The pervasiveness of mobile devices, along with the digital transformation, presents tremendous opportunities for enterprises to extend their networks and deploy productivity enhancing applications. Mobile devices have changed the way business is conducted, giving enterprises and employees flexibility to stay connected, whether in the office or on the road. But as the use of mobile devices and applications grows, the rate and sophistication of attacks on popular mobile platforms also grows, and the need for mobile authentication becomes more prevalent. Unfortunately, the pace of change is so rapid it makes the environment difficult for enterprise IT to manage. The ever increasing use of mobile devices expands the corporate attack surface and creates serious security risks, privacy concerns and vulnerabilities, which malicious actors can exploit to steal sensitive and personal information, and impersonate unknowing victims.
It is, therefore, imperative that enterprises can trust the data and applications on their mobile user devices as well as the end user to whom a device belongs. Enterprises should be able to control device configuration, distribute and monitor client-side software, mitigate vulnerabilities, and control data risk. Mobile security management should also take into consideration the particularities of mobile devices that distinguish them from traditional desktops, since they can be easily lost or stolen and are not protected by the physical perimeters of the enterprise.
To tackle this, a variety of Mobile Device Management (MDM) platforms have emerged to remotely provision devices, track inventory, manage applications and enforce policy on the mobile device; including a way for an enterprise to remotely wipe or disable a device in the field. Only by managing the mobile device as closely as a desktop can the enterprise trust the device as an extension of its network.
Management capabilities by themselves don’t necessarily result in great security. Without good authentication a secure mobile device ecosystem is incomplete. Most security professionals agree that user name and password access is not a sufficiently strong method of authentication for enterprise IT assets even if an MDM is used. Security workarounds for password weaknesses, such as requiring users to frequently change their password, often have quite the opposite results as users resort to writing their passwords down so that they can be remembered.
Here is where digital certificates come into play. Best security practices require the provision of strong security credentials so that the user of a device can be trusted both on the enterprise’s network and with enterprise applications. Digital certificates not only verify the identity of the individual, they validate the device and secure the transportation of this information.
Digital certificates are time tested, successfully securing networks and data for nearly two decades. They are based on public key encryption technology, which makes them an excellent choice for strong authentication. Digital certificates are well supported by laptop, tablet, and mobile smartphone operating systems. In addition most enterprises networking and software applications—such as secure VPN, email, and website secure access through SSL—support digital certificates. It’s the flexibility of having one credential that can support a variety of enterprise authentication security tasks that makes certificates so widely accepted and used.
Digital certificates provide a far better user experience on mobile devices compared to typing user name/password because of the limited keyboard space. They are the ideal form of transparent authentication since certificate-based authentication doesn't require any extra steps from the user. In addition, digital certificates are well supported by virtually all enterprise MDM solutions. Although it is true that it is not mandatory to use digital certificates with MDM, it should be noted that without using a digital certificate the communications to authenticate a user and validate a device would be done in an insecure manner.
Digital certificates work great on BYOD for both employees and the employer. They can help maintain user privacy while preserving control over corporate networks and data. Organizations can simply revoke the certificate if the device becomes lost, stolen, or the employee leaves the organization.
Finally, digital certificates help organizations avoid the need to implement an invasive, expensive and all-inclusive solution. Setup and installation of digital certificates does not require extensive IT support and is easy for the end user, sometimes even requiring no end-user interaction. Additionally, the enrollment process is easy regardless of the platform or operating system.
While certificate support may be built into the applications on the mobile device, IT needs an effective way to manage the certificate lifecycle from the enterprise side. This includes getting the certificates securely onto the device as well as renewing them and revoking them when necessary.
Unfortunately, the truth is that businesses face a lot of problems in their quest to authenticate their mobile devices, which leads to poor mobile certificate management.
According to various studies, poor certificate management can result in lack of asset visibility. If you do not know what you’ve got, you cannot manage it effectively and efficiently. The lack of visibility results in lack of control, which means that organizations cannot fully control the access granted by certificates, risking unauthorized access. A subsequent problem is the existence of cross-team security gaps, as several different IT teams manage different parts of the mobility stack which often creates gaps in management and security. Finally, the above create an inability to detect misuse, since a minority only of organizations can detect mobile certificate anomalies, including misuse or incorrectly issued certificates.
In order to close the gaps in managing digital certificates, a Public Key Infrastructure (PKI) is required. The main function of PKI is to distribute the certificates (and the associated public keys) accurately and reliably to users and devices, and to manage the certificate lifecycle. In selecting a PKI to provide these critical capabilities, organizations must choose between deploying PKI software in-house or outsourcing PKI services to a reliable provider.
Utilizing a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) platform can further enhance the deployment experience of digital certificates on mobile devices, as well as provide enterprises additional features and benefits of implementing security across devices. The integration of an MDM or EMM platform with a PKI solution helps enterprises streamline the process of deploying digital certificates to end users' devices by automatically provisioning digital identities onto devices without end-user interaction.
An enterprise must carefully decide which approach to use as the success of a PKI deployment is dependent upon how easy it is to use and manage, and how seamless the user experience is. In addition, the method must be able to scale to the needs of the enterprise as it expands its usage of these credentials around the globe on a wide variety of applications and devices.
In response to these pressing issues, Venafi created a new solution that safeguards the machine identities used on endpoints that access enterprise networks and resources. With Venafi Enterprise Mobility Protect, organizations can protect the machine identities on mobile endpoints by managing device certificates through a central certificate security platform.
The Venafi Enterprise Mobility Protect delivers comprehensive certificate visibility, issuance, distribution, and policy enforcement, as well as the control needed to terminate access for unauthorized users and employees. The enterprise-class machine identity protection solution for mobile devices also maximizes flexibility by supporting all industry-leading certificate authorities.
“Security teams can be confident that all machine identities used for mobile devices, laptops, desktops, VPNs, WiFi and NAC authentication are secure,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “This allows all machine identities for mobile devices to be protected and comply with policy throughout their entire lifecycle, regardless of who owns the device or which team issues and manages the machine identity.”
Want to learn more? Check out the Venafi Enterprise Mobility Protect web page.