Mobile devices have brought a seismic shift in the way businesses connect, engage, and transact today. They give organizations unparalleled flexibility, helping them efficiently support a distributed workforce and implement policies such as bring your own device (BYOD). With portability, ease of access, high levels of connectivity, and a variety of form factors, mobile devices have ushered in the era of “work from anywhere”.
Paradoxically, the very advantages of mobile devices are also the causes for concern around data privacy and cybersecurity.
Mobile Security Challenges Are Serious and Numerous
Unlike traditional desktop PCs, which stay on the office premises behind the corporate firewall, mobile devices such as smartphones, laptops, and tablets are portable and have no fixed location, so the network perimeter does not protect them. Remote users connect to the corporate network over unsecured home and public Wi-Fi networks. Weak access controls on these remote connections give attackers an opening for man-in-the-middle attacks that intercept communications and modify data.
Securing the communication between mobile devices and the enterprise network is a serious challenge for IT teams. Sensitive business data is accessed directly from the cloud over the internet and is sometimes stored on the local storage of the mobile device. Without robust protection for data at rest and in transit, the chances of confidential and valuable information being exposed are significantly high.
Implementing BYOD has driven a sharp rise in the use of personal mobile devices for work. Recent data indicates that two-thirds (66%) of smartphones and over half (55%) of tablets used in the enterprise last year were employee-owned. Managing this abundance of employee mobile devices and ensuring only authorized devices are provided network access has become an uphill battle for IT teams.
While mobile device management (MDM) solutions help simplify and streamline the management of mobile devices, they do not entirely address the security problem. There are scenarios where vendors and partners need to access enterprise applications. Their devices may not be enrolled in the enterprise MDM and can pose a serious security risk.
Strong and Reliable Authentication Is Key for Mobile Security
To mitigate these security risks, organizations must be able to trust the data and applications on their mobile devices as well as the device owners. This begins with a strong security control that authenticates both the device and its owner and admits only those it can trust to the corporate network and applications.
Traditionally, mobile devices have been authenticated with usernames and passwords. This method is no longer recommended: it requires users to remember passwords and change them frequently, which results in weak and reused passwords that get compromised and then used in credential-based brute-force attacks. Research suggests that 66% of users “always” or “mostly” use the same password or a variation of it across websites.
One of the clearest illustrations of the password problem is the Colonial Pipeline attack of last year, which brought down the largest fuel pipeline in the U.S. It may be surprising that the breach was caused not by any sophisticated technique but by a single compromised password that an employee happened to reuse on another account that had previously been hacked. It is this poor cyber hygiene that attackers routinely exploit, which makes passwords a weak practice.
Are Digital Certificates the Solution?
One of the widely accepted and time-tested means of authentication that effectively addresses the security challenges of mobile devices and distributed workplaces is public key infrastructure (PKI), that is, digital certificates.
Based on public key cryptography, digital certificates validate the identities of both the mobile device and its owner. Authenticating both the device and the user ensures that only authorized devices get network access and only authorized users get application access.
With most mobile communications travelling over the internet, the importance of end-to-end encryption cannot be overstated. One of the core benefits of digital certificates is the robust encryption they underpin: with the endpoints authenticated, all communications run through encrypted tunnels, ensuring data stays confidential and unaltered in transit.
Digital certificates are also multi-functional, which means the same certificate can secure a variety of use cases, discussed below.
- Email Access: Allow only authorized devices to access corporate email servers and authenticate users to their email.
- Email Communication Security: Allow users to digitally sign email and encrypt the message sent, ensuring the authenticity, integrity, and confidentiality of email.
- Wi-Fi Access: Allow only those mobile devices with valid digital certificates to access your corporate Wi-Fi network.
- VPN Access: Configure VPN connections so that only devices with pre-installed certificates can establish corporate connections.
Compared to the traditional use of usernames and passwords, digital certificates come with several advantages. Unlike passwords, digital certificates cannot simply be shared: the private key bound to the certificate never leaves the device, so the possibility of it being stolen and misused is almost nil. Digital certificates are therefore far less vulnerable than passwords.
Digital certificates also provide a better user experience on mobile devices than usernames and passwords. Authentication requires no human intervention, which frees users from the hassle of changing passwords frequently or entering one-time passwords.
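To make the two points above concrete (certificates validate the device against the enterprise CA, and the private key never leaves the device), here is an added example, written for this page in Go's standard library and not code from the original article or any product: the gateway-side check that a Wi-Fi or VPN endpoint performs during certificate-based client authentication. The device and CA names are made up, Ed25519 is used only to keep the listing short, and the nonce signature is a simplified stand-in for the signature a real TLS handshake produces in its CertificateVerify message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a one-day client-auth certificate for cn; with parent == nil it becomes a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors elided: constructed demo, not an enrollment service
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: mark it as a CA that is allowed to sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticateDevice is the gateway side: the certificate must chain to the corporate CA, and a signature
// over a fresh nonce must prove possession of the private key, because the certificate itself is public.
func authenticateDevice(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false // unknown issuer, expired, or not a client-auth certificate
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}

// demo: decisions for an enrolled phone, its certificate replayed without the key, and a vendor device from an untrusted CA.
func demo() (enrolled, replayedCert, untrustedCA bool) {
	corpCA, corpKey := newCert("Corp Device CA", nil, nil)
	roots := x509.NewCertPool() // the gateway trusts only the corporate CA
	roots.AddCert(corpCA)
	phoneCert, phoneKey := newCert("phone-0421", corpCA, corpKey)
	vendorCA, vendorCAKey := newCert("Vendor CA", nil, nil)
	vendorCert, vendorKey := newCert("vendor-laptop", vendorCA, vendorCAKey)
	nonce := make([]byte, 32) // fresh per handshake, so a captured signature cannot be reused
	rand.Read(nonce)
	enrolled = authenticateDevice(roots, phoneCert, nonce, ed25519.Sign(phoneKey, nonce)) // device signs locally
	replayedCert = authenticateDevice(roots, phoneCert, nonce, ed25519.Sign(vendorKey, nonce))
	untrustedCA = authenticateDevice(roots, vendorCert, nonce, ed25519.Sign(vendorKey, nonce))
	return
}
```

Only the first case is accepted: a stolen copy of the certificate is useless without the device-resident key, and a perfectly valid certificate from a CA the gateway does not trust (the unmanaged vendor device from the MDM discussion above) is rejected before any key check.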
Another advantage of digital certificates is that they are well supported by various smartphone operating systems such as Apple iOS and Android as well as enterprise MDM solutions. They also natively work across most enterprise networking and software applications.
Take Advantage of Mobility While Minimizing Security Risks
With work-from-anywhere and BYOD becoming the order of the day, the mobile ecosystem is constantly evolving, and mobile threats are growing increasingly sophisticated. Given the costs associated with a breach, mobile security needs to be at the top of the security agenda for organizations.
As traditional authentication methods fail to deliver, digital certificates are rising to the challenge, helping provide uninterrupted and trusted access for mobile devices. While there are other measures too that organizations can take to secure the mobile environment, digital certificates are reliable, secure, and efficient.