Last Thursday's tweet jam (#CISmcc) featured a spirited discussion among industry experts on mobile security and current approaches to managing it. In case you missed the conversation, you're in luck! Below is a recap of the event, and you can learn more about mobile security and identity management at the upcoming Cloud Identity Summit, July 19-22 in Monterey, CA. To review the entire discussion, go to #CISmcc on Twitter and click the "All" link at the top of the column.
The full list of participants ranged from security and enterprise tech reporters to industry analysts and included:
@paulmadsen: @ron_miller sounds like you are saying 'need more advanced ways of authenticating .. based on ...' Not same thing as identity #CISmcc
Q3. How do enterprises integrate data access and security in today's mobile connected world? What effect does BYOD have on this?
All participants agreed on the importance of identity as a subset of all things for securing mobile, apps and data.
@xmlgrrl: #CISmcc A3 Assume the worst, adopt #ZeroTrust posture, & prepare to elevate trust selectively. Problem is 3D: BYOD, SaaS, non-employees.
@bmkatz: A3. Enterprises need to start focusing on data first, and then IDAM, then app and device last #CISmcc
@paulmadsen: A3 'controlling access' requires mechanisms at the server and local storage #CISmcc
Q4. What role should identity play in securing mobile devices, apps, data? How does multi-factor authentication fit?
This was a hot topic as participants debated the role of identity and the role of multi-factor authentication. They agreed that security of mobile devices is all about identity and lamented the difficulty of multi-factor authentication today.
@editingwhiz: A4: High-level security of mobile devices is all about identity, how could it NOT be? #CISmcc
@ron_miller: A4 As a user I find multi factor authentication as currently constructed to be hard to use. #CISmcc
@editingwhiz: @ron_miller I'm with you, Ron. We need somebody to come up with a simpler, more intuitive MF authentication product. It CAN be done. #CISmcc
@grittygrease: Every new authentication factor that requires user interaction is a burden and comes at a cost #CISmcc
@mark_diodati: #CISmcc Q4) identity is a subset of all the things for securing mobile, apps, data. An important subset.
@SMFulton3: #CISmcc A3: 1) Secure the user's connection with the virtual desktop with multi-factor auth.
@SMFulton3: #CISmcc A4: 2) Secure the user's session with that virtual desktop with session-level encryption, regardless of how crappy. #OpenSSL
@SMFulton3: #CISmcc A4: 3) When the user moves, the session breaks. The desktop pauses, the user picks up another device, re-auths, resumes.
Q5. In five years, what best defines mobile security? What are biggest threats to eliminate & what stubborn ones remain?
Everyone agreed that in the future there won't be several types of security, but there will be a consolidated "security."
@JohnFontana: Q5: Sand boxed data and apps. SSO for native applications. FIDO infrastructure. First-tier Biometric/MFA. Context. #CISmcc
@ron_miller: A5 Good question. :) Security becomes part of the mobile experience, not something you do. #CISmcc
@xmlgrrl: #CISmcc Q5: Heck, by then, everyone will have BYOD&BYOI and be using (biometric) wearables if not implants. :) It will just be "security".