Five things to consider for a mobile security policy

Mobile is the new endpoint in IT. But organizations are still struggling with mobile security. Aaron Rhodes of Neohapsis lists five steps to take when developing a corporate mobile security policy.

Last week, news broke that Samsung was pushing into the federal space and is close to inking a deal with the FBI and the U.S. Navy. While that story hinges on the shift from BlackBerry to Android and Apple in the secure mobile space, it also singles out the fact that BYOD isn't a buzzword — it's a reality within IT operations.

However, as the network expands outward from the office walls into hotels, conferences, and even the home, the IT department (or the security staff within) gains additional workloads as they are charged with protecting new assets and lines of information.

According to research from Forrester, 29 percent of the global workforce are information workers. Information workers use three or more devices, work from multiple locations, and use several apps in order to get the job done; a familiar description to anyone who has ever managed an IT department.


In fact, Forrester notes that before the end of the year, BYOD will impact more than 600 million employees worldwide, all of them falling under the category of information worker. Such growth will see enterprises moving to alter existing policies or adapting new ones in order to include mobile.

In an email exchange with CSO, Aaron Rhodes, Senior Security Consultant at Neohapsis, a security and risk management firm that specializes in mobile and cloud, offered five steps that all organizations need to take when developing corporate security policies that focus on or include mobile.

  • Set a strategy: "Start mobile initiatives with a fully fleshed-out plan; your strategy should take a holistic view of security with an overarching security framework. Inventory the types of data your mobile workforce accesses on phones and tablets, and treat smart phone and device security just like you would internal systems on the network," Rhodes said.

    When it comes to an "overarching security framework," the idea is to make sure that smart devices that store sensitive data have a home within the rest of the organization's security policies and strategy, Rhodes explained when asked to expand on his statement.

    "Simply, a section of the policies and process decisions should be devoted to mobile devices. Consider the mobile IT footprint of your organization in the context of the rest of your assets."

    Questions to answer for such considerations include: What types of access do the various mobile devices on the network have? What types of data are stored on them? Who is using them? How are they currently being managed, and is that enough, or does it need to change?

    When it comes to treating smartphones as if they were internal systems, Rhodes said that one example is to look at how similar mobile devices are to the systems already in place on the network. It's a simple fact that mobile devices can maintain connections to internal corporate assets and services, and those channels and the devices that use them need to be protected and managed.

    "A smartphone may contain a mobile VPN client which allows the user to access internal resources on the corporate network such as internal web applications in the same way they would from an internal desktop machine on the company LAN," he said.

    Addressing another point, CSO asked Rhodes to offer his advice for creating an inventory of data, as well as for prioritizing risks and choosing Mobile Application Management / Mobile Device Management (MAM/MDM) controls. His first thought turned to risk, noting that it is important to identify the types of exposures that could cause harm to the company. For mobile, the most common event is the loss of a mobile device due to a mistake on an employee's part or outright theft.


    "The MAM/MDM solutions that I've worked with have policy options which can help to mitigate the risks from corporate data leakage when devices go missing. Policies such as requiring encryption of on-device email, PIN number entry, and even 'remote wipe' features can help when a device is lost," he said.

    "As far as prioritizing the exposure of mobile devices compared to the rest of the infrastructure, it's important to keep improving the overall security posture of your network, and considering mobile devices another piece of that."

  • Plan well: "Set a specific timeline, with goals and milestones along the way. Put aside time for research, too. If you're getting new products such as MDM/MAM (Mobile Device/Application Management) systems, consider which is the easiest to integrate with your current IT architecture," Rhodes said.

    Expanding on this, CSO asked Rhodes to list examples of things to avoid and/or look for when it comes to research. For example, what are some areas that may seem harmless, but are actually signs of incompatibility or something that may cause problems down the line?

    "One thing to look for when considering your mobile management strategy is to determine if you already have existing tools that fit the bill for managing your mobile devices. Get involvement from the technical leadership on your IT staff, and determine what capabilities you may already possess," he explained.

    "For example, Microsoft Exchange has capabilities to interact with mobile devices and enforce security policy on them to improve the security of mobile email. When you are shopping for MDM/MAM solutions, realize there are a plethora of offerings out there. [Perhaps] an existing vendor you already use has an MDM offering that could make integration easier. Examine the feature sets, and make sure that the mobile devices in use at your organization are supported."

  • Establish policy: "Creating and administering guidelines will help prevent confusion about how company data and email can be used on mobile devices, and this in turn will encourage users to exercise caution. More importantly, if there's a problem, they can't claim ignorance," Rhodes said.

    When CSO asked for his suggestions on enforcement, Rhodes said that there are two primary ways for this to take place. The first is via technical controls that are implemented to prevent security problems — such as encryption, PIN codes, the ability to wipe the device remotely, and so on.

    "Additionally, there is a user awareness component to computer security that should be remembered as well. Building good habits in your users through awareness training and reminders can help improve your organization's security as well."

    Moreover, CSO asked Rhodes to list some of the more common line items in such policies:

    • Mobile devices must be password protected
    • Mobile devices must use device encryption before accessing corporate e-mail
    • Mobile devices may not be "rooted" or "jailbroken"
    • Mobile devices must be managed by the corporate IT department using the corporate approved MDM system
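The four line items above, and the MDM policy options Rhodes describes earlier (encryption, PIN entry, remote wipe), are only useful if something checks devices against them and maps each violation to a technical control. The following is an added example, not code from the article or from Neohapsis: it evaluates a constructed device inventory (the kind of record an MDM export would contain) against the four rules and returns an access decision. The `Device` fields, the rule names and the allow/quarantine/block ladder are assumptions for illustration, not any vendor's product logic.

```python
from __future__ import annotations
from dataclasses import dataclass


# Constructed record shape (assumed, not from the article): one row per
# device as an MDM or mail-server inventory might report it.
@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str
    passcode_set: bool
    storage_encrypted: bool
    rooted_or_jailbroken: bool
    mdm_enrolled: bool
    has_corporate_email: bool


# The four policy line items, each as a predicate that is True when the
# device VIOLATES the rule. Encryption is only demanded once the device
# actually carries corporate e-mail, matching the wording of the policy.
POLICY_RULES = [
    ("password_required", lambda d: not d.passcode_set),
    ("encryption_before_email",
     lambda d: d.has_corporate_email and not d.storage_encrypted),
    ("no_root_or_jailbreak", lambda d: d.rooted_or_jailbroken),
    ("mdm_managed", lambda d: not d.mdm_enrolled),
]


def violations(device: Device) -> list[str]:
    """Return the names of every policy rule the device breaks, in rule order."""
    return [name for name, broken in POLICY_RULES if broken(device)]


def access_decision(device: Device) -> str:
    """Map violations to the control an MDM would enforce (hypothetical ladder).

    'block'      - rooted/jailbroken: the OS controls the other rules rely on
                   (passcode, encryption, MDM agent) can no longer be trusted.
    'quarantine' - unmanaged, no passcode, or unencrypted with corporate mail:
                   permit only enrollment/remediation traffic until fixed.
    'allow'      - compliant with all four rules.
    """
    found = set(violations(device))
    if "no_root_or_jailbreak" in found:
        return "block"
    if found & {"mdm_managed", "encryption_before_email", "password_required"}:
        return "quarantine"
    return "allow"


def compliance_report(devices: list[Device]) -> dict[str, dict]:
    """Per-device summary suitable for a periodic compliance review."""
    return {
        d.device_id: {"owner": d.owner,
                      "violations": violations(d),
                      "decision": access_decision(d)}
        for d in devices
    }


# Constructed sample inventory: not real devices or users.
SAMPLE_INVENTORY = [
    Device("ios-0001", "alice", "iOS", True, True, False, True, True),
    # corporate mail configured but storage encryption never turned on
    Device("and-0002", "bob", "Android", True, False, False, True, True),
    # rooted, no passcode, never enrolled
    Device("and-0003", "carol", "Android", False, True, True, False, False),
    # personal device, not yet enrolled, no corporate mail
    Device("ios-0004", "dave", "iOS", True, True, False, False, False),
]


if __name__ == "__main__":
    for dev_id, result in compliance_report(SAMPLE_INVENTORY).items():
        issues = ", ".join(result["violations"]) or "compliant"
        print(f"{dev_id:10} {result['owner']:8} {result['decision']:10} {issues}")
```

The decision ladder is the part worth arguing about in a real policy: a rooted device is blocked outright rather than quarantined because the passcode, encryption and MDM-agent checks all depend on an intact OS, whereas the other violations are conditions the user can remediate through the MDM itself.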
  • Train: "Most people simply aren't aware that their actions on mobile devices (company-owned or not) can have dire consequences for the entire organization. Teaching your employees about the risks and how to mitigate them can help avoid catastrophe," Rhodes said.

    Some examples of said risks include running code from untrusted app stores (also known as sideloading), running programs received from untrusted parties via email, failure to use passwords, losing a device, and ignoring pop-up warnings when using an untrusted Wi-Fi connection.

    But when it comes to the awareness training, what are some areas that are essential for organizations to focus on?

    "The phrase 'if you see something, say something' comes to mind. Simply telling employees that there are risks, and giving them good contact points to call in case they have a security-relevant event (lost device, malware, etc.) is critical. Prevention is important but not foolproof, so having proper response processes in place is essential."

  • Comply: "Keep compliance requirements in mind when deciding company policy. Remember, all company data housed on mobile devices is subject to the same regulatory mandates as other IT systems," Rhodes said, concluding his top-five list.

    During the research phase mentioned previously, compliance support should be one of the main things to look for in MDM / MAM offerings. It's also important to note how well such offerings can be implemented on the existing infrastructure, and the kinds of additional overhead they'll produce.

    "Compliance rules do tend to drive security requirements in organizations that fall under them. Some MDM/MAM offerings have special features of their products which support legal requirements. Using existing infrastructure is definitely important as well. If a system is put in place that fits well into your infrastructure, it is more likely that operators will use the system to its full capability to improve security."
