My friend Tony loves electronics and gadgets and probably owns every type of man toy – iPads, home theatre system, Xbox, GoPro, quadcopter with Wi-Fi camera, etc. He travels a lot for work and is always connected to the internet via his phone and wireless hotspots. He is a technophile, which makes work and life convenient for everyone associated with him. Or does it?
In my opinion, Tony is a perfect embodiment of the statement, “Employees are the biggest vulnerabilities for a company’s information security.” Tony’s work email has been set up on every tablet he has owned. He never cared about removing email settings and data from the old devices when he bought a new one (who does that anyway?). His kids have access to his old mobile devices, and most of them do not have passcode locks because, for end users, ease of use often trumps security concerns. This gives Tony little to no control over who else can use those old devices for casual browsing. And he not only compromises his personal data, but his work data as well. While he is no Jennifer Lawrence (trust me, his personal photos are not in demand!), he still makes his personal information vulnerable and exposes his work email to casual browsing by others, inadvertently compromising his company’s information security. And he is not an exception. There are lots of folks like Tony. Not too long ago we had this news:
Furthermore, what happens when Tony quits his job? All that data on his mobile devices is the company data/IP walking out of the door unchecked.
So the obvious solution that comes to mind is, “I will have my IT admin set up, manage and control access to company data on my phone.” Great! That addresses the device management aspects: the ability to remotely wipe data, track a lost phone, manage apps, etc. But what about access management on the mobile server itself, ensuring that only authorized admins are managing your mobile devices remotely, to protect against insider threats such as these:
- The Register: ‘Heartbleed-based BYOD hack’ pwns insurance giant Aviva’s iPhones – On May 20th, a hacker using a Heartbleed-based attack was able to obtain access to the MobileIron server that managed more than 1,000 employee mobile devices at Aviva, performed a full wipe of every device and eventually shut down the server itself.
- WSJ: Remote Data Wipes of Workers’ Personal Devices Are Rising – Of the Fiberlink erasures from July 2013 to June 2014, 49% were completed automatically after something like a security breach triggered the company’s wiping process.
Enter multi-factor authentication – which authenticates users based on verification of at least two of the following:
- something they know
- something they own/possess
- something they are (biometric)
In the context of mobile, this needs to be applied at both ends – mobile end user as well as the mobile admin.
Multi-factor authentication has been around for some time (remember the physical security tokens that people carried with their laptops?). Mobile admins follow the same multi-factor authentication as the regular IT admin to gain access to the mobile server to manage your mobile devices remotely. See AuthAnvil’s Two Factor Authentication to understand how insider threats and security breaches can be mitigated for the servers that mobile admins use.
But multi-factor authentication for mobile end users is tricky. Picture yourself holding your phone in one hand and a physical security token in the other hand to check work email. How will you scroll/click on the screen?
There is a smarter way to handle multi-factor authentication on mobile devices. In a BYOD context, IT admins’ control of the user’s personal device is limited compared to a company-provided device. Hence multi-factor authentication is very critical in a BYOD context. Multi-factor authentication for mobile users can be easily done by pairing users with specific device(s) and enforcing secure PIN entry on the apps which access company email, documents and other intellectual property (not the device-level PIN). So mobile users can access company data only if they:
- Enter the correct security PIN for the apps (something they know)
- Use the approved device paired with them (something they own/possess)
Using an Active Directory / LDAP system at the backend extends the user’s existing access privileges to the mobile devices, so entitlements are managed in one place. It is very important to note that all this is a very streamlined process – users just open the app the usual way and enter the security PIN for the app.
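To make the user/device pairing plus app-level PIN scheme concrete, here is an added example of the server-side policy check that such a scheme implies. It is not code from the original post or from any product the post mentions; the class and method names, the in-memory pairing store, the lockout threshold, the group name `mobile-email-users` and the dictionary standing in for an AD/LDAP group lookup are all assumptions for illustration. Access is granted only when the device is paired with the user (something they possess), the app PIN verifies (something they know) and the directory still entitles the user; offboarding revokes every pairing so old devices stop working.

```python
"""
Added example (not from the original post): a minimal server-side policy
check for the user/device pairing + app-level PIN scheme described above.
All names, sample data and the directory lookup are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000
MAX_PIN_FAILURES = 5          # lock the pairing after this many bad PINs


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen pairing table does not reveal app PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Pairing:
    """One approved (user, device) pair and its app-level PIN credential."""
    user: str
    device_id: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


class MobileAccessPolicy:
    def __init__(self, directory_groups):
        # Assumption: directory_groups stands in for an AD/LDAP query and
        # maps a user name to the set of groups they belong to.
        self._directory = directory_groups
        self._pairings = {}

    def enroll(self, user, device_id, pin):
        """Pair a user with one approved device and set the app PIN."""
        salt = os.urandom(16)
        self._pairings[(user, device_id)] = Pairing(user, device_id, salt, hash_pin(pin, salt))

    def authorize(self, user, device_id, pin, required_group="mobile-email-users"):
        """Return (granted, reason). Both factors and the directory entitlement must hold."""
        pairing = self._pairings.get((user, device_id))
        if pairing is None:
            return False, "device not paired with user"        # possession factor fails
        if pairing.locked:
            return False, "pairing locked after repeated PIN failures"
        if not hmac.compare_digest(hash_pin(pin, pairing.salt), pairing.pin_hash):
            pairing.failures += 1
            if pairing.failures >= MAX_PIN_FAILURES:
                pairing.locked = True
            return False, "wrong app PIN"                      # knowledge factor fails
        pairing.failures = 0
        if required_group not in self._directory.get(user, set()):
            return False, "user not entitled in directory"
        return True, "ok"

    def revoke_user(self, user):
        """Offboarding: remove every pairing for the user; returns how many were dropped."""
        stale = [key for key in self._pairings if key[0] == user]
        for key in stale:
            del self._pairings[key]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample data: one entitled user, one unentitled user.
    policy = MobileAccessPolicy({"tony": {"mobile-email-users"}, "carol": set()})
    policy.enroll("tony", "tablet-1", "2468")
    print(policy.authorize("tony", "tablet-1", "2468"))   # approved device, right PIN
    print(policy.authorize("tony", "old-phone", "2468"))  # unpaired device is refused
    print(policy.revoke_user("tony"), "pairing(s) revoked on offboarding")
```

The lockout counter and the constant-time hash comparison are the two details most often missed in home-grown app-PIN checks: without the first, a short numeric PIN can be guessed online; without the second, the check leaks timing information.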
Multi-factor authentication on mobile devices is very important as these devices move company data outside the organization boundary very easily. But the multi-factor authentication on mobile cannot follow the physical security token model. By pairing users with devices and enforcing PIN at app level, multi-factor authentication can be streamlined and transparent to the mobile user, ensuring ease of use and security at the same time. There are innovative solutions in the market that implement such multi-factor authentication on mobile devices and if you are enabling an “anytime anywhere available” mobile workforce then you should seriously consider having this capability.
Author: Varun Taware