As I think back to the many discussions I’ve had around the topic of mobile and the impact on corporate networks, I can’t help but think about the potential number of devices each person uses on a daily basis. In the past, most organizations had a 1:1 mapping of users: devices. One can quickly envision that could grow to a 1:3 (or more) mapping over the next few years.
One aspect that could drive that number — and drive it fast — is BYOD or “Bring Your Own Device” to work. A few months ago, Computer World wrote an interesting article around this topic. The author, Jaikumar Vijayan, referred to Unisys and how they are embracing BYOD.
“… employees will be allowed to use pretty much any mobile client device of their choice so long as they abide by an Acceptable Use Agreement (AUA) according to Patricia Titus, the chief information security officer at Unisys.”
The next part caught my attention.
“One of the main components of the AUA is a requirement that users allow a PKI device certificate to be installed on their personal devices … The certificate will be used to authenticate the device to the Unisys network each time the owner tries to access the network.”
In this situation, it is clear that a digital certificate is required to gain network access. This allows the organization to keep tabs on what devices are accessing their network. And if users require access to sensitive information, a multifactor authentication approach is used (e.g., smartcard, one-time passcode/OTP, biometric, etc.). As I stated in a previous post, “Mobile as a Credential,”
“Many organizations want to enforce, not only WHO is accessing their networks, but WHAT. Digital certificates are a great way to accomplish this. Whether it’s for VPN access, Wi-Fi, etc., many routers/VPNs already accept certificates as a form of authentication. And given the recent breaches, strong authentication, along with a layered security approach, is the very least we can strive for. “
Based on the author from Computer World, Jaikumar Vijayan:
“Unisys is among a growing number of enterprises implementing such polices to deal with what Titus [CISO of Unisys] calls the "consumerization of the IT infrastructure."
This, no doubt, highlights what we have seen in the industry. Clearly, consumerization is a big topic, and authentication always comes up (amongst other things). In “Mobile as a Credential,” I mentioned RSA’s view:
“RSA has certification authorities but Curry [RSA CTO] says nobody has approached them about using digital certificates on the mobile device. People have talked about putting the pieces together but I don’t know if there’s any commercially-viable offerings out there,” he says.
I still wonder why RSA hasn’t seen this demand, and that they are unaware of what solutions are in the market. Clearly, mobile and consumerization is here to stay, and organizations need help.
Nevertheless, organizations are taking BYOD seriously. In order to execute on BYOD successfully, organizations need to consider a number of items such as:
- Acceptable use policy (or in the Computer World article, as Unisys calls it, “AUA – Acceptable Use Agreement”)
– What users can and can’t do … and legal implications
- Mobile Device Management: How deep do you want to go?
- Data segregation and protection (Personal vs. Corporate data)
- Strong Authentication
– Whether it is accomplished by certificates and/or other multifactor methods
– I’d say go for Device (Digital Cert) + User Authentication (determine what works best for you, OTP, Mobile as a smart card, etc.)
Are you considering BYOD?