Mobile Device Management and the Ubiquity of Mobile Authentication

Posted on by John Linkous

We all know that mobile devices are rapidly becoming an absolutely indispensable component of the online world. This makes mobile device management even more critical, regardless of who is managing the device: a large enterprise, a small business, or just you.

Online banking and other sites require a mobile device in order to send a one-time password to authenticate transactions. Smartphone apps provide on-demand content, portable transaction data (such as QR codes for your airplane boarding passes), and in-app purchasing options that aren’t possible on traditional desktop and laptop environments. Mobile payment services offer increasing options for transferring funds, often bypassing traditional transactional middlemen or supporting new crypto-currencies such as Bitcoin. 

While mobile device management (MDM) technologies have been around for quite some time, the reality is that the ways in which mobile devices are used today make managing them more critical than ever.

Consider that mobile devices come with risks and threats that are unique to the platform. For one thing, mobile devices are mobile. They're small, portable, and can easily be left somewhere they shouldn't be—the back of a cab, a table at a bar or restaurant, in a bin at an airport security checkpoint, or on the counter in a public restroom. Their form factor makes them prime targets for thieves, and countless numbers are lost or stolen every single year. Each one of those mobile devices can contain sensitive information about the owner and, if the device is also used for corporate information, potentially critical proprietary data about the enterprise.

Another key problem is the security—or lack thereof—of communications. As mobile devices become more common platforms for accessing back office services within the corporate enterprise, they need to connect to those back office systems. And while on-device VPN is a common approach to connecting to on-premise data centers, the simultaneous adoption of cloud-based services means that more communications are going directly to mobile-optimized websites. How do people connect to these sites? Most commonly through Wi-Fi networks, especially given the high cost of cellular data today. Often, mobile device users connect to remembered networks, and frequently these networks are open. The opportunity for man-in-the-middle (MITM) attacks is extreme.

A third problem is simply the fact that many mobile optimization frameworks (which traditional websites use to render their content in a mobile-friendly format), as well as native mobile apps, are not exactly what you might call "bug free." Issues within libraries and frameworks for mobile development, coupled with what are sometimes poor coding practices, make these sites and applications ripe for exploitation.

Enter mobile device management (MDM). MDM mitigates these risks in several important ways:

  • On-device beacons can be enabled to track down mobile devices in the event of theft or physical loss. "Phone home" and other location-tracking features can be effective in finding devices soon after they are compromised.
  • OS and application patch management provides consistent, timely fixes for known vulnerabilities within mobile devices, applications, and frameworks, including blacklists and other security content mechanisms.
  • MDM platforms can block insecure communications, ensuring that mobile device users utilize only secure encrypted and properly authenticated channels.
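To make the three mitigations above concrete, here is an added example (not code from the post or from any MDM product) of the kind of compliance evaluation an MDM platform performs on each enrolled device: a lost or stolen device is located and has its corporate data wiped, a device below the minimum patched OS version is forced to update, an unencrypted device is forced to enable encryption, and a device on an open Wi-Fi network is cut off from corporate resources. The device records, the policy values, and the action names (`locate`, `wipe_corporate_data`, `require_os_update`, `require_encryption`, `block_network_access`) are all constructed for this illustration and are not real MDM identifiers.

```python
"""Toy MDM compliance evaluator (added example, not from the original post)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    """One enrolled device as reported by a hypothetical MDM agent."""
    device_id: str
    os_version: str       # dotted version string, e.g. "8.1.2"
    encrypted: bool       # full-device encryption enabled
    reported_lost: bool   # owner or helpdesk flagged the device as lost/stolen
    wifi_security: str    # security of the active Wi-Fi link: open/wep/wpa2/wpa3


@dataclass
class Policy:
    """Minimum requirements the organisation enforces (constructed values)."""
    min_os_version: str
    allowed_wifi_security: frozenset = frozenset({"wpa2", "wpa3"})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "8.1.2" into (8, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the ordered list of actions the MDM should take for one device."""
    actions: List[str] = []

    # Physical loss or theft takes priority over every other check: find the
    # device, then remove corporate data from it ("phone home" in the post).
    if device.reported_lost:
        actions.extend(["locate", "wipe_corporate_data"])
        return actions

    # Patch management: the OS must be at or above the policy's minimum version.
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        actions.append("require_os_update")

    # Data at rest on a small, easily lost device must be encrypted.
    if not device.encrypted:
        actions.append("require_encryption")

    # Blocking insecure communications: open or WEP Wi-Fi is not an acceptable
    # channel for corporate traffic (MITM exposure described in the post).
    if device.wifi_security.lower() not in policy.allowed_wifi_security:
        actions.append("block_network_access")

    return actions or ["compliant"]


def evaluate_fleet(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Evaluate every device and map its id to the actions required."""
    return {device.device_id: evaluate(device, policy) for device in devices}


# Constructed sample inventory: one healthy device, one unpatched device on an
# open network, and one device reported stolen.
SAMPLE_DEVICES = [
    Device("dev-001", "8.1.2", encrypted=True, reported_lost=False, wifi_security="wpa2"),
    Device("dev-002", "7.0.1", encrypted=True, reported_lost=False, wifi_security="open"),
    Device("dev-003", "8.1.2", encrypted=False, reported_lost=True, wifi_security="wpa3"),
]
POLICY = Policy(min_os_version="8.1.0")


if __name__ == "__main__":
    for device_id, actions in evaluate_fleet(SAMPLE_DEVICES, POLICY).items():
        print(f"{device_id}: {', '.join(actions)}")
```

The evaluation is deliberately short-circuited for a lost device: once a device is out of the owner's hands, its patch level and Wi-Fi state are irrelevant, and the only useful actions are locating it and removing the data the post warns about. Numeric version comparison matters too; comparing "8.10.0" and "8.9.3" as strings would wrongly mark the newer release as older.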

MDM is not a panacea for all mobile device management needs or mobile threats, but it's a good starting point for many organizations. A number of presentations at RSA Conference Asia Pacific & Japan 2014, including the session "Split and Conquer: Don't Put All Your Keys in One Basket" from RSA Conference technologists Kayvan Alikhani and Salah Machani, addressed these issues. But in the absence of absolute bleeding-edge controls, MDM represents the most effective way to gain control over mobile devices and reduce risk.

John Linkous, Technology Advisor


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
