As early as 2005, many industry analysts predicted “consumerization” — the introduction of consumer-owned/purchased devices into enterprise and business environments — would become one of the most important technology trends of the next 10 years (Gartner 2005).
Just six years later, that has already come to fruition. Employees now rely on personal smartphones, tablets or other mobile devices to send or receive corporate email, exchange sensitive information and intellectual property, and even access enterprise networks and applications.
Earlier this year, Gartner also surveyed today’s CIO to gain perspective on consumerization in the enterprise. Gartner vice president Nick Jones’ report, “CIO Attitudes towards Consumerization of Mobile Devices and Applications,” shows that U.S.-based respondents believe in two years approximately 38 percent of their employees will be using employee-purchased mobile devices in the enterprise.
This technology migration introduces several IT security challenges, including identity access management (IAM) obstacles, mobile security and authentication requirements, compliance enforcement and general security policy.
In fact, a late 2010 Morgan Stanley report, “Ten Questions Internet Execs Should Ask & Answer,” states the market will hit an inflection point in 2012 where, conservatively, shipments of mobile devices and smartphones will surpass those of PCs. Understanding this shift, technology vendors like Dell, Apple, HP and Microsoft are heavily investing in the mobile consumer space.
Explosive growth: Mobile devices take over
Any number of logical reasons serve as catalysts for the growth of mobile device use — price, expansion of Wi-Fi, faster cellular data speeds, always-on simplicity, or the ease of finding, installing and using mobile applications.
And as the mobile market share grows, so too have the challenges around mobility in the enterprise. The technology convergence of work and personal lives is real. But organizations shouldn’t shy away from this shift. It’s a permanent change in how people live, not a trend or fad.
As enterprise-specific applications are introduced — whether from the organization or third-party developers — efficiency will grow exponentially. In a 2010 Forrester study, “Insights for CIOs: Make Mobility Standard Business Practice,” senior advisor Tim Sheedy found that “around 75 percent of organizations deploy mobile applications to increase worker productivity, and 65 percent to increase employee responsiveness.”
It’s also important, however, to embrace employee lifestyles during the development of new mobile strategies. Not every person will own the same device (e.g., Apple iPhone vs. Android), so broad interoperability will be necessary. The same Sheedy study discovered interesting growth statistics for enterprise environments once dominated by BlackBerry-friendly infrastructure.
While the RIM devices are supported by approximately 70 percent of enterprises in Europe and North America, Forrester released findings in April 2010 (Enterprise and SMB Networks And Telecommunications Survey, North America And Europe, Q1 2010) that shows support for Windows Mobile (41 percent), Apple iOS (29 percent) and Google Android (13 percent) is growing quickly in the corporate realm.
Additional evidence even goes beyond consumerization; 51 percent of enterprises plan to purchase tablets for employees in the next 12 months, according to a February 2011 Morgan Stanley Blue Paper, “Tablet Demand and Disruption Mobile Users Come of Age.” This is in addition to another 16 percent of organizations that already allow employees to connect to sensitive networks with their own device.
Logically, true consumerization began when, in mass, consumers began purchasing mobile devices for personal use. Being affordable, easy to use and always on, the mobile platforms became the centerpiece of consumer lifestyles. And it didn’t take long before this reliance shifted to the enterprise space.
Dual-purpose applications became available that further enabled convergence of personal and professional lives. While five years ago it was mainly voice-only use, mobile device capabilities quickly expanded to email, calendar management, collaboration, business applications, general corporate connectivity and more. With this growth, more opportunity for risk was introduced.
Mobile platforms at risk
Mobile growth has increased the incidence of fraud targeting mobile devices. Whether simple rogue text messages, fictitious billing scams or more malicious attacks using malware installed on the device, the number of attacks grow at an alarming rate; mobile malware increased by more than 45 percent in 2010. And with less education about mobile threats, users seem more inclined to fall victim to them during mobile sessions.
