The increasing reliance on mobile devices and applications is driving the need for mobile certificates to ensure that devices and applications are secure, authenticated, and encrypted for enterprise users. But failing to protect mobile certificates—to whom they are issued and when they need to be revoked—opens the door to unauthorized access, data leakage, and intellectual property theft. The fact is that keys and certificates of all kinds, including mobile certificates, are being targeted to initiate and continue attacks every single day.
However, research published by Forrester Research uncovers that IT security professionals are not fully aware of the implications of what is required to protect mobile certificates. This creates gaps in understanding how to perform the most critical functions necessary for securing mobile certificates.
IT Security’s Role in Protecting Mobile Certificates
A study by Forrester Research found that a majority of IT security decision makers rely on digital certificates to secure their mobile applications and systems, such as VPN, Mobile Device Management (MDM), email, WIFI, SSL/TLS mobile applications, and Mobile Application Management (MAM). Nearly 80% of IT security professionals acknowledge they own the responsibility for protecting mobile certificates. And two-thirds or more of IT security decision makers believe they should own responsibility for security functions, including certificate issuance, policy, updates, deployment, and revocation.
Gaps in Security Awareness
Although most agree that they are responsible, 77% of IT security professionals who responded to the survey said that they have very little visibility into the applications, users, use cases, and security of mobile certificates, and 71% said they do not have full control. But what’s even more shocking, one of the most important functions—detecting anomalies—is a task that IT security is not prepared to perform. Only 38% claim they have the ability to detect mobile certificate anomalies, such as duplicate certificates, or active certificates issued to terminated employees, both of which can be used for unauthorized access.
IT Security Does Not Have Full Visibility or Control of the Use of Mobile Certificates. Source: Forrester Research – IT Security’s Responsibility: Protecting Mobile Certificates
Closing the Gaps
So what can you do to close the gaps that exist in mobile certificate security? Forrester Research recommends the following steps that enterprise organizations should take to protect mobile certificates:
Establish common policy across applications and desktops, laptops, tablets, and phones
Identify all sources of certificates
Map all found certificates to a single user and establish a baseline
Enforce policy for all mobile certificates
Detect anomalies like duplicate certificates or unrevoked certificates for terminated employees
Respond quickly to anomalies with kill-switch-like revocation
Prepare to quickly remediate when incidents like Heartbleed occur that require all certificates to be rekeyed, reissued, and revoked