Smart-phones have quickly become yet another indispensable part of modern business. Features such as wireless email, Web browsing, personal information management and network access to corporate resources allow for quicker and better decision making and greater productivity.
However, according to a 2008 survey conducted by marketing research provider Decipher Inc., 70% of respondents said they accessed sensitive information on their smart-phone device when away from the office, and therefore outside the confines of their organization’s secure environment.
This latest extension of the enterprise IT infrastructure has quickly turned from asset to risk. To make the most of the smart-phone’s undoubted benefits, it is important to address smart-phone and mobile security, safeguarding the information stored on any mobile device, just as you would with a laptop.
The essentials of a smartphone, mobile security policy
This means your mobile security policy needs to mandate:
• Device passwords with a minimum length, complexity and update frequency.
• Data encryption, depending on its sensitivity or classification level.
• Password-protected inactivity timeouts.
• No access to read-only parameters.
• Limited access to riskier features, such as Bluetooth and instant messaging.
It is also recommended only allowing voice calls on any device that is locked. And before allowing smartphones within the enterprise, ensure they can be wiped remotely if lost or stolen.
However, according to a 2008 survey conducted by marketing research provider Decipher Inc., 70% of respondents said they accessed sensitive information on their smart-phone device when away from the office, and therefore outside the confines of their organization’s secure environment.
This latest extension of the enterprise IT infrastructure has quickly turned from asset to risk. To make the most of the smart-phone’s undoubted benefits, it is important to address smart-phone and mobile security, safeguarding the information stored on any mobile device, just as you would with a laptop.
The essentials of a smartphone, mobile security policy
This means your mobile security policy needs to mandate:
• Device passwords with a minimum length, complexity and update frequency.
• Data encryption, depending on its sensitivity or classification level.
• Password-protected inactivity timeouts.
• No access to read-only parameters.
• Limited access to riskier features, such as Bluetooth and instant messaging.
It is also recommended only allowing voice calls on any device that is locked. And before allowing smartphones within the enterprise, ensure they can be wiped remotely if lost or stolen.
One area that has been seen as frustrating and complex by users and administrators alike has been setting up a VPN connection on a smartphone. End-to-end encryption from the smartphone, over the transport medium, to corporate resources is essential to prevent over-the-air data leakage, and thankfully vendors are upgrading products to make the whole process far easier.
Network security company Astaro Corp. claims its users can now set up and use the iPhone’s IPsec VPN capabilities with no technical knowledge, while SSL VPNs from Sonicwall Inc. offer clientless remote access for smartphones.
The Mobile VPN in Microsoft’s System Center Mobile Device Manager also adds additional protection by authenticating both the device and user. If your mobile users, however, only need to access the odd application, such as Pocket Outlook and Microsoft Exchange, then you could look at encrypting the communication by sending POP and SMTP mail protocols over TLS without a full-blown VPN.
Depending on the nature of your mobile workers’ voice calls, you may want to consider using devices developed for the National Security Agency’s Secure Mobile Environment Portable Electronic Device (SME PED) program, like Sectéra Edge, a combination phone-PDA. Such devices are certified to protect wireless voice communications classified “Top Secret,” as well as restrict access to “Secret” email and websites. If this type of product is beyond your budget, Cellcrypt Mobile, from voice security provider Cellcrypt Ltd., offers end-to-end real-time encryption for BlackBerry smartphones without the need for specialised equipment. It operates on all major wireless networks, including 2G, 3G and Wi-Fi.
The key to a strong smartphone and mobile security policy is to make sure that any sensitive data that is accessed is protected in all forms. There are many places where it might be intercepted, so you need to have them all covered.
If data is encrypted on your database server, does it remain encrypted when it is transmitted to a smartphone, either through synchronisation, email or a Web app? If the user makes a call to discuss the data, does the conversation need to be encrypted? Can you execute a remote wipe if the device and its data are lost or stolen?
Smartphones are here to stay, so you have to commit to endpoint data protection. The mobile devices may be small, but they’re still Internet-connected computers, so don’t let them become a double-edged sword.
Network security company Astaro Corp. claims its users can now set up and use the iPhone’s IPsec VPN capabilities with no technical knowledge, while SSL VPNs from Sonicwall Inc. offer clientless remote access for smartphones.
The Mobile VPN in Microsoft’s System Center Mobile Device Manager also adds additional protection by authenticating both the device and user. If your mobile users, however, only need to access the odd application, such as Pocket Outlook and Microsoft Exchange, then you could look at encrypting the communication by sending POP and SMTP mail protocols over TLS without a full-blown VPN.
Depending on the nature of your mobile workers’ voice calls, you may want to consider using devices developed for the National Security Agency’s Secure Mobile Environment Portable Electronic Device (SME PED) program, like Sectéra Edge, a combination phone-PDA. Such devices are certified to protect wireless voice communications classified “Top Secret,” as well as restrict access to “Secret” email and websites. If this type of product is beyond your budget, Cellcrypt Mobile, from voice security provider Cellcrypt Ltd., offers end-to-end real-time encryption for BlackBerry smartphones without the need for specialised equipment. It operates on all major wireless networks, including 2G, 3G and Wi-Fi.
The key to a strong smartphone and mobile security policy is to make sure that any sensitive data that is accessed is protected in all forms. There are many places where it might be intercepted, so you need to have them all covered.
If data is encrypted on your database server, does it remain encrypted when it is transmitted to a smartphone, either through synchronisation, email or a Web app? If the user makes a call to discuss the data, does the conversation need to be encrypted? Can you execute a remote wipe if the device and its data are lost or stolen?
Smartphones are here to stay, so you have to commit to endpoint data protection. The mobile devices may be small, but they’re still Internet-connected computers, so don’t let them become a double-edged sword.
Way cool! Some very valid points! I appreciate you penning this article and the rest of the site is really good.
ReplyDelete