Mobile device control: Get to yes


If you aren't already trying to figure out your mobile device security strategy, you soon will be. The rapid proliferation of these devices, their immense popularity, along with the obvious business uses, make them the next big challenge for security pros. As with any technology, mobile devices come with security issues that must be addressed before you allow them to be used in your environment.

Why are these devices so troublesome? The biggest issue is they are not created, marketed or sold with the enterprise in mind. They are intended to be purchased by individuals for personal use, which has two distinct consequences: The vendors do not provide adequate enterprise management tools, if they provide any at all, and the account you create on the device for the user is essentially an administrative account. Indeed, all the security incidents associated with these devices to date have been self-inflicted wounds perpetrated by users who installed malicious or insecure code onto their own devices.

Legitimate apps also add to the problem. Many apps provide functionality that isn't always obvious from their stated purpose and that might have serious unintended consequences. So what can we do? Banning these devices from your environment might last for a little while longer, but more than likely you will be purchasing a third-party solution to help manage and secure them in the near future. Before you go rushing to purchase one of the multitudes of mobile device management solutions that have appeared on the market, take a few moments to develop your list of requirements. Doing this first will ensure the tool you purchase will support your requirements rather than letting the feature set of available products define them for you.

As you develop your requirements, keep these key issues in mind:

How will mobile devices be used in your environment? Will the IT staff use them to provide support or troubleshoot issues? Will physicians use them to display images to patients or access personal health information (PHI)? Understanding how they will be used and by whom will help determine your requirements.

Be sure to require that the devices meet the same security standards you have already established for other IT resources.

Remember that these devices will spend most of their time on networks that are not under your control, either the carrier's data network or the closest available Wi-Fi network.

Finally, it is imperative that any technical controls implemented on the devices be enforceable and not able to be circumvented by the users. It simply does no good to invest time and money into any solution that can be easily defeated by the end-user.


[sidebar]

»Mobile use
How will mobile devices be used in your environment, asks Vicky Ames. Will users put sensitive corporate documents on them or use them to access internal systems while traveling?

»Security standards
The temptation to relax password policies or other requirements for these devices must be resisted, despite the best efforts of your users to convince you otherwise, she says.

»Multifunction apps
When looking for a document-reader app, Ames was hard pressed to find one that didn't also come with an FTP server, wireless flash drive, easy link to the cloud and other features.

»Managing risk
Additional functions on an app are most helpful to end-users who share documents and files with their friends, but pose some significant concerns for IT security personnel.
