It’s a sunny spring morning when a woman crosses the large retail store parking lot and enters the building. The woman, wearing a shirt bearing the store’s logo, walks in and advances to the back of the store. She approaches a computer station and swipes an employee ID card to gain access to the retail store systems.
Should she get access? Is she really an employee or might she be a fraud? Is her logo shirt genuine? Is the ID card really hers?
Organizations of all sorts are well aware of the need to manage access in order prevent fraud in physical facilities and avoid compromise of their assets. This holds true whether it is staff members at retail store, insurance agents, health care workers or government employees. But what controls can organizations employ when the access is provided using a mobile device?
Mobile Access to Everything
We are seeing an explosion of mobile access to everything. Organizations started by providing access to services for customers, including maps and directions, purchases, restaurant recommendations and more. And now, organizational applications provide a means for employees, contractors, partners and external agents to collaborate and increase their day-to-day productivity through their mobile devices.
CISOs, CIOs and IT managers are experiencing an understandable meltdown, known as mobilephobia, when they try to control the access they are demanded to provide to their organization’s crown jewels via mobile applications. It’s no wonder they feel like the perimeter-based security they have been building for years is dead.
While mobile device management (MDM) solutions allow security teams to better identify users, flag mobile threats, enforce access policies to sensitive information and wipe devices in case they’re stolen or lost, these solutions apply only to devices they actually have full control over. Such tools include company-issued devices or employee devices used within the parameters of a bring-your-own-device (BYOD) policy.
The Unmanaged Devices Challenge
But what about all the partners, contractors, agents or even customers over which the CISO does not have MDM jurisdiction?
All these devices fall under the realm of the unmanaged mobile device access challenge. For example, an insurance agent may be working with five insurance companies. While this agent will have access to customers’ insurance policies and sensitive information via a tablet, none of those five companies have sole control over the device.
An even more prominent example is an organization’s customers. They gain access to sensitive information or operations through which they can experience fraud simply by being a consumer, but no organization would even consider enforcing BYOD management faculties (MDM) over a customer’s devices.
Better User Experience and Better Security Through Transparent Multifactor Authentication
Identifying users when they’re accessing a mobile app does not have to be based on the single-factor authentication of a user ID and password. Just like the woman gaining physical access to the retail store computer had multiple indicators of her identity, multifactor authentication can be employed to identify the legitimacy of mobile app users’ access in real time.
Mobile security solutions allow any app to gain visibility into various risk and authentication parameters to make a more educated decision on whether to allow access or not. The best part is that it can be done transparently without burdening the user with old multifactor authentication requests, which increases user frustration and at times even attrition of the service.
If a user ID is tied to a mobile device that has been associated with that user in the past, there’s a good chance it’s a legitimate access request. If the request is coming from the same city and at a similar time as in the past, the likelihood increases even more. Combining these multiple transparent authentication parameters with regular authentication facilities such as username and password or biometrics constitutes a strong user identification process, which provides assurance against fraudulent access.
Solving the Mobile Device Conundrum
By using a holistic approach to building secure applications and protecting access, like the approach offered by IBM MobileFirst, organizations can manage applications without the need to employ full-fledged device management solutions.
In a recent Gartner research paper titled “How to Live With Unmanaged Mobile Devices,” researchers predicted that “by 2018, more than half of all BYOD users that currently have an MDM agent will be managed by an agentless solutions” With 2018 looming in the not-too-distant future, organizations need to take unmanaged device security, access and fraud prevention into account when planning any mobile project.
Watch the on-demand webinar: Mobilephobia – Curing the CISO’s Most Common Mobile Security Fears
IBM Security Trusteer Products Strategist