Info Security PG: Do you think this security weakness can be turned into an opportunity? What should CSOs do to tackle this challenge?
T. Kendall Hunt: BYOD may look like a trip into a world of security weaknesses, but it can be turned into an opportunity. Employees can be empowered to take security into their own hands. As device ownership shifts to the employee, so does the burden of protecting it. The IT department can address BYOD security by providing detailed security requirements for each type of personal device that is connected to the corporate network. Security policies define the device requirements with regard to providing access.
By establishing a mobile device security program, challenges can be countered. In the short term, IT’s best strategy to address these challenges is with a combination of regularly updated and enforced policy, software, infrastructure controls and education. Strong collaboration with other departments is necessary to avoid a difficult BYOD roll-out. For example, policies should be developed in conjunction with HR and Legal, to offer an answer to tax, corporate liability, labor and privacy implications. In the longer term, application management and appropriate cloud services are necessary to tackle other BYOD challenges.
The critical technologies to consider in order to guarantee secure BYOD implementation are strong isolation methods, mobile application management, encryption and containerization and management of content and delivery mechanisms. The management and maintenance of the personal applications and data are still the employee’s responsibility, though mobile device security training will help to alert employees and ensure that their mobile devices are configured, operated and used in a secure manner.
Info Security PG: Do you think password management plays a role in securing devices?
T. Kendall Hunt: Definitely, password management plays a significant role in securing devices. For example, an extra level of security can be obtained with user authentication. With the implementation of a secure authentication method, IT administrators control who accesses the corporate network and applications. But password management can be a stumbling block for employees and IT departments alike. Offering support for password management requires resources and can be a time-consuming and costly affair.
The most ubiquitous and easy-to-use secure authentication method used today is two-factor authentication generating one-time passwords (OTPs). This assumes that two elements are needed to log in securely: e.g. something you have (such as a DIGIPASS that generates one-time passwords) and something you know (such as a PIN code or a static password). When these two factors are combined with one another, the person linked to the authentication device can get safe access to the corporate applications. It is meaningless to intercept one-time passwords, as they cannot be used more than once and only last for a limited number of seconds.
Info Security PG: There are many strong authentication solutions available. Why should CSOs select DIGIPASS to secure their organizations?
T. Kendall Hunt: With its DIGIPASS, VASCO offers a strong authentication solution to conveniently secure access to password-protected content. IT needs to implement this extra level of security to the access log-on procedure to bar intruders from confidential corporate data. To be granted access, companies can deploy a mobile authentication solution, such as DIGIPASS for Mobile. Users need to generate an OTP, by downloading a mobile client on their device. Once the authentication is successful, users will be granted access to the corporate data. As long as users are logged in, they can make use of the corporate network.
The convenience is not only for the users, but also for the IT department. The step-by-step approach eases the integration in the corporate network. The integration is straightforward and simple. Different tools are available to assist with the integration.
Info Security PG: In addition to implementing strong authentication, do you have any additional recommendations for organizations who want to secure access to their organizations' mission-critical assets?
T. Kendall Hunt: BYOD is a user-driven wave companies can’t ignore. Despite indisputable and challenging cons - both for employees and for employers - the pros are currently winning the battle. A corporation that is willing to adopt a BYOD policy will certainly save on high-priced devices and will take advantage of the newer and faster technology on employee-owned devices. But more important is that employees will be able to decide on the technology they want to use for work. This improves employee satisfaction and helps in attracting and retaining staff.
In order to face the challenges coming along with the BYOD trend, a company needs to set up a complete BYOD policy, covering all aspects of this trend. All company departments, regions and levels need to be involved to avoid financial, technical or cultural surprises and meet unexpected IT and security issues. Authentication is key to preventing fraudsters from gaining access to company-critical information. The DIGIPASS technology is a convenient way to provide secure authentication for own-device users and others.