General Data Protection Regulation (GDPR), Network and Information Security Directive (NIS), Second European Payment Services Directive (PSD2) – 2018 will see the implementation of a number of regulations that will most certainly introduce new demands on your cyber security strategy. These demands will refer increasingly to the themes of strong authentication and protected access to data.
With all forms of strong authentication – such as Multi-Factor Authentication (MFA), Adaptive Authentication or Risk-Based Authentication – now becoming a widely used method of accessing corporate IT systems, it is surely all the more important in a professional mobile environment. In this paper, we will explore six key reasons for using strong authentication in a professional mobile environment.
1. Fulfilling regulatory requirements
This entails satisfying certain regulatory requirements, which are not limited to users of fixed workstations. It should be noted that the use of strong authentication will not in itself fulfil all aspects of these directives and regulations, but it will contribute significantly towards helping an organisation achieve compliance.
PSD2: Revised European Payment Services Directive
- Objective: to promote innovation, competition and efficiency within the market and more specifically to modernise payment services within Europe for the benefit of consumers and businesses.
- Effective date: 13 January 2018, with a transition period of 18 months after publication of the regulatory technical standards in the Official Journal of the EU, which postpones their official application to September 2019.
- Obligation relating to data access: strong authentication is mandatory for online payments of over 30 euros and for setting up standing orders and direct debits. Account aggregation and payment service providers will also be required to use strong authentication when connecting to banks and retrieving users’ data.
GDPR: General Data Protection Regulation
- Objective: to standardise the European legal framework on protection of personal data.
- Effective date: 25 May 2018
- Obligation regarding access to data: going beyond the principle of consent for the collection and retention of data, this new regulation extends the responsibilities of organisations and their requirement to ensure the security of their customers’ information. Organisations must make every effort to effectively secure their Information Systems and associated access. This will be of particular concern to companies whose workforces use mobile devices, since such devices represent a significant threat. Strengthening access security through the use of strong authentication is a first step towards attaining the security standard required by the GDPR.
NIS: Network and Information Security Directive
- Objective: to give each member state the means to better protect their organisations and essential public services against cyber attacks. An extension to the cyber security mechanism for operators of critical infrastructures introduced by the French Military Planning Act (LPM) in 2013, this Directive further strengthens the protection of various other bodies that are critical to the everyday lives of citizens.
- Transposition of the Directive in France: 9 May 2018.
- Obligation regarding access to data: the Directive sets objectives but does not impose any specific means, and the security measures that will be required of operators of essential services (OES) are yet to be stipulated. Nonetheless, a ‘control and audit’ strand is anticipated, and the requirements in terms of device security and strong authentication will be more stringent.
2. Opening up the Information System (IS) in total security
Information technology has advanced considerably in recent years, both in terms of technology (widespread use of Cloud computing, upsurge in BYOD and the use of mobile devices, connected objects, etc.) and in terms of practice (remote working, opening up to partners, etc.). It has become unthinkable for a modern organisation to partition its Information System and to restrain itself within its physical perimeters.
However, opening up the Information System is a major issue for organisations undertaking a digital transformation. In effect, we now need to deal with users who access services hosted both inside and outside the IS, and who do so not only from within the organisation but from outside it too. Integrating access from mobile devices, whether managed or not, is a real issue we need to contend with. Whether or not we accept BYOD, the personal use of mobile devices by users is not always in keeping with good practice and calls for increased vigilance.
As each new door opens, the Information System needs to be controlled and made more secure. The need for strong authentication to permit and track access to the Information System is clearly evident, and all the more so in a professional mobile environment. The same degree of care for security should apply: prevention against the risk of attacks, protection against the loss or theft of data and authentication all need to be strengthened, whether we are logging into a cloud-based service or accessing our business applications remotely.
3. Balancing ergonomics and security to free mobile users from password constraints
Mobile users demand a seamless, secure digital experience, and come to expect the same practical habits that they are used to in their everyday lives. It is almost inconceivable nowadays for users to repeatedly enter passwords for multiple applications on a mobile device. Providing optimised ergonomics without compromising security involves the adoption of a simple and unique authentication function. There is a genuine risk that users will look to work around or disable any security functions that they find too restrictive. By adopting authentication methods suited to mobile environments in terms of both security and ergonomics, users will be won over and organisations will then be able to reduce security risks, such as using weak passwords or saving passwords in the browser.
It is now possible to find innovative solutions that will free users of constraints, whilst simultaneously raising their awareness of the security policy in place within their organisation.
4. Reinforcing the systems architecture approach within the Information System
Organisations are increasingly focusing their approach on the architecture of their Information Systems, and leaning towards an infrastructure that is open, productive, scalable and based on current market standards. Organisations need to avoid scaling up the number of solutions used to protect access or locking themselves into complex specific developments. Sharing and standardisation are key requirements for any successful digital transformation.
System designers and architects now recommend using a reference authentication infrastructure within the IS, based on market standards, in order to ensure proper application of an organisation’s security policy and interoperability with the innovative technologies which they connect with.
It is possible to strengthen an organisation’s application security by delegating the authentication and access control functions to a dedicated security infrastructure. Where strong authentication is required to access certain applications containing sensitive data, the same secure process must apply to both users inside the organisation, and an external roaming user base connecting via a mobile environment.
5. Guaranteeing control and traceability for mobile access to the Information System
For any organisation, controlling, securing and tracing access remains a top priority. An organisation must have continuous 360° visibility of all access to its Information System, and mobile usage cannot be allowed to operate outside of the security rules already in place.
Regardless of the device being used or the location of the user, it is vital to ensure that access to the organisation’s Information System is gained by way of a properly secured entry port. Strengthening the authentication mechanisms, Single Sign-On and the access control rules within a mobile environment facilitates greater control and traceability. Strong authentication builds trust, as it guarantees the user’s digital identity.
The risk of the organisation’s information assets being compromised is considerably reduced. Similarly, the traceability of all user authentications, authorisations and delegations will help to satisfy regulatory auditing requirements.
6. Limiting the risks associated with the vulnerability of mobile devices
Leaked data, theft or loss, dubious mobile apps: there is no doubt that mobile devices are vulnerable. Although these devices are ingrained in our everyday lives, we are not always mindful that they may contain confidential information that is potentially sensitive for the organisation, or that they provide users with a number of access points into an organisation’s Information System. In addition, a smartphone is easily lost or stolen.
Strengthening authentication on workstations is common practice, so why not strengthen user access from mobile devices? We must be mindful that, according to security experts, cyber criminals are not merely able to attack a smartphone itself: it is now their target of choice for gaining unlawful access to an organisation’s Information System. Using strong authentication is therefore a sensible and proactive step that removes the need to manage passwords and, in turn, avoids exposing those passwords to attacks from the Internet.
Deputy General Manager – Ilex International