Skip to content

Posts from the ‘MobileIron’ Category

Mobile Identity Is The New Security Perimeter

  • 86% of enterprise executives say that mobile threats are growing faster than any other according to Verizon’s Mobile Security Index 2019 and 67% of enterprise execs are less confident about the security of their mobile devices compared to other IT assets.
  • Mobile devices are hackers’ favorite platform to target, with over 905,000 malware packages installed in Q1 of this year alone and over 5.3 million in 2018, according to Statistica.
  • 38% of mobile devices introduce unnecessary risk into the organization based on an analysis of privacy and security settings according to MobileIron’s Global Threat Report.

Mobile devices reflect you and your customers’ identity in the many apps, data, and ongoing activities you and they choose to engage in. Every enterprise looking to reinvent itself by scaling digital business strategies is putting mobile devices at the center of growth plans because they are everyone’s identity.

89% of security leaders believe that mobile devices will serve as your digital ID to access enterprise services and data in the near future according to a recent survey by IDG completed in conjunction with MobileIron, titled Say Goodbye to Passwords. You can download a copy of the study here. Mobile devices are increasingly becoming the IDs enterprises rely on to create and scale a mobile-centric zero trust security network throughout their organizations.

Enterprises are relying on mobile devices more than ever before, personalizing them for each associate or employee to launch and scale new business initiatives. These factors combined are leading to a rapid expansion of, and reliance on mobile devices as the single digital ID enterprises rely on to enable perimeter-less borders. The following IDG survey results reflect enterprise security leaders’ prediction of when mobile devices will authenticate Identity Access Management (IAM):

Passwords Aren’t Strong Enough For A Zero Trust World   

The bottom line is that passwords are the weakest defense in a zero-trust world. Ineffective in stopping privileged credential-based breaches, with the most privileged system access credentials shared and at times resold by insiders, passwords give hackers a key to the front door of enterprises’ systems. They no longer have to hack their way in; stolen or purchased passwords and privileged access credentials available on the Dark Web-enable hackers to use the front door of enterprise IT.

Both the IDG study published in conjunction with MobileIronSay Goodbye to Passwords and Passwordless Authentication: Bridging the Gap Between High-Security and Low-Friction Identity Management by Enterprise Management Associates (EMA) validate how weak passwords are in a zero-trust world and the many reasons they need to go.  Here are a few of the many factors that favor move beyond passwords to mobile-centric zero-trust security framework:

  • While 95% of enterprise executives say they have multi-factor authentication (MFA) implemented, a little more than half of their users are using it. Senior security executives say they doubt the security benefits (36%), expense (33%), and the decision that users don’t access sensitive information (45%), making MFA pointless.
  • 86% of senior security executives would dump password use as an authentication method if they could. In fact, nearly half of those surveyed cited eliminating passwords as a way to cut almost half of all breach attempts. Perceived security shortcomings are a key reason why almost three-quarters of these security leaders say they’re actively looking for replacements for passwords for authentication.
  • 62% of the senior security execs reported extreme user irritation with password lockouts. The percentage of respondents who reported extreme user frustration at password lockouts rose to 67% at companies with more than 5,000 employees. Users having to call in and change their password with IT’s help is a major drain on productivity and worker’s time. Senior security executives want to abandon passwords given how high maintenance they are to support and how they drain time and productivity from any organization.   

Creating A Mobile Zero Trust Network

The new reality for any enterprise is that mobile device identities are the new security perimeter. Mobility devices ranging from smartphones to tablets are exponentially expanding the threat surfaces that enterprises need to secure and passwords aren’t scaling to do the job. Instead of just relying on a password, secure access needs to be determined by a “never trust, always verify” approach that requires verification of the device, user, apps, networks, and evaluation of the presence of threats before granting access.
The formidable challenges of securing a perimeter-less enterprise where the mobile device identities are the new security perimeter need a mobile-centric zero-trust network to succeed. Zero trust validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats—all before granting secure access to any device or user.  Zero trust platforms are built on unified endpoint management (UEM) systems and their enabling technologies including zero sign-on (ZSO) user and device authentication, multi-factor authentication (MFA), and mobile threat detection (MTD). The following illustration reflects best practices in provisioning, granting access, protecting, enforcing, and provisioning access privileges for a mobile Zero Trust network.

Conclusion

Your smartphone or mobile device of choice is increasingly going to become your ID and secure access to resources across the enterprises you work for. Passwords have proven to be ineffective in thwarting the most common source of breaches, which is privileged credential abuse.  Enterprise executives interviewed for two completely different studies reached the same conclusion: IT infrastructure will be much safer once passwords are gone.

