Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers, we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editor at: rprescott@rcrwireless.com.
You’re an IT security professional, and you think you’ve taken the steps to try to make your network secure. You feel relatively confident, safe even, as you walk the corridors of your organization. Then across the office, you hear a sound—it’s faint at first. Then you hear it again, this time from the executives’ offices. Now you can’t escape it—it’s the sound of employees bringing their own mobile devices to work. Every “chirp,” “bing” and personalized ringtone represents a different device, operating on a different platform, accessing different information and taking it right out the front door.
You can’t fight mobility. It’s here. And employees expect to be able to use the device of their choice to work from anywhere. In most cases, mobility is a good thing and brings with it increased productivity. But as an IT professional, you need to prepare for the associated security risks. Often, the most effective approach is a holistic one that enables productivity while mitigating threats. And because your job also depends on efficiency, you are going to want the most effective solutions that also have the lowest possible total operation cost.
The basic goals for creating mobile security in the face of the consumerization of IT shouldn’t be limited to just protecting the devices but should also involve securing accessible company data once it becomes local to the device. There are three steps IT professionals can take to stay ahead of risks: mobile device management (MDM), supplemental security and emerging security measures.
Step 1: Mobile Device Management (MDM)
MDM is the most basic thing you can do to protect your company, regardless of whether your employee has an iPhone, Android, BlackBerry or some other obscure platform for their mobile device. There are vendors that can help you with this, but be sure that any MDM solution you adopt can do the following:
- Application management—you should be able to know, and if necessary restrict, what the device is downloading and running.
- Configuration management and resource control—you want control over what that device connects to, what it takes pictures of and its passwords.
- Detection of jailbroken or rooted devices—these devices are inherently more risky.
- Device recovery and loss mitigation—track it, lock it down, wipe it clean.
- Support and service management—quality tech support pays dividends in the long run.
However, MDM is not enough on its own. Users need to help maintain network security too, by being made aware of your corporate mobile policies and ensuring they are following them. Signed agreements acknowledging that employees understand their rights and responsibilities as well as the company’s rights are crucial. Still, MDM and policy together won’t keep all threats out, and this is where supplemental security measures step in.
Step 2: Supplemental Security
Even if your employees aren’t going to be doing anything other than checking email with their mobile devices, you should also consider more than just securing access. You will want to have some additional data protection on hand in the fight for mobile device security. This effectively means that you should control what data can make its way onto mobile devices in the first place.
Also, there is an ever-increasing back alley of mobile Web and application-based threats that you will need to keep an eye on. While mobile malware hasn’t historically been much of a concern, times are changing. With mobile devices overtaking desktop computers in popularity, mobile attacks are anticipated to be the next big thing in cybercrime. You are going to need the latest real-time threat intelligence to stay ahead of the curve.
Step 3: Emerging Security Measures
This is the fun part of IT security. This is the new stuff, the latest cutting-edge technology that makes you sound like a cyber-security superstar just by mentioning it in a meeting. Early adopters of such technologies tend to have a very low tolerance for risk, have extremely sensitive data or face very strict regulatory requirements, and usually have an intestinal fortitude not seen among mere mortals. But that sounds like every enterprise IT professional, doesn’t it? Some emerging security measures to consider include:
- Application and desktop virtualization. Let’s be honest, this just sounds cool. But with view-only access and desktop virtualization solutions, you never allow sensitive data to leave the data center in the first place, which clearly provides a superior degree of protection.
- Self-defending apps are also coming into their own. Organizations that have this luxury can design applications that incorporate encryption and key management functionality from the start. These apps are inherently more secure as they rely less on native platform features and data storage locations for protection.
- You may also want to decide between an agent-based and a cloud-based approach for deploying your supplemental threat and data protection capabilities.
- Another option includes deploying a sandbox to create an isolated zone on the mobile device where users can work with enterprise resources.
- You can also create an always-on VPN that routes all data traffic back to headquarters or the cloud via an encrypted tunnel.
Is your head spinning yet? Are you ready to smash all those mobile devices into tiny bits to ensure your network and data remain safe? Take a breath. Security in the world of mobile devices really just requires a little extra vigilance in the end. If you can keep your organization focused on your security objectives, then the battle is half won. For the other half, there are vendors who can help you create a holistic, layered approach that will deliver a high degree of efficiency with a low overall total cost of ownership. Soon you’ll be walking the corridors with your head held high again, confident in your organization’s mobile security.