Feeds

User convenience versus system security

The mobile technology trade-off?

  • alert
  • submit to reddit

The essential guide to IT transformation

Mobile Workshop A few months ago, a Reg Reader study told us that sorting out the user authentication and identity management challenge was pretty high on the list of IT priorities, especially for larger organisations.

From this study, we learned that two thirds of enterprises were suffering from a proliferation of sign-on mechanisms, with users having to juggle multiple logins across different applications and connectivity options. In order to deal with the fallout from this – password reset overhead on help desks, exposure from users writing passwords down on Post-its, etc – one in five had already invested significantly in the single sign-on (SSO) approach, with a further third following them down this route.



Of course SSO quickly leads to a requirement for more advanced authentication as people realise that a single username and password combination falling into the wrong hands could lead to not only one system being compromised, but every system the user who owns the login has access to. Not surprisingly, we picked up a lot of interest in alternative and multi-factor authentication approaches (see Figure below).


Click to enlarge


So, the general trend is towards stronger, smarter and more consistent authentication, which will not only lead to greater security, but potentially, with SSO, to a higher degree of user convenience.

But is there a potential fly in the ointment?

In the same study, we learned that over 80 per cent of organisations allow access to systems from company provided mobile devices (laptops, PDAs, smart phones, etc), with over 40 per cent permitting access from personally owned mobile devices. And what is it that users like about this? It’s the convenience and flexibility of being able to access applications and data directly while they are out and about. And time and time again, we hear from research that this is good for the business – better productivity, improved decision making, and so on – so as the price of wireless data enabled mobile devices and related services comes down, and wireless access increasingly becomes a native feature of back-end servers (e.g. Microsoft Exchange), then usage is surely destined to escalate.

This brings mobile security into sharp focus, with lots of discussion across the industry about secure connectivity, data encryption and other technology solutions. But the one thing that potentially stands in the way of effective mobile security is the same thing that makes mobile devices so attractive in the first place– the convenience factor.

Ask the average BlackBerry or Windows Mobile user about the benefits of such devices, and they will typically cite immediate fuss-free access to their email and/or other frequently accessed applications. Against this background, even simple password protection on the device is regarded by many as being intrusive, so the temptation is just to leave the device open which, let’s face it, many (most?) devices are. We then end up with the ludicrous situation of a BlackBerry with Triple DES end-to-end encryption back to the server that any third party can just pick up and use to access potentially sensitive corporate information. Sure you can wipe or disable a lost or stolen device with an over-the-air instruction from an administrator, but not all systems support this and in any event, there is potential for abuse until the point the user realises and reports the loss.

Coming back to where we started, we then have the consideration that in other scenarios, security specialists are already questioning whether simple usernames and passwords are really adequate for the future. But being realistic, are users really going to tolerate multi-factor authentication for handhelds using tokens, smart cards or whatever?

One possible answer to this problem is biometrics, and over the past few years, lots of devices have been launched with fingerprint readers. These could potentially provide device security in a more convenient manner, but so far, they don’t seem to have caught on in a big way. Perhaps the problem hasn’t been widespread or prominent enough for people to care enough to date, but with such a high emphasis on advanced authentication in other areas, an obvious disjoint is emerging when we consider mobile security in the broader context.

There doesn’t seem to be a magic bullet to solve this mobile device security challenge at the moment, but we’re sure many of you out there must have considered this and related issues, and might even have some practical experiences or useful advice that may be of benefit to others. If so, we’d be really interested in your feedback below.®

The essential guide to IT transformation

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.