How To Secure Mobile Devices In A Zero Trust World

  • 86% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types.
  • 48% say they’ve sacrificed security to “get the job done” up from 32% last year.
  • 41% of those affected say the compromise is having major with lasting repercussions and 43% said that their efforts to remediate the attacks were “difficult and expensive.”

Bottom Line: The majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device or platform today according to Verizon’s Mobile Security Index 2019.

Why Mobile Devices Are the Fastest Growing Threat Surface Today     

Verizon found that 86% of enterprises see an upswing in the number, scale, and scope of mobile breach attempts in 2019. When broken out by industry, Financial Services, Professional Services, and Education are the most commonly targeted industries as the graphic below shows:

The threat surfaces every organization needs to protect is exponentially increasing today based on the combination of employee- and company-owned mobile devices. 41% of enterprises rate mobile devices as their most vulnerable threat surface this year:

Passwords and Mobile Devices Have Become A Hacker’s Paradise

“The only people who love usernames and passwords are hackers,” said Alex Simons, corporate vice president at Microsoft’s identity division in a recent Wall Street Journal article, Username and Password Hell: Why the Internet Can’t Keep You Logged In. Verizon found that mobile devices are the most vulnerable, fastest-growing threat surface there is, making it a favorite with state-sponsored and organized crime syndicates. How rapidly mobile devices are proliferating in enterprises today frequently outpace their ability to secure them, falling back on legacy Privileged Access Management (PAM) approaches that hacking syndicates know how to get around easily using compromised passwords and privileged access credentials. Here’s proof of how much of a lucrative paradise it is for hackers to target passwords and mobile devices first:

  • Hacker’s favorite way to gain access to any business is by using privileged access credentials, which are increasingly being harvested from cellphones using malware. Hacking organizations would rather walk in the front door of any organizations’ systems rather than expend the time and effort to hack in. It’s by far the most popular approach with hackers, with 74% of IT decision makers whose organizations have been breached in the past say it involved privileged access credential abuse according to a recent Centrify survey, Privileged Access Management in the Modern Threatscape. Only 48% of the organizations have a password vault, and just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. The Verizon study found that malware is the most common strategy hackers use to gain access to corporate networks. MobileIron’s Global Threat Report, mid-year 2018 found that 3.5% of Android devices are harboring known malware. Of these malicious apps, over 80% had access to internal networks and were scanning nearby ports. This suggests that the malware was part of a larger attack.

Securing Mobile Devices In A Zero Trust World Needs To Happen Now

Mobile devices are an integral part of everyone’s identity today. They are also the fastest growing threat surface for every business – making identities the new security perimeter. Passwords are proving to be problematic in scaling fast enough to protect these threat surfaces, as credential abuse is skyrocketing today. They’re perennial best-sellers on the Dark Web, where buyers and sellers negotiate in bitcoin for companies’ logins and passwords – often with specific financial firms, called out by name in “credentials wanted” ads. Organizations are waking up to the value of taking a Zero Trust approach to securing their businesses, which is a great start. Passwords are still the most widely relied-on security mechanism – and continue to be the weakest link in today’s enterprise security.  That needs to change. According to the Wall Street Journal, the World Wide Web Consortium has recently ratified a standard called WebAuthN, which allows websites to authenticate users with biometric information, or physical objects like security keys, and skip passwords altogether.

MobileIron is also taking a unique approach to this challenge by introducing zero sign-on (ZSO), built on the company’s unified endpoint management (UEM) platform and powered by the MobileIron Access solution. “By making mobile devices your identity, we create a world free from the constant pains of password recovery and the threat of data breaches due to easily compromised credentials,” wrote Simon Biddiscombe, MobileIron’s President and Chief Executive Officer in his recent blog post, Single sign-on is still one sign-on too many. Simon’s latest post MobileIron: We’re making history by making passwords history, provides the company’s vision going forward with ZSO. Zero sign-on eliminates passwords as the primary method for user authentication, unlike single sign-on, which still requires at least one username and password. MobileIron paved the way for a zero sign-on enterprise with its Access product in 2017, which enabled zero sign-on to cloud services on managed devices.

Conclusion

Mobile devices are the most quickly proliferating threat surface there are today and an integral part of everyone’s identities as well. Thwarting the many breach attempts attempted daily over mobile devices and across all threat surfaces needs to start with a solid Zero Trust framework. MobileIron’s introduction of zero sign-on (ZSO) eliminates passwords as the method for user authentication, replacing single sign-on, which still requires at least one username and password. ZSO is exactly what enterprises need to secure the proliferating number of mobile devices they rely on to operate and grow in a Zero Trust world.

%d bloggers like this: