Mobile devices have changed the way business is conducted, giving enterprises and employees flexibility to stay connected, whether in the office or on the road. As mobile devices continue to play a greater role in enterprises, greater amounts of data will flow through these devices and applications. As a result, we expect the surge in mobile traffic to continue to grow over the next few years.
The ever-increasing use of mobile devices also expands the corporate attack surface and creates serious security risks, privacy concerns and vulnerabilities, which malicious actors can exploit to steal sensitive and personal information and impersonate unknowing victims. As the use of mobile devices and applications continues to grow, the rate and sophistication of attacks on popular mobile platforms also grows, and the need for strong mobile authentication becomes more pressing.
Mobile devices and mobile applications are becoming more dangerous threat vectors against the corporate network. Indeed, the number of mobile threats continues to increase. In 2023, Kaspersky mobile products and technologies detected:
- 33.8 million malware, adware, and riskware attacks
- 1.3 million malicious installation packages
- 154,000 mobile banking Trojans
To counter these threats, enterprises are turning to certificates to secure mobile devices, applications, and users. Digital certificates authenticate mobile users to applications, VPNs, and Wi-Fi networks. However, many organizations have little or no visibility into their mobile certificate inventory and do not know which certificates their users hold. Without visibility there is no control: an organization cannot govern the access those certificates grant, and unauthorized access becomes a real risk.
A range of security risks, from misused or orphaned mobile VPN certificates to continued access by terminated employees or contractors, can be exploited with little effort. With several IT teams managing different parts of the mobility stack, gaps in management and security are common, and they hamper your ability to detect misuse, especially if you are not equipped to detect mobile certificate anomalies such as incorrectly issued certificates. An attacker holding a valid mobile certificate can pose as a trusted user, enter your network, and steal intellectual property.
Mobile Device Management (MDM) helps organizations securely manage mobile devices with capabilities such as enforcing passcodes, encrypting data, and remotely wiping devices that are lost or stolen. MDM also tracks device compliance with security policy, and it supports data protection through on-device encryption, secure containers for corporate information, and policies that control data access and sharing. The certificate-based parts of this, device and user authentication, encrypted channels, and signing, depend on ready access to a Public Key Infrastructure (PKI).
A great way to curtail cybercriminal attacks on mobile devices is to integrate your PKI very closely into your MDM solution. That way, you can avoid the impact of rogue mobile certificates by ensuring that your MDM enforces secure authentication, encryption, and digital signatures for mobile devices. In addition, PKI integration within MDM systems enhances security, control, and compliance for managing mobile devices in enterprise environments. By leveraging digital certificates for authentication, encryption, and secure communication, PKI enables MDM platforms to effectively manage and secure a diverse fleet of mobile devices.
However, it’s still important to remember that mobile certificates issued to users serve as trusted credentials for secure access to your critical networks, applications, and data. So the biggest threat to your enterprise isn’t necessarily mobile malware, but rather the unauthorized users who may present a valid certificate and gain access to your information. Integrating your MDM with a cloud-based PKI can help you regain control over how your mobile users are authenticated.
Here are 5 ways your PKI helps prevent unauthorized access through misused mobile certificates.
- Get visibility into your entire mobile and user certificate inventory
When your PKI and MDM are working in lockstep, you’ll have clear insight into your full mobile and user certificate inventory. With a cloud-based PKI, you will have access to up-to-the-second data that will help you identify duplicate, orphaned, and unneeded certificates. By mapping users to the certificates they are issued, you can identify certificates that are exposed to unauthorized user access. This will enable you to establish a baseline of known certificates and normal usage.
- Automatically enforce policies for mobile certificate issuance
Issuing certificates to mobile devices and mobile applications according to centralized IT security policies is paramount. Integration with a centrally managed PKI lets you enforce cryptographic policies that control attributes such as key length, validity period, and approved CAs. By applying workflow processes to mobile certificate issuance, you reduce your organization’s attack surface.
- Go beyond Mobile Device Management capabilities for certificates
An MDM can remove a certificate profile from a managed device, but it cannot revoke the certificate at the CA, so an orphaned or compromised certificate stays trusted until the PKI revokes it. As organizations adopt new mobile applications, they must be able to enforce IT security policies that establish norms and detect certificate anomalies such as orphaned or duplicate certificates. Integrating your MDM with a cloud-based PKI provides stronger authentication of mobile devices to corporate resources such as the corporate WLAN. Digital certificates can additionally secure mobile device communication channels, protecting them from data theft and data loss, man-in-the-middle attacks, credential phishing, and more. Furthermore, users do not always receive mobile certificates through the MDM. They may request certificates using other tools or from multiple CAs. You therefore need a PKI solution that enforces certificate and key policies consistently across your entire environment.
- Immediately revoke mobile certificates when authorized use is concluded
When an employee is terminated, leaves the company without notice, or is reassigned, immediately revoke all mobile and user certificates associated with that employee to prevent unauthorized access to your network. Keep in mind that wiping the mobile device through your MDM is not sufficient: the employee could have exported a copy of the certificate and private key before leaving, and that copy remains valid until the certificate is revoked. Tight integration with a cloud-based PKI lets you rapidly revoke every certificate associated with a given user, whether it was deployed through the MDM or by some other means, and that capability is critical in these situations.
- Ensure secure end-user self service
If your organization lets users request certificates through enrolment portals, you must provide a secure self-service portal that enables end users to quickly request certificates for Wi-Fi, VPN, email, browser, or other applications. When integrated with your MDM, your PKI can govern user certificate issuance so that certificates comply with security policy, eliminating guesswork on the part of inexperienced users and preventing errors.
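The inventory, policy and revocation points above describe checks that are easy to automate once the PKI export and the user directory feed are in one place. The following is an added example, not code from the original post or from Venafi, of those checks in plain Python: it classifies each certificate as expired, orphaned (holder no longer active), duplicate (more than one live certificate for the same user and purpose) or non-compliant (key length, validity period, unapproved CA), and derives the serials that must be revoked at the CA regardless of how they were issued. The inventory records, directory entries, CA names, field names and policy thresholds are all constructed for the example.

```python
"""Audit a mobile/user certificate inventory against a user directory and an
issuance policy, and derive the list of serials to revoke at the CA.

Added example, not the post's or Venafi's code. Inventory records, directory
feed, CA names and policy values are constructed; a real run would load them
from the PKI/MDM export and the IdP/HR feed.
"""
from collections import defaultdict
from datetime import date

# Constructed sample inventory: one record per issued certificate with the
# attribute subset a PKI or MDM export carries. "source" records where the
# request came from (MDM push, self-service portal, manual CSR).
INVENTORY = [
    {"serial": "1000", "user": "alice", "purpose": "vpn",   "issuer": "Corp Issuing CA 1",
     "key_bits": 2048, "not_before": "2023-01-10", "not_after": "2024-01-09", "source": "mdm"},
    {"serial": "1001", "user": "alice", "purpose": "vpn",   "issuer": "Corp Issuing CA 1",
     "key_bits": 2048, "not_before": "2024-01-10", "not_after": "2025-01-09", "source": "mdm"},
    {"serial": "1002", "user": "alice", "purpose": "vpn",   "issuer": "Corp Issuing CA 1",
     "key_bits": 2048, "not_before": "2024-03-01", "not_after": "2025-02-28", "source": "portal"},
    {"serial": "1003", "user": "bob",   "purpose": "wifi",  "issuer": "Corp Issuing CA 1",
     "key_bits": 1024, "not_before": "2024-02-01", "not_after": "2025-01-31", "source": "mdm"},
    {"serial": "1004", "user": "carol", "purpose": "vpn",   "issuer": "Lab Test CA",
     "key_bits": 2048, "not_before": "2023-06-01", "not_after": "2026-05-31", "source": "manual"},
    {"serial": "1005", "user": "dave",  "purpose": "email", "issuer": "Corp Issuing CA 2",
     "key_bits": 3072, "not_before": "2024-05-01", "not_after": "2025-04-30", "source": "portal"},
    {"serial": "1006", "user": "erin",  "purpose": "vpn",   "issuer": "Corp Issuing CA 1",
     "key_bits": 2048, "not_before": "2024-01-01", "not_after": "2024-12-31", "source": "mdm"},
]

# Constructed directory feed: who is still entitled to hold credentials.
# "erin" is deliberately absent (account deleted, certificate never revoked).
DIRECTORY = {"alice": "active", "bob": "active", "carol": "active", "dave": "terminated"}

# Example issuance policy; the thresholds are assumptions, not the post's.
POLICY = {
    "min_key_bits": 2048,
    "max_validity_days": 398,
    "approved_issuers": {"Corp Issuing CA 1", "Corp Issuing CA 2"},
}

AUDIT_DATE = date(2024, 6, 1)  # fixed "today" so the run is reproducible


def validity_days(cert):
    return (date.fromisoformat(cert["not_after"]) - date.fromisoformat(cert["not_before"])).days


def is_valid_on(cert, today):
    return date.fromisoformat(cert["not_before"]) <= today <= date.fromisoformat(cert["not_after"])


def policy_violations(cert, policy):
    """Return human-readable reasons this certificate breaks the issuance policy."""
    reasons = []
    if cert["key_bits"] < policy["min_key_bits"]:
        reasons.append(f"key {cert['key_bits']} bits < {policy['min_key_bits']}")
    if validity_days(cert) > policy["max_validity_days"]:
        reasons.append(f"validity {validity_days(cert)} days > {policy['max_validity_days']}")
    if cert["issuer"] not in policy["approved_issuers"]:
        reasons.append(f"issuer {cert['issuer']!r} not approved")
    return reasons


def audit(inventory, directory, policy, today):
    """Classify every certificate: expired, orphaned (holder not active),
    duplicate (same user and purpose with more than one live cert) or policy violation."""
    findings = {"expired": [], "orphaned": [], "duplicate": [], "policy": []}
    by_user_purpose = defaultdict(list)
    for cert in inventory:
        if not is_valid_on(cert, today):
            findings["expired"].append(cert["serial"])
            continue  # an expired cert is neither a live duplicate nor an access risk
        status = directory.get(cert["user"])
        if status != "active":
            findings["orphaned"].append(
                (cert["serial"], f"user {cert['user']} is {status or 'not in directory'}"))
        for reason in policy_violations(cert, policy):
            findings["policy"].append((cert["serial"], reason))
        by_user_purpose[(cert["user"], cert["purpose"])].append(cert["serial"])
    for (user, purpose), serials in by_user_purpose.items():
        if len(serials) > 1:
            findings["duplicate"].append((user, purpose, sorted(serials)))
    return findings


def revocation_list(inventory, directory, today):
    """Serials to revoke at the CA now: every still-valid certificate held by
    anyone not active in the directory, whatever its issuance source. A device
    wipe is not enough because the holder may have exported the key and cert."""
    return sorted(c["serial"] for c in inventory
                  if is_valid_on(c, today) and directory.get(c["user"]) != "active")


if __name__ == "__main__":
    for category, items in audit(INVENTORY, DIRECTORY, POLICY, AUDIT_DATE).items():
        print(f"{category}: {items}")
    print("revoke now:", revocation_list(INVENTORY, DIRECTORY, AUDIT_DATE))
```

Two design points matter in practice. Expired certificates are filtered out before the duplicate and orphan checks so that a renewed certificate's predecessor does not show up as a false duplicate, but they still appear in the output so the inventory can be pruned. The revocation list is computed from the full inventory rather than from MDM-deployed certificates only, which is the point of the fourth item above: a certificate obtained through a portal or a manual CSR is just as usable by a departed employee as one the MDM pushed.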
As mobile devices continue to become more prevalent, it is important for you to take a strategic approach to securing your organization’s mobile device certificates. Following these 5 steps will help you to avoid misuse of these certificates and protect your organization against trust-based attacks that use mobile devices as an attack vector.
Venafi Zero Touch PKI is a modern, scalable, and effortless cloud-based solution that integrates seamlessly with all major MDM Solutions. This PKI as a Service (PKIaaS) alternative will free up your PKI and IT teams to focus on higher value MDM goals. The service provides well-defined interfaces that integrate with all your MDM technology partners. So, try Venafi Zero Touch PKI today and see for yourself.
(This post has been updated. It was originally published by Patriz Regalado on May 27, 2014.)