It’s a sunny spring morning when a woman crosses the large retail store parking lot and enters the building. The woman, wearing a shirt bearing the store’s logo, walks in and advances to the back of the store. She approaches a computer station and swipes an employee ID card to gain access to the retail store systems.

Should she get access? Is she really an employee or might she be a fraud? Is her logo shirt genuine? Is the ID card really hers?

Organizations of all sorts are well aware of the need to manage access in order to prevent fraud in physical facilities and avoid compromise of their assets. This holds true whether the people involved are staff members at a retail store, insurance agents, health care workers or government employees. But what controls can organizations employ when the access is provided using a mobile device?

Mobile Access to Everything

We are seeing an explosion of mobile access to everything. Organizations started by providing access to services for customers, including maps and directions, purchases, restaurant recommendations and more. And now, organizational applications provide a means for employees, contractors, partners and external agents to collaborate and increase their day-to-day productivity through their mobile devices.

CISOs, CIOs and IT managers are experiencing an understandable meltdown, known as mobilephobia, when they try to control the access they are required to provide to their organization’s crown jewels via mobile applications. It’s no wonder they feel like the perimeter-based security they have been building for years is dead.

While mobile device management (MDM) solutions allow security teams to better identify users, flag mobile threats, enforce access policies to sensitive information and wipe devices in case they’re stolen or lost, these solutions apply only to devices they actually have full control over. Such devices include company-issued devices or employee devices used within the parameters of a bring-your-own-device (BYOD) policy.

The Unmanaged Devices Challenge

But what about all the partners, contractors, agents or even customers over which the CISO does not have MDM jurisdiction?

All these devices fall under the realm of the unmanaged mobile device access challenge. For example, an insurance agent may be working with five insurance companies. While this agent will have access to customers’ insurance policies and sensitive information via a tablet, none of those five companies have sole control over the device.

An even more prominent example is an organization’s customers. Simply by being consumers, they gain access to sensitive information and to operations through which they can experience fraud, but no organization would even consider enforcing BYOD management facilities (MDM) over a customer’s devices.

Better User Experience and Better Security Through Transparent Multifactor Authentication

Identifying users when they’re accessing a mobile app does not have to be based on the single-factor authentication of a user ID and password. Just like the woman gaining physical access to the retail store computer had multiple indicators of her identity, multifactor authentication can be employed to identify the legitimacy of mobile app users’ access in real time.

Mobile security solutions allow any app to gain visibility into various risk and authentication parameters to make a more educated decision on whether to allow access or not. The best part is that it can be done transparently, without burdening the user with old multifactor authentication requests, which increase user frustration and at times even drive attrition from the service.

If a user ID is tied to a mobile device that has been associated with that user in the past, there’s a good chance it’s a legitimate access request. If the request is coming from the same city and at a similar time as in the past, the likelihood increases even more. Combining these multiple transparent authentication parameters with regular authentication facilities such as username and password or biometrics constitutes a strong user identification process, which provides assurance against fraudulent access.
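The decision described above can be sketched as a small scoring function. This is an added example, not code from IBM MobileFirst or any product named in this article; the signal weights, thresholds, field names and sample account are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights and thresholds for illustration; tune against real login data.
WEIGHTS = {"device": 50, "city": 30, "time": 20}
ALLOW_AT, STEP_UP_AT = 70, 30

@dataclass
class History:
    """Context seen on this user's earlier successful logins."""
    devices: set = field(default_factory=set)
    cities: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # local hour of day, 0-23

@dataclass
class Request:
    device: str
    city: str
    hour: int
    primary_ok: bool  # username/password or biometric already verified

def near_usual_hour(hour, usual, tolerance=2):
    # Circular distance, so 23:00 and 01:00 are two hours apart, not 22.
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in usual)

def confidence(req, hist):
    """Sum the weights of the transparent signals that match history."""
    score = 0
    if req.device in hist.devices:
        score += WEIGHTS["device"]
    if req.city in hist.cities:
        score += WEIGHTS["city"]
    if near_usual_hour(req.hour, hist.hours):
        score += WEIGHTS["time"]
    return score

def decide(req, hist):
    """Return 'allow', 'step_up' (ask for an explicit factor) or 'deny'."""
    if not req.primary_ok:
        return "deny"  # transparent signals never replace the primary factor
    if not hist.devices:
        return "step_up"  # first login: nothing to compare against yet
    score = confidence(req, hist)
    if score >= ALLOW_AT:
        return "allow"
    return "step_up" if score >= STEP_UP_AT else "deny"

# Constructed sample history for one insurance agent's account.
AGENT = History(devices={"tablet-A"}, cities={"Austin"}, hours={9, 14})
```

Only the middle band interrupts the user with an explicit second factor; a request that matches the known device, city and time passes without any extra prompt.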

Solving the Mobile Device Conundrum

By using a holistic approach to building secure applications and protecting access, like the approach offered by IBM MobileFirst, organizations can manage applications without the need to employ full-fledged device management solutions.

In a recent Gartner research paper titled “How to Live With Unmanaged Mobile Devices,” researchers predicted that “by 2018, more than half of all BYOD users that currently have an MDM agent will be managed by an agentless solution.” With 2018 looming in the not-too-distant future, organizations need to take unmanaged device security, access and fraud prevention into account when planning any mobile project.
