Smartphone Security: How To Manage Rogue Mobile Devices
A single unsecured smartphone can jeopardize the security of your entire organization. Here's how to manage the risk by using firm IT policies and mobile device management software.
May 29, 2008
There was a time when only the IT shop had the smarts to hook a smartphone into the enterprise network and grant it access to services such as mobile email. Today, that's just not the case. Just about any average Joe can run to his local wireless retailer, buy a smartphone, and have it configured to receive his enterprise email before lunch the next day. That should scare you.
There's no arguing against the power of smartphones. They are great enablers of productivity and can help the busy professional stay on top of office communications when he or she is not there. Smartphones are slowly becoming an enterprise necessity, but they are a tool that can just as easily expose your business to a bevy of threats.
For those not schooled in the risks, smartphones are the back-door deployment that can provide hackers -- or the competition -- with access to your network. The good news is that there are myriad tools IT can use to keep both sanctioned and unsanctioned mobile deployments from putting your business on the line.
Employees: Your Biggest Threat
In order to keep up with the Joneses, Jim, sales guy extraordinaire, went out one weekend and bought himself a Windows Mobile smartphone. Using the simple Microsoft tools, he finagled it to get his work email synced to the device all by himself.
Armed with his newly found communicative powers, Jim hit the road on a big sales trip that took him through multiple cities. After several weeks, there were hundreds of emails resting quietly on his device. They included contracts, sales quotes, pricing schemes, and other information you wouldn't want your competitors or customers to know about. One night, the smartphone fell out of his pocket while he was boarding a plane in a crowded airport.
Whoever finds the device will have instant access to all of Jim's emails and your corporate information. Let the security nightmare begin.
Shedding light on internal communications with some emails isn't the only risk here. Smartphones are often connected to back-end systems that contain proprietary enterprise data. Odds are, your execs wouldn't want that information accessible to anyone but the appropriate employees.
"Typically a rogue device is one that an employee purchases on their own," said Shari Freeman, director of product management for Sybase iAnywhere's Afaria group. "The main thing they want to do is get enterprise email and perhaps access to enterprise data. More and more companies are starting to require that if a user wants to have mobile email pushed to a device, that the device be secure, because of the confidential nature of email."
The ABC's Of Mobile Security
Where there are mobile security tools to help minimize risks, the end user also has to bear some responsibility for securing their device. And so does IT itself. Here are a few hard and fast rules to live by in conjunction with mobile security solutions.
Use VPNs: One potential weak link in remote employee communication with back-end systems is the method they use to connect. Hopping onto the Wi-Fi hotspot at Starbucks or other open public network is looking for trouble. Using VPNs that require users to authenticate and connect through secure tunnels protects data in transit.
Block Access To Public Wi-Fi: Because public Wi-Fi can be so insecure, use security programs that block your employees from accessing it at all unless they are in absolutely trusted environments, such as the office. Rogue Wi-Fi networks that pose as legitimate services can be fake portals that a hacker uses to snare information from the unwitting user.
Make Strong Passwords Mandatory: Typing in passwords--especially on a smart phone--to access email or files is a pain, but it's an easy way to prevent people from breaking in. Of course, it won't work if your employees use "password" as their password.
Strictly enforce passwords that include capital letters and make it mandatory to stick a number or two in there.
Don't forget to have users change passwords every 30 or 60 days.
Make sure the device is set to require the password for log-on or sign-on after a period of inactivity. Set the timeout at a reasonable interval, such as 5 minutes.
Give the employee time to get things done, and perhaps go back to their smartphone without having to re-key the password every time they touch the smartphone. This one is a little bit of a two-edged sword, however. One of the top reasons for calls to IT is to get forgotten passwords. Be prepared to trade some IT support time for this added measure of security.
Block Removable Storage: Mass storage in the form of CF, SD or microSD cards is cheap and easy to remove from an unattended smartphone. Security tools can prevent even authorized users from downloading files or other data to removable storage. You can also choose to enforce encryption on removable storage if it is necessary that employees be able to transfer files back and forth. This way, only approved corporate devices can decrypt the information and access the files.
Educate Employees: Employees need to understand what is at risk. It does no good to enforce all sorts of policies that employees feel are simply onerous Big Brother-like controls. If they don't believe security is important, they might be tempted to skirt the rules. Conducting seminars that highlight the dangers of mobile technology is one way to help convince people that there's something more at stake than simple embarrassment. Some companies require employees to be responsible for lost or stolen hardware. What if their culpability extended to the information lost on such devices? That might force them to be a bit more careful.
Educate IT: "The learning curve is getting better," said Sybase's Freeman. "The awareness of the security issues really started with laptops, especially with all the press stolen laptops get. Companies are paying more attention to smart phones and are realizing the smart phones can have the same data and need to secure them in the same way."
Encryption is Key: Device encryption is easy with mobile device management tools such as Sybase's iAnywhere Afaria or Odyssey Software's Athena. You can also choose to encrypt individual files to make it even harder for people to break in.
The key is to require that all smartphones go through IT.
Better Security Through Software
There should always be a clearly defined plan, or a goal when it comes to mobile security. The idea is to give the help desk and IT staff the tools they need to support the mobile workers, whether it is a line of business deployment or it is just mobile email. Having online remote control so IT can peek under the covers to see what's going on and solve issues is key. This way, you won't end up with a frustrated user and a frustrated IT team.
"The number one thing companies are looking for is security and encryption because they are worried about lost or stolen devices," said Sybase's Freeman. It's a good thing the number of tools IT can use to secure smart phones seems to grow every day. One long-time contender is Sybase's iAnywhere Afaria product. Afaria focuses on mobile device management and security.
From a functional standpoint, what that means is keeping software up to date, tracking the hardware and software, configuring settings, keeping files up to date, securing access to mobile devices, and securing the data on them. Smith Micro and Odyssey Software make similar products.
Mobile device management software such as that from Sybase, Smith Micro, and Odyssey lets IT control every aspect of a smartphone. Want to enforce passwords? Easy. Need to disable access to a smart phone's camera? No problem. Have to require VPN security? It's in the bag.
If your enterprise uses Research In Motion's BlackBerry Enterprise Server and accompanying devices, a lot of the tools IT needs are already available. RIM knows that security is mobile priority number one, and has built a plethora of device management features into its products. It's simply a matter of activating them and setting permissions for different user subsets.
Microsoft's Exchange ActiveSync server provides similar levels of control for Windows Mobile smartphones. It has 45 different functions that can be turned on or off, such as requiring complex passwords, or remote device wipe.
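The password, lock-timeout, removable-storage and encryption rules from the section above, together with the Exchange ActiveSync controls this paragraph mentions (complex passwords, remote wipe), can be expressed as a single ActiveSync mailbox policy. The PowerShell below is an added example written for this page, not code from the article, from Microsoft or from any of the vendors quoted; it assumes an Exchange 2007 SP1 Management Shell session with rights to create policies, and the policy name "Corp-Smartphone-Baseline" and the mailbox "jim.sales" are made-up values.

```powershell
# Added example: an Exchange ActiveSync mailbox policy that encodes the article's rules.
# Assumes Exchange 2007 SP1 Management Shell; policy name and mailbox are constructed.

$policy = @{
    Name                               = "Corp-Smartphone-Baseline"  # constructed name
    DevicePasswordEnabled              = $true     # a password is required to unlock the device
    AlphanumericDevicePasswordRequired = $true     # letters plus digits, not a numeric PIN
    AllowSimpleDevicePassword          = $false    # rejects patterns such as "1234" or "1111"
    MinDevicePasswordLength            = 8
    DevicePasswordExpiration           = "60.00:00:00"  # force a change every 60 days (article: 30 or 60)
    DevicePasswordHistory              = 5         # block reuse of the last five passwords
    MaxInactivityTimeDeviceLock        = "00:05:00"     # lock after 5 idle minutes, per the article
    MaxDevicePasswordFailedAttempts    = 10        # device wipes itself after 10 wrong guesses
    AllowStorageCard                   = $false    # block removable storage outright
    RequireStorageCardEncryption       = $true     # if cards are ever re-enabled, they must be encrypted
    AllowCamera                        = $false    # the "disable the camera" case from the article
    AllowWiFi                          = $false    # no Wi-Fi at all; connect over cellular and VPN
    DeviceEncryptionEnabled            = $true     # encrypt data stored on the device
}

# Create the policy from the settings above (splatting keeps each setting commented)
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to a user's mailbox; the device receives it at its next sync
Set-CASMailbox -Identity "jim.sales" -ActiveSyncMailboxPolicy $policy.Name

# Check which devices have synced for that user and whether each accepted the policy.
# A device that never reports "AppliedInFull" is the "rogue" case the article describes.
Get-ActiveSyncDeviceStatistics -Mailbox "jim.sales" |
    Select-Object DeviceType, DeviceModel, LastSyncAttemptTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# Lost or stolen device: queue a remote wipe. The wipe executes the next time the
# device connects, so it should be issued as soon as the loss is reported.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jim.sales" | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

The policy is assigned per mailbox rather than per device, which is what makes it useful against the "Jim buys his own phone" scenario: any device that syncs his mailbox is required to accept the policy before mail is delivered, and a device that refuses it shows up in the statistics output for IT to follow up on.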
Smith Micro's Device Security Management Suite uses an on-device agent to control security, enforce policies, and manage software updates. "IT creates a policy and adds it to the server," explains Tom Matthews, VP and general manager of security and connectivity for Smith Micro. "Because we have a client-server solution, the policy is then pushed to the device. It receives this policy and the agent that resides on the device can take action and report information back to the server. The device can then be forced to load or unload applications, update virus software, or reset a password."
"Because there is growing prosumer use of smart phones," said Matthews, "the whole strategy behind policy control is so you can identify users. You'll need to be scanning to see if a rogue mobile device is being used on your network."
Odyssey's product does these things, but also collects network information. "When you have hard data, that helps the mobile operator find problems faster and in turn helps the enterprise customer," said Mark Gentile, President & CEO of Odyssey. Odyssey's Athena software makes sure companies have appropriate licensing. This way, from a support perspective, they know what versions of applications are on the smart phones. It also helps provision software updates, certifications, and policies all over the air.
Endgame
With the proper tools in place, securing your enterprise from the threat of mobile devices is manageable. Combined with the right set of policies, employee education, and software controls, there's no reason why smartphones should leave the back door open to the whimsy of hackers and ne'er-do-wells.