The progression of the desktop as we've known it has been interesting: We've gone from a world dominated by Windows PCs to a slew of iPhones, BlackBerrys and Droids that are currently flooding the market -- and your network. Market research firm IDC
Given the prevalence, computing power and usage of smartphones in the enterprise, you now have the virtual equivalent of parallel desktop environments to support. You can't ignore these mobile devices anymore. The question is: What are you doing to keep them locked down?
Managing the security of BlackBerry devices has been a no-brainer for years. Centralized management of encryption, wireless policies and remote wipe via BlackBerry Enterprise Server are about as good as it gets. But the BlackBerry isn't the device you need to be worried about. It's all the others that everyone's so smitten with that you have to focus on.
Newer smartphones (such as the iPhone, Droid and pre-Version 7 Windows Mobile-based systems) often lack enterprise-ready applications. Until recently, there haven't been many vendors that network managers and desktop admins have been happy with. Ditto for Microsoft. That's starting to change with applications like Good for Enterprise -- iPhone, Mobile Active Defense and, perhaps, more enterprise-ready features in Windows Mobile 7.
The consequences of not securing smartphones have not been so clear for many people -- especially those in management. The common arguments are "We don't support those devices," and "We can't tell our employees what to do with their personal systems." That's a short-sighted and dangerous approach at best. If these mobile devices are being used by your employees and contractors to send/receive email, store files and so on -- regardless of who bought them -- you'll have to deal with any business problems that result when something goes wrong.
The reality is that your business data is now being exchanged among computer systems that are effectively out of your control. The Droid, iPhone and related consumer-focused devices just don't have the built-in features to keep things in check. And, in my opinion, a power-on password is not enough -- especially considering that many smartphones have a Micro SD chip chock full of data that's readily accessible by anyone who comes in contact with the device.
On top of that, you have to deal with the cloud applications used for data backup, storage and synchronization. It's an endless matrix of information systems complexity. And it's something that can't be ignored any longer.
Even if enterprise solutions don't exist, there are ways for you to gain some semblance of control and visibility for these devices. Random security policies and disparate controls involving passwords and ad hoc encryption are a start, but they're not enough. Here are additional steps you should take.
1. Determine what sensitive information you've got and where it's located. Emails, files and personal information are likely on many, if not most, of your mobile devices.
2. Determine how this information is at risk.
3. Implement the necessary standards, best practices and technologies, keeping in mind that a centrally managed and automated system is a must.
4. Revisit mobile security regularly because the vulnerabilities and threats will continue to evolve.
The new enterprise desktop is here to stay, and things are only going to become more complex. Secure your mobile devices now -- once and for all.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, author and speaker at Atlanta-based Principle Logic LLC. With over 21 years of experience in the industry, he specializes in performing independent security assessments revolving around compliance and minimizing information risks. Beaver has authored/co-authored eight books on information security including the newly-updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Beaver through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.
This was first published in October 2010