To adequately protect smartphones, you need to apply data protection principles. Sure, it would be more fun to jump straight into software and security tools (and we'll get to those), but technical controls are simply the means of enforcing a security program.
Policies are the backbone of comprehensive security, and consistency is critical: misconfigured devices not only generate expensive and time-consuming help desk calls, they can also open security holes on mobile devices. We'll touch on vital security principles as they relate to smartphones throughout this Rolling Review (for more on building a security policy, see the list "Go Ahead And Copy," below right).
Policies provide the foundation against which more tangible technical controls, such as disk encryption, antivirus, or password locks, are applied to enforce the documented requirements. For now, organizations with limited smartphone adoption should treat these devices as a special case and extend existing laptop security practices to them. Longer term, fold smartphones into the security program by broadening your main security policies, then supplementing them with a few purpose-built documents that address the specific nuances of these devices, including:
Security policies define the security posture for the organization and typically link to supporting documents. Ensure that high-level mobile device requirements are clearly stated.
Data classification policies group information into sensitivity categories and define how each category must be handled. Because smartphones don't always support every security control (for example, full device encryption), a device may be unable to adequately protect the most sensitive categories. This is particularly true for data delivered via e-mail, which may reside in attachments or be cached locally on the device.
A WLAN policy is vital because most smartphones support Wi-Fi. Note that 802.1X/EAP controls such as PEAP only authenticate the device or user; once authenticated, a mobile device may have unfettered access to the corporate WLAN unless it is segmented or filtered. A WLAN policy governs whether and how access is permitted, specifies whether a separate network (such as a dedicated SSID or VLAN) has been designated for smartphones, and restates the minimum security controls a device must meet before it connects.
These policies provide the benchmark against which software controls will be applied to protect devices and the information they contain. Ongoing management and operational controls will still be needed to ensure that your smartphones are properly managed, updated, and maintained.
In the coming months, we'll look at security controls for common phone operating systems, including Research In Motion's BlackBerry, Apple's iPhone, Microsoft's Windows Mobile, and Symbian. Regardless of the platform or control being discussed, our objective will be to show how to protect and maintain the security of smartphone infrastructure.
Richard Dreger and Grant Moerschel are co-founders of WaveGard, a vendor-neutral security consulting firm. Contact them at [email protected].