Solution provider takeaway: With the adoption of mobile devices becoming more prevalent in enterprises and other businesses, solution providers have the opportunity to offer mobile device security services to protect corporate data and other information normally safely hidden behind a corporate firewall. But properly securing mobile devices may be more complicated than you think. In this tip, you will learn about the best practices of offering mobile device security services, including mobile device selection and network intrusion prevention systems (IPS).
More and more businesses are using mobile devices to increase productivity by enabling a mobile workforce to access critical IT services and corporate data -- anywhere, anytime. While that creates ample integration opportunities for savvy solution providers, many are finding that supporting those sophisticated devices introduces a whole new series of concerns -- including mobile device security.
Making the business case for mobile device security services
Most businesses are aware of the consequences of improperly secured PCs. That logic can be applied to the sophisticated mobile devices that are permeating those same businesses. In other words, it is not that difficult to make the sales argument for securing mobile devices.
Adding fuel to the security fire is the fact that the very nature of mobile devices poses a much larger security threat to any business that leverages the technology. These devices act as a portal into proprietary corporate intellectual property and have the ability to mobilize data that normally would be safely contained behind a firewall within a corporate network.
The threats to mobile device security are numerous, ranging from the interception of data and the unintentional dissemination of data to the theft of a device containing sensitive data. The devices themselves are also subject to security problems, including viruses, spyware and other forms of malware infestations. While malware may be detrimental to the device, there is an even bigger concern -- the device may be able to infect other devices on the network and spread infections behind the corporate firewall.
For solution providers, all of those security negatives add up to an integration positive. Solution providers can not only integrate mobile devices but also offer mobile device security services to keep data secure. They are also building new revenue by generating services that affect the whole breadth of IT security.
Mobile device security management policies and best practices
Creating a secure mobile workforce starts with identifying best practices for deployment and management of mobile devices, the data stored on those devices, and the users who access corporate information with those devices. One of the first things to consider comes in the form of selecting which devices should be allowed access to corporate resources. For example, many devices such as iPhones, Droid phones and SideKicks are consumer-level devices. While those devices can be integrated into a corporate network, they usually lack the firmware and software applications that provide business-class security. On the other hand, devices like BlackBerrys or Windows Mobile devices are designed to support more complex security solutions, making those devices a better choice for secure remote access.
Selecting the proper device is only part of the battle. Solution providers will want to make sure that the default settings on the device are set to the highest level of security. In most cases, that means incorporating encryption and setting passwords/user authentication schemes -- both of which can be enforced with defined policies.
Another element to consider is controlling the applications that can be installed on a mobile device. Solution providers may want to sell management and policy control solutions that control the installation of applications and then prevent unauthorized applications from being accessed or utilized when connected to the corporate network.
Another area of contention comes down to what to do if a device is lost, stolen or simply falls into an unauthorized user's hands. To battle that problem, solution providers can look to remote wipe services that can "destroy" all of the data on a device if it goes missing. Remote wipe capabilities are usually part of a larger mobile device management solution, and solution providers will find that there are plenty to choose from, ranging from hosted services to onsite management suites.
Solution providers should also consider the corporate firewall as another line of defense. Solution providers should be able to quickly create policies that limit access to particular services or protocols when a user is "remoting" in via a mobile device. For example, by identifying the device and the user, a policy could be created to prevent that device/user from accessing a corporate accounting system but still allow access to email.
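The device and user policy described above, combined with the encryption and password baseline mentioned earlier, sketched as an added example (not from the original article or any vendor product). Role names, service names and device attributes are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: services each role may reach from a mobile device.
# Role and service names are illustrative assumptions.
MOBILE_ALLOWED = {
    "sales": {"email", "crm"},
    "finance": {"email"},  # accounting is not reachable from mobile devices
}
# Baseline every device must meet before any access rule is considered.
REQUIRED = ("encrypted", "passcode_set", "managed")

@dataclass(frozen=True)
class Device:
    device_id: str
    owner_role: str
    encrypted: bool
    passcode_set: bool
    managed: bool                # enrolled in management, so remote wipe is possible
    reported_lost: bool = False  # lost or stolen; remote wipe has been issued

def failed_checks(dev):
    """Names of baseline settings the device does not meet."""
    return [name for name in REQUIRED if not getattr(dev, name)]

def decide(dev, service):
    """Return (allowed, reason) for one device/service pair. Default deny."""
    if dev.reported_lost:
        return False, "device reported lost"
    missing = failed_checks(dev)
    if missing:
        return False, "non-compliant: " + ", ".join(missing)
    if service in MOBILE_ALLOWED.get(dev.owner_role, set()):
        return True, "allowed by role policy"
    return False, "service not permitted from mobile devices"

# Constructed sample devices.
FINANCE_PHONE = Device("dev-001", "finance", True, True, True)
UNENCRYPTED = Device("dev-002", "sales", False, True, True)
LOST_PHONE = Device("dev-003", "sales", True, True, True, reported_lost=True)

if __name__ == "__main__":
    for dev, svc in [(FINANCE_PHONE, "email"), (FINANCE_PHONE, "accounting"),
                     (UNENCRYPTED, "email"), (LOST_PHONE, "crm")]:
        print(dev.device_id, svc, decide(dev, svc))
```

The order of checks matters: a lost or non-compliant device is refused before any role rule is read, and a role or service missing from the table falls through to deny.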
Protecting corporate data is a two-way street -- solution providers will not only need to protect the mobile device but also control what that device can access. That concern spells out a large opportunity for solution providers in the form of network intrusion prevention systems (IPS). Those systems help to validate and authenticate remote workers while checking for anomalous behavior and using that information to identify and block intrusions. While intrusion prevention is more of a corporate data protection solution, the technology does become more and more important once a mobile workforce is introduced into the equation. Network IPS is a must-have for organizations serious about allowing mobile device access to corporate resources.
Many solution providers will find the implementation of mobile devices relatively easy, and it is that "ease" that can create the largest problems, especially when it comes to security. This is why it's important for solution providers to identify opportunities around mobile device security and create the proper combination of products and services to protect their customers' intellectual property while still making a healthy profit.
Frank J. Ohlhorst is an award-winning technology journalist and systems professional specializing in testing, deploying and analyzing products and services. He writes for several technology publications. His website can be found at www.ohlhorst.net.
This was first published in January 2010