2/17/2012
01:32 PM

7 Ways To Toughen Enterprise Mobile Device Security

Smartphones extend the network perimeter like never before, but also give potential attackers new entry routes. Consider these get-tough strategies.

What's the best way to secure mobile devices used in the enterprise?

Start by realizing that employee-owned mobile devices, in the wrong hands, could provide anytime, anywhere access to corporate secrets. Accordingly, they must be secured, and your business secured against their potential misuse.

Here's where to start.

1. Create Strong Security Policies.
While it might sound basic, having mobile device security policies in place is a necessary first step. "Establish the appropriate controls, aligned with your corporate policies, and that make sense for [your] type of organization," said Tony DeLaGrange, a senior security consultant at Secure Ideas and instructor for the SANS Institute, via phone. For example, an organization in a highly regulated industry may specify that all data stored on employees' mobile devices, as well as any removable media used with those devices, be encrypted. Businesses in other industries, however, may think that approach is overkill.


2. Apply Existing Security Policies To Mobile Devices.
When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device that's allowed to connect to the corporate LAN. "If I've got the same accessibility in a small device, then you need to think about it in the same manner," said DeLaGrange. Also weigh whether Bluetooth file-sharing will be allowed for mobile devices, and if jailbroken devices should be blocked from accessing the network altogether.

3. Enforce Security Policies.
The next step is to enforce your organization's policies, typically by using mobile device management (MDM) tools. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially if you have a bring your own device (BYOD) to work policy.

4. Inventory Mobile Devices.
Keep an inventory of all mobile devices that are being used to connect to the corporate network. "Is that a security requirement? Well, understanding what we have is important," said DeLaGrange. For example, if only iPhones and Androids are supported under your BYOD program, but some employees are trying to use BlackBerrys, then maybe it's time to reconsider your policies, or else verify that the devices are being appropriately blocked.

5. Proactively Wipe Devices.
When fashioning mobile device security policies, beyond requiring devices to be locked with passwords, consider spelling out how and when devices should be automatically wiped. For example, devices can be set to delete all of their contents after 10 failed login attempts, and security tools can be used to wipe any device that hasn't connected to the corporate network in a specified period of time, such as 30 days, or after an employee reports it as being lost or stolen.

6. Weigh App Whitelisting.
One technique for preventing mobile devices from being exploited is to restrict exactly which apps employees can install on their devices. "If a company allows installation of any app whatsoever, in the iPhone arena it could still be bad. In the Android arena, oh my God, you're just inviting a malicious application into your organization," said DeLaGrange. "So a lot of companies look toward whitelisting, and from a security perspective, that's really great. But from an end-user perspective, it's not so good." Notably, if the in-house process for getting new apps approved requires weeks or months of waiting, employees will rebel.

7. Beware New Breach Notification Laws.
Almost every state now has data breach notification laws on the books, which require that any exposure of sensitive data involving state residents be publicly disclosed. Such rules are also growing more stringent, and may soon have mobile device repercussions. "There are two states--Nevada and Massachusetts--that have laws that, I won't say clearly spell out, but at least have indications that you need to encrypt data," said DeLaGrange. Does your business have customers in either of those states? If so, security managers, he said, "need to determine--with help from their IT staff and legal staff--is this going to require that we encrypt all customer data on our devices?"
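The checks in items 2 through 5 can be expressed as one compliance pass over the device inventory. The sketch below is an added example, not code from the article or from any MDM product: the thresholds are the article's examples, while the `Device` fields, the sample inventory, and the choice to block jailbroken devices are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Thresholds are the article's examples; field names are assumed for illustration.
SUPPORTED = {"ios", "android"}        # item 4: platforms allowed under BYOD
MIN_PASSCODE_LEN = 15                 # item 2: same rule as the corporate LAN
MAX_FAILED_BEFORE_WIPE = 10           # item 5: device-side auto-wipe setting
STALE_AFTER = timedelta(days=30)      # item 5: wipe if silent this long

@dataclass
class Device:                         # hypothetical inventory record
    owner: str
    platform: str
    jailbroken: bool
    passcode_min_len: int             # length enforced by the device profile
    passcode_complex: bool            # upper + lower + symbol enforced
    wipe_after_failed: Optional[int]  # None = auto-wipe not configured
    last_checkin: datetime
    reported_lost: bool = False

def evaluate(dev: Device, now: datetime):
    """Return (action, reasons); action is 'wipe', 'block' or 'allow'."""
    wipe, block = [], []
    if dev.reported_lost:
        wipe.append("reported lost or stolen")
    if now - dev.last_checkin > STALE_AFTER:
        wipe.append("no check-in for more than 30 days")
    if dev.platform.lower() not in SUPPORTED:
        block.append("unsupported platform")
    if dev.jailbroken:
        block.append("jailbroken")
    if dev.passcode_min_len < MIN_PASSCODE_LEN or not dev.passcode_complex:
        block.append("passcode policy weaker than network policy")
    if dev.wipe_after_failed is None or dev.wipe_after_failed > MAX_FAILED_BEFORE_WIPE:
        block.append("auto-wipe on failed logins not enforced")
    action = "wipe" if wipe else "block" if block else "allow"  # wipe outranks block
    return action, wipe + block

NOW = datetime(2012, 2, 17)           # constructed sample inventory below
INVENTORY = [
    Device("alice", "iOS", False, 15, True, 10, NOW - timedelta(days=1)),
    Device("bob", "Android", True, 15, True, 10, NOW - timedelta(days=2)),
    Device("carol", "BlackBerry", False, 15, True, 10, NOW - timedelta(days=3)),
    Device("dave", "iOS", False, 15, True, 10, NOW - timedelta(days=38)),
    Device("erin", "Android", False, 8, False, None, NOW, reported_lost=True),
]

def triage(inventory, now):
    return {d.owner: evaluate(d, now)[0] for d in inventory}
```

Returning the reasons alongside the action gives the help desk something to tell the employee, and shows which policy rule is generating the most blocks.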


Comments
Richard Rosen,
User Rank: Apprentice
2/22/2012 | 4:56:55 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
In regard to encryption becoming mandated, that alone will not ensure compliance with regulations requiring breach notification in my opinion. To avoid this unpleasantness (I'm being mild) data wiping with confirmation would be required.

And there's a practical reason, not just to meet compliance. Here's an example: a bank did the right thing encrypting data on its laptops (applies to smartphones also). So when one was stolen, no concern, right? But what happened is the employee used a sticky note for the encryption password for the usual reasons: too complicated to remember, changed too often, etc. With data wiping in place, as soon as the device is reported stolen, erase the data and no reporting requirement and no loss of data that could harm a company.

I suggest including monitoring activity on laptops and smartphones. This helps deal with either intentional or inadvertent loss of sensitive information. Also provides accountability in terms of productivity as well as quality control of communications.

Richard.Rosen@SnapguardCorp.com
juldear,
User Rank: Apprentice
2/22/2012 | 2:51:42 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Want to learn more about how to better prepare for and fend off security risks associated with mobile devices? Check out SANS' inaugural Mobile Device Security Summit, March 12-15 in Nashville, TN. Tony is co-chair of this event.
juldear,
User Rank: Apprentice
2/21/2012 | 6:58:03 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Want to learn more about how to better prepare for and fend off security risks associated with mobile devices?

SANS is hosting its inaugural Mobile Device Security Summit, March 12-15 in Nashville, TN. Tony is a summit co-chair. http://www.sans.org/info/98386