When today’s hacker and identity theft threats combine with the new challenges presented by the trend of ‘bring your own device’ (BYOD), companies must take decisive action to deliver secure, flexible and convenient authentication to employees and their devices alike.
BYOD has always posed a headache to system administrators, since these mobile devices are accessing corporate data. In recent years, the trend has blossomed into BYOE or “bring your own everything,” as employees blur boundaries by bringing not only their own smartphones, tablets and laptops to the office, but also their own applications and networks.
This infusion of personal devices, apps and networks into the corporate environment presents a significant security challenge, as controlling access to corporate data and network assets is complicated by the presence of devices, networks and applications not fully under the IT department’s control. Many security and IT administrators have spent sleepless nights trying to address well-known and widespread security issues surrounding data synchronization on unsecured devices accessing the corporate network. In this slideshow, SMS Passcode has identified critical steps organizations can take to minimize the impact of BYOD and manage devices in a secure way.
Managing BYOD Security Issues
The five critical steps below, identified by SMS Passcode, help organizations minimize the impact of BYOD and manage devices in a secure way.
Secure Access to Data
Today, users obtain access to their PIM data (email, calendar and contacts) by simply entering their email address and their Windows password on their mobile device. Depending on the settings of the Exchange Server, the device will either be approved automatically, after which data synchronization begins, or be quarantined until an administrator approves it manually.
The automatic approval process presents a security vulnerability because users are authenticated only by their username and password (single-factor authentication), which is weak. Manual approval, on the other hand, leaves the system administrator, especially in larger companies, with the problem of deciding whether a quarantined device should be approved: how does he or she distinguish a valid user's device from a hacker attempting to gain access to a user's e-mail?
To authenticate the identity of the user requesting remote access to company systems and data, take the following steps:
- Ensure authentication of the users accessing data.
- If data is synchronized:
  - Ensure that the device is authenticated.
  - Link the device to a named user.
  - Encrypt the transport of data.
- If access is granted to centralized systems, the user must be authenticated.
Strive for Device Independency
If a company’s authentication policy is dependent on what specific device is being used to access company systems or data, then that strategy loses effectiveness.
Therefore, it is imperative to make an authentication strategy as independent as possible, including independence from devices. By removing dependence on anything device-related from the authentication discussion, the strategy is centered entirely on controllable factors. This approach allows companies to permit access to services via server-side processes that authenticate the user regardless of the device.
Use Virtualization to Minimize the Security Risk
The safest way to access centralized systems and/or data that is not meant to be synchronized is to use a virtualization solution. The idea is that no data is transferred to the device and no application that accesses data runs on the device, except the client that grants access to the virtualized environment. This minimizes the exposure of data and systems to threats that originate from, or reside on, the device. But whether you use virtualization, synchronization of data, or a combination of both, you still need to verify the identity of the user.
Streamline Access with Multi-Factor Authentication
Each change to the network has the potential to set off a chain reaction of tweaks and adjustments, which can irritate users and keep them offline. Since a streamlined authentication process keeps productivity (and morale) high, IT administrators should ensure that each new upgrade or addition affects access to critical programs as little as possible.
Advancements in remote access enable more and more employees to work from any location. The IT department is responsible for facilitating the ability of the remote workforce to perform its functions from outside the office environment, which means its authentication strategy must make it as easy as possible to safely access business applications from anywhere, at any time.
Using modern multi-factor authentication, administrators can adapt the level of security required using contextual information such as login behavior patterns, geo-location, and the type of login system being accessed. For example, if the user is logging in from a trusted location where they have logged in before, they will not be prompted for a one-time passcode in order to authenticate. This gives end users the necessary security with greater ease of use while working off-premise.
Embrace Context Intelligence
Most authentication solutions are simply based on two factors: something you know (a password) and something you have (a one-time passcode). However, looking at the multiple factors surrounding each particular login, including geo-location, network IP, type of system being accessed, time of login and so on, can provide added security. All of these factors add context that helps determine the level of trust and whether the user should be authenticated or blocked.
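As an added example (not SMS Passcode's product code), here is a small context-aware policy evaluator that turns the signals named in the last two sections (a trusted or previously used network, geo-location, login behavior over time, time of login, and the type of system being accessed) into an allow / step-up-to-one-time-passcode / block decision. The trusted networks, system names, point weights, thresholds and login history are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ALLOW, REQUIRE_OTP, BLOCK = "allow", "require_otp", "block"
# Constructed policy inputs: assumptions for this example, not product settings.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
HIGH_VALUE_SYSTEMS = {"vpn", "admin-portal"}  # always worth a second factor
BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59, user's local time
OTP_THRESHOLD, BLOCK_THRESHOLD = 1, 6         # score bands for step-up and deny

def ts(iso):  # parse a constructed ISO-8601 timestamp such as '2024-03-04T09:00'
    return datetime.fromisoformat(iso)

@dataclass
class LoginContext:
    source_ip: str
    country: str    # geo-location of source_ip, e.g. "DK"
    system: str     # type of system being accessed, e.g. "webmail"
    when: datetime

@dataclass
class UserHistory:
    home_country: str
    known_ips: set = field(default_factory=set)  # IPs with prior successful logins
    last_login: tuple = None                     # (country, datetime) of the last login

def risk_signals(ctx, hist):
    """Return (points, reason) for every contextual signal that reduces trust."""
    signals = []
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS) and ctx.source_ip not in hist.known_ips:
        signals.append((2, "unfamiliar network"))
    if ctx.country != hist.home_country:
        signals.append((2, "unusual country"))
    last = hist.last_login  # behaviour pattern: another country within two hours
    if last and last[0] != ctx.country and ctx.when - last[1] < timedelta(hours=2):
        signals.append((3, "impossible travel"))
    if ctx.when.hour not in BUSINESS_HOURS:
        signals.append((1, "outside business hours"))
    if ctx.system in HIGH_VALUE_SYSTEMS:
        signals.append((1, "high-value system"))
    return signals

def decide(ctx, hist):
    """Sum the risk and map it to allow / step up with a one-time passcode / block."""
    signals = risk_signals(ctx, hist)
    score, reasons = sum(p for p, _ in signals), [r for _, r in signals]
    verdict = BLOCK if score >= BLOCK_THRESHOLD else REQUIRE_OTP if score >= OTP_THRESHOLD else ALLOW
    return verdict, reasons
```

A login from a previously used address in the home country during business hours yields no signals and needs no passcode; the same user from an unfamiliar address abroad one hour after a home-country login trips the impossible-travel rule and is blocked.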