The potential benefits of leveraging consumer mobile technologies for the enterprise are huge, but as more and more consumer devices connect to enterprise networks and store corporate data, the associated risks continue to increase.
Many end-user behaviours, such as forwarding corporate email to personal accounts and storing corporate content in the Cloud, can expose corporate data, while the extreme rate of change in the mobile space also serves to compound the challenges of managing the risks.
People want to blend personal and work lives on one mobile device, which is usually their own personal device, breaking the mould of using only company-issued technology for work.
As enterprises implement mobile devices and applications, they must identify the risks and ensure effective security controls to adequately manage them.
To monitor for advanced threats, organisations have implemented intrusion detection systems (IDS) and other tools that capture and analyse traffic on corporate networks to identify suspicious activity, such as communications to command and control servers. These tools can monitor mobile traffic only when it is routed through the corporate network (for example over a VPN); enterprises still have no visibility into mobile traffic that goes directly over carrier networks.
After understanding the risks, organisations need to determine what tools and techniques are available for mitigating them.
To help enterprises manage and secure consumer mobile devices, mobile device management (MDM) solutions have emerged, and platform vendors are beginning to offer a few MDM features natively. With an MDM solution, the user installs a client application on the device and enrols it with the MDM server. Thereafter, the client reports the device's state (OS version, passcode and encryption settings, installed apps, and so on) to the MDM control server, which responds with the rules and policies the client must enforce on the device.
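The report-and-enforce loop described above, as an added example that is not part of the original article and does not describe any vendor's product: an MDM control server receives a device state report, compares it with a policy and returns the actions to push back to the client. The data model, policy values, device reports and app name (`file-sharing-app`) are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Version = Tuple[int, int, int]


@dataclass
class DeviceState:
    """Constructed state report as an enrolled MDM client might send it."""
    device_id: str
    os_version: Version
    passcode_set: bool
    passcode_length: int
    storage_encrypted: bool
    jailbroken: bool
    installed_apps: List[str] = field(default_factory=list)


@dataclass
class Policy:
    """Hypothetical policy the control server applies to every device."""
    min_os_version: Version
    min_passcode_length: int
    require_encryption: bool
    blocked_apps: List[str] = field(default_factory=list)


def find_violations(state: DeviceState, policy: Policy) -> List[str]:
    """Compare a reported state to policy; an empty list means compliant."""
    violations = []
    if state.jailbroken:
        violations.append("jailbroken or rooted")
    if state.os_version < policy.min_os_version:   # tuples compare element-wise
        violations.append("os %s older than required %s" % (
            ".".join(map(str, state.os_version)),
            ".".join(map(str, policy.min_os_version))))
    if not state.passcode_set:
        violations.append("no passcode set")
    elif state.passcode_length < policy.min_passcode_length:
        violations.append("passcode shorter than %d" % policy.min_passcode_length)
    if policy.require_encryption and not state.storage_encrypted:
        violations.append("storage not encrypted")
    for app in state.installed_apps:
        if app in policy.blocked_apps:
            violations.append("blocked app installed: " + app)
    return violations


def actions_for(violations: List[str]) -> List[str]:
    """Map violations to commands the control server pushes to the client.

    A compromised (jailbroken) device gets corporate data removed first;
    lesser violations only restrict access until the user fixes them.
    """
    if not violations:
        return ["grant_access"]
    actions = []
    if any(v.startswith("jailbroken") for v in violations):
        actions.append("wipe_corporate_data")
    actions.append("block_corporate_access")
    actions.append("notify_user")
    return actions


def process_report(state: DeviceState, policy: Policy) -> dict:
    """One check-in cycle: evaluate the report and return the server's response."""
    violations = find_violations(state, policy)
    return {"device_id": state.device_id, "compliant": not violations,
            "violations": violations, "actions": actions_for(violations)}


if __name__ == "__main__":
    # Constructed policy and device reports (hypothetical values).
    corp = Policy((16, 0, 0), 6, True, blocked_apps=["file-sharing-app"])
    ok = DeviceState("phone-1", (17, 1, 0), True, 6, True, False, ["mail"])
    bad = DeviceState("phone-2", (15, 7, 0), True, 4, False, True, ["file-sharing-app"])
    for device in (ok, bad):
        print(process_report(device, corp))
```

A real client report is only as trustworthy as the client: a jailbroken device can lie about being jailbroken, which is why mature deployments pair this check with platform attestation where the OS offers it.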
The downside is that, owing to the fledgling nature of the MDM market, MDM products are beset with limitations: lack of scalability, poor user experience, limited features and platform support, the inability to vary permissions by group, and so on.
Users typically access mobile devices by entering a PIN or password. As these devices are increasingly used to access corporate applications and store corporate data, enterprises may require stronger authentication.
Two-factor authentication combines a password (something the user knows) with a second factor of a different kind, usually something the user has. With token-based authentication, a one-time password generated on a hardware fob (or, increasingly, a software token) serves as the second factor. Enterprises commonly use token-based authentication to secure access to virtual desktops via virtual private networks (VPNs).
Smart cards are another two-factor option; readers are also becoming available for mobile devices. The advantage of these methods is that enterprises are often able to leverage existing authentication systems.
Risk-based authentication examines a variety of indicators behind the scenes to determine the risk level of access requests and transactions.
If indicators suggest an anomaly, or if highly sensitive data or unusual transactions are requested, the user must provide additional authentication. Risk-based authentication is commonly used in banking, including mobile banking, and can also be applied to enterprise applications.
When used in conjunction with single sign-on, risk-based authentication may be especially convenient for working with multiple enterprise apps. Rather than requiring the user to log in to one app after another, if they have already logged into one enterprise app and request access to another within a short period, the system checks for deviations in behavioural or contextual factors (device, network location, time since login, sensitivity of the data requested). Additional authentication is required only for anomalies or higher-risk requests.
Other methods use the mobile device itself as the second factor. One emerging solution uses an identity domain controller that holds, for each user, the serial numbers of their registered devices. To access the corporate network from a registered device, the user enters their password and, transparently to the user, the domain controller checks that the device's serial number is registered to that user. A serial number identifies the device but is not a secret, so this binds access to known devices rather than proving possession cryptographically.
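The two ideas above, risk-based step-up under an SSO session and checking the requesting device against a per-user registry, combined in one added example that is not from the article or any RSA product. Everything here is constructed for illustration: the device registry standing in for the identity domain controller, the scoring weights, the 15-minute reuse window, the thresholds and the sample session and requests. Scores below the step-up threshold are allowed silently; a session that already presented a second factor lowers the residual risk.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed registry: user -> serial numbers of registered devices
# (stands in for the identity domain controller; hypothetical data).
REGISTERED_DEVICES: Dict[str, Set[str]] = {
    "alice": {"SN-A1B2C3"},
    "bob": {"SN-Z9Y8X7", "SN-Q1W2E3"},
}

SESSION_REUSE_WINDOW = 15 * 60   # seconds; assumed value
DENY_THRESHOLD = 80              # assumed thresholds
STEP_UP_THRESHOLD = 30


@dataclass
class Session:
    """State recorded when the user first logged in to an enterprise app."""
    user: str
    device_serial: str
    ip: str
    country: str
    authenticated_at: int   # epoch seconds
    strong: bool            # True if a second factor was presented at login


@dataclass
class Request:
    """A later request for another app under the same SSO session."""
    user: str
    device_serial: str
    ip: str
    country: str
    at: int                 # epoch seconds
    sensitivity: str        # "normal" or "high"


def same_network(ip_a: str, ip_b: str) -> bool:
    """Coarse locality check: same /24 for IPv4, same /64 for IPv6."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)


def risk_score(session: Session, request: Request) -> Tuple[int, List[str]]:
    """Additive risk score from contextual and behavioural deviations."""
    score, reasons = 0, []
    if request.device_serial not in REGISTERED_DEVICES.get(request.user, set()):
        score += 50
        reasons.append("device not registered to user")
    if request.device_serial != session.device_serial:
        score += 30
        reasons.append("device changed since login")
    if request.country != session.country:
        score += 40
        reasons.append("country changed since login")
    elif not same_network(request.ip, session.ip):
        score += 10
        reasons.append("network changed since login")
    if request.at - session.authenticated_at > SESSION_REUSE_WINDOW:
        score += 20
        reasons.append("login older than reuse window")
    if request.sensitivity == "high":
        score += 30
        reasons.append("high-sensitivity resource")
    if session.strong:
        score -= 20   # a second factor already presented lowers residual risk
        reasons.append("session already strongly authenticated")
    return max(score, 0), reasons


def decide(session: Session, request: Request) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) for the request."""
    if request.user != session.user:
        return "deny", ["session belongs to a different user"]
    score, reasons = risk_score(session, request)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed session and requests (hypothetical addresses and times).
    login = Session("alice", "SN-A1B2C3", "203.0.113.10", "AU", 1_700_000_000, strong=False)
    for req in (
        Request("alice", "SN-A1B2C3", "203.0.113.12", "AU", 1_700_000_300, "normal"),
        Request("alice", "SN-A1B2C3", "203.0.113.12", "AU", 1_700_000_300, "high"),
        Request("alice", "SN-FFFFFF", "198.51.100.7", "AU", 1_700_000_300, "normal"),
    ):
        print(decide(login, req))
```

The three sample requests produce allow, step_up and deny respectively: the same device on the same subnet within the window carries no risk; asking for sensitive data on a password-only session earns a step-up; an unregistered device that differs from the one that logged in, on a new network, is refused outright.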
Certificate-based device authentication is another option. A certificate binding a public key to the device is issued by the enterprise's certificate authority and installed on the device together with its private key (typically via an MDM that supports certificate enrolment, with the private key held in the device's keystore). Before an application allows access, the user's password is checked and the device must prove possession of the private key, for example through TLS client authentication, with the server verifying the certificate chain, validity period and revocation status. One drawback is that certificate management, including issuance, renewal and revocation, can be onerous and require significant investment in infrastructure and resources.
Where to start?
The following five recommendations provide a basis for managing mobile enterprise risks today and planning for the future.
- Establish mobile governance
- Create an action plan for the near term
- Build core competencies in mobile app security
- Integrate mobility into long-term vision
- Expand mobile situational awareness
The mobile genie has been let out of the bottle and there’s no going back. But the news isn’t all bad. Ultimately, it’s not about ensuring absolute security - it’s about managing risks. Each organisation must accurately evaluate its opportunities and determine how much risk it is willing to take on to capture those opportunities. Risks can be mitigated to an acceptable level. It will require an overall organisational commitment and a forward-looking enterprise risk management vision that embraces the mobile future.
Shaun McLagan is network security provider RSA’s general manager for Australia and New Zealand