The security of mobile devices in the enterprise can be an overwhelming and difficult-to-manage prospect. Striking a balance between functionality and security is critical to a successful strategy. Recognizing the risks that these devices pose and then mitigating them is an important first step to security overall.
A proper security strategy will be specialized for an individual environment, but the core components of that plan follow some general essential elements. This article describes the most basic steps in developing a security strategy for mobile devices. In many cases the considerations extend to any endpoint, regardless of platform: whether you are dealing mainly with laptops, mobile phones, tablets, or any mix of those and other devices, the principles apply across the spectrum.
- Policies and Procedures: Most organizations have a tangible policy and procedures document, in hard copy or electronic format. Historically these documents cover fixed PCs and, on occasion, laptops and other mobile devices such as smartphones. Existing policies are a great place to start; revise them for mobile devices as needed. The resulting policies are then extensions of a known, existing set, which minimizes the learning and enforcement burden. Some existing policies may carry over unchanged. A prohibition on installing software that is not licensed by the organization is one example: it extends naturally to mobile platforms, because the support, security, and compliance ramifications are the same. Another is the prohibition on sharing devices or credentials, which is just as easily applied to the mobile platform.
- Awareness: A security program that is not backed by proper training will not survive contact with its users, and training takes on critical importance for the mobile audience. The technology differs in nature from the traditional PC base, which alone brings a wealth of support ramifications, and the support model for mobile devices is different again. Remote users need to be better informed about their platforms than ever before, so integrate that into your training and policies.
- Audit and Control Systems: As compliance obligations come into play, policies need to be maintained and their enforcement demonstrated. Address this by planning and implementing tools that perform auditing, monitoring, and forensic tasks. Knowledge of the events that occur during a remote user's workflow is critical to the organization: it helps identify weaknesses and areas where policies and procedures need revision.
- Architecture and Process: This topic covers the processes used to support the policies you develop for portable devices. It may include everything from verifying that devices meet your security standard to the procedures around managing a Public Key Infrastructure (PKI) or Virtual Private Networking (VPN). This component can be quite vast. The key is to spell out the support model and the supporting systems for security, focused on the technology and the user base. In many cases, due to resource constraints, an organization's position on some of these may actually be a statement of limited availability and support.
- Security products: With a general plan in hand, an organization can review the products available to meet its mobile security needs. There is an overwhelming number of ways to secure mobile endpoints, so it is easy to get lost. One key to navigating this step is to return to the requirements you have identified and evaluate which products meet them, while weighing the support each requires, its effectiveness, and naturally, its cost.
In the realm of mobile platforms there are a number of modern security features to consider.
- Anti-Malware/Anti-Virus tools: The computer virus has been around for a long time and has taken hold of the public psyche, where it remains today. Unfortunately, that view is limited in definition. Newer, more sinister threats have emerged since the early days of scanning hard drives against signature files. From internet worms to spyware to rootkits to phishing attacks, the threat is better characterized as malware, and infection happens through many vectors, for example a malicious web page or a Trojan-infected USB drive. Two of the biggest problems for the enterprise have always been user education, as users may not understand the importance of running proper anti-malware tools, and management of the software, as updating and reporting from utilities on remote computers can be tedious. Carefully review the technology and software that address these needs and consider the benefits of a unified management structure. It is a little counter-intuitive, since you may be putting all your eggs in one basket, but modern security products are resilient and robust, and unified management makes administering thousands, if not tens of thousands, of devices a far more manageable undertaking. The management console then becomes a high-value target in its own right, so restrict and monitor administrative access to it.
- Baseline Building: How does your standard laptop or tablet stand up to common security standards? Are open shares or unneeded services running on it? On other mobile devices, do you allow "rooted" or "jailbroken" devices to access applications or the network? These are among the many questions that determine the standard you set for your endpoint technology. What is the baseline? Rooted devices introduce a world of unknown variables: the protections that normally isolate applications from one another are gone, so screen grabbing, file grabbing, keylogging, and other nefarious vectors into the organization's information assets become feasible. Mobile devices in general should be provided on a standard, hardened image, enforced by policy and by technical means. Several remote application access technologies can check whether a device is rooted, lacks anti-malware tools, or is otherwise out of compliance before allowing access by the end user. Bear in mind that on-device root and jailbreak checks can be evaded by a determined user, so treat them as one signal among several rather than as proof.
- Firewall Technology: Quite often, mobile endpoints end up being used at unknown remote locations. It is important to address this exposure, since WiFi "hotspots" provide free network access in many retail and commercial venues, and much of the traffic on those networks is visible to unknown parties. The next bullet covers encryption, but at this level the important point is that endpoints on a foreign network are scannable, and their presence there can be a magnet for compromise or sniffing activity. So it is important to include and use at least a basic software firewall, as part of the standard, hardened image, before setting endpoints loose in the wild. On Windows, the operating system provides a capable native firewall with separate domain, private, and public profiles, which is generally sufficient when it is configured to block unsolicited inbound connections on public networks; a host of other products add manageable and dynamic features on top of this. Again, this will depend on your identified needs, informed by an analysis of how widely your user base roams and the risk that introduces.
- Encryption: In the event a PC or other mobile device is lost, it is important to consider the fate of the information on it. Organizations typically address this concern with encryption technology. With the critical information on an endpoint encrypted, the task of keeping that information from the eyes of snoopers is largely satisfied. And while encryption will not recover the information or the device for the organization, there is a high degree of certainty that the data will not be easily compromised, provided the key is not recoverable from the device itself (hence the value of a TPM, a pre-boot PIN, or a strong passcode). Note that encryption at rest protects a device that is powered off or locked; it does nothing for a device stolen while unlocked, or against malware running on it. There are a number of significant enterprise products in this space, and you will want to focus on those that offer centralized and unified management, including escrow of recovery keys. It is also important to consider the benefits and caveats of full device encryption versus selective encryption. Full device encryption offers simplicity: the entire device is encrypted, so the end user makes no decisions and nothing can be saved to an unprotected location. It may introduce some overhead, although on modern hardware with AES instructions the impact is usually small; plan accordingly. Selective encryption protects chosen folders or stores on a device, and potentially any portable storage attached to it. The user experience may be a little quicker, but it adds a user burden: practice and vigilance in storing information only in the protected folders. Algorithm choice also matters, but complexity is not the measure of security; use a well-analyzed standard such as AES with an adequate key length, and put your attention into key management, since the encryption is only as strong as the protection of the key. There are several vendors in this space: for laptops, Microsoft provides BitLocker for data at rest, and for other mobile platforms, Credant offers extended encryption features into the mobile space.
- Virtual Private Network (VPN): All remote users should connect to your network through a virtual private network (VPN). A VPN encrypts traffic between the endpoint and your gateway, so the hostile local network sees neither its content nor the internal addresses it is talking to, and it gives you a single choke point for access control. Based on their security policies, organizations can set strict limits on what is reachable through VPN connections and can disable access for individual remote users when necessary. Decide deliberately whether to permit split tunnelling, since traffic that bypasses the tunnel is exposed to the local network and escapes your monitoring. This technology set is well known and implemented throughout the industry with a number of de facto standards. Look to address your specialized needs, if applicable, when reviewing VPN offerings and, as previously mentioned, look for management advantages in the features.
- Physical Security: Without doubt, physical security takes on a whole new level when applied to mobile devices. The most significant gains come from user training that addresses the risks of theft and compromise. In certain cases, policy may even call for security devices such as cable locks, motion detectors, or alarms to protect devices. Biometrics should be weighed carefully: they are typically layered on top of an underlying password or PIN that remains as a fallback, so they add convenience rather than raising the bar above that fallback credential.
- Device Tracking: Locating lost or stolen devices has a place in this mobility picture. A number of technologies can track missing laptops and mobile devices. Recently a number of cases have come to public awareness in which a stolen system was tracked or "dialed home" and the culprit was discovered. These systems can send GPS coordinates, IP information, routing information, telephone numbers, and even an email status report home without the knowledge of whoever possesses the device. Often known generically as "lo-jack" for various devices, they have applications across the mobile set.
- Presentation technology: This is a dynamic and evolving field of technologies whose common element is that they present an application or desktop to the endpoint rather than installing it there. Terms such as VDI, streaming apps, and hypervisor, and names like Citrix and VMware, come up and bleed into concepts like cloud computing. Each deserves, and certainly has, extensive coverage elsewhere, but in summary they all extend into the mobile environment and present unique security elements. VDI technology, for example, presents a desktop environment within a remote session, putting all the control, management, and security aspects within a standardized, centralized delivery, with the corresponding benefit that the data stays in the data center rather than on the endpoint. Application streaming technology consists of an application-specific presentation interface that involves little or no endpoint footprint; these can be launched from a web page, shortcut, icon, or published application. All these technologies are significant and offer worlds of benefits, and they typically involve advanced infrastructure, design, and delivery systems. Evaluate them in light of user functionality and continually consider the security elements each provides, including what can still leak to the endpoint through clipboard, printing, screenshots, and local drive mapping.
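The posture check described under Baseline Building, written out as an added example (this is not code from the original article or from any vendor's product): a small Python gate that evaluates a device's self-reported state against a baseline before a remote-access broker grants a session. The report fields, the root/jailbreak indicator paths, the policy values and the two sample devices are constructed assumptions for illustration; a real deployment would take the report from an endpoint agent or attestation service and maintain its indicator list per platform.

```python
"""Device posture gate: evaluate an endpoint's self-reported state against a
baseline before a remote-access broker grants it an application session.
Added example; report format, indicator paths and policy values are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Artefacts that rooting/jailbreaking tools commonly leave on the filesystem.
# Illustrative subset only: production checks combine many more signals.
ROOT_INDICATORS: Dict[str, Tuple[str, ...]] = {
    "android": ("/system/bin/su", "/system/xbin/su", "/sbin/su",
                "/system/app/Superuser.apk", "/data/adb/magisk"),
    "ios": ("/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd",
            "/etc/apt", "/Library/MobileSubstrate/MobileSubstrate.dylib"),
    "windows": (),  # no "rooted" notion; the other rules still apply
}

# Baseline policy (assumed values). One allow-list is used here for brevity;
# real policies keep a separate service allow-list per platform.
POLICY = {
    "min_os": {"android": "13.0", "ios": "16.0", "windows": "10.0.19045"},
    "allowed_services": {"Dnscache", "RpcSs", "WinDefend"},
    "require_antimalware": True,
    "require_disk_encryption": True,
}


@dataclass
class DeviceReport:
    """What the endpoint agent reports about itself (constructed data)."""
    device_id: str
    platform: str
    os_version: str
    present_paths: Sequence[str] = ()
    listening_services: Sequence[str] = ()
    open_shares: Sequence[str] = ()
    antimalware_running: bool = False
    disk_encrypted: bool = False


@dataclass
class PostureResult:
    device_id: str
    allowed: bool
    findings: List[str] = field(default_factory=list)  # audit trail


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045); raises ValueError on junk."""
    return tuple(int(p) for p in text.strip().split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric dotted-version comparison, padding shorter tuples with zeros."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate(report: DeviceReport, policy: dict = POLICY) -> PostureResult:
    """Apply every baseline rule; a device is allowed only with zero findings."""
    findings: List[str] = []
    platform = report.platform.lower()
    if platform not in ROOT_INDICATORS:
        return PostureResult(report.device_id, False,
                             [f"unknown platform '{report.platform}'"])

    # 1. Rooted / jailbroken: any known artefact present is disqualifying.
    hits = sorted(set(report.present_paths) & set(ROOT_INDICATORS[platform]))
    if hits:
        findings.append("rooted/jailbroken indicators: " + ", ".join(hits))

    # 2. Minimum OS version; an unparseable version is itself a failure.
    minimum = policy["min_os"].get(platform)
    try:
        if minimum and not version_at_least(report.os_version, minimum):
            findings.append(f"OS {report.os_version} below minimum {minimum}")
    except ValueError:
        findings.append(f"unparseable OS version '{report.os_version}'")

    # 3. Endpoint protection and data-at-rest encryption.
    if policy["require_antimalware"] and not report.antimalware_running:
        findings.append("anti-malware agent not running")
    if policy["require_disk_encryption"] and not report.disk_encrypted:
        findings.append("storage not encrypted")

    # 4. Attack surface: open shares and listeners outside the allow-list.
    if report.open_shares:
        findings.append("open shares: " + ", ".join(sorted(report.open_shares)))
    extra = sorted(set(report.listening_services) - policy["allowed_services"])
    if extra:
        findings.append("unexpected listening services: " + ", ".join(extra))

    return PostureResult(report.device_id, not findings, findings)


# Constructed sample reports: one compliant tablet, one jailbroken phone.
COMPLIANT = DeviceReport("tab-0042", "android", "14.0",
                         present_paths=["/system/bin/sh"],
                         antimalware_running=True, disk_encrypted=True)
JAILBROKEN = DeviceReport("phone-0199", "ios", "15.7.1",
                          present_paths=["/Applications/Cydia.app", "/bin/bash"],
                          listening_services=["sshd"],
                          antimalware_running=True, disk_encrypted=True)

if __name__ == "__main__":
    for rep in (COMPLIANT, JAILBROKEN):
        res = evaluate(rep)
        print(rep.device_id, "ALLOW" if res.allowed else "DENY", res.findings)
```

Every rule produces a named finding rather than a bare deny, so the same result can be written to the audit system discussed earlier and used to see which baseline items fail most often. Because the jailbreak indicators are just paths reported by the device, a tampered agent can omit them; pair this with server-side attestation where the platform offers it.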