Delfigo Security - Strong Authentication

Identity and Authentication Blog

Mobile Security Shifts From Devices To Apps

As BYOD presents organizations with an ever increasing number of security challenges, CIOs are examining strategic benefits associated with moving beyond MDM (mobile device management) and controlling the actual devices, to a MAM (mobile application management) focused strategy that enables their users to continue to use their own devices, while protecting enterprise resources, data and applications.

"Cloud-based services can provide myriad security benefits, as many CIOs are realizing. According to Infonetics Research, cloud-based security is projected to increase at a compound annual growth rate of 10.8 percent from 2012 to 2017. Mobile apps that run through the cloud can be better protected, as cloud infrastructures offer enhanced encryption and safer enterprise mobility capabilities," said this article from MaaS360.

This trend speaks to the need to accommodate users of all kinds of devices, in any environment, as mobile devices become more entrenched in our day to day lives. Managing and distributing devices to employees carries challenges associated with scale, and the potential to turn off users who love their personal devices because of the great experience they offer. Enterprises and organizations who are creating security strategies for the mobile world should maximize their efforts and resources by enhancing the security and usability of their applications, instead of controlling the devices they run on.

 

Changing The Security Model for Mobile

 "...it's become so 'consumery' out there that the old security requirements on the desktop PC just haven't grafted over. It might be easier to change the security methods than change the user behaviour. Biometrics here we come" says I.D. Scales for TelecomTV. 

 

The challenges associated with BYOD, coupled with the capabilities of smart devices, are creating an environment that begs for innovative security solutions that secure the right content at the right juncture, without requiring users to change their behavior, or imposing outdated processes or workflow users are accustomed to on their PCs. Mobile devices are designed to enhance user experience - allowing an individual to access and interact with all kinds of applications on demand, and it makes sense to consider how standard features of these devices can be deployed to facilitate requirements like security. Biometrics fit into this use case because they leverage information that is already there - information about the user themselves, which a user always has at their disposal.

 

Successfully leveraging these capabilities will require a commitment to the user experience expected on a mobile device. It shouldn't feel like logging into a PC and going through the "old" requirements for security. It is absolutely worth exploring how features on the mobile device can be used to achieve a "new" kind of security for users.

 

Emerging Authentication for Mobile Payments

Mobile payments will become more integrated in the way we shop, buy and sell in the coming years. PCMag published an article this week discussing some of the innovative technologies being brought to the market to authenticate these transactions and reduce the significant threat of fraud in an area that is growing faster than security technologies are being developed to protect it.

Contactless and wearables-based authentication methods seem likely to be used in this case (as discussed previously in this blog). If the user is wearing their smart watch and tries to make a payment, simply validating that this second device is present makes the watch a kind of token. Niche players will also no doubt begin marketing authentication methods based on image and voice recognition, gesture capture and other data that can be captured about the user and used in an authentication context.

These methods will be viable in the long run if they take a mobile-centric view of what it means to authenticate an individual. With mobile, many of the traditional authentication methods enterprises rely on will become obsolete, and flexibility/cross platform support will become key requirements as new authentication methods are required to work across an ever increasing number of devices in use. This will create a discussion that centers more around the user themselves (their unique attributes, behaviors, devices, locations...), and what it means to determine whether they are who they say they are. 

 

How Will Wearables Change Multi Factor Authentication?

Samsung is expanding the capabilities of its new smartwatch, and making it increasingly compatible with its other Galaxy devices (smartphones and tablets).

Wearables raise some compelling questions around multi factor authentication, especially where the devices are linked to function as a "team". Will these devices take the place of traditional hardware tokens? A company called Bionym has already launched a wearable device for this purpose; however, these developments have the potential to move far beyond yes/no authentication and the device whose sole purpose is to authenticate a user, to contributing to a more nuanced view of who a user really is. When these devices communicate with each other, their mere presence, along with the data they are collecting and processing, creates a more in-depth view of the user that hasn't been accessible before. Possibly most interesting here are the possibilities for biometric and behavioral data these devices will be able to collect. If your watch can detect your heartbeat and use it as an authentication method for apps on your phone, you as a user have built-in authentication that doesn't require you to consciously do anything at all.

We will see the newest generation of wearables have an impact in the authentication space, as the data available to determine the identity of the user is made more varied and communication improves across smart devices.

 

 

MasterCard Joins FIDO - What Will It Mean?

MasterCard's decision to join the FIDO Alliance has been much discussed since the announcement earlier this month. It is certainly encouraging to see large payment providers commit to FIDO's mission, which is focused on moving beyond usernames and passwords for authentication of end user transactions.

