The increasing reliance businesses place on mobile IT access will nearly always lead to increased risk, at least in the short term. One of the main reasons for this is that the growth in use of mobile devices is often ad hoc and unplanned. Of course the way mobile devices are deployed varies; the allocation of laptop computers and BlackBerry smartphones may well be planned, whilst the use of iPads and Android smartphones may be ad hoc, driven by users with their own devices.
One reaction could be to attempt to block all unplanned usage of devices. However, this is not necessarily desirable or practical. There are many benefits from allowing remote access; the flexible working it enables means employees can be more responsive, and that can lead to more efficient business processes. Try blocking access from their devices and employees will find a workaround: an urgent message to a customer may be sent via an open social network rather than the corporate email system, where the communication would have been archived and auditable at a later date.
What risks arise from the use of mobile devices and how can their use be controlled, so that the benefits can be realised and the threats mitigated? Before addressing this it is worth pointing out that there are two broad approaches to putting controls in place:
- On the device itself (which may be limited depending on ownership)
- Centrally, protecting the applications and data being accessed from mobile devices.
There are four broad categories of risk: access, data, malware and business continuity. This article details how each of these can be approached and concludes with a fifth issue: an end-point management regime is needed to pull them all together.
Security of mobile remote access
This requires addressing access to the device itself and access to the network resources that the user is permitted to use. With any device a passcode for access can be put in place; that leads to all the usual problems with password management – users forgetting them and the need to reset them.
However, the bad guys find ways around device-level passwords, so additional strong authentication of the user is desirable, especially if sensitive data is to be stored on a device. Examples are biometrics (most commonly fingerprints), hardware tokens or a mechanism for distributing one-time passwords. Strong authentication has mostly been used for laptop access and not for smartphones and tablets. In fact, smartphones can be used to provide strong authentication of access to laptops (see below). However, with the increasing power of these devices, perhaps they should require strong authentication too.
It need not be the case that gaining access to the device itself opens up the available network resources, although some organisations will deem that sufficient. Others will require secondary authentication for opening a VPN connection or gaining access to applications. Here, the management overheads need to be balanced against risk. Too many passwords to remember means too many passwords get forgotten. So it makes sense to use the mobile device to authenticate access to a single sign-on system, but get this wrong and there is a lot at stake: a compromised device then unlocks everything behind the single sign-on.
To counter this there is a range of additional measures that can be taken. These include:
- Hardware recognition – only allowing access from known devices that can be recognised through a range of characteristics or an agent installed on the device.
- Geolocation – using IP address analysis or GPS software to identify the user’s location and decide if it is as expected; a UK based sales person should not be requesting access from Moscow!
- Out of band authentication – for example, sending one-time passwords via a device independent of the one being authenticated (e.g. to a mobile phone to authenticate a laptop).
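The following is an added example, not code from the original article, showing how the secondary authentication discussed above and the three measures just listed can be combined into one risk-based access decision: a request from an unrecognised device is refused, a request from a known device in an unexpected country is stepped up to an out-of-band one-time password, and everything else is allowed. The device inventory, the IP-to-country table and the OTP seed are all constructed for the demonstration; the one-time password algorithm is HOTP (RFC 4226), which the article does not name and is used here only as a concrete, checkable choice.

```python
"""Risk-based access decision combining device recognition, geolocation
and out-of-band one-time passwords (added example; all data constructed)."""
import hashlib
import hmac
import ipaddress
import struct

# --- Hardware recognition ----------------------------------------------
# A device is "known" when the hash of its reported characteristics matches
# an enrolled fingerprint. The characteristics below are made up; a real
# agent would report whatever it can attest to (serial, TPM key hash, ...).
def device_fingerprint(characteristics: dict) -> str:
    canonical = "|".join(f"{k}={characteristics[k]}" for k in sorted(characteristics))
    return hashlib.sha256(canonical.encode()).hexdigest()

ALICE_DEVICE = {"serial": "C02ABC123", "tpm_ek_hash": "a1b2c3", "os": "macOS"}
ENROLLED_DEVICES = {device_fingerprint(ALICE_DEVICE): "alice"}  # fingerprint -> owner

# --- Geolocation ---------------------------------------------------------
# Constructed IP-to-country table standing in for a real GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
]

def country_for_ip(ip: str):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None  # unknown location counts as unexpected in the policy below

# --- Out-of-band one-time passwords (HOTP, RFC 4226) ---------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_hotp(secret: bytes, counter: int, submitted: str, window: int = 3):
    """Accept a code within a small look-ahead window (the phone may have
    generated codes the server never saw). Returns the next counter value
    on success so the server can advance past it, or None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None

# --- Policy --------------------------------------------------------------
# Assumed per-user expectation: where this user normally works from.
EXPECTED_COUNTRIES = {"alice": {"GB"}}

def evaluate_access(user: str, characteristics: dict, source_ip: str) -> str:
    """Return "deny", "step_up" (demand an out-of-band OTP) or "allow"."""
    if ENROLLED_DEVICES.get(device_fingerprint(characteristics)) != user:
        return "deny"      # unknown device, or enrolled to a different user
    if country_for_ip(source_ip) not in EXPECTED_COUNTRIES.get(user, set()):
        return "step_up"   # the UK sales person requesting access from Moscow
    return "allow"

if __name__ == "__main__":
    print(evaluate_access("alice", ALICE_DEVICE, "203.0.113.7"))   # allow
    print(evaluate_access("alice", ALICE_DEVICE, "198.51.100.9"))  # step_up
    seed = b"12345678901234567890"                                 # RFC 4226 test secret
    print(hotp(seed, 0), verify_hotp(seed, 0, hotp(seed, 1)))      # 755224 2
```

The step-up path is where the out-of-band channel matters: the server generates the HOTP code from the seed it shares with the user's phone and delivers it to the phone, not to the laptop being authenticated, so an attacker holding only the laptop cannot complete the login. The look-ahead window in `verify_hotp` is deliberately small; widening it makes the code easier to guess.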