December 17, 2015 By Shaked Vax 3 min read

It’s a sunny spring morning when a woman crosses the large retail store parking lot and enters the building. The woman, wearing a shirt bearing the store’s logo, walks in and advances to the back of the store. She approaches a computer station and swipes an employee ID card to gain access to the retail store systems.

Should she get access? Is she really an employee or might she be a fraud? Is her logo shirt genuine? Is the ID card really hers?

Organizations of all sorts are well aware of the need to manage access in order to prevent fraud in physical facilities and avoid compromise of their assets. This holds true whether the people involved are staff members at a retail store, insurance agents, health care workers or government employees. But what controls can organizations employ when the access is provided using a mobile device?

Mobile Access to Everything

We are seeing an explosion of mobile access to everything. Organizations started by providing access to services for customers, including maps and directions, purchases, restaurant recommendations and more. And now, organizational applications provide a means for employees, contractors, partners and external agents to collaborate and increase their day-to-day productivity through their mobile devices.

CISOs, CIOs and IT managers are experiencing an understandable meltdown, known as mobilephobia, when they try to control the access they are required to provide to their organization’s crown jewels via mobile applications. It’s no wonder they feel like the perimeter-based security they have been building for years is dead.

While mobile device management (MDM) solutions allow security teams to better identify users, flag mobile threats, enforce access policies to sensitive information and wipe devices in case they’re stolen or lost, these solutions apply only to devices they actually have full control over. Such devices include company-issued devices or employee devices used within the parameters of a bring-your-own-device (BYOD) policy.

The Unmanaged Devices Challenge

But what about all the partners, contractors, agents or even customers over which the CISO does not have MDM jurisdiction?

All these devices fall under the realm of the unmanaged mobile device access challenge. For example, an insurance agent may be working with five insurance companies. While this agent will have access to customers’ insurance policies and sensitive information via a tablet, none of those five companies have sole control over the device.

An even more prominent example is an organization’s customers. Simply by being consumers, they gain access to sensitive information and operations through which they can experience fraud, but no organization would even consider enforcing BYOD management facilities (MDM) over a customer’s devices.

Better User Experience and Better Security Through Transparent Multifactor Authentication

Identifying users when they’re accessing a mobile app does not have to be based on the single-factor authentication of a user ID and password. Just like the woman gaining physical access to the retail store computer had multiple indicators of her identity, multifactor authentication can be employed to identify the legitimacy of mobile app users’ access in real time.

Mobile security solutions allow any app to gain visibility into various risk and authentication parameters to make a more educated decision on whether to allow access or not. The best part is that it can be done transparently, without burdening the user with old multifactor authentication requests, which increase user frustration and at times even attrition of the service.

If a user ID is tied to a mobile device that has been associated with that user in the past, there’s a good chance it’s a legitimate access request. If the request is coming from the same city and at a similar time as in the past, the likelihood increases even more. Combining these multiple transparent authentication parameters with regular authentication facilities such as username and password or biometrics constitutes a strong user identification process, which provides assurance against fraudulent access.
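The combination described above can be sketched as a small access decision. This is an added example, not code from the article or from IBM MobileFirst; the `Login` fields, the two-hour window and the thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    device_id: str  # app-generated device identifier (assumed to be available)
    city: str       # coarse location of the request
    hour: int       # local hour of day, 0-23

def hour_gap(a: int, b: int) -> int:
    """Circular distance between two hours, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def transparent_signals(history: list[Login], attempt: Login) -> dict[str, bool]:
    """Compare an attempt with the same user's past successful logins."""
    past = [h for h in history if h.user == attempt.user]
    return {
        "known_device": any(h.device_id == attempt.device_id for h in past),
        "usual_city": any(h.city == attempt.city for h in past),
        "usual_time": any(hour_gap(h.hour, attempt.hour) <= 2 for h in past),
    }

def decide(history: list[Login], attempt: Login, password_ok: bool) -> str:
    """Return 'allow', 'step_up' or 'deny' (thresholds are illustrative)."""
    if not password_ok:
        return "deny"      # transparent signals never replace the primary factor
    signals = transparent_signals(history, attempt)
    if signals["known_device"] and sum(signals.values()) >= 2:
        return "allow"     # familiar device plus one more familiar signal
    return "step_up"       # fall back to an explicit second factor

# Constructed sample history of past successful logins
HISTORY = [
    Login("alice", "dev-A1", "Boston", 9),
    Login("alice", "dev-A1", "Boston", 23),
    Login("bob", "dev-B7", "Austin", 14),
]

if __name__ == "__main__":
    print(decide(HISTORY, Login("alice", "dev-A1", "Boston", 10), True))
```

A device that belongs to another user's history counts as unknown here, so a correct password entered on it still triggers the explicit second factor.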

Solving the Mobile Device Conundrum

By using a holistic approach to building secure applications and protecting access, like the approach offered by IBM MobileFirst, organizations can manage applications without the need to employ full-fledged device management solutions.

In a recent Gartner research paper titled “How to Live With Unmanaged Mobile Devices,” researchers predicted that “by 2018, more than half of all BYOD users that currently have an MDM agent will be managed by an agentless solution.” With 2018 looming in the not-too-distant future, organizations need to take unmanaged device security, access and fraud prevention into account when planning any mobile project.

Watch the on-demand webinar: Mobilephobia – Curing the CISO’s Most Common Mobile Security Fears
