Determining device configuration policies
Your mobile device security policy has an immediate impact on the types of configuration policies that you will apply to the mobile devices in your network. For example, the security policy might state that all devices must have a lock password with certain requirements. Or the policy might state that all devices must have full disk encryption. Either way, you need to decide on a detailed set of configuration policies while rolling out your mobile device security solution. We cover this topic in detail in Chapter 4 and show how our case study organization, AcmeGizmo, configures policies on its devices in accordance with its enterprise mobile device security policy.
Figuring out how you’ll connect devices to your network(s)
Another integral part of your overall mobile device security strategy is connectivity to the corporate network. Your organization has most likely already deployed a VPN of some sort (such as IPSec VPN or SSL VPN) for remote access into the network from laptops running Windows, and perhaps even Macintosh and Linux. As you expand to mobile devices, you’ll find that some VPN solutions support the wide range of mobile operating systems, and others do not. Therefore, you need to evaluate the current state of affairs and determine whether your existing VPN meets your needs as you expand the scope of your remote access solution. In addition to choosing a VPN, you need to make other decisions, such as what type of authentication to enforce from mobile devices and how much access to provide to users in various employee groups. These are critical decisions, and we cover this topic in detail in Chapter 7.
Devising an endpoint security strategy
The number and types of threats facing mobile devices are growing quickly as these types of devices become more popular and begin to contain much more sensitive, and potentially valuable, information. That is exactly why it’s so important to deploy an endpoint security solution as you start to allow mobile devices into the network, just as you have probably done for traditional systems, such as laptops, desktops, and netbooks on your corporate networks. Antivirus and personal firewall capabilities need to be at the heart of your endpoint security strategy for mobile devices. These and other endpoint security technologies are discussed in Chapter 10.
Planning a strategy to deal with loss and theft
No matter how many policies you apply and how much security you enable on the mobile devices in your network, some of them will be lost or stolen. When such situations arise, you not only need technology to help you deal with these events but also require processes and procedures to deal with them quickly and effectively. Whether you allow users to track, lock, and wipe their own devices or whether your helpdesk team does that, everyone involved needs to know exactly what to do when a device is lost or stolen. Chapter 11 deals with this topic in detail.
Seeking vendor info and requests for proposals
After you educate yourself and identify your deployment team, look at various vendors to come up with a short list of mobile security vendors that you can invite in for further evaluation. Note that different vendors cover different areas of functionality, with no single vendor covering all possible functionality. You will likely need to deploy more than one product to accomplish all your organization’s goals.
Different organizations take different approaches to narrowing the list of vendors. Some organizations initiate design/sales meetings with interesting vendors to see how each vendor implementation fits with their organization’s goals. Other organizations create requests for proposals (RFPs) that give vendors a list of questions that they must respond to in writing. Regardless of the approach, the goal is to identify which vendors offer products that have sufficient functionality to meet the key goals of your mobile security deployment.
Implementing a pilot
You can gain a lot of information from deploying your mobile security solution to a small group of users prior to a wide rollout. Many plans have failed in the implementation phase because of issues that nobody foresaw. Start with a pilot group that consists of a small, but representative subset of your user population. Be sure that you include users with a variety of device types that you will allow into your network. Also, include members of every business group that will access the network because different applications and security requirements might result in different user experiences. When you add end users to the equation, you get a good sense of how seamless the mobile security solution will be for users as a whole, how well your organization can deal with deployment problems, and whether the chosen vendor can meet your needs.
Assessing and reevaluating at regular intervals
Congratulations! You’ve successfully rolled out your mobile device security implementation, and your users are all happily connecting to the corporate network from their devices of choice — iPhones, Android devices, and so on. So, now what? Vacation? Retirement? Put your feet up on the desk? Not so fast; network, security, and user requirements evolve over time. As these changes happen, your mobile security strategy must change with them. After you complete the deployment, ensure that your users are happy, that your team can effectively manage and support the deployment at scale, and that as threats to mobile devices evolve over time, your mobile security solution continues to meet your organization’s security goals. Continual reassessment is a key part of any technology adoption, and you need to make it a part of something as critical and visible as mobile devices.
Introduction: AcmeGizmo Enterprise Smartphone Deployment Case Study
Many of the chapters in this book end with a case study. The storyline is ongoing and follows a fictional company named AcmeGizmo. At this organization, much like at many other organizations, employees have widely adopted mobile devices. You join the story as Steve, the CIO, asks Ivan, the IT manager, to come up with a strategy for securely allowing these devices into the network.
Every chapter that includes a case study takes a close look at the decisions that Ivan makes in order to accomplish this goal.
AcmeGizmo is a vertically integrated, global manufacturer of widgets. Its 8,000 employees span the range from employees on the manufacturing line in their factories to a retail sales force working in their stores and kiosks.
Exploring legacy smartphone deployment
Historically, AcmeGizmo has provided many executives and salespeople with company-issued BlackBerry devices. From these devices, employees can access their e-mail, calendar, and contacts, in addition to a few select intranet sites. Here’s an overview of the network:
BlackBerry Enterprise Server (BES): AcmeGizmo has been very comfortable with the secure nature of its BlackBerry deployment. In addition to the devices themselves, it has a BlackBerry Enterprise Server (BES) in its network that helps it manage and secure these devices. The BES authenticates the BlackBerry devices and provides an encrypted tunnel (the BlackBerry equivalent of a VPN) that securely connects each remote device to the network and protects all data as it transits the network to the corporate data center. In addition, the BES is the primary tool that AcmeGizmo’s IT staff uses to manage policies and configure BlackBerry devices. The policies range from password complexity policies to application provisioning and blacklisting policies.
Connect PC VPN: AcmeGizmo has a fairly standard deployment for remote laptops, all of which are Windows-based. For this, it has an IPSec VPN appliance from Connect PC. The VPN appliance handles encryption and authentication, in addition to several other critical remote access features. AcmeGizmo also has a suite of desktop management tools that help it manage policies on the remote laptops and ensure that those machines are appropriately patched and configured. (Connect PC is a fictional company.)
Secure PC Endpoint Security Suite: AcmeGizmo has invested heavily in an endpoint protection suite from Secure PC, which includes antivirus and personal firewall software. (Secure PC is a fictional company.)
The only devices permitted to access the AcmeGizmo network remotely are AcmeGizmo-owned and -managed BlackBerry devices and Windows laptops. Figure 1-4 shows the legacy AcmeGizmo network, with BlackBerry devices connecting to the BES, and Windows laptops connecting through the Connect PC VPN. A legacy network is the network that AcmeGizmo put into place prior to implementing the mobile security strategy that Ivan designed as a result of reading this book.
Figure 1-4: AcmeGizmo legacy network.
Enter the smartphone explosion
About a year and a half ago, however, a rapid shift began to occur. It all started the day that Brooke, the CEO, purchased the latest and greatest iPhone. Upon arriving in the office the next day, Brooke stopped by Steve’s office and essentially demanded access to her e-mail from the new iPhone. Not wanting to upset his boss, Steve asked Ivan to figure out how to make this happen as quickly as possible. The challenge was that a lot of AcmeGizmo’s IT security investments were of little use when attempting to secure the device and its access to the network.
For its desktops and laptops, AcmeGizmo has traditionally worked with Secure PC, the leading endpoint security vendor, to purchase its entire suite of functionality, including antivirus and personal firewall components. Unfortunately, Secure PC’s sales rep confirmed for Ivan that it doesn’t currently have a solution for smartphones, but that it’s “on the roadmap,” offering very little help for Ivan in his current situation.
Ivan next took a look at AcmeGizmo’s VPN platform from Connect PC, the leading IPSec VPN solution. As with Secure PC, Ivan quickly determined that Connect PC had not added support for smartphone platforms like the iPhone.
As Ivan’s frustrations began to mount, the number of issues that he anticipated began to grow. He realized that none of his systems could properly handle this smartphone problem. He had no way to enforce appropriate configurations on these devices, as the BlackBerry Enterprise Server was extremely feature-rich but covered only BlackBerry devices. He had no way of controlling or enabling application distribution, no way of wiping data from a device if it was lost or stolen, and so on.
So, Ivan took a step that many IT managers have taken. Under immense pressure from his boss and from the CEO, he deployed the mail server so that it was directly accessible from the Internet, enabling the CEO to access her e-mail, calendar, and contacts. Luckily, the mail server included some functionality to control the device itself, including the ability to set a password requirement and remove sensitive data from the device if it was lost or stolen. Unfortunately, that was about it. Many of the advanced policies and the layered security approach that Ivan had spent a lot of money and countless hours deploying for AcmeGizmo’s laptops and desktops were useless for these smartphone platforms. Ivan felt that what he had deployed was somehow insecure, and that he was taking a great risk by allowing the CEO to access so much sensitive data from her iPhone. Figure 1-5 shows the revised network, which allows the CEO’s smartphone to access the network.
Figure 1-5: Revised AcmeGizmo remote access network.
As the next couple of months went by, Ivan began to notice an increasing number of unapproved mobile devices in the company cafeteria, in meetings, and in the hallway. This made him suspicious, so he went back to take a look at the mail server logs. What he found surprised him — there were more than 500 unapproved devices accessing the mail server without his knowledge! Word had gotten around that this type of access was possible, and people had started using it.
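The log review that turned up Ivan's 500 unapproved devices is the kind of check any IT team can script. The following is an added example, not code from the book or from AcmeGizmo: it parses constructed mail-server access-log lines (the format mimics a web-server log of ActiveSync requests, whose query strings carry DeviceId and DeviceType parameters), groups requests by device, and reports every device that is not in a hypothetical approved-device inventory. The log lines, the inventory and the user names are all made up for the example.

```python
import re

# Constructed sample log lines (not real AcmeGizmo data). Each line is:
# date time client-ip method path query-string status
SAMPLE_LOG = """\
2011-03-14 08:12:01 10.1.2.3 POST /Microsoft-Server-ActiveSync User=brooke&DeviceId=APPL9F3A2C&DeviceType=iPhone&Cmd=Sync 200
2011-03-14 08:12:05 10.1.2.9 POST /Microsoft-Server-ActiveSync User=ed&DeviceId=ANDR5511AA&DeviceType=Android&Cmd=FolderSync 200
2011-03-14 08:13:40 10.1.2.3 POST /Microsoft-Server-ActiveSync User=brooke&DeviceId=APPL9F3A2C&DeviceType=iPhone&Cmd=Ping 200
2011-03-14 08:15:22 10.1.2.7 OPTIONS /Microsoft-Server-ActiveSync - 200
2011-03-14 08:16:03 10.1.2.8 POST /Microsoft-Server-ActiveSync User=ivan&DeviceId=APPL77B1C0&DeviceType=iPad&Cmd=Sync 200
2011-03-14 08:17:11 10.1.2.9 POST /Microsoft-Server-ActiveSync User=ed&DeviceId=ANDR5511AA&DeviceType=Android&Cmd=Sync 200
2011-03-14 08:18:45 10.1.2.4 POST /Microsoft-Server-ActiveSync User=sam&DeviceId=WP7E3D9912&DeviceType=WP&Cmd=Sync 200
"""

# Hypothetical approved-device inventory (DeviceId -> owner). In the story the
# CEO's iPhone is the only device IT knowingly let in, so it is the only entry.
APPROVED_DEVICES = {"APPL9F3A2C": "brooke"}

QUERY_KV_RE = re.compile(r"([^&=]+)=([^&]*)")


def parse_line(line):
    """Return (user, device_id, device_type) for one sync request, or None.

    Lines that are not POST requests, or that carry no DeviceId (for example
    the OPTIONS probe a client sends first), are ignored.
    """
    parts = line.split()
    if len(parts) != 7 or parts[3] != "POST":
        return None
    query = dict(QUERY_KV_RE.findall(parts[5]))
    if "DeviceId" not in query:
        return None
    return (query.get("User", "?"), query["DeviceId"], query.get("DeviceType", "unknown"))


def find_unapproved_devices(log_text, approved):
    """Group requests by DeviceId and return the devices absent from `approved`.

    Result shape: {device_id: {"type": str, "users": set, "requests": int}}
    """
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, device_id, device_type = parsed
        entry = seen.setdefault(device_id, {"type": device_type, "users": set(), "requests": 0})
        entry["users"].add(user)
        entry["requests"] += 1
    return {d: e for d, e in seen.items() if d not in approved}


def summarize_by_platform(unapproved):
    """Count unapproved devices per DeviceType, the number management will ask for."""
    counts = {}
    for entry in unapproved.values():
        counts[entry["type"]] = counts.get(entry["type"], 0) + 1
    return counts


if __name__ == "__main__":
    unapproved = find_unapproved_devices(SAMPLE_LOG, APPROVED_DEVICES)
    print(f"{len(unapproved)} unapproved device(s) seen in the log:")
    for device_id, entry in sorted(unapproved.items()):
        users = ",".join(sorted(entry["users"]))
        print(f"  {device_id:12} {entry['type']:8} users={users} requests={entry['requests']}")
    print("by platform:", summarize_by_platform(unapproved))
```

Run against a real server's logs, the same grouping by DeviceId is what separates "lots of traffic" from "how many distinct devices, on which platforms, belonging to whom", which is the information Ivan needed to take to the CIO.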
Upon reporting this finding to Steve, the CIO, Ivan was asked to drop everything and make mobile device security his top priority. It was apparent that end users wouldn’t easily give up their new smartphones, and the increase in productivity was something the company would definitely benefit from. Plus, Steve viewed it as a cost-savings measure. Many of these users were previously on company-sponsored phone plans with their BlackBerry smartphones and were now paying for their own service. The company BlackBerry bill had gone down by almost 20% in the past three months!
Ivan was asked to figure out a mobile device security strategy for three different groups of employees: executives, enterprise salespeople, and, generically, all other employees who have mobile devices and wish to access e-mail and data from them. Throughout the book, we discuss the choices that AcmeGizmo has made in several key areas, corresponding to the following chapters:
In Chapter 4, we illustrate the security policies that Ivan has developed for the smartphones accessing the AcmeGizmo corporate network.
Chapter 5 ends with a discussion on AcmeGizmo’s control of applications, as well as its struggles with whether to monitor employee use of smartphones.
Chapter 6 discusses some of the special concerns that arise when AcmeGizmo attempts to provide access to some members of the Finance department who have access to point-of-sale transaction data for their retail stores. Ivan has a particular concern about their ability to meet the compliance requirements set by the Payment Card Industry (PCI) Security Standards Council.
In Chapter 7, AcmeGizmo decides to move forward with an SSL VPN solution, a consolidated product that can provide remote access from Windows laptops and various smartphones at the same time, simplifying operations.
The case study section in Chapter 10 shows how AcmeGizmo leverages a mobile security offering to embed endpoint security into every one of the smartphones accessing its corporate networks.
Chapter 11 illustrates what happens the day that Ed in engineering loses his smartphone, which has the company’s next-generation widget designs on it (certainly something AcmeGizmo does not want getting into the hands of its competitors).
Finally, in Chapter 12, we talk about the backup and restore strategy that AcmeGizmo implements for its smartphone devices.
Chapter 2
Why Do I Care? The Mobile Device Threat
In This Chapter
Recognizing the seriousness of mobile device security
Understanding the risks of having a compromised mobile device
Assessing the available tools
Planning to keep your devices secure
In the present day, employees are king, bringing with them (into the network) not one, not two, but sometimes three or more personal devices that have little or no corporate-approved applications; and yet they connect to the corporate network and chat, e-mail, talk, network socially, and connect to the cloud. It’s a bad horror movie, The Invasion of the Devices, and you’re the hero who’s being overrun.
These devices are highly customizable (unlike enterprise-issued laptops, which typically have a lot of restrictions tied to them in terms of what applications the employee can install). Therefore, the employee has a personal attachment to these devices and swears by them both at work and outside of work. And this phenomenon, which could be brushed off as an anomaly just a few years ago, is fast becoming the norm in enterprises, so you need to take notice.
Mobile device security isn’t a problem that you can just wish away. Employees will do things they shouldn’t, such as pick up malware from a free app they just downloaded to their BlackBerry. That leaves you — the IT professional with corporate responsibilities — to be accountable for preventing security breaches where possible and remedying a breach after it happens.
This chapter helps you understand the threat posed by unsecured mobile devices and explores the tools available to help secure them. In this chapter, you discover what the impact of smart devices in the enterprise means for maintaining data integrity, network utilization, user productivity, secure communication, device manageability, and compliance capabilities. You also find out how the device invasion compounds the security challenges you already have to assess. And finally, you discover what measures you need to put in place to secure the new enterprise mobile environment. To do that, first you must understand the problem that exists and make the case for why you should not quit, but instead form a plan to assimilate the invading hordes.
Recognizing the Scope of the Threat
If you have been on any planet but Earth, you can be forgiven for not having noticed the smartphone explosion. The rest of us who exist in Earth’s modern, connected society recognize this phenomenon. Smartphones will soon be arriving at your workplace in droves, if they aren’t already there.
A smartphone is just one type of mobile device that may show up in the workplace. Employees may also use other mobile devices (netbooks, tablet computers, or any other form of Internet-connected device) on a daily basis.
Despite the influx of mobile devices, their mere presence in the enterprise is not the problem. But considering the habits and practices of mobile device users who co-mingle work and personal activities helps you begin to outline the scope of the problem. For example, the devices your company’s employees use to read their work-related e-mail may also be the devices they use to post pictures and status updates on Facebook. Such practices expand the scope of your company’s responsibility for managing and monitoring mobile device use.
Consider the following interconnections and interactions that happen through mobile device use.
Loss, theft, and replacement
Your employees’ mobile devices may change hands for a number of reasons, exposing your company data to others.
Three main events take a mobile device out of your control:
Loss: Mobile devices are tiny, and your employees can lose them a lot easier than they can a desktop computer. Mobile devices can easily slide out of your employees’ pockets or purses.
Theft: These devices are very attractive to thieves because of their popularity and resale value.
Replacement: Your employees like to periodically upgrade their old phones to newer, sexier devices, and, as a result, sell or give away the older devices. So why do you care? Because these devices frequently contain proprietary enterprise information that can fall into the wrong hands.
Mobile Device Security For Dummies Page 5