With more and more workers requesting to access corporate data through their mobile devices, managers are stuck between wanting to provide enterprise mobile access to their employees and heeding concerns about the security risk they pose to the business if these devices are lost or compromised. In Symantec Corp.’s report issued last summer
So with the strong demand for accessing enterprise resources from mobile devices, what are the best practices and technology options available to organizations who want to provide strong authentication services to protect their information?
Before this question is answered, it’s important to understand that there are not just one or two operating systems on these mobile devices. Workers can walk through the organization’s doors with a device sporting any one of several widely used platforms, including Windows Mobile, iOS, Blackberry, the various flavors of Android, or some other proprietary operating system, each at different release levels; all these operating systems may run on anything from a mobile phone, to a mobile gaming device, to a tablet. Capabilities, communications options, and functionality can vary greatly from device to device, resulting in an authentication complexity that can be overwhelming for even the most flexible organizations. So how can an organization reduce this problem to a manageable level?
To start, organizations must assess the relative risks of mobile access against other electronic channels used to access enterprise information. These security risks include the lack of security capabilities in mobile applications, the growing threat of mobile malware, and the ever-present prospect of device misplacement or theft.
In order to mitigate these risks, an organization must create good enterprise mobile access governance by establishing security policies and procedures. These procedures should include how the mobile devices will be protected, how they can be used, and what data can be accessed and stored on them. Without establishing a set of hard-and-fast rules for access, an organization cannot begin to manage the security risks these devices pose or reduce the chance of loss or destruction of the data these devices access.
This governance process must begin with an organization’s executive management conducting a meeting with their IT leadership team in order to negotiate what is “in bounds” and what is “out of bounds” when it comes to mobile access to enterprise information. Examples of decisions that must be made include:
- Whether access to regulated data such as protected health information (PHI), or other types of sensitive data such as financial data, is allowed by a mobile device.
- Whether storage of business data will be allowed on the device, and if so, whether or not it must be stored in an encrypted format.
- What mobile operating systems, versions, and applications will be supported, including any prerequisite software such as software firewalls, antivirus software and other corporate standards for computing device protection.
In addition to these examples, enterprise and end-user rights and responsibilities must be clearly defined. Examples of such rules include mandatory support for password length and complexity, reporting of lost devices, and whether devices may be shared with friends and family; whether the organization has the right to remotely wipe a device once its loss is reported; and physical protection of the device against unauthorized access. Finally, organizations need to know which mobile devices will access their information. This should be done by setting up a formal request-for-access process as well as by providing at least minimal mobile device security training for the end user.
After mobile access governance procedures have been defined, the next decision enterprises must make is “how” mobile devices will authenticate to the data they access. Many organizations rely on password credentials to authenticate users, so they must establish minimum password length and complexity rules. In addition, many organizations use strike counters on their boundary applications that, after repeated login failures, can lock down or hard-reset a mobile device. While these access controls can be effective, many managers question whether passwords are a strong enough credential for a device that can fall out of a worker’s pocket on the train or be used to access enterprise data from anywhere in the world. Because of these risks, organizations are now evaluating and deploying stronger alternative authentication methods. For example, numerous smartphones now include fingerprint readers that offer an alternative to power-on passwords, and a few mobile security products can also process handwritten signatures entered with a stylus. In addition to these strategies, many organizations are now requiring their workers to install mobile security products that support strong public-key authentication, based on a digital certificate that is delivered through the mobile device’s communications channels, such as MMS, text messages and email. Vendors like McAfee Inc., Good Technology Inc., Certgate GmbH, HID Global, SafeNet Inc. and others now provide mobile security commercial-off-the-shelf (COTS) products based on these technologies for many of the most popular mobile operating systems and devices.
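The password rules and strike counter described above are easy to get subtly wrong (for example, a counter that only advances for known device IDs, or a lockout that the correct password can still bypass). The following Go program is an added example written for this article, not code from the article or from any of the vendors it names; the `Gateway`, the device ID `dev-001`, the policy values and the sample password are all constructed. It checks a candidate password against a length-and-character-class policy, keeps a per-device strike counter, and refuses all further logins once the threshold is reached, which is the point at which a real boundary application would trigger its lockdown or remote-wipe action.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode"
)

// Policy holds the password rules and strike-counter threshold an
// organization sets for password-based mobile access (constructed values).
type Policy struct {
	MinLength   int // minimum number of characters
	MinClasses  int // of the four classes: lower, upper, digit, other
	MaxFailures int // failed logins allowed before the device is locked down
}

// CheckPassword returns nil when a candidate password satisfies the policy.
func (p Policy) CheckPassword(pw string) error {
	if len([]rune(pw)) < p.MinLength {
		return fmt.Errorf("password shorter than %d characters", p.MinLength)
	}
	seen := make(map[string]bool)
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			seen["lower"] = true
		case unicode.IsUpper(r):
			seen["upper"] = true
		case unicode.IsDigit(r):
			seen["digit"] = true
		default:
			seen["other"] = true
		}
	}
	if len(seen) < p.MinClasses {
		return fmt.Errorf("password uses %d character classes, policy requires %d", len(seen), p.MinClasses)
	}
	return nil
}

// ErrLocked is returned once the strike counter reaches the threshold; the
// boundary application would then run its lockdown or remote-wipe action.
var ErrLocked = errors.New("device locked: too many failed logins")

// Gateway is a hypothetical boundary application that authenticates a
// device by password and keeps a per-device strike counter.
type Gateway struct {
	policy   Policy
	hashes   map[string]string // device ID -> hex SHA-256 of the password (sample only; production should use a slow salted hash)
	failures map[string]int
	locked   map[string]bool
}

func NewGateway(p Policy) *Gateway {
	return &Gateway{policy: p, hashes: map[string]string{}, failures: map[string]int{}, locked: map[string]bool{}}
}

func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// Enroll registers a device's password after checking it against the policy.
func (g *Gateway) Enroll(deviceID, pw string) error {
	if err := g.policy.CheckPassword(pw); err != nil {
		return err
	}
	g.hashes[deviceID] = hashPassword(pw)
	return nil
}

// Login returns nil on success. Every failure advances the strike counter,
// whether or not the device ID is known, so unknown IDs cannot be probed freely.
func (g *Gateway) Login(deviceID, pw string) error {
	if g.locked[deviceID] {
		return ErrLocked
	}
	expected, known := g.hashes[deviceID]
	if known && subtle.ConstantTimeCompare([]byte(expected), []byte(hashPassword(pw))) == 1 {
		g.failures[deviceID] = 0
		return nil
	}
	g.failures[deviceID]++
	if g.failures[deviceID] >= g.policy.MaxFailures {
		g.locked[deviceID] = true
		return ErrLocked
	}
	return fmt.Errorf("authentication failed (%d of %d attempts used)", g.failures[deviceID], g.policy.MaxFailures)
}

// IsLocked reports whether the strike counter has locked the device.
func (g *Gateway) IsLocked(deviceID string) bool { return g.locked[deviceID] }

func main() {
	g := NewGateway(Policy{MinLength: 8, MinClasses: 3, MaxFailures: 3})
	fmt.Println("enroll weak:", g.Enroll("dev-001", "password"))
	fmt.Println("enroll ok:  ", g.Enroll("dev-001", "Tr0ub4dor!"))
	for _, guess := range []string{"wrong1", "wrong2", "wrong3", "Tr0ub4dor!"} {
		fmt.Printf("login %-12q -> %v\n", guess, g.Login("dev-001", guess))
	}
}
```

The last login in `main` uses the correct password but is still refused, because the lock is checked before the credential; a gateway that checks the credential first hands an attacker a way to keep guessing past the threshold.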
For those mobile devices that are allowed to retain enterprise data on internal storage, authentication information can now be stored on a removable media smart card (MMC, SD). This is a strong form of authentication because certificates are nearly impossible to forge. Before users attempt to access the information, they must insert the card, and as long as the card remains inserted, the information is unlocked. To prevent a lost mobile device from being compromised, the media smart card is removed when access is no longer needed and stored away from the device, ensuring the data stays protected.
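The public-key authentication mentioned two paragraphs earlier and the removable smart card described here share one mechanism: the private key lives on the card, the enterprise holds only the public key from the device's certificate, and access depends on the card being present. The Go program below is an added example written for this article, not code from the article, from MOBIO or from any vendor named here; the `Card` and `Verifier` types, the device IDs and the use of a P-256 ECDSA key with a fresh 32-byte challenge per login are all assumptions made for illustration. It shows a complete challenge-response round and the three failure modes a practitioner cares about: the card is removed, a key that was never enrolled is presented, or an old signature is replayed against a new challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrCardRemoved is returned when the device asks the card to sign while it
// is not inserted: with the card stored elsewhere, the credential is simply absent.
var ErrCardRemoved = errors.New("smart card not inserted")

// Card stands in for the removable media smart card. The private key never
// leaves it, and it only produces signatures while inserted.
type Card struct {
	key      *ecdsa.PrivateKey
	inserted bool
}

// NewCard provisions a fresh P-256 key pair on the card (constructed sample).
func NewCard() (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{key: key}, nil
}

func (c *Card) Insert()                  { c.inserted = true }
func (c *Card) Remove()                  { c.inserted = false }
func (c *Card) Public() *ecdsa.PublicKey { return &c.key.PublicKey }

// Sign signs the SHA-256 digest of a server challenge, or refuses if removed.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if !c.inserted {
		return nil, ErrCardRemoved
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// Verifier is the enterprise side. It holds the public key enrolled for each
// device; in a real deployment that key comes from the certificate issued to it.
type Verifier struct {
	enrolled map[string]*ecdsa.PublicKey
}

func NewVerifier() *Verifier { return &Verifier{enrolled: map[string]*ecdsa.PublicKey{}} }

func (v *Verifier) Enroll(deviceID string, pub *ecdsa.PublicKey) { v.enrolled[deviceID] = pub }

// Challenge returns 32 fresh random bytes; a new one per login defeats replay.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify checks the signature against the key enrolled for deviceID.
func (v *Verifier) Verify(deviceID string, challenge, sig []byte) bool {
	pub, ok := v.enrolled[deviceID]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Authenticate runs one challenge-response round; access is granted only
// when the card is inserted and its key matches the enrolled public key.
func Authenticate(v *Verifier, deviceID string, card *Card) (bool, error) {
	challenge, err := v.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := card.Sign(challenge)
	if err != nil {
		return false, err
	}
	return v.Verify(deviceID, challenge, sig), nil
}

func main() {
	card, _ := NewCard()
	v := NewVerifier()
	v.Enroll("dev-001", card.Public())
	card.Insert()
	ok, err := Authenticate(v, "dev-001", card)
	fmt.Println("card inserted:", ok, err)
	card.Remove()
	ok, err = Authenticate(v, "dev-001", card)
	fmt.Println("card removed: ", ok, err)
}
```

Because the verifier stores nothing secret, losing the enterprise-side database reveals no credential, which is the property the article means when it says certificates are nearly impossible to forge; what the card protects is the private key, and removing the card removes the only thing that can answer the challenge.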
Even though all the authentication methods mentioned above are available today in the enterprise mobile marketplace, strong mobile authentication still requires the user to physically add and remove hardware, read a message, view a text or swipe a finger for access. While enterprise security managers are beginning to sleep a bit better at night knowing their information is safer, the current authentication methods require a certain level of interaction with the mobile device in order to gain access to enterprise data. This technology, by its nature, flies in the face of the mobile device manufacturers' goal of providing increasingly intuitive, user-friendly applications and services.
To balance security and convenience, industry authentication vendors are investigating new ways of authenticating mobile users to achieve a more balanced security architecture. At the forefront of this research, the MOBIO (Mobile Biometry) project is attempting to ease the burden of strong authentication by recognizing who the user is through the mobile device’s camera and microphone, hardware that is included in almost every mobile device. The participants in MOBIO are accomplishing this using face and voice recognition software to strongly authenticate the user.
As enterprises struggle to define what data a mobile user will have access to, hopefully in the near future the problem of knowing who the user is will be as easy as he or she speaking into the device and asking for the data.
About the author:
Randall Gamby is the information security officer for the Medicaid Information Service Center of New York (MISCNY). MISCNY manages and maintains the largest state-run Medicaid claims data warehouse in the United States. Prior to this position he was the enterprise security architect for a Fortune 500 insurance and finance company. His experience also includes many years as an analyst for the Burton Group's Security and Risk Management Services group. His coverage areas included: secure messaging, security infrastructure, identity and access management, security policies and procedures, credential services, and regulatory compliance.
This was first published in February 2012