Modernizing Authentication — What It Takes to Transform Secure Access
The bring your own device (BYOD) phenomenon is here to stay, with managers quick to see the advantage in keeping workers happy - and available - by allowing them to use their tablets and smartphones for work-related tasks. But not all devices are created equal.
"Devices running on Android have the reputation of being less secure, often for good reason," says Mike Battista, a consulting analyst with Info-Tech Research. "Android's openness is both a blessing and a curse. It can give IT the flexibility to exert whatever control they want, but it can also give bad guys access."
Battista says fragmentation also comes into play. Newer Samsung Android devices have built-in security features such as Knox, but in a BYOD environment IT can't depend on everybody having a Samsung device. It can be a headache to identify the security strengths and weakness of hundreds of different devices.
(And there are no security guarantees. Earlier this month security researchers exposed a flaw in Samsung’s Knox architecture that they said could facilitate interception of data between the secure container and the external world, including file transfers, emails and browser activity.)
"Then there's iOS, which is less open, so IT has fewer options when it comes to security," says Battista. "For example, even on fully managed devices IT will probably never have the ability to take remote control of an iOS device or mess with a user's personal apps and data. But that also means the bad guys can't do the same."
And although there is broad agreement that Android phones attract the most malware, an aggressive posture can make a big difference: These devices can be easily controlled so long as they are upgraded to the most recent version of Android.
"For example, the new Android version 4.4 (Kit Kat) features an Android sandbox reinforced with security enhanced SELinux," says Pankaj Gupta, CEO at Amtel, which provides mobile device management solutions. "This is a verified-boot capability to thwart persistent rootkits, with a robust certificate infrastructure."
For its part, because Apple iOS is less fragmented, a single iOS security strategy will apply to almost all iPhones and iPads. From an overall enterprise perspective iOS has minimal vulnerabilities due to its sandbox architecture. Popularity helps, too. As a rule, analysts argue that the more mainstream a device, or the more common its operating system, the more secure it is likely to be.
MDM in the Cloud
Whether using iOS, Android or other platforms, a mobile device management (MDM) solution can help isolate and quarantine infected or compromised devices. And running MDM from the cloud offers distinct advantages over doing it on-site.
"Cloud-based MDM is a lot easier to set up, and requires less up-front investment, than on-premise MDM," says Battista from Info-Tech. "Today, major vendors offer almost a hundred percent feature parity between cloud and on-premise."
Battista notes that cloud-based MDM can cost more in the long run, but that cloud prices are coming down as vendors battle to offer the most features at the lowest prices. As well, cloud-based solutions can make MDM, traditionally a complex undertaking, far more manageable than on-site systems. On-site software can require significant up-front capital investments to acquire the technology, train a team and integrate with existing systems and processes.
"Even if the average company had the budget and the stomach to see an MDM project through, the risk of BYOD ruining everyone's fun was always there," says Levy. "Traditional MDM solutions that function well in a predictable landscape don't necessarily scale or adapt well once BYOD comes into the picture."
Overall, tips for getting MDM right then shift to the policy front. Examples include publishing apps to an enterprise's own store, moving beyond rigid blacklisting to more flexible "geofencing" in which some apps not available at work can be accessed at home, and getting strict with rogue devices and bandwidth usage.
"If you're going to allow BYOD devices to access corporate data, you cannot allow jail broken iPhones and rooted Android devices to access enterprise data resources and expose the organization to malware and virus attacks," says Gupta from Amtel. "As well, BYOD devices are still consuming Wi-Fi bandwidth on the company network. Here, enterprises can circumvent such behavior by implementing geofencing limitations on data-hogging apps."
If Android and iOS can be handled in a BYOD environment, with policy-driven cloud-based MDM able to secure enterprises of all sizes, is there then an argument for a device that brands itself as being more secure, such as BlackBerry? Perhaps not.
"It is questionable whether or not BlackBerry will have a role to play in high security environments," says Gupta from Amtel. "Using a robust MDM solution you can get all the security that was available on BlackBerry with a combination of either iOS7 or Android OS with Samsung SAFE or KNOX enhancements."
Others disagree. Though acknowledging that the security value proposition is weakening, there are still those who argue that BlackBerry has a role in many businesses.
"The brand still resonates with security-minded business decision-makers who are looking for help in figuring out BYOD," says Levy.
BlackBerry is continuing with its painful corporate transformation. If it makes it through, most of its business opportunities are expected to revolve around sectors and clients with a security focus, or those who have made big investments in BlackBerry - a market that is still in place.
"However, that could literally change tomorrow," says Battista. "Every business I talk to is looking into a backup plan to switch to if BlackBerry suddenly disappears."
In fact, Battista says most enterprises are going a step further and introducing either BYOD in place of corporate-issued BlackBerrys, or corporate-issued iPhones managed by MDM in place of BlackBerrys. "Both of these options can be just as secure as issuing BlackBerrys," he says.
Which means that, despite wanting to be the platform of choice in higher-security environments and the fact that this is where BlackBerry hitched its wagon long ago, the point may npw be moot.
A graduate of McGill University, Timothy Wilson joined IDC Canada in Toronto as a research analyst in 1997. In 2000 he began T Wilson Associates and continued to consult for research companies, as well as working directly with large vendors such as Microsoft and SAP. Throughout his career Timothy has contributed to the IT, trade and mainstream press. He has lived and worked in Latin America and is proficient in Spanish. He has received a first place CBC Literary Award and a Gold National Magazine Award for his non-fiction writing.