Feeds

User convenience versus system security

The mobile technology trade-off?

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Mobile Workshop A few months ago, a Reg Reader study told us that sorting out the user authentication and identity management challenge was pretty high on the list of IT priorities, especially for larger organisations.

From this study, we learned that two thirds of enterprises were suffering from a proliferation of sign-on mechanisms, with users having to juggle multiple logins across different applications and connectivity options. In order to deal with the fallout from this – password reset overhead on help desks, exposure from users writing passwords down on Post-its, etc – one in five had already invested significantly in the single sign-on (SSO) approach, with a further third following them down this route.



Of course SSO quickly leads to a requirement for more advanced authentication as people realise that a single username and password combination falling into the wrong hands could lead to not only one system being compromised, but every system the user who owns the login has access to. Not surprisingly, we picked up a lot of interest in alternative and multi-factor authentication approaches (see Figure below).


Click to enlarge


So, the general trend is towards stronger, smarter and more consistent authentication, which will not only lead to greater security, but potentially, with SSO, to a higher degree of user convenience.

But is there a potential fly in the ointment?

In the same study, we learned that over 80 per cent of organisations allow access to systems from company provided mobile devices (laptops, PDAs, smart phones, etc), with over 40 per cent permitting access from personally owned mobile devices. And what is it that users like about this? It’s the convenience and flexibility of being able to access applications and data directly while they are out and about. And time and time again, we hear from research that this is good for the business – better productivity, improved decision making, and so on – so as the price of wireless data enabled mobile devices and related services comes down, and wireless access increasingly becomes a native feature of back-end servers (e.g. Microsoft Exchange), then usage is surely destined to escalate.

This brings mobile security into sharp focus, with lots of discussion across the industry about secure connectivity, data encryption and other technology solutions. But the one thing that potentially stands in the way of effective mobile security is the same thing that makes mobile devices so attractive in the first place– the convenience factor.

Ask the average BlackBerry or Windows Mobile user about the benefits of such devices, and they will typically cite immediate fuss-free access to their email and/or other frequently accessed applications. Against this background, even simple password protection on the device is regarded by many as being intrusive, so the temptation is just to leave the device open which, let’s face it, many (most?) devices are. We then end up with the ludicrous situation of a BlackBerry with Triple DES end-to-end encryption back to the server that any third party can just pick up and use to access potentially sensitive corporate information. Sure you can wipe or disable a lost or stolen device with an over-the-air instruction from an administrator, but not all systems support this and in any event, there is potential for abuse until the point the user realises and reports the loss.

Coming back to where we started, we then have the consideration that in other scenarios, security specialists are already questioning whether simple usernames and passwords are really adequate for the future. But being realistic, are users really going to tolerate multi-factor authentication for handhelds using tokens, smart cards or whatever?

One possible answer to this problem is biometrics, and over the past few years, lots of devices have been launched with fingerprint readers. These could potentially provide device security in a more convenient manner, but so far, they don’t seem to have caught on in a big way. Perhaps the problem hasn’t been widespread or prominent enough for people to care enough to date, but with such a high emphasis on advanced authentication in other areas, an obvious disjoint is emerging when we consider mobile security in the broader context.

There doesn’t seem to be a magic bullet to solve this mobile device security challenge at the moment, but we’re sure many of you out there must have considered this and related issues, and might even have some practical experiences or useful advice that may be of benefit to others. If so, we’d be really interested in your feedback below.®

Boost IT visibility and business value

More from The Register

next story
Scotland's BIG question: Will independence cost me my broadband?
They can take our lives, but they'll never take our SPECTRUM
Trying to sell your house? It'd better have KILLER mobile coverage
More NB than transport links to next-gen buyers - study
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
NBN Co adds apartments to FTTP rollout
Commercial trial locations to go live in September
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.