Last updated: 06 March 2017
Everybody knows that the IT perimeter has been permanently warped by cloud-based resources, the consumerization of IT and the ever-agile work day. Information technology and information security decision makers are grappling with the tight-rope act of balancing the security of their organization’s data with their stakeholders’ usability expectations. Happily, the pervading need to bridge the identity-mobility-access gap has given rise to innovative identity and access management (IAM) solutions, of which this blog series provides an overview.
Invasion of the Mobiles
There is a ferocious demand for mobile in the workplace. Smartphones, tablets and wearables are charging into the enterprise market and drastically changing the way we work. Bring Your Own Device (BYOD) and other forms of enterprise mobility strategies have gained traction in many different industries and sectors over the past few years, becoming global trends. According to Strategy Analytics’ latest report, “Global Mobile Workforce Forecast Update 2016-2022”, the global mobile workforce is set to increase to 1.87 billion in 2022, accounting for 42.5% of the global workforce.
The mobile workforce has been a bottom-up movement, with employees driving the efforts to persuade IT and the C-suite to allow non-enterprise-issued devices to mingle with corporate resources. And as the workforce gets younger, further tapping into the millennial population, we’re going to see a disappearance of desktops, as tablets, wearables and ultrabooks become the primary work devices. While enterprise IT leaders are just trying to stay ahead of the curve when it comes to network security, here comes the mobile movement. Allowing employees to bring a personal device or devices into the work environment is no longer a request but a demand.
Bring your Own
When an enterprise decides to allow employees to bring their own devices (BYOD) onto the company network, there are many potential problems to consider. First, BYOD creates a loss of control for central IT. When IT manages the devices, it can ensure that only corporate-approved applications, software, etc. are installed. Allowing outside devices blurs the boundary between an employee’s work and personal life. What happens when an employee leaves the company and takes their personal device with them? How do you ensure they can’t access company assets? And what if corporate clients keep calling them directly (on a phone number that is still the employee’s property)? These are good questions that must be addressed before diving into BYOD.
Companies implementing BYOD should strongly consider policies requiring employees to use a form of strong authentication. That way, the company regains control and can manage the access rights of employees reaching the corporate network remotely. But instead of finding a way to mandate multi-factor authentication on mobile devices, organizations often choose to ignore or relax security standards for them.
This should not be an option. The bottom line is that corporate IT should take a long hard look at mobile security before it’s too late. This is especially apparent as mobile infections reached a record high in April 2016, with 1.06 percent of devices infected by a range of malware, including ransomware, spyphone applications, SMS Trojans, personal information theft and aggressive adware.
With a BYOD policy in place, many enterprises are realizing additional security is needed and that reliance on usernames and passwords for identity authentication is a problem that can lead to data breaches. To help enterprises address the security challenges brought by BYOD, there are a variety of technologies already available on the market today, and several more being developed.
Looking to Certificates
Public Key Infrastructure is one of the strongest and most trusted security protocols and is used in many enterprise badge deployments worldwide. Using PKI not only provides strong authentication, but includes additional security functionalities that are attractive to today’s enterprise. With PKI, you can encrypt data and email, as well as digitally sign. These functions are becoming increasingly important as companies need to protect digital file exchange and encrypt content to prevent hackers from intercepting communications.
PKI nuts and bolts
So how does PKI work? The short explanation is that PKI is a process of validating a user’s digital identity over a public or private network. It does so by associating a pair of public and private keys with the individual’s identity credentials. These keys are created with a cryptographic algorithm, and a certificate authority (CA) links them to the user’s unique identity. The CA stores this information in a database and issues digital certificates, which include the public key or information about the public key, so that the user’s identity can be verified. A smart card or USB token is like a mini computer and stores private information, including the user’s certificates and associated private keys.
PKI solutions combine public and private keys and their certificates with software applications, encryption technologies, processes and services that enable secure communication and business transactions. In PKI systems, the private key is kept by the end user. The public key is available as part of a digital certificate within a directory that can be freely accessed.
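The issue-then-prove-possession flow just described, as an added example written for this post (not code from the original article or from any vendor product) using only Go’s standard library: the CA signs a certificate binding a public key to a name, the verifier checks that the certificate chains to the root it trusts, and the user proves possession of the matching private key by signing a challenge. The CA name, the user “alice” and the nonce are constructed values, and the private key generated here stands in for one held on a smart card or token.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issueCert has the CA bind pub to the name cn by signing an X.509 certificate
// with caKey; parent == nil yields the self-signed root that verifiers are told to trust.
func issueCert(serial int64, cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // root: allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	} else { // end user: client authentication only, cannot issue certificates
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // demo shortcut: issuance failing here is a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert
}
// AuthenticateUser runs the flow end to end: the CA issues "alice" a certificate, the verifier
// checks it chains to the trusted root, then alice signs a server challenge with her private key.
// With wrongKey the challenge is signed by some other key, so a valid certificate alone must not get her in.
func AuthenticateUser(wrongKey bool) bool {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert := issueCert(1, "Example Corp Root CA", &caKey.PublicKey, nil, caKey) // constructed CA name
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the user's token
	userCert := issueCert(2, "alice", &userKey.PublicKey, caCert, caKey)
	roots := x509.NewCertPool() // the verifier trusts only this CA, not arbitrary certificates
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := userCert.Verify(opts); err != nil {
		return false // not issued by our CA, expired, or wrong key usage
	}
	challenge := sha256.Sum256([]byte("constructed server nonce")) // constructed sample nonce
	signer := userKey
	if wrongKey {
		signer, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, signer, challenge[:])
	return ecdsa.VerifyASN1(userCert.PublicKey.(*ecdsa.PublicKey), challenge[:], sig)
}
```

The certificate only vouches for the public key; the second call shows that without the private key on the token, the holder of the certificate alone is rejected.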
To help determine your best security strategy, watch and learn from our webinar, The Foundations and Future of PKI….
If you missed Part 2 in our IAM Trends series, check it out, IAM Trends: Enterprise mobile security concerns. Join us next time, as we talk about extending a PKI-based corporate security protocol to mobile devices.