Rolling Review: Smartphone Security

Today's mobile device platforms are ubiquitous and powerful, and IT needs to get a handle on locking down data. In this Rolling Review, we'll see which vendors best do just that.
To adequately protect smartphones, you need to apply data protection principles. Sure, it would be more fun to jump straight into software and security tools--and we'll get to those--but technical controls are simply the means to enforce a security program.

Policies are the backbone of comprehensive security, and consistency is critical: misconfigured devices not only lead to expensive and time-consuming help desk calls, they can also open security holes on mobile devices. We'll touch on vital security principles as they relate to smartphones throughout this Rolling Review (for more on building a security policy, see the sidebar "Go Ahead And Copy").

Go Ahead And Copy
If you have yet to develop a security policy, consider borrowing from these sources:

Documents run the gamut from a basic introduction to computer security to highly specialized topics:

ISO 27001 and 27002 represent the evolution of the 17799 security framework:

Developers of the well-regarded COBIT documents:

Useful pointers for documenting policies:

Policies provide a foundation against which more tangible technical controls, such as disk encryption, antivirus, or password locks, can be applied to help support documented controls. For now, organizations with limited smartphone adoption should immediately view their security as a special case and leverage existing laptop security practices. Longer term, incorporate smartphones into the security program fold by broadening some of your main security policies, then supplementing with a few purpose-built documents that address the specific nuances of these devices, including:

Security policies define the security posture for the organization and typically link to supporting documents. Ensure that high-level mobile device requirements are clearly stated.

Data classification policies group information into sensitivity categories to identify how it should be handled. Since smartphones don't always support all security controls, devices may not be able to properly protect very sensitive information. This is particularly true for data provided via e-mail that may reside in attachments or be stored locally on devices.

Mobile device policies provide details on how mobile devices should be supported, protected, and used. They may include required software, rules on whether only company-owned smartphones are allowed, and guidelines for remote access.

A WLAN policy is vital because wireless access is supported by many smartphones; even with 802.1X/EAP controls such as PEAP, mobile devices may have unfettered access to the corporate WLAN. A WLAN policy will govern how or whether access is permitted, define whether a special network has been designated for smartphones, and reiterate minimum security controls.

These policies provide the benchmark against which software controls will be applied to protect devices and the information they contain. Ongoing management and operational controls will still be needed to ensure that your smartphones are properly managed, updated, and maintained.

In the coming months, we'll look at security controls for common phone operating systems, including Research In Motion's BlackBerry, Apple's iPhone, Microsoft's Windows Mobile, and Symbian. Regardless of the platform or control being discussed, our objective will be to show how to protect and maintain the security of smartphone infrastructure.

Richard Dreger and Grant Moerschel are co-founders of WaveGard, a vendor-neutral security consulting firm. Contact them at [email protected].

Smartphone Security Rolling Review
About This Rolling Review:
This Rolling Review will cover security controls spanning Apple's iPhone 3G, Microsoft Windows Mobile phones, RIM BlackBerry, and Symbian OS devices. We'll show how to build a set of security controls to protect and maintain a smartphone infrastructure by focusing on the major vulnerabilities facing IT and available software to help mitigate these risks. We'll look at access controls, such as passwords and biometrics; secure containers for password management; encrypted "at rest" data storage; network security controls; antivirus/anti-malware; and policy enforcement.

To help baseline pricing, the review will make a few assumptions: The cost of the smartphone isn't included. Infrastructure and voice and data plans are in place. For applications that run only on the phone, 200 licenses will be used. For apps that require back-end server support, only the licensing/software cost will be included. The cost of the hardware, operating system, and other operations will be excluded.

We're looking forward to reviewing smartphone security products from companies such as Check Point, Kaspersky, McAfee, PGP, Symantec, and Trend Micro, with more entrants to be named in the future.

We'll test applications and security controls in a range of settings, including an isolated enterprise-class testing environment and within the context of existing company operations, with a focus on usability.

InformationWeek's Rolling Reviews present a comprehensive look at a hot technology category. This installment focuses on securing smartphones. For consideration, contact the authors.