If you aren’t already trying to figure out your mobile device security strategy, you soon will be. The rapid proliferation of these devices, their immense popularity and their obvious business uses make them the next big challenge for security pros. As with any technology, mobile devices come with security issues that must be addressed before you allow them into your environment.
Why are these devices so troublesome? The biggest issue is that they are not created, marketed or sold with the enterprise in mind. They are intended to be purchased by individuals for personal use, which has two distinct consequences: the vendors provide few enterprise management tools, if any at all, and the account you create on the device for the user is essentially an administrative account. Indeed, the security incidents associated with these devices to date have largely been self-inflicted wounds: users installing malicious or insecure code onto their own devices.
Legitimate apps add to the problem, too. Many apps provide functionality that isn’t obvious from their stated purpose and can have serious unintended consequences. So what can we do? Banning these devices from your environment might work for a little while longer, but more than likely you will soon be purchasing a third-party solution to help manage and secure them. Before you rush to buy one of the many mobile device management solutions on the market, take a few moments to develop your list of requirements. Doing this first ensures that the tool you purchase supports your requirements, rather than letting the feature set of available products define them for you.
As you develop your requirements, keep these key issues in mind:
How will mobile devices be used in your environment? Will the IT staff use them to provide support or troubleshoot issues? Will physicians use them to display images to patients or to access protected health information (PHI)? Understanding how they will be used, and by whom, will help determine your requirements.
Be sure to require that the devices meet the same security standards you have already established for other IT resources.
Remember that these devices will spend most of their time on networks that are not under your control, either the carrier’s data network or the closest available Wi-Fi network. Treat every such network as hostile: any corporate data in transit must be protected by the device itself (for example over a VPN or TLS), not by the network it happens to be on.
Finally, it is imperative that any technical controls implemented on the devices be enforceable and not circumventable by users. It does no good to invest time and money in a solution that the end user can easily defeat.
How will mobile devices be used in your environment? asks Vicky Ames. Will users put sensitive corporate documents on them or use them to access internal systems while traveling?
The temptation to relax password policies or other requirements for these devices must be resisted, despite the best efforts of your users to convince you otherwise, she says.
When looking for a document-reader app, Ames was hard-pressed to find one that didn’t also come with an FTP server, wireless flash drive, easy link to the cloud and other features.
Additional functions on an app are most helpful to end-users who share documents and files with their friends, but pose some significant concerns for IT security personnel.
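The FTP servers and "wireless flash drive" features bundled with document-reader apps show up on the network as ordinary listening services, so one practical check is to scan the subnet your mobile devices sit on and flag any host answering on those ports. The following is an added example written for this article, not code from the original page or from any MDM product. The port list is an assumption (FTP control on 21 and the HTTP ports such app features commonly use) and should be adjusted to what you see in your own app inventory; the dummy listener is a constructed stand-in for an app's FTP server so the example runs offline.

```python
"""Find mobile devices exposing file-sharing services on a subnet.

Added example, not from the original article: a TCP connect scan that flags
hosts listening on ports commonly used by the FTP servers and "wireless flash
drive" (HTTP file-share) features bundled with document-reader apps. The port
numbers and the dummy listener are assumptions for illustration only.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed service ports: FTP control, plus HTTP ports that wireless-drive
# features commonly listen on. Adjust to what your app inventory shows.
SUSPECT_PORTS = {21: "ftp", 80: "http", 8080: "http-alt", 8000: "http-alt"}


def port_is_open(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports=None, timeout=0.5):
    """Return a sorted list of the given ports that are open on host."""
    ports = list(SUSPECT_PORTS) if ports is None else list(ports)
    return sorted(p for p in ports if port_is_open(host, p, timeout))


def scan_subnet(hosts, ports=None, timeout=0.5, workers=32):
    """Scan many hosts in parallel; return {host: [open ports]} for hits only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, scan_host(h, ports, timeout)), hosts))
    return {h: open_ports for h, open_ports in results if open_ports}


def describe(findings):
    """Turn scan findings into human-readable alert lines, one per host."""
    lines = []
    for host, open_ports in sorted(findings.items()):
        svcs = ", ".join(f"{p}/{SUSPECT_PORTS.get(p, 'tcp')}" for p in open_ports)
        lines.append(f"{host}: file-sharing service(s) exposed on {svcs}")
    return lines


def start_dummy_listener(banner=b"220 DocReader FTP ready\r\n"):
    """Start a constructed stand-in for an app's FTP server on localhost.

    Returns (port, server_socket). Purely for offline demonstration: it greets
    each client with an FTP-style banner and closes the connection.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # OS-assigned port, so nothing real is needed
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client already went away; a scanner often does

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


if __name__ == "__main__":
    port, srv = start_dummy_listener()
    # Scan localhost for the dummy service alongside the usual suspect ports.
    hits = scan_subnet(["127.0.0.1"], ports=list(SUSPECT_PORTS) + [port])
    for line in describe(hits):
        print(line)
    srv.close()
```

In production you would feed `scan_subnet` the address range of your mobile-device VLAN (or Wi-Fi DHCP scope) and run it on a schedule; a hit is not proof of misuse, but it tells you which devices have an app serving files to anyone on the same network, which is exactly the behaviour the article warns about.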