5 Steps for Achieving Effective Mobile Security Governance

Advanced mobile devices—iPhone, BlackBerry and other handhelds—have created a growing wireless mobility environment for business, personal communication and entertainment. However, their growing use has also led to a faster increase in the depth and breadth of mobile security threats. Using a mobile device to access corporate information systems can potentially create a hole to corporate security if not protected and used properly. In a recent report from CSI, the theft or loss of corporate proprietary and customer information by mobile devices is nearly half of all sources. Data breaches are real to nearly every organization of virtually any size, from the big multinational corporation to the small to medium business, including device loss, theft, misuse, and unauthorized access to corporate network and data disclosure.

Enjoying many advantages in productivity, efficiency and flexibility, many current security efforts in organizations may lag behind exposures and risks. Organizations are either not fully aware of existing security issues facing the organization or simply treating these issues as a sole IT task. Very likely, such issues often remind IT managers to look into a number of technologies or software tools, such as firewall, antivirus software, file encryption, etc. Not surprisingly, this often leads to an insufficient or failed effort. Merely focusing on technologies cannot conquer the organization’s weaknesses in employees’ behavior, and inherent gaps in policy and management processes.

Rapid development of mobile technologies and applications has increasingly changed the way organizations do business, as well as their risk management environment. To effectively minimize an organization’s security risks requires a corporate wide effort in security strategy, policy development, employee training and revised IT infrastructure. Here are five steps of how to achieve effective mobile security governance:

Knowing Your Mobile Environment Risks

Using mobile devices to get a job done anywhere as you move is a great benefit to many organizations. But the reality is that organizations at the same time also face a variety of unprecedented exposures and risks. These risks are a result of potential exploitations of weaknesses in technology, organization and its employees. Each year, millions of mobile devices are lost, stolen or discarded with personal information still in device memory. Loss of a mobile device that contains personal identity and network access credentials opens an organization for unauthorized network access and intrusion. Mobile data disclosure of business confidential information and personal records puts an organization at high risk of legal and regulatory compliance.

To develop an effective mobile security strategy, it is essential to understand an organization’s mobile security risk profile. The fundamental questions include:

• What are the corporate mobile data assets that require protection?
• What, how and where the corporate data systems are accessed by mobile employees?
• How mobile devices are being used, protected and managed?
• Do employees know the procedures in responding to an incident?

To fully determine an organization’s mobile security posture, a comprehensive security assessment against an organization’s specific business environment is needed.

Developing an Effective Mobile Security Policy

Lack of an effective mobile security policy is a fundamental root cause for many failed security efforts. The policy must be risk-based, covering all identified risks on mobile devices, both organization-issued and individually owned, and all user groups, including regular employees and temporary contractors.

The policy development process should determine which applications are to be made available to which mobile user group and on what types of devices. Typical mobile applications may include email, sales force automation, field service applications, dispatching, extended CRM, etc. These applications can drive productivity and revenue growth if deployed and managed securely.

An effective security policy needs to clearly translate regulatory compliance requirements into organization’s risk management processes and procedures to protect data from loss or compromise. It also needs to speak clearly on user’s responsibility for device configuration, its usage, data backup and protection. The information stored on a mobile device should be limited to what is required while on the move.

In addition, the policies must be enforceable via active IT monitoring and software tools. Organizations should regularly review the policies to take into account of any new security threats associated with business environment changes.

Ensuring Employees’ Responsibility and Awareness

The employee is a great factor for both good and bad in mobile security. In a recent CSO survey, 28% of all mobile users use their mobile devices to access the Internet, and 86% of them admitted to having no mobile security. A careless or security-unconscious user can easily put an organization’s confidential information at risk.

Lack of mobile user training and awareness is a major factor that contributes to many user errors and incidents. A less-trained user may not even know a procedure to handle security. In some cases, a mobile user may simply bypass any required configuration procedures in order to get a job done.

Employee education and awareness should become a valuable corporate culture. A well trained employee can help an organization to greatly minimize mobile security risks. [See also Security Awareness Programs: Now Hear This!] It is critical that all security policies should get buy-in from lines of business leadership, end users and support team across the organization.

Organizations should put employees in a driver seat for an effective security governance effort. They can become a most critical layer of security defense in any risk mitigation strategy.

Establishing a Baseline Security Configuration

As the use of mobile technologies in business increases, more and more critical business and sensitive personal information is being collected, processed and transmitted over shared wireless networks. Mobile devices need to be configured adequately to protect the device itself and data on it from unauthorized use, data disclosure and malicious attacks.

During a planning phase of mobile device deployment, all devices should be considered to meet a baseline requirement in terms of corporate security policy. A baseline security configuration may include:

• Password protection at power-on
• File or directory encryption
• VPN for email and internal network access
• On-device firewall
• AV software
• Latest security patches

Enforcing the baseline security configuration for all devices can help an organization to establish a bottom-line of defense from each device. Similar to an Internet facing device hardening, on-device resources, wireless interfaces, e.g. WiFi, Bluetooth, RFID, wireless printer, and application functions should be minimized to reduce the likelihood of wireless attacks.

Building a Mobile Aware IT infrastructure

Organizations may have well defined IT tools in place to manage enterprise systems (e.g., servers, networking and storage). As advanced mobile devices become increasingly used in business applications, their roles have been quickly shifting from email access to business-oriented transactions with back-end database systems (e.g. ERP, CRM and SFA). In the meantime, the growing business mobility is taking traditional IT boundary outside an organization’s perimeter.

Organizations need to implement strong authentication and user role-based data access and distribution. Strong password enforcement, including two-factor authentication (e.g. software token) for a particular user group for additional security, should be performed. Existing network-based segregation or zoning should be revised to be data centric and extended to mobile users and devices.

To avoid increased integration cost, and later challenges in software support and upgrade, organizations should plan a centralized device management solution at the time of device deployment, ideally to be directly integrated with existing IT systems for network, application, server and device. A number of advanced solutions exist today that can support multi-platforms on a centralized enterprise console. IT managers can achieve proactive controls over device usage, configuration setting, software update and security patching. In particular, remote password reset, device lock and wipe are necessary features in many cases. Such solutions should be deployed with little or no user involvement, easy integration with existing directory structure and good scalability for a large number of users with diversified devices and on different wireless networks.

Conclusion

Increased mobility has led to some incredible advances for organizations that can now conduct business anywhere and at any time. However, as we have explored this increase in mobility is coupled with rising security threats that could transform these benefits into a catastrophic security issue. Taking the proper steps and putting into place a risk control process to prevent these occurrences can go a long way. But it is also important to remember that it doesn’t end with the organization. The business AND the employees both need to do their part to ensure that best practices are followed and education is provided to increase security precautions. If everyone in the organization takes the responsibility to manage this task then an organization will achieve its goals in effective mobile security governance.

Robert Zhang, Ph.D, CISSP, CISM is a Principal Consultant at GlassHouse Technologies. He has been a lead security architect and has more than 13 years of hands-on experience in 2G/3G wireless networks, Wi-Fi, Wi-Max, Fixed-Mobile Convergence, and IMS deployment. Robert has also served as an information security practitioner with direct customer working experience in the US, Europe and Asia-Pacific.