Further, online-banking users — both consumers and commercial users — continue to be the target of sophisticated attacks. Financial institutions are targeted by advanced malware threats that leave many traditional safeguards ineffective. Instead of phishing attacks that lead to fake websites designed to harvest usernames and passwords, the techniques are now more sophisticated and effective against previously deployed defenses. Whereas once such attacks were the domain of amateur hackers, sophisticated cybercrime groups have emerged as online fraud leaders, targeting consumer- and commercial-banking users alike.
And while attacks typically are confined to the consumer space, these same consumer devices are gaining access to corporate networks and information. This is where consumerization directly affects the enterprise.
New thinking: Mobile vs. PC
The mobile migration is an intriguing shift for business productivity, but a potential nightmare for IT security and identity access management (IAM) — the processes and tools to manage user access to networks, applications and data.
To deploy the correct safeguards, organizations must prioritize areas of concern that are a hindrance to proper mobile convergence in the enterprise.
The general risk around consumerization is straightforward. As was seen with laptops issued by employers years ago, end-users will predictably fall into a pattern of common behavior that includes storing sensitive information on mobile devices; sharing passwords across devices, applications and networks; unknowingly introducing viruses to the enterprise environment; and potentially performing activities that expose employers to non-compliance.
Cost and complexity
But risk isn’t the only factor in play. Complexity and cost of new identity management systems remain top of mind for CISOs and IT directors. Gone are the days managing one identity for each employee or end-user. For true mobile convergence, organizations require infrastructure that provides diverse user and device identities, as well as complex mobile device management capabilities.
Lack of control
The other major obstacle is based around control; or, more accurately, the lack of it. With desktops and laptops, IT staff could combat everyday challenges with antivirus solutions, device/file encryption, password policy enforcement, content-monitoring or even remote-swiping technology.
Even if some of these capabilities are available for mobile platforms — chances are they are not — they aren’t proven in enterprise environments. And it’s currently unknown which channels or methods sophisticated criminal groups will leverage next to attack corporations through employee-owned mobile devices. Until there is better visibility regarding mobile platform controls, this will remain an area of concern for most organizations.
An evolving enterprise architecture
As more services move to the cloud, more tasks will be executed via mobile devices. Whether in governments, enterprises or customer-focused organizations, the popularity of mobile devices will serve as a catalyst to cloud-based services and vice versa.
The adoption of cloud-based technology has been staggered. Enterprises were first to embrace the idea via hosted or software-as-a-service (SaaS) models. Government agencies, on the other hand, were more hesitant because of their responsibility to protect private or sensitive information. As security for mobile devices and the cloud improves, more governments are able to consolidate services with cloud-based infrastructure to take advantage of efficiencies and cost-savings.
As consumerization continues, the cloud remains one of the most effective solutions to support mobile services and applications; pressure exists on both ends of the technology spectrum. And as organizations seek methods to reduce costs and streamline operations, mobile- and cloud-based capabilities are capable or realizing those goals.
According to a recent Gartner webinar by vice president Nick Jones, “The Trends Driving Your Mobile Strategy Now Through 2015,” consumerization will be a central theme in 2012. The session states end-users will gravitate toward multiple devices and platforms, and will synchronize information with cloud-based servers and services. Further, Jones says, “consumerization always wins and “enterprise’ devices are a declining category.”
The nature of the server-based technology begs the question: does it even make sense to have centralized IT infrastructure?
A secure resolution
With the ubiquity of mobile devices established, what are the answers to solving the aforementioned challenges? And how can mobile devices themselves be used to actually increase enterprise security?
In short, organizations should layer security techniques and capabilities. Ideally, this approach is already the basis for general identity-based security within the enterprise, but it’s equally valid for the mobile space.
