Mobile Device Security For Dummies

Mobile Device Security For Dummies Page 9

by Rich Campagna


  Remotely controlling device security policies: The ability to remotely set device policies (including password policies, inactivity timers, application policies, and so on) enables you to control and change device policies from a central application on your network.

  Imagine you log on to a management console within your network and set a new password policy, requiring users to have a certain password strength. This policy should then propagate to all the connected mobile devices in your network, requiring all users to conform to your new password policy.

  Other items in this area include planning for backing up and restoring corporate data on the device, encrypting sensitive content, controlling the types of applications installed on the device, and taking action when the device is lost or stolen.

  Enforcing granular access control for users connecting from mobile devices: After you’ve put a plan in place to secure mobile devices, think about what types of applications you want users to be able to access from their mobile devices, and for which groups or users. For example, you should grant application access only to those users who absolutely need it. Granular access control refers to policies that restrict access by group: finance-related applications only to your corporate finance group, HR applications only to the HR group, and so on. Managing and enforcing granular access to applications and data is critical for a successful mobile policy implementation.

  Sophisticated smartphones can be used to access corporate e-mail, web-based applications such as the intranet through the browser, or even client-server applications such as Oracle or SAP. Consider which of these applications you are willing to enable on mobile devices, and for which users.

  This also includes enforcing strong authentication and authorization policies for users when they log in from mobile devices. Ideally, you want to enforce the same authentication methods from mobile devices, including multifactor authentication (authentication based on two or more factors), as you do on regular laptop or desktop computers.

  We discuss these areas of your mobility policy in more detail in the sections that follow.

  Protecting mobile devices from malware

  Applications are deployed to mobile devices such as tablets and smartphones from respective app stores or markets. The number of app downloads from such markets now ranges in the billions on smartphones worldwide.

  When your company’s employees use third-party apps for applications like online banking, checking corporate e-mail, and playing interactive games with their friends, these devices become appealing targets for hackers. Because many of these devices run relatively new operating systems like Android, Symbian, and iOS, hackers fancy their chances of exploiting platform vulnerabilities to steal information from these devices.

  Market research shows a rapidly increasing occurrence of mobile malware from 2008 to 2010. This increase is in line with the corresponding rapid increase in device options available in the market. So, if you are going to allow smartphones to access your critical corporate data, it would be prudent to plan for a scalable (adaptable) and reliable way of protecting them and your network from malware.

  There are two broad options available for providing threat protection on smartphones and other mobile devices:

  Client-based mobile endpoint security software

  Cloud-based software

  We discuss these options in more detail in the following sections.

  Client-based mobile endpoint security software

  In this type of deployment, an actual client software app protects the device from viruses, malware, spam, and other threats. This is similar to how client endpoint software is deployed on regular Windows computers. Software available for mobile devices is usually designed to run in the background, scan the device periodically for threats, and introspect (analyze) data received on the device for viruses and malware. Such software typically alerts the user when a threat is detected, and automatically quarantines or deletes the source of the threat as well. Symantec, Trend Micro, F-Secure, McAfee, and Juniper offer client software–based mobile security solutions.

  Software applications are typically deployed to mobile devices in one of two ways:

  Downloaded via the app store by the users themselves or deployed via a mobile device management system by the IT department.

  Deployed automatically over the air (OTA) from a server that the device connects to. This approach typically happens with no user intervention.

  Virus signatures are typically updated in a central system periodically. Then devices either download the signatures at regular intervals or they’re pushed out to devices periodically.

  With client-based software, there are some basic things to watch out for while shopping for a suitable mobile endpoint security solution:

  Determine what device resources are used by the software. You certainly do not want to deploy client software that drags down the performance of the device. So look for the following attributes while narrowing your options:

  • Size of the client software: Needless to say, the smaller the client, the better.

  • CPU utilization: The software should run as unobtrusively as possible, reducing any impact on the user’s activity on the device. If running the application slows down the entire device, then it is apparent that the application is taking up a lot of system resources to function.

  • Memory utilization: The software should consume as little memory as possible. Again, like the impact on CPU utilization, when an application consumes too much memory, it drags down the performance of the device in general.

  Avoid software that is ported to a mobile platform from Windows. Beware of options that are essentially desktop endpoint software ported to mobile platforms. Porting, in software development, refers to customizing software for a platform other than the one it was initially designed for.

  Several vendors offer endpoint security software for Windows platforms. When you shop for mobile endpoint security software, make sure that the mobile endpoint software was designed from the ground up for each specific mobile platform.

  Investigate options that allow for simple deployment of the software to mobile devices. You don’t want the IT department to have to deploy the software manually to every mobile device used by employees. A simple deployment mechanism like OTA or availability in the app store is probably most desirable.

  Cloud-based security

  In this type of deployment, the actual threat protection happens in the cloud or centralized data center of the endpoint software vendor. Traffic to and from the mobile devices is redirected on the device to the cloud for malware detection.

  Typically, this option includes no client-side software and relies instead on each application to take appropriate action when a threat is detected. For example, content downloaded from websites is inspected in the cloud before it’s delivered to the mobile device browser. If a threat is detected in the web content, the cloud service indicates so, and the browser displays an appropriate message to the user. Zscaler, ScanSafe (now owned by Cisco), Symantec, and McAfee offer cloud-based mobile security solutions.

  If this cloud model of endpoint security is what you need, make sure you analyze the following aspects of the solution:

  Security between the mobile device and the cloud service: If both Internet traffic and corporate traffic (such as e-mail and intranet browsing) are sent to the cloud, you should make sure that the traffic is flowing over a secure tunnel. You don’t want anyone sniffing on the traffic that may carry sensitive data. Be sure to check with the cloud service vendor regarding the security between the mobile device and the cloud service.

  Latency introduced by the cloud service: If data sent and received by the device hits the cloud service before heading to its destination, make sure that the cloud service is rapid in its response. Otherwise, the user experience on the mobile device will be adversely affected. The latency is apparent from the user experience when the cloud service is enabled, compared to the situation when it is not enabled. If the cloud service adds a lot of latency, then the user’s browsing and other application access are slower.

  Many cloud-based solutions offer protection against web-based threats for information accessed via web browsers. Mobile devices, however, are not only vulnerable to threats via web browsers but are also susceptible to receiving malicious content via MMS, SMS, or e-mail. Be sure to investigate options that provide holistic device protection for your employees’ mobile devices.

  Managing device policies remotely

  Now that you’ve thought about securing the mobile devices on your network from threats like viruses and malware, it’s time to plan for remotely enforcing policies for device management or security.

  No matter how powerful the endpoint security software is on the device, the following types of user behavior pose direct risks of losing valuable data on the device:

  Not locking the device

  Not setting a secure password (for example, having “1234” or “abc123” for a password!)

  Storing passwords in third-party apps, such as online banking apps or an Oracle app that can directly access the latest sales pipeline

  You get the idea. We’re talking about device security etiquette, about taking the simple yet often-ignored steps for protecting vital data stored on the device.

  There are two broad categories of actions you will need to take on mobile devices in your network:

  Mobile device management: Remotely managing the devices, including enforcing the need for a passcode or deploying a set of corporate-approved mobile apps to them.

  Remote device security: Remotely securing the devices, including taking preventive action when the devices are lost or stolen.

  Configuration and application management

  Similar to how you deploy software systems to manage desktop and laptop computers, you need to think of software that can manage the diversity of mobile devices available in the market.

  For example, the BlackBerry Enterprise Server is an excellent candidate, but it falls short on one major area: It is a solution only for the BlackBerry. It doesn’t help manage other types of devices, such as those running iOS, Android, or Windows Mobile.

  Remote device management policies typically include configuration management and application management as follows:

  Configuration management: Involves deploying IT-approved software versions of supported mobile platforms. It is ideal to find a single solution that can manage the configuration for a heterogeneous mix of mobile devices. If you cannot find a single solution that can do so, try to minimize the number of systems you would need to deploy. Configuration management includes things like managing the OS version of mobile devices and application and security patches, or supporting any other desired corporate policy.

  Application management: Involves controlling the apps deployed on mobile devices. If you’re worried about mobile devices on your network running apps that you’ve never heard of or apps that are known to be insecure, plan for deploying application control policies to those devices. Such policies include viewing an inventory of all applications installed on devices in your network and being able to view the details of each application and the devices running it. You should also be able to select a particular application and either uninstall it from users’ devices or send messages to users that those applications are not corporate-approved and must be uninstalled.

  This is similar to certifying certain applications as safe applications, depending upon the criteria of your choice. This could enable you, for example, to deem certain apps forbidden within your network, or restrict all mobile apps to a predefined list you come up with. If you desire some level of application enforcement and control, be sure to evaluate vendors that can restrict applications installed on mobile devices to a predefined set.

  Backup and restore: Make sure you think of a way that you can back up contents of mobile devices running in your network. This is as important as backing up contents of desktop and laptop computers. Having a sound system in place for this critical function could make a great difference in improving the productivity of mobile device users, who should be able to replace devices easily if you back up their data.

  This function enables backing up data from employees’ mobile devices and allows seamless restoration of data, potentially to a replacement device running a different mobile platform. If your enterprise IT can do so, it’s a valuable service for employees, as well as an assurance to you that users will be productive immediately after moving from one device to another. This is like replacing laptop computers for users, with their data restored immediately to the new laptop.

  Chapter 12 describes the backup and restore policies in more detail, including the selective backup of certain content on corporate-issued versus employee-owned devices.

  Security of lost and stolen devices

  There are various actions you need to take when an employee reports a lost or stolen device. You should be able to do the following:

  Remote lock: Remotely lock the device so nobody can log in to it.

  Remote alarm: Remotely set off an alarm so that the device makes itself heard!

  Remote location: Remotely find the device using its GPS capabilities.

  Remote wipe: If all else fails, and if you are sure the device is lost, you should be able to wipe the device clean of all or selective data.

  So protection against loss and theft is an example of securing devices remotely when corporate data is at risk of being lost on them. Other types of security policies include setting password policies, such as the required strength of the password, or setting an inactivity timer to automatically lock the device.

  Even after deploying a best-of-breed security solution for mobile devices, make sure that employee carelessness does not become the weakest link in your security implementation. Be sure to set password policies requiring a password on every mobile device, and impose an inactivity timer on every mobile device. Doing so prevents the leaking of corporate data via eavesdropping or other means when mobile devices are not sufficiently secured.
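The remote policies discussed in this part of the chapter (a password policy and inactivity timer set once in the management console, an approved-application list, and lock or locate actions for a device reported lost) can be made concrete with a small policy evaluator. The following is an added example written for this chapter, not code from the book or from any MDM product; the policy fields, the check-in report format, the app identifiers, and the sample check-ins are all constructed assumptions.

```python
"""Central mobile device policy evaluation.

Added illustration, not code from the book or from any MDM product.  The
policy fields, the check-in report format, the app identifiers and the sample
check-ins are constructed assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePolicy:
    """Policy an administrator sets once in the management console."""
    min_passcode_length: int = 6
    require_letters_and_digits: bool = True
    # Trivially guessable passcodes that are rejected outright.
    banned_passcodes: frozenset = frozenset({"1234", "0000", "abc123", "password"})
    max_inactivity_seconds: int = 300
    # Corporate-approved apps; anything else is flagged for removal.
    approved_apps: frozenset = frozenset({"com.example.mail", "com.example.vpn"})


@dataclass(frozen=True)
class DeviceReport:
    """What a managed device sends at check-in (constructed format)."""
    device_id: str
    passcode_set: bool
    inactivity_seconds: int     # auto-lock timer currently configured on the device
    installed_apps: tuple
    reported_lost: bool = False


def check_passcode(policy: DevicePolicy, candidate: str) -> list:
    """Run on the device, or at enrollment, when a user chooses a passcode.
    Returns the policy violations; an empty list means the passcode is acceptable."""
    violations = []
    if candidate.lower() in policy.banned_passcodes:
        violations.append("passcode is on the banned list")
    if len(candidate) < policy.min_passcode_length:
        violations.append(f"passcode shorter than {policy.min_passcode_length} characters")
    if policy.require_letters_and_digits:
        has_letter = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        if not (has_letter and has_digit):
            violations.append("passcode must mix letters and digits")
    return violations


def evaluate_report(policy: DevicePolicy, report: DeviceReport) -> list:
    """Compare one check-in against the policy and return the remote actions the
    console should issue, as (action, argument) pairs in priority order."""
    if report.reported_lost:
        # Loss or theft takes precedence: lock and locate immediately.  Wiping
        # stays a separate, deliberate decision once the device is confirmed lost.
        return [("remote_lock", None), ("remote_locate", None)]
    actions = []
    if not report.passcode_set:
        actions.append(("require_passcode", None))
    if report.inactivity_seconds > policy.max_inactivity_seconds:
        actions.append(("set_inactivity_timer", policy.max_inactivity_seconds))
    for app in sorted(report.installed_apps):
        if app not in policy.approved_apps:
            actions.append(("uninstall_app", app))
    return actions


def evaluate_fleet(policy: DevicePolicy, reports) -> dict:
    """Map each device id to its required actions; a compliant device maps to []."""
    return {r.device_id: evaluate_report(policy, r) for r in reports}


# Constructed sample check-ins from three devices.
SAMPLE_REPORTS = (
    DeviceReport("phone-01", True, 300, ("com.example.mail",)),
    DeviceReport("phone-02", False, 900, ("com.example.mail", "com.example.flashlight")),
    DeviceReport("phone-03", True, 120, ("com.example.vpn",), reported_lost=True),
)

if __name__ == "__main__":
    policy = DevicePolicy()
    for device, actions in evaluate_fleet(policy, SAMPLE_REPORTS).items():
        print(device, actions or "compliant")
    print("1234 ->", check_passcode(policy, "1234"))
```

The passcode check runs where the passcode is chosen, because a real device never reports its passcode to the console; the console only learns whether one is set. Keeping the lost-device branch ahead of the other checks mirrors the priority the chapter gives to lock and locate, while the wipe remains a deliberate, separate step.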

  Enforcing granular access control

  If you’ve taken the advice we give earlier in the chapter, you’ve begun to devise a plan to secure mobile devices from malware and viruses, and you’ve also planned on managing these devices remotely, including being able to remotely wipe or lock them. The third step of ensuring that these devices are corporate-ready is to enforce granular access control on users connecting from these devices.

  You may not want to enable all mobile device users to have the same access privileges as they do on their regular Windows or Mac computers. For example, you may not want all mobile users to have full network access, including access to your corporate customer relationship management application that tracks the latest sales deals. You may want to enable only access to e-mails or certain web-based applications to some groups of users.

  Another key item of access control is the authentication policy itself. When allowing users to access corporate resources from mobile devices, do not relax any of the security policies that enforce strong authentication on those users. Decide which authentication methods to enforce on mobile device users, and which backend systems you will need in place accordingly.

  Finally, the key to a scalable mobile infrastructure is to have a single place for managing all your policies of access control, authentication, and policy enforcement. If you have a VPN solution in place, you probably already have policies that control access to applications for specific groups of users. This is the piece that binds it all together: How should you extend the policies on such a centralized VPN system to mobile security?
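A deny-by-default rule set in which the user’s groups and the class of the connecting device together decide what is reachable is one way to express the granular access control described above, with the same central policy serving desktop and mobile users. The following is an added example written for this chapter, not code from the book or from any VPN or access gateway product; the group names, application names, user directory, and rule format are constructed assumptions.

```python
"""Granular, deny-by-default access control for users on mobile devices.

Added illustration, not code from the book or from any VPN or access gateway
product.  The group names, application names, user directory and rule format
are constructed assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    group: str                  # user group the rule applies to
    application: str            # application the rule grants
    device_classes: frozenset   # device classes the grant is valid from


# One central rule set serves desktop and mobile users alike; the device class
# decides how much of it applies.  Anything not listed here is denied.
ACCESS_RULES = (
    AccessRule("all-employees", "email", frozenset({"desktop", "mobile"})),
    AccessRule("all-employees", "intranet", frozenset({"desktop", "mobile"})),
    AccessRule("finance", "finance-erp", frozenset({"desktop"})),   # not from phones
    AccessRule("hr", "hr-portal", frozenset({"desktop", "mobile"})),
    AccessRule("sales", "crm", frozenset({"desktop"})),             # deal data stays off phones
)

# Constructed directory: which groups each user belongs to.
USER_GROUPS = {
    "alice": frozenset({"all-employees", "finance"}),
    "bob": frozenset({"all-employees", "sales"}),
    "carol": frozenset({"all-employees", "hr"}),
}


def authorize(user, application, device_class, rules=ACCESS_RULES, directory=USER_GROUPS):
    """Return (allowed, reason).  Access is denied unless a rule matches one of the
    user's groups, the requested application and the class of the connecting device."""
    groups = directory.get(user)
    if groups is None:
        return False, "unknown user"
    matching = [r for r in rules if r.application == application and r.group in groups]
    if not matching:
        return False, f"no rule grants {application} to any of {user}'s groups"
    for rule in matching:
        if device_class in rule.device_classes:
            return True, f"granted via group {rule.group}"
    return False, f"{application} is not permitted from {device_class} devices"


def applications_for(user, device_class, rules=ACCESS_RULES, directory=USER_GROUPS):
    """List the applications a user may reach from the given device class."""
    groups = directory.get(user, frozenset())
    return sorted({r.application for r in rules
                   if r.group in groups and device_class in r.device_classes})


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, "mobile:", applications_for(user, "mobile"),
              "desktop:", applications_for(user, "desktop"))
    print(authorize("alice", "finance-erp", "mobile"))
```

Because the rule set is the only source of grants, adding a mobile entitlement is a matter of adding "mobile" to one rule’s device classes, and nothing a user can reach from a phone goes beyond what the same rules give them at a desk.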

  The following sections discuss the key elements of implementing a flexible access control solution for mobile devices.

  Authenticating users

  The most fundamental requirement for allowing mobile devices within the enterprise is to have a solution in place to authenticate the users of those devices. It is common to use the following methods to authenticate mobile device users:

  Authenticate using username and password.

  Authenticate using a certificate deployed to the mobile device.

  Authenticate using one-time passwords or security tokens. A one-time password expires after a single use, so an attacker who captures it cannot use it again. Such passwords are usually issued by tokens, either hardware dongles from vendors like RSA or software applications that generate a new password each time.

  Authenticate using smart cards.

  Many enterprises implement dual-factor or multifactor authentication systems, which means that multiple authentication methods are cascaded one after the other, to enforce strong authentication. For example, a user may be prompted to authenticate using her username and password, and then prompted again to authenticate using her one-time password and PIN.

  Ideally, you want to leverage the same authentication infrastructure to authenticate mobile devices as for regular Windows, Mac, or Linux systems. For example, if you’ve already deployed RSA SecurID two-factor authentication for regular desktop and laptop systems, enforce the same level of security on mobile devices as well. This will save you time, money, and hassles.
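The single-use property of one-time passwords and the cascaded login (username and password, then PIN plus token code) described above can be shown end to end with the open HOTP algorithm from RFC 4226. The following is an added example written for this chapter, not code from the book or from any token vendor; the book mentions RSA tokens, but this example uses standard HOTP rather than any vendor’s scheme. User names, passwords, and PINs are constructed, PBKDF2 for stored credentials is a choice made here rather than something the book prescribes, and the 20-byte secret with its codes for counters 0 through 9 are the published RFC 4226 test vectors.

```python
"""One-time passwords (HOTP, RFC 4226) enforced as single-use, cascaded behind a
password check as a second factor (PIN plus token code).

Added illustration, not code from the book or from any token vendor; the book
mentions RSA tokens, but this example uses the open HOTP algorithm rather than
any vendor's scheme.  User names, passwords and PINs are constructed; the
20-byte secret and the codes for counters 0-9 are the RFC 4226 test vectors.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a shared secret and a moving counter (RFC 4226, section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side OTP check that remembers each user's last accepted counter, so
    a code can never be accepted twice even if an attacker replays it."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead     # tolerate a few unused token presses
        self.state = {}                  # user -> (secret, last accepted counter)

    def enroll(self, user: str, secret: bytes) -> None:
        self.state[user] = (secret, -1)

    def verify(self, user: str, code: str) -> bool:
        secret, last = self.state[user]
        # Only counters strictly after the last accepted one are candidates;
        # this is what makes the password one-time.
        for counter in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.state[user] = (secret, counter)
                return True
        return False


def _stretch(secret: str, salt: bytes) -> bytes:
    """PBKDF2 for stored passwords and PINs (choice for the example, not from the book)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Authenticator:
    """Cascaded authentication: username/password first, then PIN + one-time password."""

    def __init__(self):
        self.users = {}                  # user -> (salt, password hash, PIN hash)
        self.tokens = TokenVerifier()

    def add_user(self, user: str, password: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _stretch(password, salt), _stretch(pin, salt))
        self.tokens.enroll(user, token_secret)

    def login(self, user: str, password: str, pin: str, otp: str) -> tuple:
        record = self.users.get(user)
        if record is None:
            return False, "unknown user"
        salt, password_hash, pin_hash = record
        if not hmac.compare_digest(_stretch(password, salt), password_hash):
            return False, "first factor failed"
        if not hmac.compare_digest(_stretch(pin, salt), pin_hash):
            return False, "second factor failed: PIN"
        if not self.tokens.verify(user, otp):
            return False, "second factor failed: one-time password rejected"
        return True, "authenticated"


RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("alice", "correct horse battery", "4321", RFC4226_SECRET)
    print(auth.login("alice", "correct horse battery", "4321", hotp(RFC4226_SECRET, 0)))
    print(auth.login("alice", "correct horse battery", "4321", hotp(RFC4226_SECRET, 0)))  # replay
```

The second login in the usage block fails even though the code was valid a moment earlier, because the verifier only searches counters beyond the one it last accepted; that counter bookkeeping, not the code’s format, is what makes the password one-time. A failed password or PIN returns before the token is consulted, so a rejected first factor does not burn a token code.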
