This tip is a part of the SearchSecurityChannel.com resource guide, Securing mobile devices: A resource guide for solution providers.
Mobility is ubiquitous. You would be hard-pressed to find an organization that does not rely upon mobile devices or smartphones to meet the demands of everyday business. As a solution provider, you may be called upon to help your customer evaluate its existing mobile platform security posture, or consider how security factors into the purchase of new devices. You need to be armed, not only with a suitable range of wireless technologies, but also with the security services necessary to protect the confidentiality of data stored on these devices.
In this tip, we will take a look at some of the major areas you should compare when contemplating mobile device security for your customer. We'll also do a mobile platform comparison, looking at the capabilities of the following platforms:
- BlackBerry from Research In Motion Ltd. (RIM)
- iPhone from Apple Inc.
- Android, developed by an open source project led by Google Inc.
- Devices running Microsoft's Windows Phone
Mobile device security policy: Device management
Just as you wouldn't dream of deploying laptop or desktop computers without technology that allows you to manage their configurations remotely, you also should have a device management strategy for mobile platforms. To ease the administrative burden, convince your customers to standardize on a single mobile platform for the devices they own and issue to employees. Otherwise, you'll find yourself running two or more management systems and attempting to keep policies synchronized across them. While this isn't impossible, it adds unnecessary complexity to the environment, and every policy that exists in two places is a policy that can drift.
A mobile platform security management product should allow you to set password and screen-locking policies, as well as control other security features, such as device encryption and remote wiping. BlackBerry is the standout in this area, reflecting RIM's longtime focus on the enterprise market. The management tool in BlackBerry Enterprise Server (BES) lets you control device settings and remotely wipe lost or stolen devices. It also goes a step beyond other platforms by establishing an encrypted end-to-end channel for all data communications between the device and BES, which runs on a Windows server in your data center.
If your customers are clamoring for iPhones, you can get similar features when the devices are managed through a third-party tool, such as Microsoft Exchange ActiveSync policies. ActiveSync allows you to set device password policies, remotely wipe devices and require encryption, both of the connection between the iPhone and the Exchange server and, on devices that support it, of data stored on the device. You can also use ActiveSync to manage other devices, including Windows Phones, Android devices and BlackBerrys, although each platform honors only the subset of policy settings it implements, so verify what a given device actually enforces rather than assuming the policy applies uniformly.
Until a few months ago, the lack of a vendor-supported management console was a major barrier keeping Android devices out of the enterprise. Google has attempted to fill this gap with the recent release of device management functionality in Google Apps, which allows administrators to remotely lock and/or wipe devices and configure password policies.
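The ActiveSync management described above, as an added example that is not part of the original tip: it audits the existing ActiveSync mailbox policies for weak settings, creates a policy that enforces the passcode, auto-lock and encryption requirements discussed in this section, assigns it, and issues a remote wipe. It assumes the Exchange 2010 Management Shell (Exchange 2013 and later rename these cmdlets to *-MobileDeviceMailboxPolicy); the policy name `Contoso-Smartphone` and the mailbox alias `jdoe` are placeholders chosen for this example.

```powershell
# Added example (not from the article): Exchange 2010 Management Shell.
# 'Contoso-Smartphone' and 'jdoe' are placeholder names for this example.

# 1. Assess the current posture: list every ActiveSync policy that allows
#    devices without a passcode, without encryption, or that cannot enforce
#    policy at all. Anything returned here is what a stolen phone relies on.
Get-ActiveSyncMailboxPolicy |
    Where-Object {
        -not $_.DevicePasswordEnabled -or
        -not $_.RequireDeviceEncryption -or
        $_.AllowNonProvisionableDevices
    } |
    Format-Table Name, DevicePasswordEnabled, RequireDeviceEncryption,
                 AllowNonProvisionableDevices -AutoSize

# 2. Create the policy to deploy. Splatting a hashtable keeps each setting
#    next to the reason for it.
$strong = @{
    Name                               = 'Contoso-Smartphone'  # placeholder
    DevicePasswordEnabled              = $true        # passcode required to unlock
    AlphanumericDevicePasswordRequired = $true        # digits-only PINs are refused
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = '00:05:00'   # screen locks after 5 idle minutes
    MaxDevicePasswordFailedAttempts    = 10           # device wipes itself after 10 bad guesses
    DevicePasswordExpiration           = '90.00:00:00'
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true        # data at rest must be encrypted
    AllowNonProvisionableDevices       = $false       # devices that cannot enforce the policy may not sync
}
New-ActiveSyncMailboxPolicy @strong

# 3. Assign it to a mailbox (pipe Get-Mailbox into Set-CASMailbox to do it fleet-wide).
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy 'Contoso-Smartphone'

# 4. Verify what was actually stored rather than trusting the command that set it.
Get-ActiveSyncMailboxPolicy -Identity 'Contoso-Smartphone' |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, RequireDeviceEncryption,
                AllowNonProvisionableDevices

# 5. Remote wipe of a lost iPhone: find the partnership, send the wipe, then
#    watch for the acknowledgement. The wipe runs only when the device next
#    connects, so until DeviceWipeAckTime is populated the data is protected
#    by nothing more than the passcode and encryption required above.
$device = Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Where-Object { $_.DeviceModel -like 'iPhone*' } |
    Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false

Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Format-Table DeviceModel, LastSuccessSync, DeviceWipeSentTime,
                 DeviceWipeAckTime -AutoSize
```

The `AllowNonProvisionableDevices = $false` line is the one that matters most in a mixed fleet: without it, a device that does not implement policy provisioning simply ignores the passcode and encryption requirements and syncs anyway, which is exactly the gap the Android and Windows Phone discussion below is about.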
Mobile device security policy: Device encryption
An effective mobile device security policy should also address encryption. While all platforms allow data to be encrypted in transit over the network, their functionality differs when it comes to stored data. BlackBerry devices have long supported encryption of user content stored on the device through the platform's content protection feature, which uses 256-bit AES. With the release of iOS 4.0, Apple significantly upgraded the encryption capabilities of the iPhone by protecting the file encryption keys with the user's passcode, so that stored data cannot be recovered without it. This puts the iPhone on par with BlackBerry devices. Note that on both platforms the protection is only as strong as the passcode guarding the key, so device encryption must be paired with the password-length and lockout policies from the previous section. Android and Windows Phone devices lag far behind in comparison, with no support for encryption of stored data other than whatever individual applications might provide.
If you're concerned about the potential theft of data stored on a device before you are able to remotely wipe it (and you should be!), steer clear of Android and Windows Phone devices in the enterprises you support at this time; BlackBerry and Apple smartphones are a better choice.
In addition to the standard device management and encryption questions you may hear from your customers, you should also encourage them to think about GPS (Global Positioning System) privacy issues, especially if they are in a business where the location of specific individuals may reveal important competitive information. While GPS privacy may not be a significant concern to every business, there are certainly sectors where location-based information is critical. How would it affect your customer's business if a competitor was able to track the movements of the customer's sales force, identifying both existing and potential clients?
As your customers approach you about decisions related to mobile platform security, you should be prepared to address the security issues of the different platforms. Offer your customers a clear assessment of the security capabilities and managed security services of the major platforms. If you're able to influence their platform selection, consider encouraging your customer to standardize on BlackBerry. BlackBerry devices currently offer the strongest set of security services, followed closely by Apple iPhones.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.