Mobile Device Security
- 1. Mobile Device Security Crafting a mobile device strategy that fits your organization’s needs while protecting information assets
- 2. Mobile Device Trends Smartphone shipments in 2012 are projected to be at around 631 million units, up from 468 million in 2011 Tablet sales in 2012 are expected to nearly double last year’s tally of 60 million, at 119 million units Apple’s iPad platform is expected to account for 60% of those tablet sales PC hegemony over the market as the primary computing device in business is being challenged
- 3. Frequently forgotten factoids about mobile devices They’re little computers; processor, memory and storage, just like the desktop or laptop PC in your office A would-be thief is more likely to steal a smartphone or tablet than a laptop If your device is stolen, and lacks both a passcode/PIN and data encryption, whatever’s on the device might as well be posted on Facebook Without a means to remotely manage a device, you have NO recourse in protecting/erasing sensitive data, should the device be lost or stolen
- 4. Mobile Device Security: Key Considerations Will my company furnish the devices, or will we allow BYOD (Bring Your Own Device)? What about both? Where will sensitive data reside? On the server(s) or on the device itself? How is the information accessed?
- 5. Company-furnished devices Cost for cellular service and repair/replacement of lost/damaged phones is generally borne by the company Makes sense for organizations that publish the mobile phone number of these devices in the phonebook, on websites or in marketing materials Be as draconian as you’d like in managing these devices (they’re property of the company). No Facebook, Twitter, YouTube, etc.; just business. Erase at will if necessary.
- 6. BYOD (Bring Your Own Device) employees use their personal smartphones/tablets to access email and applications, which they're already familiar with (little to no training) employees bear the cost of service and repair/replacement when necessary a more measured approach to governing the encryption of information stored on the device, and the recourse with which to protect the data should the device become lost or stolen
- 7. BYOD cont’d Example: An employee uses his/her personal device to access company email, where sensitive information sometimes crosses. Whereas a company-provided device could be erased without question, an employee's BYOD likely has personal contacts, personal email, music, etc. A mobile device strategy should outline clear boundaries as to how far a company can go to protect its data. In this case, a mobile device policy could be designed in such a way, that only the company email access for that device is revoked, and the data removed, with no impact to other apps/services on the device.
- 8. Company-furnished device versus BYOD conclusion Different levels of device management can be applied to both classifications of device, whether you want to completely lock the device down, or you want the user to freely use the device as he/she wishes, as long as the device meets security requirements
- 9. Where the data resides Server: This is always preferable to any sensitive information residing on the device. Risks of data compromise are mitigated through PIN/password enforcement, and revocation of access to applications, services and data can be easily revoked on the server. More on this later. Device: We strongly discourage saving sensitive information on mobile devices, but if it can't be avoided, more stringent password/PIN requirements and encryption, coupled with the ability to erase the device in the event it's lost or stolen, protects against losses on this front.
- 10. How the information is accessed Email: Through mobile device management, we can encrypt data as it's stored on the device, revoke email access when warranted, and protect access to the device with passcodes or PINs. Desktop applications: Using technologies such as Citrix XenApp or Microsoft RemoteApp/Remote Desktop, we can provide secure access to programs and data residing on the server, without any of that information actually being stored on the mobile device. This is the preferred method for accessing your line-of-business apps. The actual processing of data resides on the server at all times, and you're simply viewing/interacting with it on your tablet or smartphone.
- 11. How the information is accessed cont’d Web applications/webclips look and act like apps, but are really websites that are optimized for viewing on your mobile device. Similar to the Citrix/Terminal Services method for accessing apps and data, the data does not get stored on the mobile device, but instead just viewed. Transactions still take place on the server.
- 12. Wrap-up Though the rapid adoption of mobile devices had initially provided flexibility and opportunities for businesses, it's also opened up businesses to old fashioned computer security risks, just on a newer class of devices. The methodology for securely incorporating these devices, whether company-owned or personally owned, is taking shape and should become a part of your overall IT strategy, in the same way you'd secure a desktop or laptop computer.