Mobile devices pose several security threats to enterprises. In part one of this two-part series, we looked at the risks of mobile devices; now, we'll explore how to keep your environment safe.
Unauthorized network access, unlicensed applications and viruses (including malware and spyware) are constant threats to any environment, and while it's almost impossible to prevent the physical loss of mobile computing devices, several solutions can help you stop unauthorized access to data on these devices.
Perhaps the best -- and most common -- method to protect a network from remote access is to implement a virtual private network (VPN), since a VPN is secure from endpoint to endpoint. First introduced in Windows 2000, it has proven to be a reliable security technology. Most remote users, myself included, have a corporate VPN application on their computers for establishing secure connections to the corporate network. A smart card and a PIN are usually required for access. This is secure for the most part -- but it's a pain. If you have a flaky network connection such as a hotel wireless connection, every time the VPN drops, you have to open it up, reconnect, enter your PIN, etc.
Windows Server 2008 R2 includes a feature called DirectAccess, shown in Figure 1. A DirectAccess server is configured in the corporate network, which manages access to the network from remote devices. It shields the users from making all those connections. Enrollment as a DirectAccess client is provided via group policy, and once enabled, it makes the VPN connection behind the scenes when needed. For instance, if a user clicks on a link to an intranet site, the DirectAccess configuration knows this is the corporate network and connects to the server, which then allows access to the network resource.
One nice thing about the DirectAccess connection is that by default it permits a "split tunnel" configuration. The user can access the remote network and the local network simultaneously, and the connection to the Internet does not have to go through the VPN tunnel.
However, the drawback of DirectAccess is that it requires IPv6 to be implemented in the entire network. Luckily, there are IPv6 tunneling technologies -- such as 6to4 and Teredo -- that encapsulate the IPv4 data inside an IPv6 packet.
In addition, there are some third-party VPN products such as LogMeIn Hamachi, which is offered free for noncommercial use. It is a pretty slick product -- after a simple installation and configuration, I just put a Remote Desktop Protocol icon on the desktop with the remote computer's IP address. Then, I simply double-clicked the icon, and a secure connection was instantly made.
Identify the users who need access to restricted data, and find phones that can send encrypted data. Employees who don't need such access can use cheaper phones. One size doesn't need to fit all, but it is important to provide secure, encrypted access for phones of users who access restricted company, customer and partner data.
One of the biggest headaches for administrators is securing portable storage devices. A USB drive that hangs from your keychain can hold 32 GB of data. Other larger (but still pocket-sized) drives can hold 500 GB or more. Losing one of these could be a disaster. Microsoft provided a great solution in Windows 7 and 2008 R2 called BitLocker To Go. This easy-to-use feature encrypts the portable device and requires a password to unlock it. It is fairly portable, so it's easy to use. The BitLocker product available in Windows 2008 can encrypt drives as well.
A major management problem for mobile devices is patch management. Most patching products require the user to be logged into the VPN connection to get group policy updates, security patches, antivirus updates and more. By contrast, DirectAccess requires the device only to be connected to the Internet.
Microsoft's Mobile Device Manager has been around for a couple of years, and its three primary features include the following:
- Device management and enrollment: Employees can replace a device, use a wizard to connect and enroll the device, and then have software and policies pushed down. These policies can be modified by admins as needed and pushed to all devices or just a few, based on need. Using a graphical user interface based on Microsoft Management Console 3.0, the administrator can track inventory, enrollment status and history.
- Mobile VPN: This is a secure link from the device to intranet resources.
- Software distribution: This can be pushed down to the devices for new apps, updates, etc. File encryption can also be enforced and managed.
Microsoft's new Intune product is a System Center cloud application that manages patches, updates, malware cleaning, application licensing and more. Intune is currently in beta and has some interesting features including an extremely simple enrollment. Once you sign up for the Intune service (free right now), you can download an agent package for Windows XP, Windows Vista and Windows 7 clients. This package contains a certificate built as part of your enrollment. Push the package out to each client, and install it. After a quick install and reboot, the client shows up in the console in a browser window, as shown in Figure 2.
In my case, Intune instantly found that my two devices needed patches and antivirus protection, and it identified in detail each security patch needed. Intune also provides malware protection, or you can use your own.
Not only do you need technology for mobile device security; you should also establish security policies -- the paper kind. These policies will drive how you assess the risk and apply solutions to limit those risks. As before, one size doesn't fit all. Not everyone needs a phone to send encrypted data. Not all of your users will need to access the corporate network from a customer or partner's network. But they will have a variety of devices. Here are some suggestions:
- Identify classes of users by access needs, job functions, etc.
- Identify confidential data and which class(es) of users need access to each data store.
- Limit data access to only those who need it.
- Identify locations from which customer data will be accessed. Are these locations secure? What needs to be done to secure them?
- Users should be educated -- not only in how to implement and use the security technology on their devices, but also why they need to be careful. Explain the risks to the company, to customer and partner data, and to themselves personally.
- Identify products such as antivirus, malware cleaning and firewalls that will meet your needs and your budget. Examine firewall configuration. Sometimes, in a rush to get something to work, admins tend to poke holes in the firewall. A firewall is a waste of money if it's full of holes and exceptions. Again, the VPN is an ideal solution because it does not require firewall configuration and yet is secure.
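An added example, not part of the original article: a small Python audit for the firewall exceptions the last suggestion warns about. It parses a constructed, trimmed listing in the layout of `netsh advfirewall firewall show rule name=all` (English field names assumed) and flags enabled inbound allow rules that accept any remote address on the Public profile, the profile a laptop uses on a hotel or customer network.

```python
# Constructed, trimmed sample in the layout printed by
# `netsh advfirewall firewall show rule name=all` (not from a real host).
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Backup Agent
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             10.0.0.0/255.0.0.0
LocalPort:                            9000
Action:                               Allow

Rule Name:                            Old test exception
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Public
RemoteIP:                             Any
LocalPort:                            8080
Action:                               Allow
"""

def parse_rules(text):
    """Split the listing into one dict of field -> value per rule."""
    rules = []
    for block in text.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines())
        rule = {k.strip(): v.strip() for k, sep, v in fields if sep}
        if "Rule Name" in rule:
            rules.append(rule)
    return rules

def exposed_rules(text):
    """Names of enabled inbound allow rules open to any address on Public."""
    return [r["Rule Name"] for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"
            and "Public" in r.get("Profiles", "").split(",")]
```

Only the first sample rule is reported: the second is limited to the Domain profile and a specific subnet, and the third is disabled.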
Mobile devices pose security risks and must absolutely be managed. There are plenty of good tools and technologies to help address them, but policies must be designed, established and followed to ensure protection of company data and network access.
ABOUT THE AUTHOR:
Gary Olsen is a systems software engineer in Global Solutions Engineering at Hewlett-Packard. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Directory Services and formerly for Windows File Systems.