The Security Challenges of Mobility – RSA

Craig Dore, Senior Identity Architect, Asia Pacific, RSA

In today’s business environment, there’s a rapid shift that has been underway for the last decade, one which embraces two themes: the shift to cloud and the shift to mobility.

These two themes provide clear value when applied to corporate IT. There are obvious cost-savings, increased efficiency, flexibility – the list goes on. It is likely that even when one physically visits an office, one is using systems and applications that are hosted elsewhere, perhaps not even in the same country.

One popular phrase is, “work is something you do, not somewhere you go”. The power of mobility in the workplace is compelling. In many organisations, teams of people are collaborating regardless of their workplace arrangements. However, on the flipside of all the convenience and fluidity in the workforce, there is a dark side. That dark side is about establishing and maintaining trust and security.

These trends are clearly transformative and advantageous, yet consider where the sensitive data is stored. In many cases, it’s housed within publicly accessible databases, protected only with a password. People may think these systems employ numerous security measures, but tell that to Yahoo, which was breached and had 1 billion user passwords leaked to the world.

Many internal IT security groups experience challenges with authentication. They often wish to “do more” in terms of enforcing strong authentication for cloud and business apps. However, they are often hampered by the users themselves, who see security as a barrier to getting work done. Enterprise security groups are routinely dissuaded from widely deploying strong authentication (e.g. two-step authentication) because it makes the user experience more disruptive.

So, where to go from here?

The answer lies in “risk-based authentication”. Risk-based authentication is commonly deployed in online banking systems and provides two key benefits. First, it challenges users only when they do something more sensitive online (e.g. transfer money). Second, the system is designed to be silent: in the background, an expert system watches, learns and reacts to user behaviour. Fundamentally, risk-based authentication solutions are about user experience and remaining as invisible as possible.

These types of risk systems exist for businesses as well. Ideally, a “silent” risk system would collect and monitor many attributes related to user behaviour, such as which device is used and when it’s used. The more context, the better. Normal behaviour would then not trigger “annoying” multi-step challenges all the time. Even better, any authentication challenge would be simple – e.g. the user simply taps a button on his/her phone when requesting access, or presents a fingerprint via biometric security.
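To make the mechanism concrete, here is a small risk-based authentication scorer written as an added illustration for this article; it is not RSA’s product logic or code. It builds a per-user baseline from past successful logins (device, country, hour of day), scores a new request against that baseline plus the sensitivity of the requested action, and decides whether to allow silently, require a simple step-up (such as a tap on the enrolled phone), or deny. The attribute names, weights and thresholds are assumptions chosen for the example, not values from the article.

```python
"""Toy risk-based authentication scorer (added example, not vendor code).

A "silent" risk engine learns what is normal for a user from logins that
completed successfully, then scores each new request. Low risk passes with
no challenge; medium risk gets a simple step-up (e.g. phone tap); high risk
is denied. Weights and thresholds below are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    device_id: str   # identifier of the device making the request
    country: str     # country inferred for the request
    hour: int        # local hour of day, 0-23
    action: str      # e.g. "view" or "transfer"


@dataclass
class UserProfile:
    """Baseline of attributes seen on previous successful logins."""
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def learn(self, ev: LoginEvent) -> None:
        """Only successful, non-denied logins should feed the baseline."""
        self.devices[ev.device_id] += 1
        self.countries[ev.country] += 1
        self.hours[ev.hour] += 1


# Assumed weights: how much each anomaly or action adds to the risk score.
UNKNOWN_DEVICE = 40
UNKNOWN_COUNTRY = 35
UNUSUAL_HOUR = 15
SENSITIVE_ACTIONS = {"transfer": 30}   # extra risk for sensitive operations

# Assumed decision thresholds.
STEP_UP_AT = 30
DENY_AT = 70


def risk_score(profile: UserProfile, ev: LoginEvent) -> int:
    """Sum the risk contributed by each unfamiliar attribute and the action."""
    score = 0
    if ev.device_id not in profile.devices:
        score += UNKNOWN_DEVICE
    if ev.country not in profile.countries:
        score += UNKNOWN_COUNTRY
    # Hours within +/-2 of any previously seen hour count as familiar.
    familiar_hours = {(h + d) % 24 for h in profile.hours for d in range(-2, 3)}
    if ev.hour not in familiar_hours:
        score += UNUSUAL_HOUR
    score += SENSITIVE_ACTIONS.get(ev.action, 0)
    return score


def evaluate(profile: UserProfile, ev: LoginEvent) -> tuple[int, str]:
    """Return (score, decision) where decision is allow / step_up / deny.

    Cold-start edge case: a user with no baseline would score as "all
    unknown" and be denied on first login, so we step them up instead and
    let a successful challenge seed the profile.
    """
    if not profile.devices:
        return risk_score(profile, ev), "step_up"
    score = risk_score(profile, ev)
    if score < STEP_UP_AT:
        return score, "allow"
    if score < DENY_AT:
        return score, "step_up"
    return score, "deny"


def build_sample_profile() -> UserProfile:
    """Constructed history: one laptop, one country, office hours, read-only."""
    profile = UserProfile()
    for hour in (9, 10, 14):
        profile.learn(LoginEvent("laptop-1", "AU", hour, "view"))
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    for ev in (
        LoginEvent("laptop-1", "AU", 11, "view"),      # routine: silent allow
        LoginEvent("laptop-1", "AU", 11, "transfer"),  # sensitive: simple tap
        LoginEvent("phone-9", "AU", 10, "view"),       # new device: simple tap
        LoginEvent("phone-9", "RO", 3, "transfer"),    # everything off: deny
    ):
        print(ev, "->", evaluate(p, ev))
```

The routine login passes with no interaction at all, a sensitive action on a familiar device earns only a one-tap challenge, and a request that is wrong on every axis is refused outright. A production engine would learn far more attributes and weight them statistically, but the shape is the same: score in the background, challenge only at the margin.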

In summary, a number of vendors provide systems like these. In the end, an investment in a secure and strong authentication solution need not constantly force users to jump through security hoops. And that’s the point in the world of cloud and mobility – convenience and security can go hand-in-hand.