Strategy: Securing Mobile Data
Users are loading smartphones with sensitive data, whether you want them to or not. Here's how to stay secure.
February 9, 2008
Do you have a security policy governing data access via mobile devices? Unless things have improved considerably since we asked readers this question last summer, it's even odds you don't. The problem is, employees are using smartphones in their jobs, whether the security team is on board or not. In a July InformationWeek survey, 82% of smartphone owners said they use their devices to read business e-mail, 80% surfed corporate Web sites, and 61% accessed enterprise data.
And don't look to business managers to stifle this trend: 74% of users said they foot their own cellular bills, and 65% paid for the devices out of their own pockets. More productivity at little or no cost to the business. So what's not to like?
Plenty, actually. Mobilizing employees increases productivity, but the security risk is dramatically heightened without IT involvement. Yet just 31% of readers said corporate IT supports smartphones and PDAs. We understand the logic: When the enterprise doesn't own the devices, it can't regulate what users buy. Supporting a mishmash of systems is a nightmare. That's why for years we've advised readers to stay ahead of this trend. Those who didn't now find themselves in an untenable position. While the enterprise might not own the physical assets, it does own the data that end users are storing on them. As soon as corporate information lands on a smartphone, it becomes a business asset that needs to be secured.
CIOs have two options. One is to freeze out mobile devices by preventing installation of synchronization programs like ActiveSync, disallowing access to corporate servers from mobile devices, or locking down USB ports on corporate PCs. Of course, employees will waste time trying to circumvent these roadblocks. A better route is to put the correct mix of policies and technological enforcement in place to keep your data safe while realizing the benefits of mobility.

FIRST COMES THE POLICY

Mobile encryption has come a long way, but technology is only half the story. At press time, there were more than 3,300 used BlackBerrys listed on eBay. If one of them shipped loaded with sensitive data, there's little technology can do after the fact. Define a corporate policy that covers device selection, provisioning, deployment, use, maintenance, recovery, and disposal. Resist the temptation to treat executives' devices differently. Your organization is only as secure as its weakest link, and a smartphone is more likely to be lost than a laptop. Executives are no more immune than anyone else, and they may carry more sensitive data.
When writing your policy, start with basic data protection measures such as encryption and power-on passwords, and ensure that devices can be remotely wiped in case they're lost or stolen; most push e-mail, device management, and security systems provide this. More granular policies include mandating VPNs and forcing users to be in compliance with antivirus, firewall, or other security software.
Security policies aren't static; they must be updated periodically as the needs of the business change and as newer technologies are adopted. Impress on users that the loss of a device costs far more than the physical asset.
Does implementing usage policies mean enterprises should take over device procurement? Maybe. It's easier to enforce policies and deploy security software when you own the physical asset. Of course, there's a reason IT shies away from issuing mobile devices. The smartphone market is consumer-driven, which means accelerated hardware revision cycles. Mobile security and management vendors do a good job supporting the most popular devices, but advanced hardware security capabilities, like locking down cameras or disabling SD card slots, are spotty. If you let employees store data on their own devices, the best solution is to compromise by issuing, and continually updating, a menu of hardware that your mobile security vendor supports.
Steps To Keep Mobile Data Safe
1. SET A POLICY
2. ENCRYPT DATA
3. BE READY
4. WATCH FOR BIOMETRICS
5. NOT TAKING THESE STEPS? Then consider locking down corporate PCs so users can't install synchronization software. No sync, no sensitive data on mobile devices.
Speaking of security vendors: to judge by their marketing materials, dodging the pitfalls of deploying mobile devices calls for some hefty investments. Before you spend, determine which threats actually apply to your enterprise.
So, follow the risk. The first task is preventing data loss, and just how much information each device contains may surprise you. Smartphones, despite having cellular connections, often cache corporate data so it remains accessible when the user is out of coverage or must run the device with the radio off, as on an airplane. Generally, e-mail will be stored locally, and Web browsers may save copies of business Web pages. Corporate applications run the gamut, from acting solely as a presentation layer for back-end database systems to caching forms or even entire sections of a database, depending on how the app is engineered.
The first line of defense is encryption, either of folders or of the full device, including removable storage such as SD cards. There are trade-offs here: Encrypting all device storage ensures that you won't miss any data, but it can hurt performance. Encrypting select folders leaves performance intact but requires continual data classification to make sure the right data actually lands in the encrypted folders. Because device speed is increasing, and because users will inevitably store sensitive data in unencrypted folders, full-device encryption is best.
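The classification gap behind that trade-off can be made concrete. The following is an added example, not code from the article or from any vendor it mentions: a Python scan over a constructed snapshot of a handset's file system (every path and file body is made up) that flags corporate data left outside the folders a selective-encryption policy covers, and then shows the same scan finding nothing once every volume, SD card included, is encrypted. The corporate domain, sensitivity markers, extension list and folder names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed file system snapshot of a hypothetical handset (path -> bytes).
# Nothing here comes from a real device; paths and contents are made up.
SAMPLE_FILES: Dict[str, bytes] = {
    "/Storage/Mail/inbox/0001.eml": b"From: cfo@corp.example\nSubject: Q1 forecast\nCONFIDENTIAL draft",
    "/Storage/Documents/board-deck.pptx": b"PK\x03\x04 slides...",
    "/Storage/Documents/shopping.txt": b"milk, eggs, bread",
    "/Storage/Browser/cache/intranet.corp.example/orders.html": b"<html>customer SSN 123-45-6789</html>",
    "/SD/Photos/beach.jpg": b"\xff\xd8\xff\xe0 jpeg...",
    "/SD/Work/export.csv": b"acct,balance\n44123,99000\n",
    "/SD/Work/notes.txt": b"call about the gym membership",
}

# Folders a selective-encryption policy covers (assumed encrypted at rest).
SELECTIVE_FOLDERS: Set[str] = {"/Storage/Mail", "/Storage/Documents"}
# Full-device encryption covers every volume, removable storage included.
FULL_DEVICE_FOLDERS: Set[str] = {"/Storage", "/SD"}

CORP_DOMAIN = "corp.example"  # assumed corporate domain
BUSINESS_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".csv", ".eml")
CONTENT_PATTERNS = {
    "confidentiality marking": re.compile(rb"\bCONFIDENTIAL\b", re.I),
    "US SSN pattern": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "corporate domain": re.compile(re.escape(CORP_DOMAIN.encode()), re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str
    reasons: tuple


def under_encrypted_folder(path: str, folders: Set[str]) -> bool:
    """True if path sits inside one of the encrypted folders.

    The match is on whole path components: /Storage/Mailbox is NOT covered
    by a policy for /Storage/Mail, which a bare startswith() would get wrong.
    """
    return any(path == f or path.startswith(f.rstrip("/") + "/") for f in folders)


def classify(path: str, data: bytes) -> List[str]:
    """Return the reasons a file counts as corporate data, or [] if none apply."""
    reasons = []
    lower = path.lower()
    if lower.endswith(BUSINESS_EXTENSIONS):
        reasons.append("business document type")
    if CORP_DOMAIN in lower:
        reasons.append("cached corporate web content")
    for label, pattern in CONTENT_PATTERNS.items():
        if pattern.search(data):
            reasons.append(label)
    return reasons


def unprotected_sensitive(files: Dict[str, bytes], encrypted: Set[str]) -> List[Finding]:
    """Corporate data that the given encryption policy leaves in cleartext."""
    out = []
    for path in sorted(files):
        reasons = classify(path, files[path])
        if reasons and not under_encrypted_folder(path, encrypted):
            out.append(Finding(path, tuple(reasons)))
    return out


if __name__ == "__main__":
    for name, folders in (("selective", SELECTIVE_FOLDERS), ("full device", FULL_DEVICE_FOLDERS)):
        hits = unprotected_sensitive(SAMPLE_FILES, folders)
        print(f"{name}: {len(hits)} unprotected file(s)")
        for f in hits:
            print(f"  {f.path}: {', '.join(f.reasons)}")
```

Run stand-alone, the script reports two unprotected files under the selective policy (a CSV export the user dropped on the SD card, and a cached intranet page holding an SSN in the browser's cache directory, which no folder policy anticipated) and none under full-device encryption. Both misses are exactly the kind of user behaviour that makes folder-level classification a moving target.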
Much has been made about the need for virus protection on mobile devices. All the major players--including Kaspersky Lab, McAfee, Symantec, and Trend Micro--have some sort of mobile virus protection in their portfolios. Thus far, however, most of the viruses and malware in the wild have been proofs of concept aimed at the Symbian platform, with a handful of Windows Mobile exploits. But Apple's iPhone may be a harbinger of what's to come. Many of the efforts to "unlock" the iPhone to install third-party apps or allow the device to run on other carriers have relied on classic exploits like buffer overflow attacks. While Apple has thus far been diligent about patching, there have been demonstrations showing that the same methods used to unlock the iPhone can be used to subvert the device.
"The thing that concerns me is how easy it is to release malware to a mobile device. Something as simple as taking a BlackBerry and downloading a ring tone to it may be a potential vector," says David Brown of Forsythe Solutions Group, a technology consultant. The key word is "potential." So far there hasn't been an exploit like Brown describes, nor has anything close to the impact of the Blaster or Code Red worms been released on a mobile platform. In some ways, mobile devices have enjoyed security through obscurity; a fragmented OS landscape helps, too. However, as smartphones become more connected to enterprise networks and desktops become increasingly secure, attackers will train their sights on mobile devices as the path of least resistance to data. You may not need mobile virus protection yet, but it's worth evaluating for deployment in the next 12 to 18 months, particularly if you find smartphones rising in profile within your company.
HOLISTIC APPROACH

While the number of point products aimed at your business' mobile security issues can seem overwhelming, several established players offer suites that bundle the pieces. To get a feel for what these suites can do, we took a few offerings for a spin in our lab. Trust Digital, which partners with GuardianEdge--certified by the General Services Administration Data At Rest Tiger Team for laptop security--and has won several government and private-sector contracts, sent us its latest smartphone security client, and Trend Micro sent a copy of its forthcoming mobile security suite.
Both Trust Digital's Smartphone Security Management Software (SSMS) and Trend Micro's Mobile Security 5.0 (TMMS) armed us with a variety of methods to secure our mobile devices. The most interesting feature is SSMS's trusted applications model. Rather than a simple whitelist or blacklist defining what can or can't run on a device, Trust Digital lets you specify which applications may work with which data types. For example, we could specify that only Microsoft Word could access Word documents. This helps contain malware: an application that is not bound to a data type simply can't open that data, even if it is otherwise allowed to run. One of the main differentiators between Trust Digital and Trend Micro is that TMMS 5.0 is managed from the same console as Trend Micro's desktop security product.
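To show how a trusted-applications model differs from a plain whitelist, here is an added example in Python. It is not Trust Digital's or Trend Micro's code and does not describe how either product is implemented; the application identifiers, the extension-to-data-type table and the bindings are assumptions made for the example. Both decision functions see the same request, but only the trusted-applications one looks at what the file is, so an approved-but-unrelated application (or malware hiding behind one) cannot open business documents.

```python
import posixpath
from typing import Dict, FrozenSet, Tuple

# Data type by file extension. A production agent would also sniff content;
# this table is constructed for the example.
DATA_TYPES: Dict[str, str] = {
    ".doc": "word", ".docx": "word",
    ".xls": "excel", ".xlsx": "excel",
    ".pdf": "pdf",
    ".eml": "mail",
}

# Trusted-applications model: each data type is bound to the applications
# allowed to open it. Anything not bound is denied. App IDs are hypothetical.
TRUSTED_APPS: Dict[str, FrozenSet[str]] = {
    "word": frozenset({"com.microsoft.word"}),
    "excel": frozenset({"com.microsoft.excel"}),
    "pdf": frozenset({"com.adobe.reader"}),
    "mail": frozenset({"com.example.mailclient"}),
}

# Conventional whitelist: the apps allowed to run at all. Once running, a
# whitelisted app may open any file it likes; the file type plays no role.
WHITELIST: FrozenSet[str] = frozenset({
    "com.microsoft.word", "com.microsoft.excel", "com.adobe.reader",
    "com.example.mailclient", "com.example.sketchpad",
})


def data_type_of(path: str) -> str:
    """Map a file path to a data type; anything unclassified is 'unknown'."""
    ext = posixpath.splitext(path)[1].lower()
    return DATA_TYPES.get(ext, "unknown")


def trusted_app_decide(app: str, path: str) -> Tuple[bool, str]:
    """Allow only if the app is bound to the file's data type.

    Unknown data types and unbound apps are both denied (default deny).
    """
    dtype = data_type_of(path)
    if dtype == "unknown":
        return False, f"deny: no data-type binding exists for {path}"
    if app in TRUSTED_APPS.get(dtype, frozenset()):
        return True, f"allow: {app} is trusted for {dtype}"
    return False, f"deny: {app} is not bound to {dtype}"


def whitelist_decide(app: str, path: str) -> Tuple[bool, str]:
    """Allow any whitelisted app to open any file."""
    if app in WHITELIST:
        return True, f"allow: {app} is whitelisted"
    return False, f"deny: {app} is not whitelisted"


if __name__ == "__main__":
    requests = [
        ("com.microsoft.word", "/Storage/Documents/q1-forecast.docx"),
        ("com.example.sketchpad", "/Storage/Documents/q1-forecast.docx"),  # approved app, wrong data type
        ("com.unknown.dropper", "/Storage/Documents/q1-forecast.docx"),    # not approved anywhere
        ("com.microsoft.word", "/Storage/Downloads/payload.bin"),          # unclassified data
    ]
    for app, path in requests:
        print(f"{app} -> {path}")
        print("   whitelist:   ", whitelist_decide(app, path)[1])
        print("   trusted apps:", trusted_app_decide(app, path)[1])
```

The second request is the interesting one: the sketchpad app is legitimately on the whitelist, so the whitelist lets it read the forecast, while the trusted-applications check denies it because no binding exists between that app and Word data. The fourth request shows the default-deny behaviour for data the policy has never classified.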
We liked both Trend Micro's and Trust Digital's encryption models. Enterprises can define encryption keys scoped to an individual device or to a group, so data can be shared within the group. The only problem is that only one policy can be enforced per device, so a user can't have her onboard memory encrypted with a unique device key, say, while an SD card is encrypted with a shared group key so it can be passed to other users. Trend Micro and Trust Digital also include table-stakes features such as hardware lockdown and remote wipe. Trust Digital throws in software distribution capabilities, but, as it's a security-focused product, it lacks some of the advanced inventory and reporting features found in the mobile device management systems we reviewed back in April (see Analysis: Mobile Device Management).
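The one-policy-per-device limitation is worth seeing in terms of the keys involved. As an added example, not code from either product, the following Python implements the per-volume scoping the review says both products lack: onboard memory gets a key scoped to the individual device, the SD card gets a key scoped to the device's group, and both are derived from a management-server master secret with HMAC-SHA256 so the server never has to store per-volume keys. The master secret, the device-to-group inventory and the volume names are constructed for the example. Only key derivation is shown; the volume encryption that would consume these keys is out of scope here.

```python
import hashlib
import hmac
from typing import Dict

# Constructed master secret held by the management server; it never leaves
# the server. A real deployment would keep it in an HSM or similar.
MASTER_KEY = hashlib.sha256(b"example-master-secret-do-not-use").digest()

# Constructed device inventory: device id -> group id.
DEVICES: Dict[str, str] = {
    "blackberry-0001": "finance",
    "blackberry-0002": "finance",
    "wm6-0003": "sales",
}

# Per-volume policy: which key scope protects each storage volume.
# "device" keys are unique to one handset; "group" keys are shared by the group.
VOLUME_SCOPE: Dict[str, str] = {"onboard": "device", "sdcard": "group"}


def derive_key(master: bytes, scope: str, principal: str, volume: str) -> bytes:
    """HMAC-SHA256 KDF: one 32-byte key per (scope, principal, volume) tuple.

    Each label is length-prefixed so that different tuples can never produce
    the same input bytes (e.g. "ab"+"c" vs "a"+"bc").
    """
    def lp(s: str) -> bytes:
        b = s.encode()
        return len(b).to_bytes(2, "big") + b

    info = b"mobile-volume-key|" + lp(scope) + lp(principal) + lp(volume)
    return hmac.new(master, info, hashlib.sha256).digest()


def volume_key(device_id: str, volume: str) -> bytes:
    """Key a given device must hold to read the named volume under the policy."""
    scope = VOLUME_SCOPE[volume]
    principal = device_id if scope == "device" else DEVICES[device_id]
    return derive_key(MASTER_KEY, scope, principal, volume)


def can_read(reader_device: str, writer_device: str, volume: str) -> bool:
    """True if the reader derives the same key the writer used for that volume."""
    return hmac.compare_digest(
        volume_key(reader_device, volume), volume_key(writer_device, volume)
    )


if __name__ == "__main__":
    cases = [
        ("blackberry-0002", "blackberry-0001", "sdcard"),   # same group, shared SD key
        ("wm6-0003", "blackberry-0001", "sdcard"),          # other group, no access
        ("blackberry-0002", "blackberry-0001", "onboard"),  # onboard key is per device
    ]
    for reader, writer, vol in cases:
        print(f"{reader} reads {writer}'s {vol}: {can_read(reader, writer, vol)}")
```

A finance user's SD card is readable by any other finance device, while her onboard memory is readable only by her own handset, and a sales device can open neither. Because every key is recomputable from the master secret and the inventory, a lost device is handled by removing it from the inventory and re-keying the group volumes it could read; nothing on the device itself needs to survive.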