Can BYOD Help Improve Enterprise Security?
Written by Tim Matthews, Director, User Authentication Group, Symantec
From a security and management perspective, more than a few CIOs and CISOs look back with nostalgia on the days of yore when the words “smart” and “phone” were typically only used in the same sentence during a history lesson on Alexander Graham Bell. Others, however, salivate at the mere thought of the endless possibilities being brought about by the seemingly minute-to-minute advances in mobile technology.
Whichever camp one identifies with, none can deny that the mobile revolution is in full swing. In fact, according to the analyst firm Gartner, sales of smartphones will rise to $645 million in 2012. Add to this that Gartner also predicts 80 per cent of professionals will use at least two personal devices to access corporate systems and data by 2014.
The fact of the matter is that personal mobile devices such as smartphones are being brought into corporate infrastructures at a break-neck pace. Why? Because it makes employees more productive and happier. The challenges this consumerization of IT creates for CIOs and CISOs tasked with enabling the secure use of these devices are well documented. However, these challenges are not insurmountable. With strong policy development and enforcement, aided by the effective use of mobile security and management technology, secure and effective bring your own device (BYOD) implementations are possible. Thus, enterprises need not fear the mobile movement.
To the contrary, in fact, enterprises should look at the massive proliferation of smartphones as an opportunity to fix a critical security issue that impacts a large portion of their infrastructures. At first this might seem counterintuitive, but once an organization has a properly managed BYOD program these devices can actually become security assets rather than liabilities.
BYOD Into Security Assets
The rash of high profile data breaches over the course of the past year highlights at least in part the simple truth that passwords are no longer enough to protect sensitive corporate networks and data. According to a 2010 Symantec survey, 44 per cent of respondents had 20 or more password protected accounts, and 59 per cent said they simply rely on memory to try to keep track of their passwords. It’s no wonder then that 74 per cent admit they reuse their passwords from account to account to at least some degree.
This obviously presents a major security risk for businesses. For example, by gathering information from a user’s social media profiles – favorite athletic team, pet’s name, hometown – an attacker is well-equipped to piece together the employee’s social media login credentials; this is all much easier than one might think. There is a good chance the employee uses the same password for their corporate login credentials as well. Thus, the attacker has not only figured out how to breach the user’s social media account, but the corporate network as well.
This practice, however, can be difficult to prevent since an organization has no control over what passwords an employee uses outside the corporate infrastructure. Also, attempts to prevent this such as policies requiring frequent changing of passwords can be problematic and result in higher support costs due to employees forgetting their passwords. Such policies also often result in employees simply using predictable password patterns.
Thus, for a truly secure environment, single-factor authentication – password protection – must be augmented with an additional layer applied to the login verification process. Such multifactor authentication is not a new concept, but the consumerization of IT trend, particularly the influx of personal mobile devices, can eliminate the primary barriers preventing organizations from implementing two-factor authentication.
Two-factor authentication is a relatively simple concept: it combines something an employee knows – their password – with something they have – a physical object such as a security token. Only if an employee can supply both forms of authentication will they be allowed access to the protected system. However, such security tokens are often seen as less than ideal. They can be expensive; they wear out; and they can easily be lost or forgotten by employees, resulting in reduced productivity and additional support costs.
The ideal solution to this problem would be a physical object that nearly every employee already has and treats with great care to not lose or even simply forget when leaving the house; something capable of providing the same security features and benefits as a security token without the baggage. This may sound like a pipe dream, but the reality is that BYOD provides just such a solution: employees’ smartphones.
Once employee smartphones are successfully brought into the corporate infrastructure, including taking steps to properly secure and manage the devices, enabling them to function as secure login credentials is actually quite simple. All that is required is for a small application to be installed on a user’s device that provides them with a one-time passcode just as a security token would. Thus, a successful marriage of enhanced corporate security with cost-effectiveness and convenience is achieved.
However, it is important to keep in mind that not all two-factor authentication technologies capable of leveraging smartphones as credentials are created equal. There are several things corporations should demand from such a solution:
- Broad mobile operating system support – One of the key benefits to using smartphones as a security credential is reduced cost because most if not all employees already have the required device; the BYOD trend only strengthens this benefit. However, if the two-factor authentication solution only supports a limited array of operating systems and devices, the mutually beneficial relationship between BYOD and two-factor authentication is drastically reduced.
