Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/16/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Snapshot: OS, Authentication, Browser & Cloud Trends

New research shows cloud apps are climbing, SMS authentication is falling, Chrome is the enterprise browser favorite, and Android leads outdated devices.

As cloud and mobile adoption skyrocket, businesses seek new and stronger ways to protect applications and data. In some ways, many have grown smarter about data access and security. In others, research shows they still have some work to do.

The 2019 Duo Trusted Access Report amasses data from 24 million devices, 1 million applications and services, and 500 million authentications across North America and Western Europe to unearth trends in technology and cybersecurity. Its findings show a rise in Windows 10, greater biometric adoption, and an increasingly mobile workforce reliant on cloud. But researchers also found businesses running outdated operating systems and popular browsers.

Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%. Remote access rose 89% as more people work outside the office but still need application access: Nearly half (45%) of requests for protected apps came from outside the organization.

The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. "It was a big explosion of shadow IT," he adds. "It really got away from a lot of the organizations." Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.

Inside Authentication Trends

SMS-based authentication has continued to fall. Less than 3% of businesses use SMS authentication in 2019, compared with 6% to 8% in 2016. At the same time, biometric authentication saw its fourth year of growth: 77% of devices scanned have configured biometrics including Apple Touch ID and Face ID, Android fingerprint scan, and Windows Hello.

"It's good to see where people have alternatives, they're using less direct SMS authentication," says Wendy Nather, director of advisory CISOs at Duo Security. While most businesses (68%) surveyed rely on Duo Push for primary authentication — researchers scanned Duo customers to collect their data — she notes it's interesting to look at secondary methods across industries.

The profiles and percentages of authentication methods tend to vary across different verticals depending on the circumstances, Nather continues. Heavily regulated areas such as the federal government are more likely to use a hardware token to establish trust, while phone calls are common among healthcare, higher education, and non-federal government organizations.

Hardware tokens are "generally still seen in high-discipline environments, where the risk case makes sense and where they can afford it," she explains, pointing to government and finance. Healthcare's reliance on phone calls "has a lot to do with the situation in healthcare institutions and clinics," she adds. "From a logistics point of view, it's easier for a doctor or nurse on staff to pick up a phone line rather than try to fumble for any number of mobile phones."

Businesses are tightening control on access from specific places. At least 3 million authentications have been denied in 2019 due to location restrictions, and 178 countries have denied access. The top five restricted locations are China, Russia, United States, India, and France. Duo says the US is the third most restricted location due to companies based outside the US not allowing authentication outside their home country.

More than half (51%) of companies using Duo have blocked at least one authentication from a restricted location. Other common enterprise policies include requiring users to have a screen lock (27%), disk encryption (22%), and disallowing access from anonymous IP addresses (20%).

OS and Browsers: Windows 10 Grows, Android Outdated

Since 2017, Windows 10 has grown from 48% to 66% adoption as Windows 7 has fallen from 44% to 29%. While Windows 7 is declining overall, some industries are still hanging on. Those fastest to adopt Windows 10 are wholesale and distribution (86%), business services (80%), and nonprofits (70%). Those still mostly relying on Windows 7 include transportation and storage (62%), computer and electronics (54%), and healthcare organizations (52%).

As work goes mobile, it's shifting the balance for OS popularity: Windows remains the dominant enterprise OS, but its usage fell 8% year-over-year to hit 47%. In the same time frame, iOS usage jumped 7% to hit 23%, and Android rose 2% to hit 10% usage. MacOS use fell by 1%, hitting 17%.

"When we see more adoption and more use of mobile devices, we may be seeing an ergonomic trend," Nather says of Apple device popularity. "When users have a choice of what device they're going to use on a particular task, this is what they tend to pick."

Android was the leader for out-of-date devices; 58% are not running the latest security patch. Overall, operating systems are more frequently updated in 2019 than in 2018, but Android continues to be the least updated, followed by macOS (51%), Chrome OS (39%), and iOS (38%).

Google Chrome is the most popular enterprise browser; Internet Explorer comes in last. A Chrome zero-day discovered in March 2019 has motivated businesses to improve browser security. Following its disclosure, Duo saw a 30x increase in denied authentications and 79% increase in policies limiting access to data and applications from the latest browser versions.

"What this says to me is organizations are using this as part of their incident response process," says Nather. "They were protecting themselves even if they couldn't control devices, and saying everyone has to update. It's a great step forward in terms of giving control back to CISOs."

Microsoft Edge is the most out-of-date browser, with 73% of devices running an outdated version. Internet Explorer is the most up-to-date version; however, since the latest version of IE was released in 2013, businesses still relying on it should consider switching to another browser. Still, as Nather points out, IE remains a "mainstay" in many organizations.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.