Facing up to the mobile revolution
- SC Magazine, April 2011
Whether companies are actively encouraging their employees to work on the move, or staff are simply using personal mobile devices of their own accord, security professionals face a major new headache in protecting their organisations from threats, writes Rob Buckley.
Authentication is an area that needs to be looked at. Eric Maiwald, research vice president at Gartner, says this provides the first line of defence against an unauthorised person picking up a handheld device and accessing the information on it. A suitable authentication mechanism will mirror the mechanisms found on client computer systems, with authentication required at power-on, an inactivity timer so that re-authentication is required after a period of non-use, and protection from too many failed login attempts, such as an additional locking mechanism or a wipe of the device. Many devices have these features built in, although Google's Android does not have built-in support for strong passwords.
"Handheld devices are different from client computer systems, and therefore some allowances must be made for how the devices will be used," warns Maiwald. "For example, it's not appropriate to force authentication on a mobile device before a user can answer a call or make an emergency call." Inactivity time-outs may also require adjustment, depending on how the device is being used. "If the handheld device is being used for driving directions with a GPS application, an inactivity time-out that forces the driver of a vehicle to re-authenticate is inadvisable," adds Maiwald.
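The lock-screen policy described in the two paragraphs above (authentication at power-on, an inactivity timer, lockout and finally wipe after repeated failures, with allowances for answering calls, emergency calls and GPS navigation) can be modelled as a small state machine. The following Python is an added example written for this article, not code from Gartner or any device vendor; the policy values, the `FakeClock` and the action names are constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockPolicy:
    """Policy values are constructed for the example, not vendor defaults."""
    inactivity_timeout_s: int = 300   # re-authenticate after this much idle time
    max_failed_attempts: int = 5      # temporary lockout after this many failures
    lockout_s: int = 600              # length of that temporary lockout
    wipe_after_failures: int = 10     # wipe the device after this many failures in total


class FakeClock:
    """Constructed stand-in for a monotonic clock so scenarios can be replayed offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class Device:
    """Tiny model of a handset's lock screen: state is 'locked', 'unlocked' or 'wiped'."""
    ALWAYS_ALLOWED = {"answer_call", "emergency_call"}   # the allowances Maiwald describes

    def __init__(self, policy, pin, clock=time.monotonic):
        self.policy = policy
        self._pin = pin                  # a real device stores a hash, never the PIN itself
        self.clock = clock
        self.state = "locked"            # authentication required at power-on
        self.failed = 0
        self.locked_until = 0.0
        self.last_activity = clock()
        self.navigating = False          # GPS directions suppress the inactivity lock

    def _apply_inactivity_timer(self):
        idle = self.clock() - self.last_activity
        if (self.state == "unlocked" and not self.navigating
                and idle > self.policy.inactivity_timeout_s):
            self.state = "locked"

    def unlock(self, pin_attempt):
        """Return True if the attempt unlocks the device."""
        now = self.clock()
        if self.state == "wiped" or now < self.locked_until:
            return False                 # wiped devices and active lockouts reject everything
        if hmac.compare_digest(pin_attempt, self._pin):
            self.state, self.failed, self.last_activity = "unlocked", 0, now
            return True
        self.failed += 1
        if self.failed >= self.policy.wipe_after_failures:
            self.state = "wiped"         # last resort: destroy the data rather than expose it
        elif self.failed % self.policy.max_failed_attempts == 0:
            self.locked_until = now + self.policy.lockout_s
        return False

    def request(self, action):
        """Return True if the action is permitted in the current state."""
        if action in self.ALWAYS_ALLOWED:
            return True                  # never force authentication for calls
        self._apply_inactivity_timer()
        if self.state != "unlocked":
            return False                 # covers both 'locked' and 'wiped'
        self.last_activity = self.clock()
        if action == "start_navigation":
            self.navigating = True
        elif action == "stop_navigation":
            self.navigating = False
        return True
```

The `navigating` flag is the only thing that suppresses the inactivity timer, so the device still re-locks on the normal schedule once directions are stopped; the wipe threshold is counted across lockouts so that waiting out a lockout does not reset the failure budget.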
Swivel's PINsafe offers an alternative to standard authentication. The user chooses a four-digit PIN, and whenever they wish to access an application, PINsafe delivers a one-time security string of randomly generated numbers to their mobile phone or browser. The user enters the numbers from the security string that correspond with the numbers in the PIN - if the user's PIN is 1234, they will enter the first, second, third and fourth numbers of the string.
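The scheme just described, in which the user reads the digits of a random security string at the positions given by their PIN, is easy to demonstrate. The following Python is an added example modelled on that description; it is not Swivel's code and makes no claim about PINsafe's real protocol. The mapping of PIN digit 0 to the tenth character and the `PositionalOtpServer` class are assumptions made for the illustration.

```python
import hmac
import secrets


def derive_response(pin, security_string):
    """What the user does in their head: take the character of the string at each PIN position.
    PIN digit 1 selects the first character, digit 9 the ninth and digit 0 the tenth
    (that last rule is an assumption of this example)."""
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


class PositionalOtpServer:
    """Server side: issues a fresh 10-digit string per login and verifies the derived response."""

    def __init__(self):
        self._pins = {}       # user -> PIN; a production system would store a salted hash
        self._pending = {}    # user -> outstanding security string, at most one at a time

    def enrol(self, user, pin):
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be four digits")
        self._pins[user] = pin

    def issue_string(self, user):
        """Generate and remember a random security string for the user's next login."""
        if user not in self._pins:
            raise KeyError(user)
        security_string = "".join(str(secrets.randbelow(10)) for _ in range(10))
        self._pending[user] = security_string
        return security_string            # delivered to the user's phone or browser

    def verify(self, user, response):
        """Consume the pending string (one-time, whether or not the response matches)."""
        security_string = self._pending.pop(user, None)
        if security_string is None:
            return False                  # nothing outstanding: replay or no string issued
        expected = derive_response(self._pins[user], security_string)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    srv = PositionalOtpServer()
    srv.enrol("alice", "1234")            # constructed demo user and PIN
    s = srv.issue_string("alice")
    print("security string:", s, "-> user enters", derive_response("1234", s))
```

Two properties matter to the defender here: the string is consumed on the first verification attempt, so a captured response cannot be replayed, and the comparison is constant-time so timing does not leak how many positions matched.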
Authenticating for access to corporate resources is also a concern. Few mobile devices offer USB ports for connecting biometric readers or other hardware used for two-factor authentication. But applications from companies such as RSA and Signify are available for most smart devices that can create software tokens for authentication, avoiding the need for separate key fobs. If the device is a phone, it can be used as a second factor - SMS messages carrying an authentication token can be sent to the phone number associated with the device, ensuring that only specific devices can be used to access corporate resources. Importantly, according to David Emm, senior regional researcher UK at Kaspersky Lab, "two-factor authentication is great because it's not enough for Trojans such as Zeus to get hold of".
However, Jim Tiller, vice president, security professional services, North America, at BT Global Services, has concerns. "When you take away the separate fob, that's really only pseudo two-factor authentication," he says.
Network access control or mobile device management systems, such as Bradford Networks' Network Sentry and Sophos Mobile Control, can determine what kind of device is accessing the network and assign rights according to policy, as well as configure the devices.
"There are a number of tools in the arsenal we can use," says Arabella Hallawell, Sophos's vice president of corporate strategy; she explains that these include whitelisting and locking down of phone functions. "But it's a balancing act. You can use more restrictive technology, but it will take a lot longer for you to get the advantages of consumerisation," she adds.
Terms and conditions
Before employees can access corporate resources, they should agree to policies regarding acceptable usage. This can include terms requiring security software, such as BullGuard's Mobile Security anti-malware and management software, to be installed where necessary; device encryption to be turned on - a default for most, but not all; and for some configuration to be undertaken by administration software such as Sophos Mobile Control.
Some terms may cause problems. Where employees use their own devices, most staff will happily accept a minimum password length or a requirement that data on the device be encrypted, but they may balk at a clause allowing the organisation to remotely wipe the phone if it is lost or stolen. Although employees do need to accept some degree of personal responsibility if they are to be extended the benefits of remote working and use of their own devices, it is possible for data to be segregated on phones, so that only certain parts of the phone need be wiped in the event of loss, rather than all of it - which should cushion the impact. RIM's BlackBerry Balance - so called because it aims to enhance users' work-life balance - allows its phones to be partitioned, for example, while BlackBerry Protect provides back-up, location and remote wipe facilities. McAfee's WaveSecure and Kaspersky Mobile Security offer similar remote wipe facilities, among other functions.
Equally, by ensuring that little or no data is on the device, employees can be spared this dilemma. Browser-based access to resources avoids anything being saved to the device, since everything is stored within the session. Meanwhile, desktop virtualisation technology, such as Windows Terminal Services or Citrix and VMware's various products, allows corporate desktops to be run from a server.
