Mobile security, certificates and authentication: Mobile management, Part VI

Mobile security is a necessary concern of any enterprise and, as discussed in this tip, IT organizations must consider both security and authentication factors for their mobile devices.

One reason why the mobile device is so important to the concept of mobility is security. Various approaches to telephony, data, email and other applications have come to rely on the device, or a certificate on that device, as the basis for a security schema. So whether we're talking about a BlackBerry tunnel, a VPN or user authentication, any of these approaches requires some form of two-factor authentication, and a component of the mobile device (e.g., MAC address, SIM, etc.) is one of those factors. Any mobility management solution must provide for integration with security architectures.

Enterprises have become extremely good at developing and managing security approaches for their own networks, but when things go across a third-party network, that's when it gets complicated. Add mobile into the equation and we can see why so many IT departments are happy to pursue one of three alternatives. The first is to eschew the network altogether and to rely on infrared, Bluetooth and even cradle-based synchronization for connectivity between mobile devices and applications. The second is to use the locked-down and tightly controlled BlackBerry tunnel available to users of that device and service. The third is to use laptop computers, 3G network connectivity and a VPN tunnel for secure, mobile access to enterprise data and applications.

This leaves us with a debate about what mobility really is. Is it a laptop and a 3G card? Or is it an even more mobile device that boots instantly and uses whichever network is available at the time? The former is state-of-the-art, but the latter is an integral part of the complicated future ahead of us.

Authentication: Middle ground between carrier and enterprise
In order to secure a user, we must authenticate him, which means that we must identify him and verify the services that he is authorized to use. Once we have verified this information, then we can deliver services securely. In this regard, mobile operators and enterprises are doing similar things with different technologies. On GSM networks, the SIM card is an important part of a mobile user's identity, but SIM technologies aren't used on CDMA networks or in many enterprise applications. For IT departments, the mobile operator's credentials can be a good place to start for authentication, though other certificates or device attributes (such as MAC addresses) are viable alternatives.

Services like Wi-Fi and WiMAX rely on authentication technologies such as RADIUS, WPA, TKIP and other approaches well-known to IT organizations. Getting the carriers involved in sharing those directories is a different story. More likely than not, mobile workers will continue to rely on multiple user identities and permissions across carrier and enterprise networks. Even as enterprises rely on directories for user permissions, there will be duplication between the carrier and the enterprise.

Islands of authentication

Duplication will take the form of one system for enterprise authentication and a separate system for authentication to public network services. Mobile data services are an obvious point of contention, but telephony is a good place to start. Mobile operators already provide global roaming between carrier networks for telephony, but these networks use authentication processes that are inaccessible (largely because of cost) to enterprises of all sizes. The upshot is that on-campus mobile telephony on an enterprise Wi-Fi network can either use a separate set of authentication processes and technologies or the IT department must get involved with the carrier network at one level or another. The latter option costs money, but it also provides seamless handoff between the two networks. The former solution requires users to consciously "switch" between networks, and given that option, we already know that users will simply stick with the cellular network.

The same holds true with mobile data. A recent study found that 90% of the traffic generated by users of laptop + 3G card combinations was from on-campus locations. Faced with the responsibility of "thinking" about connectivity, most mobile users opt for the least common denominator – or the solution that works in the greatest number of places with the least amount of effort.

The point about mobile data is that, if enterprise IT departments want to manage user connectivity (including roaming users onto the most appropriate network) in order to provide a cohesive set of enterprise services, IT managers will need a way to manage user authentication and to share credentials with public network operators. And the management of authentication, credentials and security requires agreement about the underlying process of mobile device management.

A service example
For example, suppose an IT department wishes to offer a cohesive enterprise telephony service to workers. This service will place the user on the corporate network whenever an enterprise Wi-Fi signal is available (e.g., on campus, remote office, VPN tunnel, etc.). In all other situations, the user will access public cellular networks. The user will have a single telephone number and it will ring to the mobile device. The user will be able to specify the hours during which calls are taken and individuals whose calls ring through at all hours. The user will not have a desktop telephone, and there will be a single voicemail that can be available in an email-like format on the mobile handset. The IT department will provide reduced-number dial plans and will be able to route calls (including international ones) via the corporate network.

Today, there are technologies that provide some of these features, but these approaches require a level of integration between enterprise and carrier networks. Some of the services mentioned rely on access to the carrier signaling infrastructure. Other services rely on access to enterprise Wi-Fi authentication services. Providing this integration between the carrier and the enterprise requires agreement at a fundamental level about the software and certificates available on the mobile handset. Reaching this agreement requires clear delineation of mobile device management roles and responsibilities.

It's about services
Delivering enterprise services to mobile users requires IT departments to share credentials and user authentication information with mobile operators. To do this securely and effectively, enterprises and mobile operators will need to establish a common set of expectations about roles, responsibilities and demarcation points for mobile device management.

Daniel Taylor

About the author: Daniel Taylor is managing director for the Mobile Enterprise Alliance, Inc. (MEA), and he is responsible for global alliance development, programs, marketing and member relations. He brings over fourteen years of high technology experience and is well known as a subject matter expert on many of the aspects of mobility, including wireless data networking, security, enterprise applications and communications services. Prior to the MEA, Dan held a number of product marketing and development positions in the communications industry.
