What is it about mobile devices that, more than anything else, keeps IT security executives from getting a good night’s sleep – especially in today’s increasingly “bring your own device” (BYOD) environment?
No doubt, the biggest worry about mobile devices for IT security executives is how to be sure that a device is in the safe hands of the right person. Are the actions being performed on that device authorized?
There is good reason for BYOD-induced tossing and turning in the IT security profession. In the homeland security and defense space, highly sensitive and strategic government information is at risk. In the medical and healthcare arena, where HIPAA regulations govern confidentiality of patient records, access by persons other than the patient and his or her doctors can compromise diagnosis and treatment. In retail, sales data and other confidential company information can be stolen.
Tracking BYOD trends
According to 2012 data from International Data Corporation (IDC), global smartphone shipments passed global PC shipments for the first time in history. IDC data also show that in 2013, more mobile devices were used to access the Web than PCs. According to IDC, more than 70 percent of enterprises are in various stages of permitting mobile access in-premise or in the cloud.
Another key trend predicted by IDC is that IT’s next dominant platform will be built on mobile computing, cloud services and social networking. Meanwhile, predicts IDC, big data analytics will begin transitioning into the mainstream.
Finally, IDC expects spending on mobile devices will continue to increase 18 percent per year, accounting for 80 percent of total IT spending between now and 2020.
In a recent survey of IT executives by AirTight Networks, one out of every four respondents said they view the BYOD trend as a threat to enterprise security, while only one out of seven said they view the BYOD trend as an opportunity to reduce IT costs and improve employee productivity. Six out of 10 said they view the trend as both a security threat and an opportunity to reduce costs and improve productivity. The implication is clear: In most enterprises, BYOD is the cause of sleepless nights for security executives.
Complexities of managing mobile devices
With BYOD comes increased pressure on IT enterprises to integrate and manage a proliferation of mobile devices.
Today we are dealing with a host of BYOD devices, including smart phones and tablets, which are not standardized and much more difficult to integrate. In fact, with so many operating systems and data platforms, it is no longer possible to maintain standard integration and data profiles.
Yet, every security executive knows, the shift in the mobile communications industry toward increased convenience and personalization cannot be stopped. We have to find a way to work across these platforms and tie convenience to security.
Effective management of mobile devices must do more than allow for various security levels and ensure end-user authentication. It also needs to maintain the quality of end-users’ experience by integrating work and personal digital space on a single device and providing ease of use and convenience. At the same time, mobile device management may also have to provide increased security for mobile payments, handle persistent data across multiple platforms and protect end-users’ private information.
Finally, we must be able to manage mobile devices by being prepared to support further expansion of BYOD initiatives in the future.
Mounting security challenges
For IT security executives, there is no shortage of BYOD security challenges. A primary cause for concern is IDC data showing that use of employee-liable BYOD smartphones is outpacing use of corporate-liable smartphones in enterprise networks.
At the annual RSA computer security conference in San Francisco in 2013, FBI Director Robert Mueller talked about cyber threats to U.S. national security. Mueller said the threats include the use of the Internet by terrorists to “grow their business and to connect with like-minded individuals.” Mueller also pointed out another national security concern—the significant challenges posed by foreign state-sponsored computer hacking and economic espionage.
Mueller said the FBI has substantial expertise to address these and other threats: “Given (our) dual role in law enforcement and national security, we are uniquely positioned to collect the intelligence we need to take down criminal networks, prosecute those responsible, and protect our national security.”
But the FBI can’t do it alone, said Mueller. He noted that the Bureau is collaborating with partner agencies on a number of levels both nationally and internationally. Mueller assured conference participants that by working collectively, “We can improve cyber security and lower costs—with systems designed to catch threat actors rather than to withstand them.”
Mueller’s remarks could very well inspire hope among IT security professionals that solutions can be found to BYOD-related security challenges. But hope is not an acceptable security strategy!
Hard look at server access
With illegitimate mobile access becoming the biggest threat to mobile security, the primary challenge is hardening access to the server by identifying and authenticating the endpoint that requests access. To prevent tunneling into our systems and to ensure the integrity of our data, we must make sure that those accessing the system are legitimate.
At the same time, we are dealing with a network that has now exploded outside the office: it’s everywhere. Increasingly, data is no longer maintained on the server and is vulnerable to illegitimate access. The threats that can compromise data seem to multiply daily; any number of users could have an infected e-mail client, malware apps could be injected into the network, or there could be people on the network who are just plain subversive. So the key becomes authentication of programs running on the network and people who are on that network.
At the same time, privacy remains a paramount concern. People who use company-issued mobile devices, which carry company data alongside platforms for personal use, want to know how the network can differentiate their private data from company data.
Data integrity is another mobile security issue. It used to be that data sat on the server. Now it’s sitting on tablets and smart phones. How do we maintain integrity of that data?
The good news is that all the security needed for mobile data platforms can be implemented with technology available today. The bad news is that, historically, increased security has usually meant increased inconvenience to the end user.
Wake-up call: time for proof-positive authentication
So what is the answer? Ultimately, delivery of secure access and services to mobile devices depends on applying strong multi-factor user authentication. Proof-positive authentication should comprise some combination of what you know (password or PIN), what you have (ID card or token) and who you are (biometrics). The more independent factors back a person’s identity claim, the stronger the authentication.
Passwords alone are inadequate because they can be so easily compromised. While solutions combining password/PIN and ID card/token are often considered strong enough, only biometrics — fingerprint, palm print, iris scan, facial recognition and other technologies — can provide absolute proof that a person is who they claim to be.
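The point that factors are counted by category, not by number of credentials, can be made concrete in code. The policy evaluator below is an added illustration, not code from the author or from Precise Biometrics; the resource names, policy thresholds and credential labels are constructed for the example.

```python
"""Constructed example: decide whether presented credentials satisfy a
multi-factor policy by counting distinct factor categories (know / have /
are) rather than the raw number of credentials."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "what you know"    # password or PIN
    POSSESSION = "what you have"   # ID card or token
    INHERENCE = "who you are"      # biometric


@dataclass(frozen=True)
class Credential:
    name: str        # hypothetical label, e.g. "password"
    factor: Factor
    verified: bool   # outcome of checking that credential


# Hypothetical per-resource policy: minimum number of distinct categories.
POLICY = {
    "email": 2,
    "patient-records": 3,   # HIPAA-governed data gets the strictest rule
}


def distinct_factors(creds):
    """Categories backed by at least one successfully verified credential."""
    return {c.factor for c in creds if c.verified}


def access_decision(resource, creds):
    """Return (allowed, reason). A password plus a PIN are two credentials
    but only one factor, so they never satisfy a two-factor policy."""
    required = POLICY.get(resource)
    if required is None:
        return False, f"no policy defined for resource {resource!r}"
    failed = [c.name for c in creds if not c.verified]
    if failed:
        return False, f"credential check failed: {failed}"
    have = distinct_factors(creds)
    if len(have) < required:
        return False, f"{len(have)} factor(s) presented, {required} required"
    return True, "policy satisfied: " + ", ".join(sorted(f.value for f in have))


if __name__ == "__main__":
    print(access_decision("email", [
        Credential("password", Factor.KNOWLEDGE, True),
        Credential("fingerprint", Factor.INHERENCE, True),
    ]))
```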
Fingerprinting is the most common biometric, strongly supported by standards developed by the National Institute of Standards and Technology (NIST). Fingerprinting is reliable, easy to use and cost-effective, in part because the technology can tap into large databases of fingerprinting records that are available for criminal and civil uses.
Mobile security executives are acutely aware that they must remain continuously vigilant against the ever-evolving threats driven by the BYOD trend, which reach across public and private markets. Ask any security executive who has been losing sleep over the authentication risks of mobile devices, and he or she will undoubtedly agree that the remedy is an “anywhere, anytime” multi-factor authentication capability. Only multi-factor authentication can provide the level of identification assurance that this person has the right to access this data from this device.
To do the most effective job of protecting private- and public-sector networks and securing communications across the mobile world, security solutions incorporating multi-factor authentication will need a new level of integration and interoperability with existing identity management systems. As a practical matter, these solutions will need to continue to be developed and to scale to support strong multi-factor authentication mechanisms for:
- Secure Internet browsing;
- Secure email or text messaging;
- Secure and convenient digital signature;
- User friendly and secure replacement for PINs and passwords;
- Protection of user’s identity; and
- Protection of user’s credentials and the actual device.
When all is said and done, mobile multi-factor authentication solutions will continue to evolve and be tailored to the user base and BYOD applications in each organization. Cookie cutter solutions are not the answer given the rapidly changing BYOD environment. It’s a daunting challenge for IT security executives, to say the least, but in the long run it stands to be the best cure for BYOD-related insomnia.
About the Author:
Patrik Lindeberg is the Vice President of R&D at Precise Biometrics, a market-leading provider of solutions for fingerprint recognition to prove people's identities. Precise Biometrics serves business and government organizations worldwide and its technology is licensed to close to 160 million users.