With BlackBerrys and iPhones getting huge headlines as they battle for mindshare, and hundreds of Windows Mobile, Palm and Symbian devices already on the market, network managers need to address the security issues these popular devices create.
While Plan A (ban all use of mobile devices for government data and government networks) is one option, a more customer-friendly Plan B is to use policy and technology to provide mobility, securely. These tips will help you achieve the right balance while securing devices and data.
We’ve said it before, but it bears repeating: Fashioning a policy for mobile devices is a critical first step. Without policies, you end up with an anything-goes, no-boundaries environment that opens you up to liability for loss and encourages employees to solve their own problems.
Policies should focus on four key areas: device selection and provisioning, device deployment and configuration, device use and maintenance, and device recovery and disposal. The most fundamental decision you’ll build into the policy is ownership: Who is in control of mobile devices? Whether you pay for devices or not, it’s critical to decide who chooses the device and who manages it.
Generally, if you take control of the device lifecycle, you can use mobile devices securely. If you take a pure hands-off approach, then the interactions between these devices and government networks and data must have strict limitations.
A policy begins as a written document, but some areas (such as provisioning, deployment and configuration) can be enforced using technology. Software is available for different device families that can automate and enforce policies. However, no policy will be successful without end-user buy-in, meaning that you must include security awareness training and a formal acceptable-use policy that end users understand and sign.
Mobile-device networking is almost entirely wireless, which brings up the usual concern for interception of agency data. Don’t waste your time trying to decide what’s important and what’s not. Instead, define all organizational data as critical and require that it be encrypted in transit, whether over wireless LANs or cellular data services.
Devices can be encrypted at the application layer or the IP layer. Each has benefits and drawbacks. Application- layer encryption requires each application to support encryption, which is easy for web-based applications but can be tricky for others. Because application-layer encryption is enforced at the corporate firewall, it opens a larger attack surface to the Internet and limits you to applications that can be addressed over the Internet. However, the low level of user interaction required and device independence makes this a popular option.
IP-layer encryption requires a compatible virtual private network client to be installed on each device. Using a VPN client gives you higher application independence but lower device independence and can be intrusive and annoying to end users who just want to grab their e-mail on the go.
Choose application-layer encryption if your primary requirement is for a single application, such as e-mail. If you have several applications you want to push to mobile devices, IP-layer encryption using VPN clients is the obvious choice.
Misconfigured Bluetooth is the greatest unmitigated threat to mobile devices. Configure the technology to accept connections only from trusted, paired devices and turn Bluetooth off when you’re not using it.
Because the most common security problem is device loss, the most critical requirement for device security is that no data remain unencrypted on the device. Unfortunately, device manufacturers don’t care about this (yet), so you will have to use a third-party package from a manufacturer such as Check Point or PGP to ensure that everything is encrypted. While all devices will eventually have built-in encryption, solving the problem today requires add-in software.
Be careful about other potential leaks as well. Short Message Service (SMS) messages can contain valuable data, as can phone directories. Measure the risk of disclosure against the convenience of pushing these hard-to-encrypt data stores out to devices. Web browsers will cache data (including webmail messages), so be sure they are set to flush the cache upon exit.
Mobile devices are considered fat and easy targets by malware writers. While such attacks are highest in Asia and Europe, there’s no reason to believe that you’re protected if you live elsewhere. To operate safely you will need antimalware software. You can choose a pure-play mobile-device tool from your current antimalware manufacturer or, for larger deployments, add a complete device management package that will cover not just antimalware but also device provisioning, application configuration, backup, remote device wipe and unlock, and other over-the-air (OTA) management tasks.
But it’s better to avoid malware altogether, so this is also an area where mobile-device policy can be helpful. While mobile devices are smaller and seem innocuous compared with desktop PCs, the advice you already give your Windows users is just as applicable: Don’t open attachments you aren’t expecting; don’t download and install untrusted applications; don’t share your work device with your kids; and make sure you backup any important data regularly.
The ubiquity of mobile devices has heightened the risk of data loss. Case in point: More than 100,000 notebooks, cell phones and PDAs are lost each year in taxis in Chicago. Passwords pose one of the simplest and most effective defenses against a lost device becoming a data loss headline.
Forcing end users to enter even a simple four-digit password before they can use their mobile device can stir up a hue and cry equivalent to asking for their firstborn. But hold your ground. Something as simple as a password makes the data on the device much more difficult to read and extract.
You’re not gaining full protection, which would require encryption and a longer password. After all, a determined hacker can extract even encrypted data from a device without a password. But a password turns a lost device from a treasure trove of internal agency information into something much less interesting, which is exactly what you want.