Getting user authentication right is essential to IT success, but with today's focus on mobility, the risks are increasingly complex.
When IT discussions turn to matters of security, the focus is almost always on encryption. Scrambling sensitive data to protect it from eavesdroppers and thieves is certainly a great place to start. But of equal importance is user authentication, in which at least one party in a given connection -- and ideally, both parties -- must prove its identity to the other.
As is the case with encryption, authentication is no guarantee of absolute security. (There is no such thing.) Credentials -- most often usernames and passwords -- can be stolen or otherwise fall into the wrong hands. Given that these credentials often factor into determining the keys used in encryption and decryption, a failure in authentication can have disastrous results. Once sensitive digital information is compromised, it remains such forever. Recovery from such a breach can be time-consuming, costly and even impossible.
Here are some tips to keep in mind as mobile user authentication becomes more important in the enterprise:
Devise user authentication policies
Security and authentication policies are often unique to a given organization; effective security is never a one-size-fits-all proposition. A basic security policy -- defining what information is sensitive, who can have access to this information and under what circumstances, and what to do in the event of a breach -- is a must. Simple and obvious elements, like requiring PIN codes on mobile devices and regular password changes, are essential. Policy can go further to explain what a given user/device combination can do based on credentials and context. Only after policies are set and tested in an isolated or pilot setting should specific user authentication technologies be considered.
Consider two-factor mobile user authentication
Of increasing importance is two-factor authentication, which is loosely described as requiring "something you have plus something you know" before granting user access. The "something you know" is typically the traditional username/password combination. The "something you have" is a security token generated by a dedicated hardware device, a mobile app like Google Authenticator or an SMS message. The tying of a specific user to a specific device is key, and it's far more secure than the username/password combination alone.
The threat of malware is another reason to enhance your mobile user authentication processes. The challenge of knowing exactly what a given app or application is doing always remains, and thieves' ability to surreptitiously capture credentials further motivates the requirement for two-factor authentication.
Take the identity management leap
Contemporary user authentication implementations are often referred to as identity management, which defines classes of users and grants specific permissions to each -- from guests and knowledge workers to system administrators, senior management and beyond. Most identity management products take advantage of existing directory services, minimizing implementation headaches and eliminating potentially harmful redundancies.
As consumerization and mobility take hold, and workers demand access to corporate assets from a mix of employee- and employer-owned devices, the demand for identity management has grown. Providing a central repository of capabilities based on user, device, credentials and context makes a lot of sense, and also decreases the load on administrative staff, consequently lowering operating expenses.
How do you know the proper security measures are in place, and how can you verify functionality and effectiveness? Sadly, security is the one aspect of IT where no job is ever done. Continual diligence is necessary, no matter what policies and solutions are in place.