Feeds

User convenience versus system security

The mobile technology trade-off?

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Mobile Workshop A few months ago, a Reg Reader study told us that sorting out the user authentication and identity management challenge was pretty high on the list of IT priorities, especially for larger organisations.

From this study, we learned that two thirds of enterprises were suffering from a proliferation of sign-on mechanisms, with users having to juggle multiple logins across different applications and connectivity options. In order to deal with the fallout from this – password reset overhead on help desks, exposure from users writing passwords down on Post-its, etc – one in five had already invested significantly in the single sign-on (SSO) approach, with a further third following them down this route.



Of course SSO quickly leads to a requirement for more advanced authentication as people realise that a single username and password combination falling into the wrong hands could lead to not only one system being compromised, but every system the user who owns the login has access to. Not surprisingly, we picked up a lot of interest in alternative and multi-factor authentication approaches (see Figure below).


Click to enlarge


So, the general trend is towards stronger, smarter and more consistent authentication, which will not only lead to greater security, but potentially, with SSO, to a higher degree of user convenience.

But is there a potential fly in the ointment?

In the same study, we learned that over 80 per cent of organisations allow access to systems from company provided mobile devices (laptops, PDAs, smart phones, etc), with over 40 per cent permitting access from personally owned mobile devices. And what is it that users like about this? It’s the convenience and flexibility of being able to access applications and data directly while they are out and about. And time and time again, we hear from research that this is good for the business – better productivity, improved decision making, and so on – so as the price of wireless data enabled mobile devices and related services comes down, and wireless access increasingly becomes a native feature of back-end servers (e.g. Microsoft Exchange), then usage is surely destined to escalate.

This brings mobile security into sharp focus, with lots of discussion across the industry about secure connectivity, data encryption and other technology solutions. But the one thing that potentially stands in the way of effective mobile security is the same thing that makes mobile devices so attractive in the first place– the convenience factor.

Ask the average BlackBerry or Windows Mobile user about the benefits of such devices, and they will typically cite immediate fuss-free access to their email and/or other frequently accessed applications. Against this background, even simple password protection on the device is regarded by many as being intrusive, so the temptation is just to leave the device open which, let’s face it, many (most?) devices are. We then end up with the ludicrous situation of a BlackBerry with Triple DES end-to-end encryption back to the server that any third party can just pick up and use to access potentially sensitive corporate information. Sure you can wipe or disable a lost or stolen device with an over-the-air instruction from an administrator, but not all systems support this and in any event, there is potential for abuse until the point the user realises and reports the loss.

Coming back to where we started, we then have the consideration that in other scenarios, security specialists are already questioning whether simple usernames and passwords are really adequate for the future. But being realistic, are users really going to tolerate multi-factor authentication for handhelds using tokens, smart cards or whatever?

One possible answer to this problem is biometrics, and over the past few years, lots of devices have been launched with fingerprint readers. These could potentially provide device security in a more convenient manner, but so far, they don’t seem to have caught on in a big way. Perhaps the problem hasn’t been widespread or prominent enough for people to care enough to date, but with such a high emphasis on advanced authentication in other areas, an obvious disjoint is emerging when we consider mobile security in the broader context.

There doesn’t seem to be a magic bullet to solve this mobile device security challenge at the moment, but we’re sure many of you out there must have considered this and related issues, and might even have some practical experiences or useful advice that may be of benefit to others. If so, we’d be really interested in your feedback below.®

Remote control for virtualized desktops

More from The Register

next story
Mighty Blighty broadbanders beg: Let us lay cable in BT's, er, ducts
Complain to Ofcom that telco has 'effective monopoly'
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
Ofcom tackles complaint over Premier League footie TV rights
Virgin Media: UK fans pay the most for the fewest matches
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?