Playing Pitfall! with Enterprise Mobile Identity

Over three decades ago, the game Pitfall! came out for the Atari game console. In it, you control a character named Pitfall Harry, swinging over pits and crocodiles, avoiding fire, scorpions and many other dangers in the jungle while racing to gather treasure.


The world is just as rife with dangers to your mobile enterprise as the jungle of the Pitfall! games. However, instead of crocodiles, you have executives who access sensitive financial data on a tablet, then let their teens play games on that same device later that day. Rather than dodging rolling logs, you have to worry about a doctor accessing medical records with a smartphone on an unsecured wireless network. While not physically as dangerous as crocodiles, quicksand or snakes, any potential for a data breach is enough to terrify anyone concerned with data security.

Starting into the Jungle

Smartphones were the enterprise’s first foray into mobility, and businesses have been eager ever since to enable secure, convenient consumer interactions. We’ve made it a good way into the mobility jungle in that respect, but now many companies are starting to give internal users access to enterprise applications so they can work more effectively. Precisely because mobile devices are portable, there’s a very real possibility that a device with access to corporate data and enterprise applications can fall into the wrong hands. Mobile identity is vital to addressing the risks of mobility.

Pitfalls!

  • Inconvenient Access – Quicksand: Users get stuck with inconvenient access methods, slowing them down or frustrating them to the point where they abandon a potential session altogether. If they have to constantly re-authenticate—especially on a small glass screen—they’re not going to be as productive and will try finding another way to work.

  • Eavesdropping – Scorpions and Snakes: Those with malicious intent can find ways to hear what your users hear and see what your users see. Your users don’t realize it, but they’re unwittingly endangering your environment because their devices have so many different ways to communicate. Bluetooth and poor wireless network encryption seem to be favored routes for this kind of attack.

  • Information – Pits: People have a bottomless pit of information, including GPS tracking, photos, contacts, social media, podcasts and more on their devices. Attackers can use that information to guess passwords and access interconnected business data on mobile devices; those conditions can make a data breach much, much more serious.

  • Theft – Crocodiles: The biggest danger is theft. You worry about what will happen if your users leave their computer bag at the airport, or a thief sneaks a corporate smartphone from a user’s coat pocket. The data on those devices could be—and probably are—heading straight into the open jaws of someone who can do damage, whether they’re looking for the data or just the device to sell.


But you’re not entirely at the mercy of the harsh jungle, even if it’s a jungle of data instead of venomous snakes. In Pitfall!, you have the ability to jump, climb, duck and swing to avoid obstacles and get the treasure. In the real world, mobility offers advantages that should be considered.

  • Bring Your Own Smart Card – Ducking: Smart cards are a good way to give people access to a building, but might not be the best way to provide access to data. In lieu of a card, you can use public key infrastructure (PKI)-based mobile signature encryption on a phone’s SIM card to grant access to data. This has twin benefits: it reduces the administrative burden of managing smart cards separately, and users are less likely to forget their phone than their card.

  • Location Awareness – Jumping: Most mobile devices use streams of location-based services to tailor content for users, such as weather, traffic, locating things nearby and so on. This location data—gathered by means of GPS, wireless towers and Wi-Fi networks—gives you information you can use to trigger a requirement for step-up authentication. If a user is trying to access financial records from a local coffee shop with weak security, you might want your software to challenge the user to provide additional information to prove his or her identity.

  • Biometric Hardware – Swinging: Remember those crocodile identity thieves that are waiting to snap up your data? Biometrics are a great way to swing over them. It may sound like an expensive piece of technology, but remember that biometric technology is now in quite a few consumer electronics, including many smartphones. It isn’t foolproof, but can be better than passwords if done correctly (meaning, don’t offer a password backup).


You can use these three technologies to supplement your security measures. Taken on their own, each of these strategies can greatly improve data security. But if you worry that your organization is going to come upon a pitfall so significant it’ll be too much for any of these strategies, you can take advantage of multifactor authentication (MFA). MFA requires two or more authentication methods, such as a password and a smart card. These factors are generally one of three things:

  • Something only the user knows, like the name of their first crush or a corporate security code

  • Something only the user has, like a smart card or other security device

  • Something only the user is, like a fingerprint


Naturally, the more factors you include in the authentication process, the tighter your security will be. Mobile devices already provide all these things, so they are a great way for you to provide MFA, and they are cheaper to access than other possible solutions.

However, there is a danger to including too many authentication methods. Business users want to access the information they need wherever they want with no hassle. So if you use MFA, you also need to consider single sign-on (SSO) to simplify access for legitimate users while maintaining the security to keep others out.
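The following sketch is an added example, not code from the original post or any product. It combines the location-triggered step-up, the three factor categories and the SSO trade-off described above into one access decision. The location labels, time windows and the names `Session` and `decide` are all assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed policy values; every name below is an assumption for illustration.
TRUSTED_LOCATIONS = {"hq-office", "corp-vpn"}
SSO_WINDOW = 8 * 3600        # seconds a verified factor is reused under SSO
STEP_UP_WINDOW = 300         # freshness demanded for sensitive data off-site
FACTORS_NEEDED = {"low": 1, "high": 2}   # distinct factor categories
# Challenge order: prefer factors that are quick on a small touch screen.
PREFERENCE = ["inherence", "possession", "knowledge"]  # is / has / knows


@dataclass
class Session:
    # Maps factor category -> UNIX time it was last verified.
    verified: dict = field(default_factory=dict)


def decide(session, sensitivity, location, now=None):
    """Return ("allow", []) or ("step_up", [categories to challenge])."""
    now = time.time() if now is None else now
    # Location only tightens policy for sensitive resources, so routine
    # access keeps the SSO experience.
    risky = sensitivity == "high" and location not in TRUSTED_LOCATIONS
    window = STEP_UP_WINDOW if risky else SSO_WINDOW
    fresh = {c for c, t in session.verified.items() if 0 <= now - t <= window}
    missing = FACTORS_NEEDED[sensitivity] - len(fresh)
    if missing <= 0:
        return "allow", []
    candidates = [c for c in PREFERENCE if c not in fresh]
    return "step_up", candidates[:missing]


if __name__ == "__main__":
    now = 10_000  # constructed clock value so the output is reproducible
    s = Session({"knowledge": 9_000, "possession": 9_000})
    for loc in ("hq-office", "coffee-shop"):
        print(loc, decide(s, "high", loc, now))
```

A factor verified within the last five minutes still counts off-site, so a user who has just passed a biometric check is asked for only one more factor rather than starting over.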

New technology always causes disruption, and mobility presents a whole host of new challenges. As you duck, jump, swing and run through the jungle of data, mobile identity will be one of the main tools that helps you solve those challenges.
