On my way to a major security conference, I reread an InformationWeek mobile security report by Michael Finneran. I knew identity and access management would be a very hot topic, so I wanted to gain a mental advantage by reviewing third-party mobile security reports. Finneran’s report offered two very interesting pieces of information:
- 86 percent of organizations either allow or plan to allow the use of employee-owned devices for work functions.
- 42 percent of organizations allow employees to bring in any device — smartphones, tablets, laptops and other mobile devices — and to access the network so long as they agree to certain policies.
Those bulleted statements resonated in a big way. You can’t help but notice as you walk around or go anywhere that just about everyone’s head is down, looking at a mobile device. Often, these people are performing work-related tasks.
The Need for Mobile Identity and Access Management
For many organizations, simple passwords are all the proof users need to log in to the corporate network. Finneran states that 80 percent of organizations with BYOD programs require only a password for mobile access to the corporate network. But what happens when a mobile device is lost or stolen and the password is cached on the device? “Oops, my bad.”
I began to think of my conference role as an IBM ambassador. How would I handle this type of conversation? Do I know enough about identity and access management from a mobile perspective?
My answer was no, so I educated myself on the clear benefits of IBM Security Access Manager for Mobile. I wanted to explore how this product integrates with products from IBM’s security intelligence portfolio, and understand how clients can gain a more predictive — as opposed to reactive — approach to their overall security strategy.
IBM Security Access Manager for Mobile provides the following benefits:
Reduce Mobile Security Risks
- Reduces mobile security risks by providing context-aware access control that can enforce established policies and guidelines. Using contextual data analytics to calculate risk, organizations can grant access based on a dynamic risk assessment of the confidence level of a transaction.
Prevent Mobile Fraud
- Enables organizations to easily deploy multifactor authentication that requires users to prove their identities. For example, users can be sent one-time passwords (OTPs) via text or email, and they can enter the OTP in addition to their regular login information to access the network. For added security, OTPs can also be provided by external devices using hash-based message authentication code (HMAC) algorithms. Similarly, Trusteer, an IBM company, offers a range of fraud-focused mobile security solutions.
Enable Identity-Aware Applications
- Helps organizations make applications “identity aware” by using OAuth standards-based technology. Users can obtain a one-time authorization code that enables their device to connect securely to applications, providing seamless, password-free access for users. User credentials are not stored on the device; only device tokens that are exchanged transparently each time the application is launched are stored. An optional PIN can also be required during authentication for added security.
Leverage Mobile Security Intelligence
- Enables organizations to define context-based access policies at a transactional level and require additional authorization based on the type of device, environment, identity or behavior patterns. With a 360-degree view into all the elements of mobile user access, organizations can strengthen their security and compliance posture. Security Access Manager for Mobile integrates with IBM’s QRadar Security Intelligence Platform to provide deep insights into how users access information hosted on-site or in the cloud.
Moving Forward with Risk in Mind
As you go about your day-to-day, notice how often your co-workers are heads down, working on their mobile devices. Then ask yourself these questions:
- Are they logged into a corporate network?
- Do they realize the Wi-Fi they are connected to could pose a risk?
- Are they unknowingly jeopardizing sensitive data?
Simply asking these questions is a first step in the right direction.