- Free client side app – The mobile application that supplies users with the one-time passcode should not only be compatible with the widest array of mobile devices possible, but it should also be available for free to partners, customers and employees. This prevents potential hidden cost increases and lost ROI associated with scalable deployments due to customer and personnel churn.
- Cloud-based infrastructure – A cloud-based approach allows organizations to quickly and easily deploy strong authentication without the up-front capital expenditures associated with deploying and maintaining a dedicated on-premise authentication infrastructure. It also provides more secure, reliable and scalable service.
- Support of open authentication standards – Open authentication standards, such as OATH, let companies choose the right form-factor for users, in this case smartphones. OATH also allows companies to source credentials from a wide variety of vendors, which helps ensure timely delivery by avoiding supply chain problems commonly found with more proprietary approaches.
With BYOD come security and management challenges, but organizations should not lose sight of the forest because of the trees. Not only will BYOD, done right, create employee productivity and happiness advantages, but it can also create opportunities to improve overall security. Leveraging employees’ mobile devices as secure login credentials is one way these devices can become an arrow in IT’s quiver, rather than a thorn in its side.
Dr Peng Wei: Designing the Future of Autonomous Aircraft
Air traffic is expected to double by 2037. According to the International Air Transport Association (IATA), the world will need 37,000+ new passenger and freight aircraft, and more than half a million new pilots—unless we come up with another solution. Right now, a George Washington University School of Engineering and Applied Science professor, Dr Peng Wei, is starting to research autonomous electric aircraft design.
NASA will fund the research, which will study how to minimise risks for electric vertical take-off and landing (eVTOL). As Airbus states: ‘Autonomous technologies also have the potential to improve air traffic management, enhance sustainability performance and further improve aircraft safety’.
Who is Dr Wei?
An assistant professor of Mechanical and Aerospace Engineering, Dr Wei has researched aircraft control, optimisation, and AI and ML applications in aviation. Over the next three years, he’ll lead the US$2.5mn NASA grant project in collaboration with researchers from Vanderbilt, the University of Texas at Austin, and MIT’s Lincoln Lab.
Why is His Research Important?
Even though the wide adoption of self-piloting cars, much less aircraft, is still far down the road, technologies that Dr Wei and his colleagues are researching will form the commercial transport of the future. But aviation manufacturers, in order to produce autonomous aircraft, will have to meet extremely high safety standards.
‘The key challenge for self-piloting capabilities is how the system reacts to unforeseen events’, said Arne Stoschek, Wayfinder Project Executive at Acubed. ‘That’s the big jump from automated to autonomous’. In the air, AI-piloted aircraft will have to manoeuvre around adverse weather conditions, such as wind and storms, and other high-altitude risks, such as GPS hacking, cyberattacks, and aircraft degradation. And the stakes are high.
‘If a machine learning algorithm makes a mistake in Facebook, TikTok, Netflix—that doesn't matter too much because I was just recommended a video or movie I don't like’, Dr Wei said. ‘But if a machine learning algorithm mistake happens in a safety-critical application, such as aviation or in autonomous driving, people may have accidents. There may be fatal results’.
What Are His Other Projects?
In addition to the new NASA research, Dr Wei has been awarded three other grants to pursue AI-piloted aircraft:
- A 2-year grant from the Federal Aviation Administration (FAA) in conjunction with West Virginia University and Honeywell Aerospace to investigate “learning-based” aviation systems
- A six-month SBIR Phase I NASA award with Intelligent Automation to mitigate airspace congestion at vertiports—the electric craft version of airports.
- A 1-year collaborative grant with the University of Virginia and George Mason University from the Virginia Commonwealth Cyber Initiative (CCI) to develop anti-cyber attack technologies and aviation video systems
Research like NASA and Dr Wei’s three-year programme will help improve how AI reacts and adapts to challenging air conditions. In coming years, autonomous aircraft will likely take off slowly, starting with small package delivery, then upgraded drones, and finally commercialised aircraft. But congestion issues will worsen until autonomous aircraft are the best alternative.
According to BBC Future, by 2030, commuters will spend nearly 100 hours a year in Los Angeles and Moscow traffic jams, and 43 cities will be home to more than 10 million people. The final verdict? Bring on the AI-operated transit.