Storing sensitive corporate information on potentially thousands of mobile devices greatly increases an organization's attack surface, so it is critical to set up systems to limit that exposure.
The great challenge of mobile security is that each mobile device can have multiple wireless interfaces, including cellular, Wi-Fi, Bluetooth and potentially near-field communication. Any one of them can be used as an entry point. Mobile devices are easily lost or stolen, and they can be infected with malware that could render normal security methods useless.
Fortunately, there are techniques such as mobile information management (MIM) to manage and secure both data and applications, but they typically come at a cost and with some level of inconvenience to users.
Mobile information management 101
Securing data on mobile devices is usually the first step organizations take in getting their mobility exposure under control, and a number of measures can be brought to bear. The starting point in mobile information management is to require that all data on mobile devices be encrypted and accessible only with a strong password.
The initial versions of Apple's iOS and Google's Android operating systems lacked strong device encryption, but those weaknesses have since been addressed.
Apple turns on data protection automatically when you set a passcode: the passcode is combined with a key fused into the device hardware to protect the keys that encrypt files on the device. Touch ID, the fingerprint sensor on newer iPhones and iPads, only unlocks the device; it still requires a passcode to be set, because it is the passcode, not the fingerprint, that protects those encryption keys.
In Android, you first set a screen-lock PIN or password and then turn on encryption under Settings > Security; on most devices it is off by default and the user has to start it. Note that Android derives the disk-encryption key from the same PIN or password that unlocks the screen, so a four-digit PIN gives weak protection against an offline attack on a copy of the device's storage. The challenge in either case is: How do you know the user actually did it?
The two approaches to ensuring that encryption is set are "trust" and "verify." Trust means that you inform users that activating encryption is mandatory for anyone who is storing corporate data -- including things like email -- on mobile devices and then trust that they will actually comply.
In any enterprise mobility program, the organization should have a written policy that spells out the rules and responsibilities for using mobile devices that the user must read and sign.
Of course, given that entering passwords is a bother, there is a pretty good chance that "trust" won't lead to 100% compliance. You could conduct spot-checks on users' phones and enforce a penalty for noncompliance, such as loss of mobile privileges for some period of time for first offenders. If your organization has workers scattered all over the country, however, spot-checks become rather impractical.
If you need to verify that mobile encryption is being used, you have a couple of options. Push email systems such as Microsoft's Exchange ActiveSync (EAS) or IBM's Notes Traveler can enforce policies like power-on passwords, password strength requirements and, on devices that honor the setting, storage encryption. If a device is out of compliance, or cannot apply the policy at all, it can be blocked or quarantined from sending or receiving email. One caveat: the server sees only what the mail client reports back, so enforcement depends on the client honoring the settings it acknowledges.
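As an added example, not taken from the original article, here is what the "verify" approach looks like in the Exchange Management Shell for Exchange 2013 and later (Exchange 2010 uses the older New-ActiveSyncMailboxPolicy and Get-ActiveSyncDeviceStatistics cmdlet names with the same parameters). The policy name, the mailbox, the admin address and the report path are assumptions for illustration.

```powershell
# Added example (not the article's own): enforce a power-on password and
# device encryption through Exchange ActiveSync, then audit what the devices
# actually report back. Names such as "Corp-Mobile-Baseline", "jdoe",
# "mobile-admins@example.com" and the CSV path are assumptions.

# 1. A mailbox policy that requires a strong device password and encryption.
#    AllowNonProvisionableDevices $false refuses clients that cannot apply
#    the policy at all, instead of letting them sync unprotected.
New-MobileDeviceMailboxPolicy -Name "Corp-Mobile-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Make it the default so every mobile device that connects is covered,
#    and assign it explicitly to a mailbox where needed.
Set-MobileDeviceMailboxPolicy -Identity "Corp-Mobile-Baseline" -IsDefault $true
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Corp-Mobile-Baseline"

# 3. Quarantine devices the organization has not seen before, so an
#    administrator must approve them before they get any mail.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@example.com"

# 4. Audit: list every device that is not fully allowed or that has not
#    applied the policy in full. DevicePolicyApplicationStatus values are
#    AppliedInFull, PartiallyApplied, NotApplied, NotApplicable or Unknown;
#    anything other than AppliedInFull is the "trust" gap made visible.
Get-MobileDevice -ResultSize Unlimited |
    ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity } |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceAccessState,
        DeviceAccessStateReason, DevicePolicyApplied,
        DevicePolicyApplicationStatus, LastSuccessSync |
    Where-Object {
        $_.DeviceAccessState -ne 'Allowed' -or
        $_.DevicePolicyApplicationStatus -ne 'AppliedInFull'
    } |
    Export-Csv -Path "C:\Reports\eas-noncompliant.csv" -NoTypeInformation
```

The audit step is the part worth running on a schedule: a device that has gone from AppliedInFull to PartiallyApplied after an OS update, or that has stopped syncing since the policy was tightened, shows up in the report without anyone having to physically inspect the phone.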
For a more comprehensive solution, organizations can deploy a full mobile device management (MDM) system. Microsoft's MDM offering is housed in its System Center Configuration Manager, and IBM's is called Endpoint Manager for Mobile Devices. IBM also recently acquired independent MDM supplier Fiberlink.
Beyond those, there are any number of third-party offerings from VMware (which acquired MDM vendor AirWatch), Citrix (which acquired MDM vendor Zenprise), SAP (which acquired MDM vendor Sybase), MobileIron and Good Technology.
Besides enforcing password and encryption policies, MDM systems allow administrators to manage other features on the mobile device, typically via a client they install on the device. Mobility policies should spell out the requirement for such a client to be in place on both company-provided and user-owned (bring your own device, or BYOD) technology.
In part two of this series, learn how MIM must take lost or stolen devices into account.
About the author:
Michael Finneran is principal at dBrn Associates, an advisory firm specializing in wireless, mobile security and unified communications. Along with providing consulting assistance to carriers, equipment manufacturers and end-user organizations, Finneran is a frequent speaker at industry conferences including Interop, Enterprise Connect and the UC Summit. He has published over 300 articles, as well as numerous white papers and market reports. Finneran is a member of the Society of Communications Technology Consultants International, and he has a master's degree from the J.L. Kellogg Graduate School of Management at Northwestern University.