Securing mobile devices is a touchy proposition. It is, perhaps more than most computing environments, an environment in need of defense-in-depth. While that has long been the mantra of information assurance pros, it has become critical in an age of computing devices that are as easy to lose or steal as a pack of cigarettes or a pad of paper.
This month, we look at products that can secure mobile devices and we look at the basis for security in general: encryption. Encryption usually is our last resort. If all security measures fail, as long as the data is encrypted we are at least moderately safe from data compromise. It doesn't matter whether we are talking about data at rest or in motion. Encryption saves the day when all else fails. But, that does not mean that we can ignore the other protections.
Recently, I have had the unenviable task of writing a policy on mobile device security for the university where I teach. I say "unenviable" because this is a complicated area exacerbated by the bring-your-own-device (BYOD) trend now so prevalent. There are key protections in most competent policies. When you look at a mobile device security application, you should bear these protections in mind.
Before we address that piece, there is one other thing that complicates mobile device security even more - the wide variety of device types, applications, operating environments and implementations of those environments. That variety is almost out of control. Apple has reined in the app developer so that there is at least some consistency in iPad/iPhone/iPod implementations. However, Android is anything and everything the developer or the device manufacturer wants it to be. There is almost no consistency in how Android is implemented across manufacturers of phones and tablets.
We see this when performing mobile device forensics. It takes several forensic tools to cover the Android territory, whereas Apple products can be handled competently by most mobile device forensic tools. We see a similar issue when trying to secure these tools. Add to that the ease with which mobile devices can be rooted or jail-broken and securing the mobile landscape is a huge challenge. I question whether there actually is a "best practice" yet.
This means that most policies should include full encryption, forced password/PIN, remote wipe, automatic password expiration and prohibition against rooting and jail-breaking. And, remember, a policy is not worth much if you cannot enforce it with appropriate security tools. Your tools need to be able to enforce at least this minimum set of requirements.
As well, remember that mobile devices often also are multimedia devices. That means that they are managing documents, telephone calls, web surfing, photos and videos, as well as a host of other applications that use multiple combinations of those fundamental functions. Consequently, a complete solution to the challenge of securing mobile devices needs to cover all of those bases. Unfortunately, most don't. But, in terms of the evolution of this market space, it's early yet. The batch of products we are looking at this month is heading in the right direction. And, don't forget that the market itself is far from mature. For the most part, the security products in our Group Test are taking on new problems as fast as they emerge.
We tested each product for its functionality. We had a baseline of functions for which we looked, and we especially were concerned about the security impact on the user. In the BYOD world, users do not take kindly to being told that all of their family photos are gone because the remote wipe didn't work as expected. That said, if the organization is to allow sensitive data on a personally owned device there must be a way to ensure the protection of that data. As we evaluated these products - the tip of the spear, so to speak, given that there are very few such products in the market yet - we looked for that important combination of security and user-friendliness that will ensure success and staying power for the product.