The chain is only as strong as its weakest link

By Teus van der Plaat:

Mobile security – “The chain is only as strong as its weakest link”

How do organizations communicate today? The picture is changing from even five years ago and it is presenting real challenges to data security.

Only 20% of workplace communications takes place over PCs coupled on fixed communication lines. Laptops also make up 20% – mainly connected via Wi-Fi – and tablets account for about 10%. But the majority of communications – more than 50% – are carried out by iOS and Android smartphones. And that number is growing.

Within the last few years, almost all critical and secure business communications have become wireless-based. The big difference is that with fixed communication you broadly know where the end user is, but with wireless communication they could be almost anywhere. And so it is inevitable that the security of mobile devices is now crucial when protecting data and intellectual property.

Problems arise when mobile device security is based on the same principals of fixed communication protection; userid password. For example, Google has to make the Gmail email system secure while they will never know the people behind the more than 1 billion accounts. And the userid password method of authentication is relatively very weak.

Asking for long and complex passwords and imposing frequent change will make the system more secure, but also less user-friendly and therefore weak by design. The conclusion of the security experts of Google is so called two-factor authentication, which can make the security a factor 10,000 more secure than the userid password combination.

Authentication and authorization

In real life, security consists of two important elements; first the authentication, or who is sitting behind the device/application? Are you absolutely sure that the people who are trying to get permission are who they say they are?

Second, authorization. Based on role, function, etc. do you have access to a system or data, or certain transactions? The best way to approach authentication is via a PKI (Public Key System). Strong authentication has long been in place in banks, defence, police and so on but the sophistication of hackers today means all businesses have to use better security to prevent unauthorized access to their data and systems.

The reasoning behind Google’s advice to use two-factor authentication, is its requirement for an independent second factor to gain access.

Something you have and something you know

Strong authentication works with a key which can only be unlocked by something you know or via biometrics. This can be a smart card with an encrypted key, a micro SD card, or a SIM card; as long as it is a physically separate device from the system you want to work with. This key is unlocked by pin code, fingerprint or an iris-scan. An encrypted communications channel can then be established with the system, which in turn knows the public key.

Within the security sector, it has been proven that the ergonomics of a solution is the most important factor in user acceptance. A successful system should present no hazard for the user. It is why Interchange focuses on offering mobile communication products that maintain security alongside the user experience.

Yet this is only the beginning of a secure total solution as communication is one consideration but storage, maintenance, support, operating systems, user screening and so on also need to be in place in order to establish system-wide security.

An expert in network and mobile security, Teus van der Plaat served the Dutch Ministry of Defence for almost four decades and now acts an advisor for Interchange.