Mobile communications are converging with IT infrastructures through the advent of “bring your own device” policies that allow employees of corporations or government agencies to access internal information with their personally owned devices.
The trend is a powerful one for users and their employers. It improves productivity by allowing employees to tap information while they are on the move. It reduces costs for the employer by letting workers buy and maintain their own communications devices.
That said, the BYOD trend has also emerged as a major security challenge for corporate and government IT security managers, some of whose networks are not yet adequately hardened to accommodate personal devices. Most of the devices themselves are not hardened either. According to Juniper Research, only one in 20 smartphones and tablets has third-party security software installed, despite steadily increasing threats. The opportunity for criminals, disruptors and joy hackers is significant.
Today, IT specialists generally try to stop unregulated data transfers by using mobile device management software that lets them control an employee's access to various classes of information. Mobile application management software lets managers develop in-house apps with an eye toward security.
These tools are great for management, but the reality is they do little to protect network applications, programs or valuable information. Whenever unauthorized access is discovered, IT security departments must shut down the system to outside users, thus killing productivity, or they must scurry to buy single-focus solutions.
A better approach would be for threat and security managers to look beyond managing the devices and toward hardening their networks. Rather than try to assemble technologies themselves, IT managers should look to the industry for help. They need tools that let them ensure authentication, authorization, verification and compliance with corporate IT policies. Comprehensive security policies may necessitate multiple requirements for authentication, multiple factors for verification, mobile device encryption capabilities and secure alerting requirements.
Authentication is the basic requirement. It is the process of determining whether a user or device is, in fact, who or what it purports to be. Authentication must be more than a username, password or soft token. Authentication should require two of the following regulator-approved factors:
User-known information, such as logon password, PIN, etc.
Something the user has access to, such as an ATM card or smart card.
A user capability, such as biometrics using keystrokes, face recognition or fingerprints.
Authentication should also be tied to verification, but the two are not the same. Verification is any means by which a person or device can be uniquely identified. In some cases biometrics can be used, but more commonly location is used as the verification factor. Precise location technologies can calculate the device's location from the mobile device registration information held in the operator network and verify it against that record.
Multifactor authentication is the next level of authentication, and it continues to evolve because it takes two distinct factors and establishes a sophisticated relationship between them. For instance, a username and password can be combined with the distinct device location and verified via a carrier network. By checking the credentials together with the location identification, a user is both verified and authorized to access the government or company network.
However, once authorization occurs, the key is to maintain the corporate policy and ensure users have access in accordance with the established guidelines. Most companies or government agencies and their IT departments have developed various access levels to control and protect applications, programs and sensitive data. Authorization levels and the access associated with them can be determined with location tools such as geo-fencing, which is integral to telecom hardware and software and allows secure areas to be defined. Other location tools add a distinctive capability for multifactor verification, and their output can be monitored and used to check compliance with the policy. The key is to make sure that the type of location used cannot be spoofed. Handset-based technologies can be spoofed, whereas network-based location cannot. IT departments can allow access to different parts of the network based on location determination and thus minimize the disruption that outside parties can cause.
In addition, there must be a well-tuned notification system between the IT department and the user. A user needs to be informed when he has ventured outside a permissible zone. Notification is an additional tool in the arsenal that should be used to ensure vulnerabilities are detected and dealt with quickly and efficiently.
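The policy described in the preceding paragraphs (two distinct authentication factors, network-verified location as a separate verification factor, geo-fences that map onto access levels, and a notification when the user leaves every permissible zone) can be expressed as a small decision engine. The following Python is an added example, not code from the article or from any vendor it mentions; the user record, token value, geo-fence coordinates and the "network" versus "handset" location-source flag are all constructed for the example.

```python
"""Location-verified multifactor authorization for a BYOD gateway (added example).

A request is admitted only when two distinct authentication factors verify.
Location is treated as a separate verification factor and is trusted only when
the operator network vouches for it; a handset-reported fix is rejected because
it can be spoofed. A trusted location is matched against geo-fences to choose an
access level, and a notification is raised when the user is outside every zone.
"""
import hashlib
import hmac
import math
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"    # password or PIN
    POSSESSION = "something the user has"     # smart card / hardware token secret
    INHERENCE = "something the user is"       # biometric (not checked in this example)


class AccessLevel(IntEnum):
    NONE = 0           # authentication failed
    PUBLIC = 1         # authenticated, but location unverified or outside all zones
    INTERNAL = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class GeoFence:
    name: str
    lat: float
    lon: float
    radius_m: float
    level: AccessLevel


@dataclass
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes      # PBKDF2-HMAC-SHA256 of the password
    token_secret: bytes       # secret behind the possession factor (constructed)


@dataclass
class AuthRequest:
    username: str
    factors: dict             # Factor -> presented value (str for KNOWLEDGE, bytes for POSSESSION)
    location_source: str      # "network" (operator-derived) or "handset" (self-reported)
    lat: float
    lon: float


@dataclass
class Decision:
    level: AccessLevel
    verified_factors: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def check_factors(req: AuthRequest, user: UserRecord) -> list:
    """Return the distinct factor types that verified, using constant-time compares."""
    ok = []
    pw = req.factors.get(Factor.KNOWLEDGE)
    if pw is not None and hmac.compare_digest(hash_password(pw, user.salt), user.password_hash):
        ok.append(Factor.KNOWLEDGE)
    tok = req.factors.get(Factor.POSSESSION)
    if tok is not None and hmac.compare_digest(tok, user.token_secret):
        ok.append(Factor.POSSESSION)
    return ok


def authorize(req: AuthRequest, user: UserRecord, fences: list) -> Decision:
    d = Decision(AccessLevel.NONE)
    if req.username != user.username:
        d.notifications.append("unknown user")
        return d
    d.verified_factors = check_factors(req, user)
    if len(d.verified_factors) < 2:          # two distinct factor types required
        d.notifications.append("multifactor authentication failed")
        return d
    if req.location_source != "network":     # handset fixes are spoofable: not a verification factor
        d.notifications.append("handset-reported location rejected: not verifiable")
        d.level = AccessLevel.PUBLIC
        return d
    inside = [f for f in fences if distance_m(req.lat, req.lon, f.lat, f.lon) <= f.radius_m]
    if not inside:                            # verified location, but outside every permissible zone
        d.notifications.append(f"{req.username} is outside every permissible zone")
        d.level = AccessLevel.PUBLIC
        return d
    d.level = max(f.level for f in inside)    # overlapping fences: grant the highest matching level
    return d


# Constructed sample data for the example.
SALT = b"constructed-salt"
USER = UserRecord("alice", SALT, hash_password("correct horse", SALT), b"TOKEN-0001")
FENCES = [
    GeoFence("HQ campus (constructed)", 38.978, -76.492, 300.0, AccessLevel.CONFIDENTIAL),
    GeoFence("Field office (constructed)", 38.900, -77.040, 500.0, AccessLevel.INTERNAL),
]
```

The engine never lets the location source raise the level on its own: a correct password and token with a handset-reported location still only reach PUBLIC, which is the "network-based location cannot be spoofed, handset-based can" rule from the text made concrete. The notification list is what an IT department's alerting pipeline would consume.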
For users who must have the highest level of security and the ability to access high-risk and confidential information from the edge, BYOD is more than just an IT challenge. With more than 10 operating systems and 30 mobile device providers, BYOD has become a management nightmare. But, more and more often, security solutions are looking toward encryption as the answer to this challenge. Encryption is widely used for employees who carry laptops, but it should also be used when individuals regularly access and send sensitive information or have such discussions via mobile devices. No longer can encryption be kept to basic forms, such as Secure Real-time Transport Protocol and Secure Internet Programming over Transport Layer Security protocols. Instead, encryption must be at the highest level across the user base, for example using Advanced Encryption Standard 256.
As highlighted in the National Security Agency's “Project Fishbowl,” encrypted VoIP communications can now be used as a second security layer. Encrypted calls are made by preloaded or downloadable clients that carry the call from the originating unit to the terminating unit, as long as the caller has the keys to decrypt the call. This sounds like a lot of work, but in reality it is either a call using the standard mobile phone capability or a call where the caller has pressed a green button to make an encrypted call. Government workers who deal with sensitive information, executives and anyone else who handles confidential information will benefit from this solution.
The bottom line is that numerous strategies must be brought together as an integrated solution in order for IT security managers to cope with the mobile revolution. Encryption, authentication as a service, location as a service and notification as a service must be implemented in an organized way. Doing so requires a solution provider with vast experience in the mobile communication industry. A successful provider must also have expertise in cybersecurity, cyberwarfare exploitation, network protection, system integration, encryption technologies and carrier-scale network deployments.
CTOs, CIOs and IT managers must take a holistic view of security beyond BYOD, MDM and intrusion prevention or detection systems. The use of multilevel authentication and multifactor verification requires knowledge of more than one industry. Few companies have these capabilities, and choosing one without the right expertise would leave dangerous security holes.
IT professionals should ask themselves two pressing questions: What companies have the combination of experience to help secure the edge? How long can I wait before enlisting one of these companies?
Keith Bhatia joined TeleCommunication Systems of Annapolis, Md., in January as vice president of business development for the company's commercial software group.