Last month’s 8th annual IT Security Analyst & CISO (chief information security officer) Forum, organised and hosted by Eskenzi PR, brought together a fascinating combination of those in charge of securing household names in the insurance, banking, accounting, pharmaceuticals and media verticals and a rich vein of vendors offering their security wares.
Shortly after, the tempo and feel of the event were well documented in my colleague Bob Tarzey’s event report, in his blog “From ‘no’ to ‘know’”, which explored the highly pragmatic idea of not blocking users, but understanding what they are doing – and why.
This is especially important in the ‘mobile’ context, where the edge of the network is no longer a beige box running one operating system sitting on the desk, but a plethora of pocketable, smart, highly connected and increasingly wearable devices used by pretty much everyone and anyone. Each comes not only with a diversity of operating systems and huge ecosystems of apps, but also with the personal preferences and idiosyncrasies of each user.
Finding enterprise tools that span and control devices, data, apps and ultimately the person using them is increasingly challenging – the problem could be characterised as no longer simply ‘herding cats’, but ‘juggling lions’.
Images from popular culture suggest that lion tamers used to manage with a whip and a chair: the lion was essentially let loose, but always kept within the tamer’s keen sight, with a bit of fear from the threat of the whip and a prod from the chair in the right direction. So could IT security learn from this approach?
Many of the vendors at the Forum offered keen eyes to detect threats and problems, including RiskIQ, Tenable and OpenDNS, while others offered tools to whip applications, users and policies into shape, such as Veracode, PulseSecure and Illumio.
However, one particular vendor caught my eye from a mobile perspective – Duo Security with its simple approach to two-factor authentication.
Humans are generally the weakest element in security, in IT just as everywhere else. If a control is counter-intuitive (in their perception, not yours), slow or just ‘a bit difficult’, it will not be used, or not used properly. Even the most loyal employees will find ways round cumbersome tools that impede them in addressing the task at hand.
Duo addresses this by making it simple for a user to authenticate: online, offline, while mobile or just over a landline. This can be accomplished with one touch on an app on the screen of a favourite mobile device, an SMS to a mobile phone if there is no internet available, or an automated voice call to a phone. Not to leave anyone, or more ‘old-fashioned’ circumstances, out, Duo also supports hardware devices in the form of display tokens or the YubiKey USB device.
The enterprise using Duo’s authentication service can keep control of the branding, so that users recognise it as their own, and since users can self-enrol and configure authentication methods based on their preferences, they are engaged from the outset. Offered by monthly subscription per user, and geared to different levels of functionality for different sizes of business or requirements, this is simple authentication as a service.
Users often see security as something painful to endure, which makes buy-in hard to get and obstruction easy, and neither helps with the core intention – improving security. With users exerting so much choice and preference, it is far better to use tools that fit their ‘lifestyles’ while still prodding security in the right direction. Here is a potential lion tamer’s wooden stool: simple to use, works anywhere and, perhaps even better, the ‘lions’ can self-enrol.