4/20/2012 11:01:00 AM
BYOD, Meet Two-Factor Authentication
There are some technological concepts that simply go better together. Consider the cloud and information explosion; the cloud offers the potential for unlimited storage for a torrent of ever-increasing data. Another example is virtualization and IT agility; strategic virtualization implementations can create flexible, responsive resources that enable IT organizations to better align with ever-changing business needs.
However, one combination that might not seem so obvious is the bring your own device (BYOD) movement and security. In fact, when many CIOs and CISOs think of BYOD their focus is often on the various security and management challenges associated with this rapidly spreading trend, not how BYOD and security have a symbiotic relationship.
The well-documented and oft-discussed concerns related to the consumerization of IT are certainly warranted. However, it is important to remember that they are not impossible to overcome. With strong policy development and enforcement, aided by the effective use of mobile security and management technology, secure and effective BYOD implementations are possible.
Once this occurs, enterprises can begin to look at the massive proliferation of smartphones as an opportunity to fix a critical security issue that impacts the majority of corporate infrastructures.
A 2010 Symantec survey revealed that 44 percent of respondents had 20 or more password-protected accounts, and 59 percent said they simply rely on memory to try to keep track of their passwords. It's no wonder then that 74 percent admit they reuse their passwords from account to account. This presents a major gap in enterprises' IT armor and could potentially have played a part in the increase of high-profile data breaches over the past year.
All this highlights at least in part that passwords are no longer enough to protect sensitive corporate networks and data. Consider the following example: Imagine that an employee - perhaps one of the 74 percent of respondents mentioned above who said they reuse passwords - has created what they think to be a strong password for one of their social networking accounts. After all, it follows best practices by including a combination of uppercase and lowercase letters and numbers. However, in an effort to make sure they are capable of remembering it, they also base it on something familiar to them, perhaps a favorite pastime, a spouse's name or their hometown.
These same familiar things will also likely directly relate to much of what the employee regularly shares via the social network. Using information from the employee posts, it's not difficult for an attacker to piece together the employee's social network login credentials; this is something that happens every day. Now, if the employee has also used the same password in connection with one or more of their work-related logins, the attacker has not only figured out how to breach the user's social networking account, but also the corporate network.
This practice of password reuse can be difficult to prevent since an organization has no control over what passwords an employee uses outside the corporate infrastructure. Also, attempts to prevent this - such as policies requiring frequent changing of passwords - can be problematic and result in higher support costs due to employees forgetting their passwords. Such policies also often result in employees simply using predictable password patterns.
How BYOD Provides a Solution
For a truly secure environment, single-factor authentication - password protection - must be augmented with an additional layer applied to the login verification process. Multifactor authentication is not a new concept, but BYOD can eliminate nearly all the primary barriers preventing organizations from implementing it.
Two-factor authentication is a fairly simple concept. It combines something an employee knows - their password - with something they have - a physical object such as a security token. Only if an employee can supply both forms of authentication will they be allowed access to the protected system. However, such security tokens are often seen as less than ideal. They can be expensive; they wear out; and they can easily be lost or forgotten by employees, resulting in reduced productivity and additional support costs.
The ideal solution to this problem is a physical object that nearly every employee already has and treats with great care to not lose or even simply forget when leaving the house; something capable of providing the same security features and benefits as a security token without the baggage. This may sound like a fantasy, but the reality is that BYOD provides just such a solution: employees' smartphones.
Once BYOD is effectively implemented into a corporate infrastructure, including taking steps to properly secure and manage the devices, enabling them to function as secure login credentials is actually quite simple. All that's required is for a small application to be installed on a user's device that provides them with a one-time passcode just as a security token would. This provides a successful, cost-effective enhancement to corporate security.
What to Look For
It is important to keep in mind that not all two-factor authentication technologies capable of leveraging smartphones as credentials are created equal. There are several things corporations should look for before jumping in head first:
First, the solution should support open authentication standards. These standards, such as OATH, let companies choose the right form factor for users, in this case smartphones. OATH also allows companies to source credentials from a wide variety of vendors, which helps ensure timely delivery by avoiding the supply chain problems commonly found with more proprietary approaches.
Next, one of the key benefits of using smartphones as a security credential is reduced cost, because most, if not all, employees already have the required device; the BYOD trend only strengthens this benefit. However, if the two-factor authentication solution only supports a limited array of operating systems and devices, the mutually beneficial relationship between BYOD and two-factor authentication is drastically reduced. Thus, a solution should offer broad mobile operating system support.
Third, the mobile application that supplies users with the one-time passcode should not only be compatible with the widest array of mobile devices possible, but it should also be available for free to partners, customers and employees. This prevents potential hidden cost increases and lost ROI associated with scalable deployments and magnified by customer and personnel churn.
Finally, a solution that leverages a cloud-based approach allows organizations to quickly and easily deploy strong authentication without the up-front capital expenditures associated with deploying and maintaining a dedicated, on-premises authentication infrastructure. It also provides a more secure, reliable and scalable service.
With BYOD, security and management challenges are a given, but organizations should not lose sight of the potential benefits as well. Combined, BYOD and two-factor authentication can help enterprises move beyond simple single-factor login and leverage much stronger technology to improve overall enterprise security. The smart CISO is the one who looks at the combination of BYOD and security as a net gain, not a net loss.