The bring-your-own-device (BYOD) trend benefits enterprise productivity while decreasing costs
Certificates are used to regulate mobile access to enterprise data and systems
Enterprises struggle to distinguish compromised certificates from valid ones
Enterprises must be able to identify, issue, and revoke certificates even on employee-owned devices
While more and more employees are using their own phones, tablets, and other mobile devices for work, these practices often keep enterprises in the dark about mobile device access to enterprise data and systems. Digital certificates can shed light on enterprise access issues but only when certificates are properly managed and secured.
One good thing about cell phones is this: You're not as likely to run into people in the dark as you were before cell phones became ubiquitous. Nearly every face you see at night is bathed in the soft blue light of a cell phone. But illuminating people's faces isn't the only good thing about the phones' ubiquity. Mobile devices have done enterprises a few good turns.
Most enterprises welcome mobile devices because they allow people to work anytime, anywhere, and enterprises benefit from this increased productivity. You could even say that mobile devices have become indispensable to enterprises.
But there's a problem lurking here: Employees use mobile devices to access enterprise systems and often store enterprise data on them. I personally have a cell phone, an iPad, and a laptop, all of which have access to our corporate email system (and other corporate systems). This abundance of connected mobile devices is not unusual.
Access to enterprise networks usually involves certificates, of course, but how do the enterprises know for sure who owns the certificates? What happens if employees lose the devices or the devices get stolen? Enterprises need to be able to revoke access privileges as soon as a mobile device goes missing.
Clearly, enterprises must have some way of knowing which certificates, on which devices, belong to which employees. They must also have a means by which they can identify and remove compromised certificates, even on devices that do not belong to them. And they must have the ability to control—that is, issue or revoke—certificates at a moment's notice. For example, if I were to call our helpdesk and report that someone stole my backpack one dark night, our helpdesk would have a mechanism for immediately revoking the certificates on each of my stolen devices, thereby preventing access to corporate systems. In other words, it would have a kill switch for the certificates that are located on these devices.
Unfortunately, most enterprises do not have such capabilities. Lacking them, they are as blind and as vulnerable to hidden cyberattacks as were people strolling down dark alleys in the days before cell phones.
What is your enterprise’s BYOD policy? If employee-owned devices are allowed, how does your business shed light on and control enterprise data and system access on these devices?