Stephen J. Bigelow, Features Writer
As mobile devices become more powerful -- with faster processors and more memory -- users depend on them to carry larger amounts of sensitive corporate data. Mobile devices are also smaller, lighter and much easier to lose through carelessness or theft. All the while, regulatory requirements for safeguarding sensitive data are tightening. This puts IT departments in a vise -- provide network access for mobile users, yet protect the corporation and its data.
Consequently, security plays a huge role in mobile device management. The first installment of this Hot Spot Tutorial highlights common issues encountered with mobile devices and their implications for the corporate network. The second installment covers strategies for mobile device management. This final installment looks at mobile device security.
Ensuring mobile device security
The biggest security threat posed by mobile devices is data loss following the loss or theft of the device itself. Losing unprotected, sensitive data can expose a company to significant legal, financial and business penalties. At the very least, small mobile devices such as smartphones should be password-protected. Smartphone users often dislike the inconvenience, but a password prevents ready access by whoever picks up the device. More capable devices such as PDAs and laptops should require a strong password at initial logon and again on return from standby or idle modes. In addition, encryption tools should be deployed to safeguard sensitive files or to create an encrypted partition on the device's disk, so that the logon prompt cannot be bypassed simply by removing the disk and reading it elsewhere.
Mobile devices should also include a "remote wipe" capability, allowing administrators to send a command to the device that erases everything on it -- including IT policies, applications and saved data -- and returns the device to its factory defaults. A remote wipe should be issued as soon as a device is reported lost, so that a thief does not have time to copy sensitive data from it. Bear in mind that the command only takes effect when the device next connects to the network; a thief who keeps the device offline is held off only by its password and encryption, so remote wipe complements those controls rather than replacing them.
"If the devices you're allowing to connect to your network don't have remote wipe capabilities, you have a significant security risk," said Dave Sobel, CEO of Evolve Technologies, a solution provider located in Fairfax, Va.
Another important issue is intentional data theft by employees who hold more access rights on the network than their jobs require. The traditional network perimeter has essentially vanished, and data theft can occur regardless of the employee's location. You may want to recommend that clients reevaluate the way permissions are assigned throughout their organizations. For example, rather than assign sweeping permissions that correlate poorly with particular jobs, clients should match trust to job responsibilities and grant each employee only the access the role requires -- the principle of least privilege -- locking down as many corporate data resources as possible.
Employee data leakage is most common with small, easily concealable USB flash drives, according to Adam Gray, chief technology officer of Novacoast, an IT professional services and product development company in Santa Barbara, Calif. It's important to implement device control on endpoints and on the network to block unapproved USB devices from being recognized, and to log and report on every USB device that is attached. Acceptable use policies should also cover USB devices, so that end users understand the company's requirements or restrictions and can comply with them.
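The "log and report" half of USB device control can be illustrated with a small parser. The following is an added example, not code from the article or from any of the vendors it mentions: it reads dmesg-style lines of the kind the Linux USB core and usb-storage driver print when a device is plugged in, correlates the lines for each bus path into one device record, and flags mass-storage devices whose vendor/product IDs are not on an allowlist of drives IT has issued. The log lines and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed dmesg-style lines (not a real capture), in the format the Linux USB
# core and usb-storage driver print when a device is plugged in.
SAMPLE_DMESG = """\
[  101.220151] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  101.371002] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  101.371010] usb 1-1: Product: Cruzer Blade
[  101.372100] usb-storage 1-1:1.0: USB Mass Storage device detected
[  140.010233] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[  140.010240] usb 1-2: Product: USB Receiver
[  200.551001] usb 2-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  200.551008] usb 2-3: Product: DataTraveler 3.0
[  200.560002] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of vendor/product ID pairs for drives IT has issued.
ALLOWED_STORAGE = {("0781", "5567")}

NEW_DEVICE_RE = re.compile(
    r"usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"usb (?P<path>[\d.-]+): Product: (?P<product>.+)$")
STORAGE_RE = re.compile(
    r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    path: str            # bus path, e.g. "1-1", shared by all lines for one device
    vid: str
    pid: str
    product: str = ""
    mass_storage: bool = False


def parse_usb_devices(log_text):
    """Correlate the lines for each bus path into one UsbDevice record."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            devices[m["path"]] = UsbDevice(m["path"], m["vid"], m["pid"])
            continue
        m = PRODUCT_RE.search(line)
        if m and m["path"] in devices:
            devices[m["path"]].product = m["product"].strip()
            continue
        m = STORAGE_RE.search(line)
        if m and m["path"] in devices:
            devices[m["path"]].mass_storage = True
    return list(devices.values())


def unauthorized_storage(devices, allowlist=ALLOWED_STORAGE):
    """Mass-storage devices whose VID/PID is not on the issued-drive allowlist."""
    return [d for d in devices if d.mass_storage and (d.vid, d.pid) not in allowlist]


def report(devices, allowlist=ALLOWED_STORAGE):
    """One line per device, as a device-control log or SIEM feed would carry it."""
    lines = []
    for d in devices:
        if not d.mass_storage:
            status = "non-storage"
        elif (d.vid, d.pid) in allowlist:
            status = "storage-allowed"
        else:
            status = "storage-UNAUTHORIZED"
        lines.append(f"{d.path} {d.vid}:{d.pid} {d.product!r} {status}")
    return lines


if __name__ == "__main__":
    found = parse_usb_devices(SAMPLE_DMESG)
    print("\n".join(report(found)))
    for d in unauthorized_storage(found):
        print(f"ALERT: unapproved storage {d.vid}:{d.pid} ({d.product}) on {d.path}")
```

Keying on the bus path is what makes this work: the vendor ID, product name and mass-storage class arrive on separate lines, and only the path ties them together. A keyboard or mouse receiver is parsed but never alerted on, so the report stays focused on the removable storage that the policy actually restricts.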
Finally, organizations need to understand that mobile devices often run outside the corporate network, or connect through other private or public networks where few (if any) security precautions are in place. As a result, it's easy for a mobile device to fall out of step with current patch levels, signature databases and so on. This leaves the device vulnerable to threats and exploits, which it can then carry back into the corporate network.
"You need to enforce NAC and 802.1X," Gray said. "NAC will verify that the [software] pieces you put into place out in the field are working and make sure that you are staying up to date." Every organization should also have a plan for devices that return to the network and don't pass muster, such as a remediation network where patches and signatures can be brought current before full access is restored. Network access control technology is one answer.
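The posture check a NAC system performs when a device returns from the field can be written out as a small policy function. The following is an added example, not code from the article or from any NAC product: it takes the kind of report a posture agent would submit (patch baseline, antivirus signature date, screen lock, encryption, remote-wipe enrollment, lost status) and returns allow, quarantine or deny with the reasons. The thresholds, field names and sample devices are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy thresholds; a real NAC product exposes equivalents in its console.
REQUIRED_PATCH_LEVEL = 42              # minimum patch baseline number pushed by IT
MAX_SIGNATURE_AGE = timedelta(days=7)  # antivirus signatures older than this are stale


@dataclass
class Posture:
    """What a posture agent on the endpoint reports when it requests access."""
    hostname: str
    patch_level: int          # baseline number of the last patch set applied
    signatures_updated: date  # date of the antivirus signature database
    screen_lock: bool         # password/PIN required at logon and on wake
    disk_encrypted: bool      # full-disk or partition encryption in place
    remote_wipe: bool         # enrolled for remote wipe
    reported_lost: bool = False


def assess(posture, today):
    """Return (decision, reasons). Decisions: 'allow', 'quarantine' or 'deny'.

    Missing protective controls, or a device reported lost, are hard failures
    that deny access outright. Things that merely drifted while the device was
    in the field (patches, signatures) send it to a remediation network instead.
    """
    hard, soft = [], []
    if posture.reported_lost:
        hard.append("device reported lost: deny and queue remote wipe")
    if not posture.screen_lock:
        hard.append("no password/PIN lock configured")
    if not posture.disk_encrypted:
        hard.append("disk not encrypted")
    if not posture.remote_wipe:
        hard.append("not enrolled for remote wipe")
    if posture.patch_level < REQUIRED_PATCH_LEVEL:
        soft.append(f"patch level {posture.patch_level} below required {REQUIRED_PATCH_LEVEL}")
    age = today - posture.signatures_updated
    if age > MAX_SIGNATURE_AGE:
        soft.append(f"antivirus signatures {age.days} days old")
    if hard:
        return "deny", hard + soft
    if soft:
        return "quarantine", soft
    return "allow", []


def admission_report(postures, today):
    """Map each hostname to its (decision, reasons), as an admission log would record it."""
    return {p.hostname: assess(p, today) for p in postures}


# Constructed sample reports for a check-in on a fixed date (not real devices).
TODAY = date(2008, 6, 1)
SAMPLE_POSTURES = [
    Posture("lt-sales-01", 42, date(2008, 5, 30), True, True, True),
    Posture("lt-field-07", 39, date(2008, 5, 10), True, True, True),
    Posture("pda-exec-02", 42, date(2008, 5, 31), False, False, True),
    Posture("lt-hr-03", 42, date(2008, 5, 31), True, True, True, reported_lost=True),
]

if __name__ == "__main__":
    for host, (decision, reasons) in admission_report(SAMPLE_POSTURES, TODAY).items():
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{host}: {decision}{detail}")
```

Separating hard from soft failures is the part worth copying. A laptop that simply missed a patch cycle in the field gets a path back (quarantine, remediate, re-check), while a device with no lock or no encryption, or one already reported lost, never reaches the production network no matter how current its signatures are.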
Tools for mobile device security
Any security strategy for mobile devices should start with the tools on the device itself. For example, mobile users should be required to use password protection on their devices -- an obligation that can be reinforced in written acceptable use policies. In addition, IT personnel or solution providers must carefully provision and configure each device for the corporate network and be ready to initiate a complete device wipe as soon as a theft or loss is reported.
Beyond that, solution providers can offer clients third-party tools that further strengthen endpoint security for mobile devices. Novell Identity Manager and Symantec Mobile Security software are two common additions to the security arsenal.
"Things like [Novell's] identity management products give us all of the capabilities that we need for provisioning access to all of these resources like email, SAP, business line applications and so on," Gray said. "Symantec provides us both the availability and the disaster recovery pieces." The combination of both products offers a complete endpoint security suite for mobile devices.
Tools like Symantec's Norton 360 provide antivirus, antispyware and other endpoint security features for laptops, while smartphones can be protected with specialized security tools like Norton Smartphone Security.
Windows-based enterprises may deploy server-side tools like Microsoft Windows Rights Management Services (RMS) intended to work with RMS-enabled applications to protect critical information through persistent policies -- guarding information whether the user is connected to the network or not. The policies basically remain with the information, so users that do not have the appropriate rights cannot access the data.
Encryption tools also play a vital role in mobile device security, so solution providers must look for ways to help secure clients' data both at rest and in motion. Many laptop operating systems include encryption. Linux supports several file and file system encryption schemes, and Mac OS X has included FileVault since the Panther release. BitLocker is a whole-disk encryption tool integrated into Windows Vista Ultimate, Windows Vista Enterprise and Windows Server 2008. IceLock from HyBlue Inc. is another encryption tool touting centralized management and a monitoring agent that can keep the system secured when unauthorized use is detected. "You can break in or log onto that machine, but until you send the IceLock password, essentially all the data points will look empty," said Scott Gorcester, president of Moose Logic, a solution provider headquartered in Bothell, Wash.
Smartphones and PDAs also require encryption support, and solution providers can draw from numerous products like SecuBox from Aiko Solutions, offering software-based 256-bit AES encryption on the fly. Other tools include AlertBoot: Smartphone and PDA Encryption from Data Guard Systems Inc. and GuardianEdge Smartphone Protection from GuardianEdge Technologies Inc.
Involving end users in mobile device security
Any kind of security requires the proper deployment of tools, configuration of policies and permissions, and so on. But the solution providers interviewed for this tutorial agree that end users themselves must be included in the client's overall security posture. Even the most aggressive and comprehensive security controls can be circumvented by an employee who is unable (or unwilling) to follow the necessary procedures.
"The end user has to have the keys to get to their data, so you're entrusting them with a certain level of access that they need to know how to protect," Gorcester said, citing common user lapses such as passwords and PINs taped to the bottom of laptops.
This creates several opportunities for solution providers. First, design security procedures that protect the client's sensitive corporate data without being excessively onerous for its users. Second, periodic reviews and adjustments of the client's security posture can be a source of recurring income. Finally, solution providers can offer training -- teach each client the proper use of its security tools and processes, and make sure its users understand why each safeguard matters.