Feeds

User convenience versus system security

The mobile technology trade-off?

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Mobile Workshop A few months ago, a Reg Reader study told us that sorting out the user authentication and identity management challenge was pretty high on the list of IT priorities, especially for larger organisations.

From this study, we learned that two thirds of enterprises were suffering from a proliferation of sign-on mechanisms, with users having to juggle multiple logins across different applications and connectivity options. In order to deal with the fallout from this – password reset overhead on help desks, exposure from users writing passwords down on Post-its, etc – one in five had already invested significantly in the single sign-on (SSO) approach, with a further third following them down this route.



Of course SSO quickly leads to a requirement for more advanced authentication as people realise that a single username and password combination falling into the wrong hands could lead to not only one system being compromised, but every system the user who owns the login has access to. Not surprisingly, we picked up a lot of interest in alternative and multi-factor authentication approaches (see Figure below).


Click to enlarge


So, the general trend is towards stronger, smarter and more consistent authentication, which will not only lead to greater security, but potentially, with SSO, to a higher degree of user convenience.

But is there a potential fly in the ointment?

In the same study, we learned that over 80 per cent of organisations allow access to systems from company provided mobile devices (laptops, PDAs, smart phones, etc), with over 40 per cent permitting access from personally owned mobile devices. And what is it that users like about this? It’s the convenience and flexibility of being able to access applications and data directly while they are out and about. And time and time again, we hear from research that this is good for the business – better productivity, improved decision making, and so on – so as the price of wireless data enabled mobile devices and related services comes down, and wireless access increasingly becomes a native feature of back-end servers (e.g. Microsoft Exchange), then usage is surely destined to escalate.

This brings mobile security into sharp focus, with lots of discussion across the industry about secure connectivity, data encryption and other technology solutions. But the one thing that potentially stands in the way of effective mobile security is the same thing that makes mobile devices so attractive in the first place– the convenience factor.

Ask the average BlackBerry or Windows Mobile user about the benefits of such devices, and they will typically cite immediate fuss-free access to their email and/or other frequently accessed applications. Against this background, even simple password protection on the device is regarded by many as being intrusive, so the temptation is just to leave the device open which, let’s face it, many (most?) devices are. We then end up with the ludicrous situation of a BlackBerry with Triple DES end-to-end encryption back to the server that any third party can just pick up and use to access potentially sensitive corporate information. Sure you can wipe or disable a lost or stolen device with an over-the-air instruction from an administrator, but not all systems support this and in any event, there is potential for abuse until the point the user realises and reports the loss.

Coming back to where we started, we then have the consideration that in other scenarios, security specialists are already questioning whether simple usernames and passwords are really adequate for the future. But being realistic, are users really going to tolerate multi-factor authentication for handhelds using tokens, smart cards or whatever?

One possible answer to this problem is biometrics, and over the past few years, lots of devices have been launched with fingerprint readers. These could potentially provide device security in a more convenient manner, but so far, they don’t seem to have caught on in a big way. Perhaps the problem hasn’t been widespread or prominent enough for people to care enough to date, but with such a high emphasis on advanced authentication in other areas, an obvious disjoint is emerging when we consider mobile security in the broader context.

There doesn’t seem to be a magic bullet to solve this mobile device security challenge at the moment, but we’re sure many of you out there must have considered this and related issues, and might even have some practical experiences or useful advice that may be of benefit to others. If so, we’d be really interested in your feedback below.®

Remote control for virtualized desktops

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.