FIDO's proposed user experience reflects an understanding on their part of the need to offer quick and easy authentication for users, especially in a mobile use case. Authentication cannot take a lot of time, require the end user to remember anything complex, or require the user to navigate multiple screens or to open additional apps. Big players in the space, like MasterCard, joining FIDO shows that there is widespread support for a standard for authentication that acknowledges that the best solution will enhance both security and user experience.

 

Advances in Mobile Authentication

Apple's announcement last week that the upcoming iPhone will have biometric (fingerprint) authentication represents the market's recognition that we need better authentication for our mobile devices - and it should be as easy as possible to use.

Whether Apple's fingerprint feature will catch on - how it will be accepted by users, how well it will work, and what its ultimate success will be - is not the focus of this post. Authentication and security are taking center stage. Users are realizing that mobile devices are becoming our go-to methods to access critical information (work related applications, banking, social media...) and traditional methods of securing computers - both technical and situational - are no longer relevant. Mobile authentication requires accepting that the user is "mobile". They're in their car or out at lunch. They're on shared networks. They're in crowded spaces. For this use case, successful authentication technology needs to be fast, intuitive, and adaptive. Apple recognizes this - because your finger is part of you, it's always there. A single fingerprint is a quick and easy method of identifying yourself.

In the coming months we will see the conversation around mobile authentication, and securing mobile apps and activities, continue. Innovative ways to provide better security for mobile will be increasingly adopted, and users will see some of the same advances in authentication that we have seen in other areas of mobile technology.

 

What's Stopping Us From Working in the Cloud?

Despite all the hype we hear about the cloud, working in the cloud might be coming more slowly than most of us imagine. In this post on InfoWorld, Gartner's recent findings that only about 8% of enterprise users are working in the cloud give us a chance to ask: What are the real barriers to adoption of cloud based technology for the enterprise?

It's easy to see that the growing number of mobile users will mean that eventually there will be more work we can do in the cloud, but adoption is slower than many predicted. InfoWorld's article references three barriers to adoption, even with the demand from mobile users, saying: "Even with a mobile boost...the growth of cloud office systems will remain slow for a few reasons. First, PCs and the office productivity software that runs on them are cheap -- and mobile office tools are even cheaper. Second, connectivity issues persist: You're not connected to the Internet all the time, and a metered connection typically costs money. Finally, there are still worries about security and privacy." Gartner's Tom Austin, Vice President and Gartner Fellow, says "While 8 percent of business people were using cloud office systems at the start of 2013, we estimate this number will grow to 695 million users by 2022, to represent 60 percent."

As users adopt office systems in the cloud, we will see innovation in the technology that supports them in this move, and addresses the existing concerns organizations have about cost, connectivity and security.

 

Get BYOD Right

Are organizations getting BYOD wrong? InfoWorld's "The Squeaky Wheel" featured a compelling post by Brian Katz this morning, where he examines what the fundamental goals and principles of BYOD really are, and how companies and organizations "miss the mark" when it comes to the true benefits of BYOD - empowering the user to use their own device, and enabling productivity.

Katz is right to point out that there are a number of emerging vendors targeting organizations who implement BYOD programs. These vendors enable organizations to deploy, manage and provision company resources on a privately owned device. These activities require security solutions that are designed to meet the needs of users accessing company data and applications - and of the companies providing them - including the increased productivity and ease of access users enjoy on their own devices. When this approach is adopted, simple and easy to use security should be at the top of the list for organizations who make their resources available on devices they do not own and do not control. 

 

Google I/O and User, App and Device Security

As developers who attended Google I/O last week return to their work inspired by innovative concepts they saw in action in San Francisco, flexible and innovative security should be on their minds. Google's Android operating system now has over 900,000,000 users, and will continue to grow as developers take advantage of the tools and services Google provides, which were the highlight of the conference this year. According to the 5 year product roadmap Google released this month, "stronger authentication" is a priority. As new features, applications and devices are rolled out and adopted, we will see increasing emphasis on securing these new technologies.

Security and user experience can seem to be at odds, but in reality they go hand in hand. Cumbersome security workflow will have an effect on experience, but the opposite is also true - elegant, innovative security designed for the mobile experience will enhance it. ZDNet published an article last week emphasizing the importance of speed and user experience for increasing conversion for mobile commerce apps. Security is part of that experience, especially where having it extends users' ability to knit technology into their day to day activities. As users adjust to new ways to pay, transfer money or access data, a sense of security will be part of what makes these technologies easy to use. User experience will benefit from enhanced mobile security.

Securing mobile technologies, with user experience in mind, will require innovative security solutions that are intuitive, easy to understand, easy to integrate with and easy to support. 

 