Core to this theory is the use of a versatile authentication platform. This approach authenticates all identities — whether human, software or machine — within a government, enterprise or consumer space. Specific methods and technology are available that help secure the mobile platform, as well as transform the mobile device itself into a layer of the security architecture. The end goal is to secure every possible attack point to help reduce the vulnerability — whether perceived or realized — of mobile platforms.
Increasingly, organizations understand mobile devices are an important component to end-user lifestyles. Many carry their mobile device at all times, making it a prime candidate to serve as an identity credential. This behavior dictates that smartphones or mobile devices will increase end-user adoption because they’re rarely “forgotten at home.”
In fact, mobile devices are able provide even more security than what is available on the market today. As the market matures, and organizations adopt mobile as a credential, we will likely see many uses for mobile devices.
Transparent soft token
An authentication software module is embedded within the mobile application. End-users will only enter usernames and passwords into application fields. The mobile application automatically accesses the custom authentication module to generate a one-time-passcode (OTP) token in the background. The OTP token, along with the unique user ID, is transparently sent to the secure server. This all occurs in real-time with little user input.
Leveraged more in the enterprise, digital certificates identify and secure a multitude of transactions, identities or communication. They enable trusted device authentication for access to corporate applications, VPNs, servers and more.
Mobile as a credential
Mobile smartcard reader
This is a mode of operation where a mobile device is used to read smartcards. For example, an employee can use a mobile device to read a smartcard, then use out-of-band authentication to gain access to a laptop/desktop or even verify a transaction. It also has practical applications for online-banking customers. In all examples, a smartphone equipped with RFID-reading capabilities, and possibly dedicated software, is required.
Mobile device as a smartcard
Similar to the mobile credential, this is a mode of operation where a mobile device is the credential, replacing the need for a physical smartcard. In the enterprise, end-users can bring their mobile device near a desktop or laptop for secure authentication. This is achieved via wireless, proximity-based transmission technology such as Bluetooth and/or near field communication (NFC).
Basic transaction approval
Real-time transaction verification — right on a user’s mobile device — is one of the most advanced methods of stopping malware and online fraud. This is particularly useful for enterprises and financial institutions as organized crime groups target larger business transactions and ACH transfers.
Account and access control changes
A business-specific capability, employees can securely verify account or identity-related changes. This can include everything from simple account updates or password changes, to more advanced uses such as confirming logins for specific behavior patterns (e.g., employee logs in from location not within their profile).
Mobile enterprise workflow
The technology may be extended to increase employee productivity on mobile devices. No longer will enterprises be forced to sacrifice security for the sake of mobile convenience. Mobile verification can be tailored to confirm enterprise-specific tasks or transactions (e.g., expense approval).
In the near term, existing technology such as Bluetooth and near field communication (NFC) will be extended to provide advanced mobile device authentication that’s even simpler for the end-user. As mentioned, capable devices will securely authenticate the user via proximity.
Mobile devices will continue to disrupt incumbent technologies. One technology that stands a great chance of disruption is payments — the replacement of credit cards with a mobile device that will act as a wallet (e.g., Google Wallet). Many industry experts believe that NFC will be a cornerstone of payments.
Beyond mobile payments, another application of NFC is the ability to securely authenticate a user/device via proximity. Many organizations today are experimenting with the capabilities of NFC and constructing proof-of-concept models in anticipation of this technology becoming ubiquitous.
Mobile devices: Here to stay
The growing use of mobile devices — and more importantly an aggressive digital lifestyle convergence — demonstrates the need for organizations to implement mobile strategies into current and future security and/or IAM roadmaps.
Ideally, organizations are at crossroads where general security and mobile IT operations can be merged to be managed under a single versatile authentication platform. This approach will streamline the management of identities and devices that access an enterprise’s environment.
And it’s important to foster, rather than discourage, the convergence of employee work and personal lifestyle that’s achieved via mobile devices. This will help organizations better leverage the benefits of mobility and increase adoption of security policy — a strategic play that’s core to securely capitalizing on consumerization.