Mobile computing has had an enormous positive effect on worker productivity worldwide. However, the flexibility, time savings and productivity gains that mobile computing affords must be balanced against inherent security risks. Some of these risks are obvious, such as the potential loss of company data from a stolen device or the possibility of data being intercepted in transit. Other risks from viruses/malware, overprivileged users, and social engineering are often overlooked.
Yet despite the perceived importance of security, organizations are doing very little to secure mobile access: they're either waiting on the sidelines until viable security solutions present themselves or they're crossing their fingers and adopting a "hope for the best" approach. In fact, a recent survey of SearchMobileComputing.com members indicated that 31 percent of them have no mobile security policies in place at all. (See http://tinyurl.com/b63b2n for full survey results.)
The lack of vigilance around mobile security can be attributed to several factors: Some organizations may be put off by the initial cost or the lack of cross-platform support offered by handset manufacturers and mobile operating system vendors. Other organizations may be concerned about the overhead and additional training required to administer security policies using vendor-specific tools. Finally, organizations may be concerned about their users' willingness to accept security solutions that are overly restrictive or unduly cumbersome.
Fortunately, it is now possible to secure mobile computing environments without undermining the productivity of mobile users.
Securing mobile applications, devices and users
Not all mobile applications are created equal. For example, a multi-player game does not require the same level of security as a mobile banking application. For this reason, it is important that IT organizations configure and combine security settings (such as the ability to cache user credentials locally) into security schemes that can be assigned to applications and users as appropriate.
Asking users to hand their mobile device over to their IT personnel while their devices are configured and their mobile applications loaded isn't a tenable, or cost-effective, strategy for managing a distributed workforce. But today IT personnel can take advantage of flexible tools to provision and manage mobile applications over-the-air (OTA) using a Web-based operations console. These tools can even automate actions that are repeatedly performed to offload overworked IT personnel. Most importantly, they allow administrators to remotely "kill" mobile applications and erase mobile data from devices without any user action required.
Another principal security concern is validating the identity of mobile users. This validation is typically done by asking for a user name and password. However, relying on user-provided login credentials alone is a dubious proposition, as passwords are not always maintained securely. Login credentials are also susceptible to "man-in-the-middle" and other similarly styled attacks where a hacker intercepts the user's credentials and then replays them to gain unauthorized network access.
A two-factor authentication scheme that validates both the user's credentials as well as their mobile device offers substantially more protection. With this method, the two-factor security solution uses soft tokens that are assigned to users and provisioned to their devices by a third party. Two-factor authentication ensures not only that the user knows the correct login information, but that they also have a device with an assigned soft token. Unless the hacker also steals the mobile device assigned to that user, simply replaying the user's credentials won't allow them access to protected data.
In another scenario, an effective mobile security solution can reduce the risk of social engineering attacks even further by distributing the authentication process across multiple parties, giving each responsibility for a critical piece of a "secret" they collectively share. The user initiates the authentication process by providing identifying information. This information is used to generate a one-time password (OTP) based on the purported identity of the user. The OTP is validated, and then the solution grants or denies the user's authentication request accordingly. All three constituents must collaborate in order for this distributed process to work, making it extremely difficult for hackers to compromise.
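The two preceding paragraphs describe two ideas: a soft token on the device as a second factor that defeats credential replay, and a token seed split across several parties so that no single party holds the whole secret. The following is an added, self-contained illustration of both, not code from the original article or from any vendor's product. It assumes HOTP (RFC 4226, HMAC-SHA1 over an event counter) as the soft-token algorithm and a simple XOR split as the multi-party secret sharing; the user name, password and the RFC 4226 reference seed are constructed demo values. The demo shows the password alone being rejected, a fresh code being accepted, the same code being rejected on replay, and two of three shares failing to reproduce the seed.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, List

# Constructed values for the demo: the RFC 4226 reference seed and a made-up user.
DEMO_TOKEN_SECRET = b"12345678901234567890"
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
            | (mac[offset + 2] << 8) | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def xor_all(chunks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytes(len(chunks[0]))
    for chunk in chunks:
        out = bytes(a ^ b for a, b in zip(out, chunk))
    return out


def split_secret(secret: bytes, parties: int = 3) -> List[bytes]:
    """Split a seed into `parties` XOR shares (assumed scheme, not the vendor's).
    Every share is needed to rebuild the seed; any proper subset reveals nothing."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(parties - 1)]
    shares.append(xor_all([secret] + shares))
    return shares


class SoftToken:
    """Device side: holds the provisioned seed and an event counter."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        self.counter += 1
        return hotp(self.secret, self.counter)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    token_shares: List[bytes]   # one share per party; no party holds the seed alone
    last_counter: int = 0       # highest HOTP counter accepted so far


class AuthServer:
    """Verifying side: password check, then an OTP check that consumes the counter."""
    LOOK_AHEAD = 5  # tolerate a few device-side codes generated but never submitted

    def __init__(self):
        self.users: Dict[str, UserRecord] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = UserRecord(salt, self._hash(password, salt),
                                          split_secret(token_secret))

    def authenticate(self, username: str, password: str, otp: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Factor 1: something the user knows.
        if not hmac.compare_digest(self._hash(password, rec.salt), rec.password_hash):
            return False
        # Factor 2: something the user has. All parties' shares are combined to
        # rebuild the seed; the code must lie ahead of the last accepted counter.
        seed = xor_all(rec.token_shares)
        for c in range(rec.last_counter + 1, rec.last_counter + 1 + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(seed, c), otp):
                rec.last_counter = c   # consumed: this code can never be replayed
                return True
        return False


def demo() -> Dict[str, bool]:
    """Run the four login attempts and the share-subset check; True means accepted."""
    server = AuthServer()
    server.enroll(DEMO_USER, DEMO_PASSWORD, DEMO_TOKEN_SECRET)
    device = SoftToken(DEMO_TOKEN_SECRET)
    code = device.next_code()
    shares = server.users[DEMO_USER].token_shares
    return {
        "password_only": server.authenticate(DEMO_USER, DEMO_PASSWORD, "000000"),
        "first_login": server.authenticate(DEMO_USER, DEMO_PASSWORD, code),
        "replayed_code": server.authenticate(DEMO_USER, DEMO_PASSWORD, code),
        "wrong_password": server.authenticate(DEMO_USER, "guess", device.next_code()),
        "seed_from_two_shares": xor_all(shares[:2]) == DEMO_TOKEN_SECRET,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:22s} -> {'accepted' if outcome else 'rejected'}")
```

The replay defence rests on the server advancing `last_counter` on every accepted code, so a captured code is dead the moment it is used; the look-ahead window only tolerates codes the device generated but never sent. The XOR split is the simplest illustration of the "shared secret" idea: the server must obtain every party's share to rebuild the seed, and any two of the three shares are uniformly random noise on their own.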
Because of these and other mobile security advances, users' personal, and previously unmanageable, mobile devices can finally be brought under centralized IT control. And while there is still no perfect mobile security solution, these new, more flexible management capabilities allow enterprises to better protect their mobile computing environments by striking the right balance between worker productivity and data security.
The availability of effective mobile security solutions may also break down barriers to the adoption of mobile computing in the financial services industry and other verticals that handle highly sensitive data. Many of these companies want the employee productivity gains provided by mobility, but consider the security risks too high. Now that these risks can be mitigated using remote IT management tools and a two-factor authentication process, companies that haven't been willing to take the plunge may finally be ready to.
About the Author
Benjamin Wesson is the strategist responsible for Dexterra Concert, a highly flexible development platform for mobile applications. He specializes in the business and technology needs of enterprise customers, and has more than a decade of enterprise product management, marketing, and engineering experience.
Please note that the Viewpoints listed in CRM magazine and appearing on destinationCRM.com represent the perspective of the authors, and not necessarily those of the magazine or its editors. If you would like to submit a Viewpoint for consideration on a topic related to customer relationship management, please email viewpoints@destinationCRM.com.