Taking Measures: Ensuring Mobile Device Security, Part 2 – Mobile Device Access Security
In the previous installment of our series on mobile device security, we examined important aspects for maintaining data integrity on mobile devices and for mobile worker solution deployments. In this article, we look at the key components related to mobile device access security.
When it comes to this form of mobile device security, a number of internal and external controls exist to provide device protection. From contactless and insertable smart cards to fingerprint scanning and Trusted Platform Module (TPM), each of these approaches help guard identity and access rights, and further support privacy protection in a mobile environment.
Our customers who rely on enterprise mobile devices are in diverse business sectors, from the insurance, healthcare, and finance sectors, where regulations and other factors require high levels of protection, to industries such as energy and oil and gas, where field service technicians regularly exchange proprietary data. As we look more closely at access security methods and applications, in general, we find a number of commonalities as well as unique attributes that set each of these approaches apart.
Smart Cards and Mobile Device Authentication
While password protection on mobile devices is commonplace for enterprise mobile computer users, there are many environments where two-factor authentication (e.g., something you have like a smartcard, fingerprint or face, and something you know, like a password or PIN) is preferred. Two-factor authentication represents a critical second line of defense against unauthorized access to booting up a device and logging in to a confidential network.
Sensitive corporate and customer data can be found on mobile worker devices in markets like insurance, utilities, healthcare, finance and countless others. In these situations, smart cards offer two possible solutions.
While contactless smart cards can be used by merely touching a card or fob to a reader embedded in the device, with the user then being authenticated, they can also be used in a two-factor capacity. From a two-factor standpoint, a contactless approach is easy to use, but likely not as secure as using an insertable smart card. Using a contactless solution, when the user leaves their computer, they need to log off or the unit will need to time-out before data is safeguarded.
Insertable solutions require the card to be inserted into a reader embedded in the mobile device for access to be granted. Once removed, the user is automatically logged out. This solution may be less convenient but at the same time is potentially more secure since, in our experience, users working in sensitive environments are more likely to take their card with them when walking away from their computer.
Taking a Biometric Approach: Fingerprint Scanning
Biometric approaches, such as fingerprint scanning, represent an additional authentication feature that take advantage of each person’s unique identifier. Fingerprint authentication is being used not only to unlock mobile devices and handhelds, but also to ensure the integrity of other types of transactions.
We’ve found that in the healthcare industry, for example, some hospitals use biometric technology, such as fingerprint recognition, to identify patients and guard against patient identity theft.
For our customers in other high-risk industries, such as precious metals mining, maximum security might entail using a three-tier authentication approach. The field technician would be required to insert a smart card into the rugged laptop, enter a password, and then scan a finger to gain access.
While the potential exists for data hacking through fingerprint duplication, the process is cumbersome and with recent safeguards in place, such as sensors that detect blood flow, the chances of gaining access through this method is remote.
Federal users nearly all have Common Access Cards (a type of smart card) which allows them to access many endpoints on the network, where fingerprint readers are more common on units that are assigned to a single user who can register their fingerprints on that device.
The benefit of a smartcard over a biometric solution is that the readers can be less finicky (less likely to reject an authorized user) and easier to administer, especially remotely. Biometrics, on the other hand, are much harder to lose or forget at home.
Relying On Trusted Platform Module (TPM)
Proving that a platform is trustworthy and has not been tampered with as well as authenticating a laptop user are key attributes of the Trusted Platform Module (TPM). The TPM is provided using a separate chip in a laptop for this purpose. It’s responsible for securely storing passwords, certificates, and encryption keys. The TPM can also detect unauthorized configuration changes made by malware and block any access to necessary applications until the issue is remedied.
Similarly a Mobile TPM on MicroSD chip cards are now available for some handheld computers. The MicroSD chip holds passwords, digital certificates and encryption keys adding a layer of security to the handheld device or phone.
As an example of how TPM applies, digital signing represents a process whose integrity must be assured, and it can be made more resilient with TPM. This is especially critical in terms of secure emailing or document management.
Consider a field-based insurance scenario where an auditor is assessing damage to provide FEMA compensation for property damage after a natural disaster. Having a TPM chip in place helps to ensure the integrity of all remote interactions. Moreover, if a device is lost or stolen, a TPM chip provides authentication for a trusted boot pathway (i.e., BIOS, boot sector, etc.). If any changes are detected in the device hardware or software configuration, an authorized recovery key must be generated and applied before bootup of the machine can continue. This helps ensure the integrity of the data and interactions for insurance and other legal documentation.
In our experience working with companies that emphasize mobility, access security represents an important concern as it relates to protecting both critical business data and the hardware itself. The increased use of mobility across the business spectrum makes e-authentication, data security, and device protection more essential than ever. In the next installment of our series, we take a close look at connectivity security and greater reliance on external networks.
Panasonic Toughbook and Toughpad devices are purpose built to meet the environmental, workflow and security needs of enterprise mobility customers. Toughbook and Toughpad mobile computers include various enterprise-level security features enabling its customers to address their data security, access privileges, connectivity security and device security needs. For more information, visit the Panasonic website.