course, no single technology can honestly claim to protect us from every potential threat. Even so, in the fight against hacking and data theft, that once ‘vulnerable’ mobile device is one of the most potent defences we have. And it’s been sitting in our pocket all along!
Intercede’s MyID identity and credential management software enables organisations to create and use trusted digital identities for employees, citizens and machines. This allows secure access to services, facilities, information and networks.