secure mobile solutions
Organizations need to review their approach to security to adapt to the evolving needs of cloud applications

Applications that reside in the cloud offer enterprises previously unavailable levels of agility, productivity and vital flexibility – all at a crucially lower cost than ever before. However, with many enterprise cloud deployments now successfully up and running, plus the integration of the Bring-Your-Own-Device (BYOD) culture into the workplace, the complex issues of data security and access control have leapt to the fore. Ian Lowe, Senior Product Marketing Manager, Identity Assurance, HID Global, explains that more and more organizations are still falling short of sufficiently extending their 'best practice' security policy to encompass their now sprawling corporate network.

With data now living on the wrong side of conventional internal defences in cloud-based server farms, the ground has shifted and a one-size-fits-all approach to data protection is not sufficient. As such, it has become more critical than ever to home in on the linchpin challenge of secure identity management. Traditionally, enterprises have focused on securing the network perimeter, and relied on static passwords to authenticate users internally, within the firewall. However, taking into account the multifarious nature of present-day threats – from Advanced Persistent Threats (APTs) to the internal risk the mass adoption of BYOD brings – it represents a considerable leap of faith to place complete trust in a singular perimeter defense. Moreover, the simple static password comes with its own challenges. For example, employees may lock themselves out of critical applications if they forget their passwords or, more worryingly, they may reuse passwords from personal web services for corporate applications.

User population diversity complicates cloud and mobile security

Intrinsic to cloud and mobile working practice, and further complicating security, is the diversity of the user population. To date, much of the security discussion has focused on securing the cloud platform, but as enterprises continue to move applications into the cloud and take advantage of the Software as a Service (SaaS) model, it is increasingly important that they resolve the challenges around provisioning and revoking user identities across their cloud-based applications, while also delivering secure, frictionless user login to those applications. As such, enterprises need to have an adaptive authentication solution in place that not only serves to manage users – based on their behavior and risk profile – but also crucially addresses where sensitive data lives and considers the way in which users access information.

Two-factor authentication

As a first step, enterprises should extend two-factor authentication measures beyond the brick-and-mortar locations of ‘the office’. Best practice already requires using strong authentication to secure remote access to corporate networks – therefore, enterprises must extend two-factor authentication to also cover cloud-hosted data and apps. Two-factor authentication measures have typically been confined to physical devices like one-time password (OTP) tokens and display cards, but thanks to a variety of technological advancements these are being replaced by ‘soft tokens’ that can be held directly on the user device, such as a mobile phone or tablet, or alternatively as browser-based tokens. While OTPs have proved quite popular as an additional layer of security, users have found hardware OTPs and display cards for two-factor authentication to be inconvenient. As such, replacing the hardware token with a soft token presents an obvious solution. These contactless OTPs operate in the same way as physical tokens, generating random passwords which cannot be re-used – and thus cannot be guessed.

Given that the user typically accesses the corporate cloud application from a web browser or application on a mobile device, a multi-factor solution such as tokenless authentication with single sign-on begins by identifying the device in use. It does so by consulting the configurable device criteria that are pre-set by the organization, and then assigns a risk score to the specific transaction. The organization itself can therefore tailor the level of security based on the risk associated with specific types of transactions, and provided the device or transaction is verified as secure, the cloud application is enabled and the user begins their session. However, should the transaction not pass, the authentication solution can prompt users to further validate who they say they are by sending an SMS, asking additional security questions or continuing authentication using a software token that is installed on a mobile device, reducing hardware and maintenance costs. This leap forward in technology provides greater security and better control of the cloud-based tools in use by employees, enabling organizations to take advantage of the substantial cost savings often associated with cloud technologies, without a bump in security costs to support it.

Accessing cloud-based applications on personal devices - challenges


Unsurprisingly, as BYOD continues to grow, many of these cloud-based applications are being accessed from personal devices, bringing additional challenges. When tackling the issue of the multitude of devices in use in the workplace, whether employee-owned or issued by the organization itself, implementing a secure ‘zoning’ policy creates an encrypted zone contained inside a personal device, allowing corporate data to reside separately from the rest of the device in use. This serves to establish a clear partition between personal and business information. By clearly demarcating the data available, ‘zoning’ data enables employees to securely and efficiently access the corporate information available through cloud applications without frustrating them or decreasing productivity through laborious authentication processes.

Ultimately, it is important for enterprises to adopt a layered approach to security, recognising that no single authentication method is going to address the diverse requirements for multiple devices and scenarios in today’s mobile enterprise. Fortunately, the latest technologies ensure enterprises can continue to leverage their preferred two-factor authentication credential anytime, anywhere, even when the highest levels of identity assurance and security are required. For example, the enterprise could combine risk-based authentication techniques with standard two-factor authentication tokens to help eliminate the risk of token sharing. How does this work? It’s simple really. The first time an employee registers their token for use, the authentication solution will take a fingerprint of the end-point device they are using. The next time the person uses their token for access, the authentication solution will conduct a check on the token and the end-point device, and if both elements are validated it will allow access; if something is amiss, the authentication solution can make a risk-based decision to either allow access by asking for another authentication factor, such as an out-of-band SMS one-time code, or deny access. This layered approach best addresses the evolving needs of corporate data protection and identity assurance.
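The token-plus-device check described above, combined with the per-transaction risk score from the two-factor section, as an added example that is not code from the article or from any vendor product. The use of HOTP (RFC 4226) for the soft token, the device attributes that feed the fingerprint, and the risk weights and thresholds are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password per RFC 4226 (HMAC-SHA1 over an 8-byte counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def fingerprint(attrs: dict) -> str:
    """Hash a canonical form of the device attributes (illustrative criteria)."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class Enrollment:
    secret: bytes
    device_fp: str
    counter: int = 0  # next unused HOTP counter


class RiskAuthenticator:
    LOOKAHEAD = 3          # tolerated counter drift (assumed)
    UNKNOWN_DEVICE = 50    # assumed risk weights and thresholds
    SENSITIVE_TXN = 30
    STEP_UP_AT, DENY_AT = 50, 80

    def __init__(self):
        self.users = {}

    def register(self, user, secret, device_attrs):
        """First use of the token: bind it to the end-point device fingerprint."""
        self.users[user] = Enrollment(secret, fingerprint(device_attrs))

    def _otp_ok(self, enr, otp):
        for c in range(enr.counter, enr.counter + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(enr.secret, c).encode(), otp.encode()):
                enr.counter = c + 1  # burn the code so a replay fails
                return True
        return False

    def login(self, user, otp, device_attrs, sensitive=False):
        enr = self.users.get(user)
        if enr is None or not self._otp_ok(enr, otp):
            return "DENY"
        score = 0
        if fingerprint(device_attrs) != enr.device_fp:
            score += self.UNKNOWN_DEVICE   # valid token, unfamiliar device
        if sensitive:
            score += self.SENSITIVE_TXN
        if score >= self.DENY_AT:
            return "DENY"
        return "STEP_UP" if score >= self.STEP_UP_AT else "ALLOW"


# Constructed sample data: RFC 4226 test secret and two made-up devices.
SECRET = b"12345678901234567890"
LAPTOP = {"os": "Windows 10", "browser": "Firefox", "tz": "Europe/London"}
PHONE = {"os": "Android", "browser": "Chrome", "tz": "Europe/London"}

if __name__ == "__main__":
    auth = RiskAuthenticator()
    auth.register("alice", SECRET, LAPTOP)
    print(auth.login("alice", hotp(SECRET, 0), LAPTOP))       # enrolled device
    print(auth.login("alice", hotp(SECRET, 0), LAPTOP))       # replayed code
    print(auth.login("alice", hotp(SECRET, 1), PHONE))        # other device
    print(auth.login("alice", hotp(SECRET, 2), PHONE, True))  # other device, sensitive
```

A `STEP_UP` result means the caller must collect a further factor, such as the out-of-band SMS code, before opening the session; a valid token presented from an unenrolled device is exactly the token-sharing signal the article describes.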


Author profile

Ian Lowe Director, Product Marketing, Enterprise Physical Access Control, HID Global
