The smartphone as universal access device

Entrust's Mark Reeves talks mobile authentication and access management to the Enterprise Security and Risk Management Summit

These days the average person has many different identities across many different devices, applications, social media and cloud services.

With the increasing number of identities come more and more opportunities for criminals to not only find a way past the defences but also to link all of these online presences together for nefarious ends.

Mark Reeves, regional vice president international at security vendor Entrust, outlined the issue to the audience at the Computing Enterprise Security and Risk Management Summit in London today.

Not only do people have more online identities and thus more attack surfaces, but the blurring of work and leisure makes this a serious issue for the organisations where they work.

"In developed markets, 75 per cent of white collar workers are on BYOD," Reeves said.

"Companies are being forced to adapt, but often they have not thought through the security aspect. We are all connected 24/7 and the merging of personal and professional means that security concerns are extending outside the office."

Vulnerabilities in smartphones and apps can allow attackers access to the many online identities of the user, including SMS messages, images, email and social feeds, a powerful combination as the basis for a targeted phishing attack, for example.

However, Reeves continued, if the security issues can be ironed out, mobile devices such as smartphones have powerful features and usage patterns that organisations can make use of. For example, users always have their phones on them, meaning that they are always available.

"If I realise I've forgotten my office pass on my way to work I just carry on, but if I've forgotten my phone I turn around and go back home to get it," Reeves said.

As to the devices, Reeves went through a number of features that in many cases are already part of the device or its ecosystem and can be used for corporate purposes.

Applications in walled-garden-type ecosystems are securely signed and vetted, for example, and sandboxed to ensure they do not interact with those that might contain malware. Mobile devices often have features such as biometrics, GPS, Bluetooth and cryptography.

Using these features a smartphone can be transformed into a multipurpose mobile digital identity, authenticating users to allow them to access physical devices such as sensor-equipped doors or to log into PCs via NFC, to access corporate or cloud services, and to participate in secure transactions using mobile digital signatures.

"From a corporate perspective the convenience factor is pretty high," Reeves said.

The challenge is managing the device securely without restricting the way that a user interacts with it. This is made possible by embedding digital certificates on the smartphone to create trusted identity credentials. Reeves said that this approach maximises security while causing a minimum of inconvenience to the user.

Mobile device management (MDM) software is also crucial, Reeves said, to allow the device to be locked or killed should it be stolen.