With the arrival of attractive new mobile devices in the corporate world, executives feel that their existing BlackBerry is out of fashion. For a while, BlackBerry devices ruled corporate mobile communications. They are efficient and highly secure.
BlackBerry security is still considered the gold standard for enterprise mobile communications. However, with generation Y taking over the corporate world, enterprise infrastructure has a hard time meeting their demand for social networking and other mobile applications on their devices. RIM's product is no longer the default choice; rather, it is now one of several options that should be available to corporate users.
There is also increasing demand among employees to use their personal (individually liable) mobile devices for enterprise work. They view pervasive wireless LAN (WLAN) and mobile cellular coverage as "must have" capabilities and consider smartphones "must have" tools that help integrate their personal and professional lives.
Until recently every enterprise advertised a web address along with its products. Now their applications are showing up in mobile device application (app) stores, and their mobile web addresses (for example m.mycompany.com) are advertised alongside their main web addresses (for example www.mycompany.com), increasing their competitiveness.
So how do we secure such diverse devices while making them available for corporate use?
Before we delve into how to secure mobile devices, let's define what we mean by a mobile device. According to Wikipedia, a mobile device is a pocket-sized computing device that typically has a display screen with touch input and/or a miniature keyboard.
There are two types of mobile devices – vendor locked and Operating System (OS) based.
Vendor locked mobile devices use a proprietary operating system supplied by the device manufacturer. Examples include the BlackBerry, iPhone, iPad and PlayBook. These devices are more attractive to the corporate world because a single vendor controls both the hardware and the OS, which makes them easier to manage.
OS based mobile devices use an operating system sourced from a software vendor. The software is not tied to particular hardware: as long as the hardware provides the interfaces the OS expects, the software will function. Examples of such operating systems are Android and Windows Mobile.
Enterprises should be able to install, update, configure, back up and remove enterprise mobile applications. Each application should be tested, verified and approved before it is deployed for enterprise use, and access to it should be controlled based on user entitlements.
Security controls such as authentication, encryption, device wipe and firewall support should be available. Authentication is the first line of defense against unauthorized access; it should provide power-on authentication, strong passwords, a configurable action when a maximum number of failed login attempts is reached, device lock, an inactivity timeout, and certificate delivery.
Encryption is the second layer of protection against unauthorized disclosure of information stored on the mobile device and on any removable media it contains. Encryption must be coupled with an authentication mechanism to be effective: if the decryption key is available without the user authenticating, anyone holding the device can read the data.
The ability to remotely wipe information from the device reduces the risk of unauthorized disclosure when a device is lost, stolen or removed from service. A complete wipe is appropriate for enterprise-owned devices. For employee-owned (individually liable) devices, however, the enterprise should be able to wipe only enterprise information and leave personal information untouched (selective wipe). A mobile device should also wipe its contents locally if the user exceeds the maximum number of failed login attempts or if the device has not been used for some period of time.
Mobile devices should be protected from malware either with a host-based antimalware solution or by routing all traffic originating from the device through a network antimalware gateway before it enters the enterprise network. Firewalls between the enterprise network and mobile devices should be able to inspect and monitor application-layer traffic, not just ports and addresses.
The enterprise should be comfortable defining, monitoring and enforcing mobile policies. It should be able to create user groups (for example executives or finance staff), each with its own policy, and to define, provision and enforce security policies for application access, data encryption, data classification and securing data in transit.
The enterprise should have a policy for acceptable personal use of corporate-owned devices, and should maintain separate liability policies for employee-owned and corporate-owned devices. Policies should be managed for each and every type of hardware the enterprise supports.
BlackBerry OS, Windows Mobile (WinMo), iOS, Android and Symbian are some of the mobile device operating systems. The enterprise should choose the OS and hardware it is comfortable supporting. It should be able to update the operating system and to enforce approved software (including version) on the device before granting access to the user. It should also be able to enable and disable the use of removable media (for example SD cards) and to detect and isolate jailbroken devices.
If possible, the enterprise should be able to control (enable and disable) device hardware such as the camera, Wi-Fi, Bluetooth and GPS, and to monitor hardware status such as battery level, memory usage and CPU load. In addition, it should be able to retrieve asset tracking information such as serial numbers and asset tags.
The enterprise helpdesk should be capable of troubleshooting, report generation, historical analysis and problem triage for mobile device incidents.
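The lockout, wipe and compliance behaviour described above (the failed-attempt limit and inactivity timeout, full versus selective wipe chosen by ownership, and the OS-version, approved-software, removable-media and jailbreak checks that gate enterprise access) can be modelled as a small policy engine. The following is an added example written for this page; it is not code from the original article or from any MDM product. The thresholds, the `corpmail` app name, the device records and all field and function names are assumptions made for the illustration.

```python
"""Toy MDM policy model (added illustration, not from the article or any product).
Models the controls described in the text: a failed-login counter that wipes at the
limit, an inactivity lock, an unused-device wipe, full vs. selective wipe chosen by
ownership, and a compliance gate checked before access is granted. Thresholds,
device records and app names are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum

class Ownership(Enum):
    CORPORATE = "corporate-liable"
    INDIVIDUAL = "individually-liable"

class Action(Enum):
    NONE = "none"
    LOCK = "lock"
    WIPE_FULL = "wipe-full"            # everything on the device
    WIPE_SELECTIVE = "wipe-selective"  # enterprise data only

@dataclass
class Policy:
    max_failed_attempts: int = 10
    inactivity_lock_seconds: int = 300
    unused_wipe_days: int = 30
    min_os_version: tuple = (4, 0)
    approved_apps: dict = field(default_factory=dict)  # app -> minimum approved version
    allow_removable_media: bool = False

@dataclass
class Device:
    device_id: str
    ownership: Ownership
    os_version: tuple
    jailbroken: bool = False
    installed_apps: dict = field(default_factory=dict)  # app -> installed version
    sd_card_present: bool = False
    failed_attempts: int = 0
    seconds_since_activity: int = 0
    days_since_last_use: int = 0
    locked: bool = False
    enterprise_data_present: bool = True
    personal_data_present: bool = True

def wipe_action_for(device: Device) -> Action:
    """Corporate-owned devices are wiped completely; employee-owned ones lose only enterprise data."""
    return Action.WIPE_FULL if device.ownership is Ownership.CORPORATE else Action.WIPE_SELECTIVE

def apply_wipe(device: Device, action: Action) -> None:
    device.enterprise_data_present = False
    if action is Action.WIPE_FULL:
        device.personal_data_present = False
    device.failed_attempts = 0
    device.locked = True

def record_failed_login(device: Device, policy: Policy) -> Action:
    """Count one failed unlock; at the configured maximum the device wipes itself."""
    device.failed_attempts += 1
    if device.failed_attempts < policy.max_failed_attempts:
        return Action.NONE
    action = wipe_action_for(device)
    apply_wipe(device, action)
    return action

def evaluate_idle(device: Device, policy: Policy) -> Action:
    """Lock after the inactivity timeout; wipe once the device has gone unused
    for the whole unused-device period."""
    if device.days_since_last_use >= policy.unused_wipe_days:
        action = wipe_action_for(device)
        apply_wipe(device, action)
        return action
    if not device.locked and device.seconds_since_activity >= policy.inactivity_lock_seconds:
        device.locked = True
        return Action.LOCK
    return Action.NONE

def compliance_findings(device: Device, policy: Policy) -> list:
    """Reasons to isolate the device instead of granting enterprise access (empty = compliant)."""
    findings = []
    if device.jailbroken:
        findings.append("jailbroken")
    if device.os_version < policy.min_os_version:
        findings.append("os-below-minimum")
    for app, version in device.installed_apps.items():
        minimum = policy.approved_apps.get(app)
        if minimum is None:
            findings.append(f"unapproved-app:{app}")
        elif version < minimum:
            findings.append(f"outdated-app:{app}")
    if device.sd_card_present and not policy.allow_removable_media:
        findings.append("removable-media-present")
    return findings

if __name__ == "__main__":
    policy = Policy(approved_apps={"corpmail": (2, 1)})
    byod = Device("byod-042", Ownership.INDIVIDUAL, (4, 2), installed_apps={"corpmail": (2, 0)})
    print("findings:", compliance_findings(byod, policy))
    for _ in range(policy.max_failed_attempts):
        outcome = record_failed_login(byod, policy)
    print(outcome.value, "personal data kept:", byod.personal_data_present)
```

The point to notice is that the wipe action is chosen from ownership, not from the trigger: the same failed-attempt limit or unused-device period wipes a corporate device completely but only strips enterprise data from an individually liable one, and the compliance gate returns every reason for isolation rather than stopping at the first, which is what a helpdesk needs for triage.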
Mobile Device Management (MDM) Solution
Not all of the above functional requirements (policy management, for example) are met by the mobile device vendor out of the box; a Mobile Device Management (MDM) solution is required to manage some of these functions. The enterprise must consider an MDM solution that supports both the managed and the unmanaged mobile devices that are permitted to connect to the enterprise network.