Written by Tim Matthews, Director, User Authentication Group, Symantec
From a security and management perspective, more than a few CIOs and CISOs look back with nostalgia on the days of yore when the words “smart” and “phone” were typically only used in the same sentence during a history lesson on Alexander Graham Bell. Others, however, salivate at the mere thought of the endless possibilities being brought about by the seemingly minute-to-minute advances in mobile technology.
Whichever camp one identifies with, none can deny that the mobile revolution is in full swing. In fact, according to the analyst firm Gartner, sales of smartphones will rise to $645 million in 2012. Add to this that Gartner also predicts 80 per cent of professionals will use at least two personal devices to access corporate systems and data by 2014.
The fact of the matter is that personal mobile devices such as smartphones are being brought into corporate infrastructures at a breakneck pace. Why? Because it makes employees more productive and happier. The challenges this consumerization of IT creates for CIOs and CISOs tasked with enabling the secure use of these devices are well documented. However, these challenges are not insurmountable. With strong policy development and enforcement, aided by the effective use of mobile security and management technology, secure and effective bring your own device (BYOD) implementations are possible. Thus, enterprises need not fear the mobile movement.
To the contrary, in fact, enterprises should look at the massive proliferation of smartphones as an opportunity to fix a critical security issue that impacts a large portion of their infrastructures. At first this might seem counterintuitive, but once an organization has a properly managed BYOD program these devices can actually become security assets rather than liabilities.
BYOD Into Security Assets
The rash of high profile data breaches over the course of the past year highlights at least in part the simple truth that passwords are no longer enough to protect sensitive corporate networks and data. According to a 2010 Symantec survey, 44 per cent of respondents had 20 or more password protected accounts, and 59 per cent said they simply rely on memory to try to keep track of their passwords. It’s no wonder then that 74 per cent admit they reuse their passwords from account to account to at least some degree.
This obviously presents a major security risk for businesses. For example, by gathering information from a user’s social media profiles – favorite athletic team, pet’s name, hometown – an attacker is well-equipped to piece together the employee’s social media login credentials; this is all much easier than one might think. There is a good chance the employee uses the same password for their corporate login credentials as well. Thus, the attacker has not only figured out how to breach the user’s social media account, but the corporate network as well.
This practice, however, can be difficult to prevent since an organization has no control over what passwords an employee uses outside the corporate infrastructure. Also, attempts to prevent this, such as policies requiring frequent password changes, can be problematic and result in higher support costs due to employees forgetting their passwords. Such policies also often result in employees simply using predictable password patterns.
Thus, for a truly secure environment, single-factor authentication – password protection – must be augmented with an additional layer applied to the login verification process. Such multifactor authentication is not a new concept, but the consumerization of IT trend, particularly the influx of personal mobile devices, can eliminate the primary barriers preventing organizations from implementing two-factor authentication.
Two-factor authentication is a relatively simple concept: it combines something an employee knows – their password – with something they have – a physical object such as a security token. Only if an employee can supply both forms of authentication will they be allowed access to the protected system. However, such security tokens are often seen as less than ideal. They can be expensive; they wear out; and they can easily be lost or forgotten by employees, resulting in reduced productivity and additional support costs.
The ideal solution to this problem would be a physical object that nearly every employee already has and takes great care not to lose or even forget when leaving the house; something capable of providing the same security features and benefits as a security token without the baggage. This may sound like a pipe dream, but the reality is that BYOD provides just such a solution: employees’ smartphones.
Once employee smartphones are successfully brought into the corporate infrastructure, including taking steps to properly secure and manage the devices, enabling them to function as secure login credentials is actually quite simple. All that is required is for a small application to be installed on a user’s device that provides them with a one-time passcode just as a security token would. Thus, a successful marriage of enhanced corporate security with cost-effectiveness and convenience is achieved.
However, it is important to keep in mind that not all two-factor authentication technologies capable of leveraging smartphones as credentials are created equal. There are several things corporations should demand from such a solution:
- Broad mobile operating system support – One of the key benefits to using smartphones as a security credential is reduced cost because most if not all employees already have the required device; the BYOD trend only strengthens this benefit. However, if the two-factor authentication solution only supports a limited array of operating systems and devices, the mutually beneficial relationship between BYOD and two-factor authentication is drastically reduced.
- Free client side app – The mobile application that supplies users with the one-time passcode should not only be compatible with the widest array of mobile devices possible, but it should also be available for free to partners, customers and employees. This prevents potential hidden cost increases and lost ROI associated with scalable deployments due to customer and personnel churn.
- Cloud-based infrastructure – A cloud-based approach allows organizations to quickly and easily deploy strong authentication without the up-front capital expenditures associated with deploying and maintaining a dedicated on-premise authentication infrastructure. It also provides more secure, reliable and scalable service.
- Support of open authentication standards – Open authentication standards, such as OATH, let companies choose the right form-factor for users, in this case smartphones. OATH also allows companies to source credentials from a wide variety of vendors, which helps ensure timely delivery by avoiding supply chain problems commonly found with more proprietary approaches.
With BYOD come security and management challenges, but organizations should not lose sight of the forest for the trees. Not only will BYOD, done right, create employee productivity and happiness advantages, but it can also create opportunities to improve overall security. Leveraging employees’ mobile devices as secure login credentials is one way these devices can become an arrow in IT’s quiver, rather than a thorn in its side.