Corporate computer security has recently been forced to expand beyond the usual remit of protecting company-owned devices by also protecting consumer endpoints owned by staff members. Employees working on personal smartphones, tablet computers and netbooks have moved the goal posts for ICT security specialists. How do you keep control of endpoints your company doesn't even own?
The cleverest thing about smartphones is their ability to mix work and play together in a single handset. The attraction is clear: carry two phones, one for work calls and e-mails and another for personal use, or one smartphone that does both? Combine the two phones into one and things get easier and more convenient, even if it does mean the user has to spend precious minutes each month claiming back data and voice costs as company expenses.
The smarter choice
When I talk of "smartphones", I really mean "any device that has desktop-like functionality and connectivity" - equally popular for browsing the web in front of the TV as it is for editing spreadsheets on the way to work.
These devices could be Android phones, iPhones, iPads or netbooks, all made by a multitude of manufacturers and using different operating systems. The challenge for the industry is to maintain a good standard of security whilst still supporting these devices, a task that may result in many of the old assumptions and best practices being cast aside or rethought.
Shifting the security burden to the user
In the past, things were simple. Desktop PCs could be protected using existing security procedures and, as these PCs never left the building, keeping tabs on endpoint security was easy. Then business went mobile. Company laptops could be used anywhere in the world, and Wi-Fi in particular meant company data was reachable from any company laptop registered on the corporate network, wherever that laptop happened to be. Businesses began issuing employees with data-enabled mobile phones, but because every phone was the same make and model, security software could be installed directly onto the handset.
Now we are seeing the "consumerisation" of corporate IT, with employees bringing their own digital connected devices into the office to help them complete their work. It might create security issues for IT support staff, but the horse has already bolted - the trend is here to stay, like working from home and dress-down Fridays. Creating rules and enforcing limitations will work up to a point, but no user likes to be told how to use their own device.
Late last year, Ernst & Young's 13th annual Global Information Security Survey (reported in Computer Weekly) revealed that the lack of control over endpoints - caused by IT consumerisation - can cause problems for data security. So at least it looks like the industry agrees: consumerisation is an issue that needs to be dealt with.
Wish you were here
A distinction can be made between authentication of the device and authentication of the user - they are not necessarily the same thing. Software certificates and hardware settings are a way of successfully authenticating a device, but how do we know that the device has not been stolen? An alternative is to use smartcards, but how do we know that the laptop has not been stolen with the smartcard still inserted and the certificates installed (as they inevitably will be), leaving no way to tell whether the user is legitimate? A smartcard is normally protected by a PIN, but that PIN then becomes the only thing standing between the thief and the corporate network. Add to this the limited range of devices that accept smartcards (or the need to obtain card readers) and it is clear this option is, for all but the simplest of circumstances, impractical.
While it is possible to create tailor-made security software for each platform, it is prohibitively expensive. The ideal is a zero-footprint approach that does not require software to be loaded locally onto each device, but still authenticates the remote user and ensures they are who they claim to be. Using physical authentication tokens is one way of making sure the user is a genuine employee and not a hacker, as the user will be the only one in possession of the token.
Unfortunately, this runs contrary to the original drive towards IT consumerisation - it increases, not decreases, the number of items a user has to carry at one time. A mobile phone is a multipurpose device, and a user will likely have it at their side at every moment of the day, whether they are at work or at home. The security token (which generates a unique code to strongly authenticate the user as the second factor of a two-factor login) has only one purpose, and is much more likely to be lost, broken or simply forgotten about.
Getting the message across
A solution that allows total freedom for smartphone users is two-factor authentication using text messages sent to the user's personal mobile phone. The passcode can be entered from any device, so a secure VPN connection from the user's personal netbook is authenticated using the passcode received on their mobile phone. The key to using text messages successfully for delivering passcodes is coping with intermittent network coverage and SMS delivery delays: products that pre-load the next one-time passcode after each authentication ensure that a code is already on the handset when the user needs it. The registered mobile number then becomes a credential in its own right - anyone who can take over that number (for instance by having the carrier move it to a new SIM) receives the passcodes - so changes to the number on file need the same verification as a password reset, and every code must be single-use and time-limited.
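The pre-loading strategy described above, as an added example that is not part of the original article and is not SecurEnvoy's product or API: a small Python authentication server that keeps a password as the first factor, stores only a hash of the outstanding one-time passcode, accepts each code exactly once, and hands the next code to the SMS gateway the moment a login succeeds, rather than when the next login starts. The gateway class (which records messages instead of sending them), the user names, phone numbers, code lifetime and lockout threshold are all constructed for the example; a reissue path covers the case where the pre-loaded code expired before it was used, and is refused while a live code exists so that it cannot be used to flood the phone.

```python
"""Pre-loaded SMS one-time passcodes (added example; illustrative names, not a real product)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 6
CODE_LIFETIME_S = 24 * 3600   # a pre-loaded code must survive the gap until the next login
MAX_FAILURES = 5              # lock the account after this many bad guesses


class RecordingSmsGateway:
    """Constructed stand-in for an SMS provider: records (phone, text) instead of sending."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))


@dataclass
class UserRecord:
    phone: str
    salt: bytes
    password_hash: bytes
    code_hash: Optional[bytes] = None   # only the hash of the outstanding code is stored
    code_issued_at: float = 0.0
    failures: int = 0
    locked: bool = False


class PreloadOtpServer:
    def __init__(self, gateway: RecordingSmsGateway, clock=time.time) -> None:
        self.gateway = gateway
        self.clock = clock                 # injectable so expiry can be exercised offline
        self.users: Dict[str, UserRecord] = {}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _code_hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def enroll(self, username: str, phone: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        rec = UserRecord(phone=phone, salt=salt, password_hash=self._pw_hash(password, salt))
        self.users[username] = rec
        self._preload_code(rec)            # the user holds a code before the first login

    def _preload_code(self, rec: UserRecord) -> None:
        """Generate a fresh code, keep only its hash, and give the plaintext to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        rec.code_hash = self._code_hash(code)
        rec.code_issued_at = self.clock()
        self.gateway.send(rec.phone, f"Your next passcode is {code}")

    def _code_expired(self, rec: UserRecord) -> bool:
        return self.clock() - rec.code_issued_at > CODE_LIFETIME_S

    def authenticate(self, username: str, password: str, code: str) -> bool:
        """Both factors must match; the pre-loaded code is single-use and time-limited."""
        rec = self.users.get(username)
        if rec is None or rec.locked or rec.code_hash is None:
            return False
        pw_ok = hmac.compare_digest(self._pw_hash(password, rec.salt), rec.password_hash)
        code_ok = (not self._code_expired(rec)
                   and hmac.compare_digest(self._code_hash(code), rec.code_hash))
        if not (pw_ok and code_ok):
            rec.failures += 1
            if rec.failures >= MAX_FAILURES:
                rec.locked = True
            return False
        rec.failures = 0
        rec.code_hash = None               # burn the used code so it cannot be replayed
        self._preload_code(rec)            # send the next code now, while the user is online
        return True

    def reissue_code(self, username: str) -> bool:
        """Fallback when the pre-loaded code expired unused; refused while a live code exists."""
        rec = self.users.get(username)
        if rec is None or rec.locked:
            return False
        if rec.code_hash is not None and not self._code_expired(rec):
            return False                   # stops the endpoint being used to spam the handset
        self._preload_code(rec)
        return True
```

The design choice worth noting is that the next code is sent on success, not on failure: a failed attempt does not trigger an SMS, so an attacker guessing codes cannot use the login form to generate traffic to the victim's phone, and the lockout counter is only reset by a genuine login.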
Allowing workers to do their work without introducing obstacles is a key to building a successful IT security strategy, and ultimately creating a successful company.
Andy Kemshall is Technical Director at SecurEnvoy
This was first published in January 2011