IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape




Introduction

How does your enterprise view the BYOD (Bring Your Own Device) trend: opportunity or threat? For most organizations, the answer is probably both. BYOD has the potential to improve employee productivity and job satisfaction, to lower costs for contractors, temporary workers and consultants, and in some cases even reduce the costs of company-issued mobile devices for employees.

Other industry influencers are questioning the economic benefit of BYOD: David Willis, vice president and distinguished analyst at Gartner, said recently, "The business case for BYOD needs to be better evaluated. Most leaders do not understand the benefits, and only 22 percent believe they have made a strong business case." [1] Willis also said, "For most IT organizations, it's at best a break-even proposition and could end up costing more because of the software and support costs associated with it." [2] Nucleus Research, a company that tracks technology ROI, said this about BYOD: "The hype behind BYOD is that it is cheaper and drives more productivity than traditional corporate-procured mobility. However, the reality is that the support costs, compliance risks and usage reimbursement typically lead to a higher total cost of ownership with no discernible ROI or productivity gains." [3]

In fact, the reality of the ROI or the incremental cost of a BYOD strategy depends entirely on the situation. If you can eliminate buying laptops for contractors and enhance security, you probably have a really clear payback. On the other hand, letting your employees use their mobile devices for more than email might be a good idea, but the security and IT management costs certainly blur the payback picture.

At the same time, something on which everyone agrees is that mobile devices are now the preferred target of hackers. According to the latest reports of the Anti-Phishing Working Group (APWG), the known samples of mobile malware grew to 30,000 in 2013 from only 50 in 2010. And, according to the APWG, as mobile devices are used for more sensitive transactions such as payments, which are on track to top $1.3 trillion in 2015, the criminal interest will only get more intense. [4]

For IT teams sorting out these contradictory factors, however, perhaps the best conclusion to draw about BYOD is that one size does not fit all. Effective BYOD strategies must be tailored to specific situations and use cases.

[1] Gartner, Inc., "Bring Your Own Device: The Facts and the Future," David Willis, May 1, 2013.
[2] CIO, "2013 Prediction: BYOD on the Decline?" Tom Kaneshige, November 13, 2012.
[3] Nucleus Research, "Understanding the Hard ROI of BYOD," April 2013.
[4] Anti-Phishing Working Group, "Mobile Threats and the Underground Marketplace," May 2013.

As the global leader in digital security, last year alone Gemalto shipped more than 1.5 billion smart secure devices and supplied a wide range of software and services to hundreds of the world's largest enterprises and government agencies. Drawing from Gemalto's extensive knowledge and experience, this white paper distills the broad subject of BYOD into three BYOD scenarios commonly presented to our consulting engineers:

- Securing BYOD Virtual Workspaces for Contractors
- Using BYOD Mobile Devices as OTP Authenticators
- Securing BYOD Mobile Device Access

We hope the information shared in this guide will empower you to find actionable BYOD mobile security ideas that fit your own organization's specific requirements and use cases and enable you to seize the opportunities while reducing the threats in this dynamic landscape.

Use Case #1: Securing BYOD Virtual Workspaces for Contractors

Outsourcing is globally pervasive. Contractors, temporary workers and consultants are good for business, but can create IT security issues. In industries involving technology, defense, personal or financial information, a common way to secure information and protect network access is a company-supplied laptop. While this approach gives IT departments effective control over the endpoints and network access, it is expensive. Companies that use contractors see BYOD as a potential way to avoid the expense of a corporate-issued laptop; however, security, data loss and network access risks are significant barriers to widespread adoption of BYOD for contractors.

Pluggable USB virtual desktops present a new and effective solution to this problem. First, it turns the economics on its head, because a secure workspace device costs about $100 compared to $1,500 or more for a laptop with applications and security software.

Second, USB virtual desktops solve the security problems by providing a fully contained virtual workspace that delivers the same protections for identity authentication, network security and data loss prevention as a company-issued laptop. It enables the safe use of BYOD by giving the company real estate on contractor-owned PCs and laptops that they control with their own security policies.

There are several requirements that are essential when evaluating USB virtual desktop solutions. The USB device itself must have built-in hardware security based on smart card technology. This PIN-protects the USB device and ensures nothing is altered or added that could introduce a threat. It provides a tamperproof container for authentication and encryption keys, it confirms and mutually authenticates the remote host and establishes unique session keys for end-to-end security from within the secure smart chip.

The client device should fully contain the virtual desktop image and operate in a way that isolates it from the contractor's PC so it cannot be affected by keyboard loggers, Trojans or other malware on the contractor's device. One way to achieve this is to use a sandbox approach that isolates the virtual desktop. Another, more secure way is to boot directly from the USB virtual desktop device.

Another requirement for the USB virtual workplace is that it should be compatible with leading VPNs. This will simplify integration into existing IT infrastructures, and help organizations avoid risks associated with DNS re-directs, malevolent Wi-Fi connections, eavesdropping and other network-based attacks.

An essential feature is to provide options to control data loss according to policy, such as by preventing downloading or storing files completely on the PC or by sandboxing local encrypted temporary files on the USB device. Removing the token should immediately end the work session. When in use, the virtual desktop connects directly to the remote network, and only runs self-contained or approved applications or those remotely operating on the host or cloud service.

In short, a USB-based secure virtual workspace client protected by a smart card authentication layer is a highly secure and cost-effective approach to enabling BYOD use for contractors, with a clear ROI.

Use Case #2: BYOD Mobile Devices as OTP Authenticators

IT security teams recognize that reliance on usernames and passwords for identity authentication is a problem that can lead to data breaches. Now many companies are looking at the BYOD trend as a solution to the password problem by using mobile devices as one-time password (OTP) authenticators. In its 2013 "Magic Quadrant for User Authentication," research firm Gartner Inc. reported that enterprise interest in OTP methods remains high and that phone-as-a-token methods are dominating traditional hardware tokens in new and refreshed deployments. [5]

Securing access to your network with OTP provides an additional layer of security to username and password and presents a very high barrier to hackers. When the user needs to access corporate data resources using a mobile device, they simply enter their username and the numeric code provided by the OTP device (see illustration). The authentication server validates the code and access is granted to appropriate network resources.

This increases the security of the login process by ensuring the person accessing the network is in possession of two factors of identity verification: something you have, the OTP token, and something you know, the username and potentially a password. This means that someone cannot simply steal a password from malware on your mobile device, for example, and use it to log into your IT systems; they need to have the OTP device to gain access.

OTP helps ensure identity and authentication security using two-factor authentication, but the cost of buying and deploying dedicated hardware OTP tokens has limited their use. BYOD and the ubiquity of mobile phones change the economics, however, because organizations can now use their employees' phones to generate OTP passwords, eliminating the cost of dedicated tokens. The mobile phone becomes the second factor of authentication.

For example, a text message to a mobile phone is a very low cost way to throw a high barrier in front of hackers trying to penetrate corporate IT systems. Another, even more secure option is to use a one-time password (OTP) application on the phone. This turns a mobile phone into an OTP token, instead of having to pay for a separate device that can cost a business $60 or more per year to issue and support for its employees.

[5] Gartner, Inc., "Magic Quadrant for User Authentication," Ant Allan, March 7, 2013.
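The server-side validation step described above, as an added example that is not part of the original white paper or of any vendor product. It assumes the OATH time-based algorithm (TOTP, RFC 6238, built on HOTP from RFC 4226), which the paper does not name; the `OtpVerifier` class, its parameters and the sample secret are hypothetical. Besides checking the code, it tolerates one step of clock drift and refuses a code that has already been accepted.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # assumed code length; the paper only says "numeric code"
WINDOW = 1   # accept +/- 1 step of clock drift between phone and server


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical authentication-server check for phone-generated codes."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user   # user -> shared OTP seed (bytes)
        self._last_step = {}              # user -> highest time step accepted

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self._secrets.get(user)
        well_formed = code.isascii() and code.isdigit() and len(code) == DIGITS
        if secret is None or not well_formed:
            return False
        current = int(now) // STEP
        matched = None
        # Check every step in the window with a constant-time comparison,
        # so response timing does not reveal which step (if any) matched.
        for step in range(max(0, current - WINDOW), current + WINDOW + 1):
            if hmac.compare_digest(hotp(secret, step), code):
                matched = step
        # Replay protection: a step at or below the last accepted one is
        # refused, even though the code is still inside its validity window.
        if matched is None or matched <= self._last_step.get(user, -1):
            return False
        self._last_step[user] = matched
        return True


if __name__ == "__main__":
    # Constructed sample data: the RFC 4226/6238 test seed, not a real key.
    server = OtpVerifier({"alice": b"12345678901234567890"})
    print(server.verify("alice", "287082", now=59))   # first use: accepted
    print(server.verify("alice", "287082", now=61))   # same code again: refused
```

The seed store is the sensitive part of this design: anyone who can read `secrets_by_user` can generate valid codes, which is why the paper's point about the organization owning its key provisioning matters.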

There are many advantages to using OTP tokens for mobile security:

- Supports any mobile device, including Android smartphones and tablets, Apple iOS devices including iPhones and iPads, and others
- Requires no changes to the mobile device hardware or software
- Easy and fast implementation at the device and system level
- Simple and intuitive for users, who enter the OTP through a browser window

Another important benefit to IT teams that implement OTP-based security is that it can work with either a VPN client or Microsoft Windows 7 Direct Access. In addition, standards-based OTP enables organizations to have full ownership of their key management through self-provisioning using recognized methods such as the IETF reference standards for Open Authentication Organization (OATH) key provisioning. This means that there are no dependencies on the vendor maintaining the confidentiality of the keying material.

As companies add support for BYOD, they should also consider using their employees' mobile phones to strengthen their login security. It may be that with BYOD and mobile OTP, the answer to the enterprise password problem is already in the employees' hands.

Use Case #3: OTP Authentication to Secure BYOD Mobile Device Access

BYOD is a trend that is here to stay. Industry researchers at IDG estimate that 63% of companies already support smartphones for work use and 45% expect to add tablets too over the next 18 months. [6] Yet many large companies still will not allow BYOD until effective security is more available and trusted for mobile devices. Others will give employees basic capabilities like email and calendar but strictly limit what else they can do.

One practice companies use to expand their BYOD strategy is to provide stronger authentication when employees log in through mobile phones or tablets. By using a second factor of authentication that is external to the phone, such as an OTP token, organizations can have much greater confidence the person using the mobile device is its actual owner.

Another option for companies using a converged ID badge that includes smart card technology is to add the OTP app to the smart chip in the credential and use low-cost pocket or wallet readers to obtain the one-time password. There are also cards available that put the OTP display on the card, eliminating the need for a separate device.

[6] IDG Enterprise, "Consumerization of IT in the Enterprise," January 2012.

In the future, mobile devices will contain some type of embedded Secure Element, a smart card or other chip that can be used as a second out-of-band channel of authentication. With this approach, either OTP or PKI-based identity credential authentication can be used to secure remote access and prove identities. The keys to making this effective are a proven secure component technology and trusted architecture that will isolate the Secure Element and its authentication process from the mobile device itself.

There are several possible technologies, including SIMs and MicroSDs for example, but it will be several years before these standards solidify and become mainstream. The chart below summarizes the main characteristics of different Secure Element options.

One crucible where these advanced security technologies are being tested is the U.S. federal government. Having already standardized on smart card-based Personal Identity Verification (PIV) credentials for both physical and logical access control, standards organizations are now experimenting with PIV-derived credentials using SIMs and a Trusted Execution Environment in smartphones as a solution for mobile security.

Summing Up

While the BYOD trend will continue to be fueled by user demand, it presents both opportunities and challenges. At the same time, the technology is dynamic and, from a security perspective, immature. Faced with this landscape, enterprises need to tightly examine their specific situations and use cases. Based on our global experience, three opportunities rise to the top and meet the tests of effectiveness, compatibility across the vast array of mobile devices and a clear ROI.

While many focus on the risks of mobile device security, in fact the BYOD trend is rich with security-strengthening options. USB virtual workspace devices can enable significant cost reductions for contractors typically provided with company-issued laptops while ensuring security. Mobile OTP can turn employee smartphones into two-factor authentication tokens, reducing the risks of stolen passwords, a key cause of corporate and government data breaches. And BYOD use can be safely expanded by providing a second authentication factor such as an OTP device.

Thank you for reading

The purpose of this brief is to give you ideas on how to take advantage of the opportunities presented by the BYOD trend while ensuring your security. We hope these concepts spark fresh thinking and help you start planning new possibilities for expanding BYOD strategies to improve employee productivity and better protect your organization's information.

What did you find most useful? What would you like to know more about? We look forward to hearing your feedback and questions.

Where do you go from here?

To start, we hope you share this brief with your colleagues. Work with your management to make sure they understand the threats and rationale for expanding your BYOD strategy, and what that will do to increase employee productivity and strengthen the security of your IT infrastructure.