If we take a stroll through the streets of London we are bound to witness the effects of the mobile computing revolution. Individuals now have the power to shop, conduct business, entertain and collaborate – all at their fingertips. Mobility is having a transformative influence on how we work and interact, but as we explore the art of the possible, we must guarantee that the trust relationships we have – and the ones we will have – are not compromised.
The question that then arises is: How do we secure our mobile engagement? Market forces increasingly demand an answer. Analysts at IDC recently reported that in Western Europe a majority of companies rely strongly on mobile devices to access corporate resources or services in a mobile environment. But, as organisations explore their options, it is also important to note that in the mobile channel, security value needs to be demonstrated so that it complements rather than hinders user experience. Ill-advised security procedures may result in either non-compliance or non-participation – neither of which is the desired outcome.
The answer to the question posed, then, lies in exploiting context for mobile security. Mobility affords significant contextual insight that can be employed for tailoring the security posture for each mobile interaction. Think of your own daily mobile activities. The uniqueness of each interaction is a function of your location, the networks you employ, the time of day and even the state of your device – along with potentially many other contextual attributes. The systems that support these activities can employ these contextual attributes to assess relative risk and modulate the security procedures or application behaviour to more effectively balance security with user experience. For example, when a transaction is performed in a context of elevated risk, the solution may employ multifactor authentication. Or, if the risk is above a certain policy-based threshold, certain capabilities may be disabled. Additionally, the context gives these systems the ability to barter security value when some inconvenience is unavoidable, providing an opportunity to possibly educate the user on security best practices, or at a minimum, alert the user to the risk.
Enough about the concept, let's make this tangible with real scenarios. A research study by Ovum revealed that mobile access to electronic health records (EHRs) is the most prevalent mobile health application – with more than 50 percent of health care organisations having already installed this functionality. If a health care institution wants to differentiate based on quality of care by giving its doctors and nurses mobile access to patient records, then it would have to do it responsibly while also simplifying the experience. The healthcare institution can take contextual attributes into consideration to enhance security – so only users within a certain distance from the hospital can access patient records (given that doctors and nurses will be in near proximity), or only users who are on-duty are allowed access, and other similar policies. Context-based security adaptation need not only be employed for access policy governance. Anyone who has used a mobile banking app realises that to simply access balances the app can use stored credentials. However, if requests are made for the account number or money transfers, then the user is prompted for additional identify information.
Looking ahead, we will witness the use of context to further enhance the security of mobile engagement. Analysis of historical transactions can help detect anomalous behaviour in real-time, which may be a sign of fraud or malicious activity. We are creatures of habit, so a major deviation in the period of access, or irregular time of access, could be indicators to prompt greater security measures. Context can also be used to optimise the performance of security protocols. For example, secure network connections can be torn down when the mobile user diverts attention to another application. This has the benefit of not only conserving battery power, but also preventing a malicious third party attempting to break into an open communication session.
So is your organisation beginning to look beyond the device when charting out a holistic mobile security strategy? It might just be time to put your users' context to work for you and deliver an adaptive security posture that builds trust while delivering excellence in user experience.
Vijay Dheap is an IBM master inventor and currently leads mobile security strategy and Big Data security intelligence solutions for IBM.