Best Practices: Managing Mobile Device Security in the Workplace

by Mike Weber, Managing Director, Coalfire

As the rate of mobile device usage in the workplace rises and the sophistication of the devices increases, users are becoming more efficient road warriors than ever. Unfortunately, they’re also introducing a lot of risk into the IT equation. The more capable these devices are at helping users access data, the more capable they are of being used by hackers to do the same.

What policies do you need to manage mobile devices in the enterprise today given all the security issues, consumerization, etc.?  The astronomical rate of adoption of smartphones by consumers has resulted in significant pressure on the enterprise to provide support for smartphones and other mobile devices.  Businesses can realize productivity gains while reducing the cost of maintaining a mobile workforce by embracing the technology the user community prefers. 

However, this approach expands the attack surface of the enterprise and requires both organizational and technical controls to manage the resulting risk.  As enterprises adopt this “bring your own device” approach, it is critical that security awareness and training programs are tailored to tell users how the built-in technical controls work, which controls are required or managed by the business, and which controls are the responsibility of the user.  Controls that have become a de facto baseline include a strong passcode to unlock the device, re-authentication after five minutes of inactivity, a local data wipe after ten failed log-in attempts, and encryption of data stored on the device.  Platforms that can be remotely wiped when lost provide an additional layer of security, and remote wipe is now a supported standard on virtually all smartphones.  Note that a remote wipe only takes effect once the device checks in; a device that is powered off, offline, or has had its SIM removed cannot receive the command, which is why the local controls above remain necessary.

What tools exist to enforce such policies?  Mobile Device Management (MDM) is an emerging field that has developed rapidly to meet the need.  As you would expect, all the big names in enterprise computing and security have solutions to manage smartphones, and they perform a similar set of inventory, configuration, and feature management tasks through an agent-based model.  Each solution differs somewhat in its approach and device support.  Providers include McAfee, Microsoft, Apple, HP, and Sybase, among others.  On-premises, cloud-hosted, and SaaS offerings are all available.  Beyond system configuration and inventory, MDM solutions typically can push applications to the device and control what the user may install. 

One drawback to an agent-based approach is that it relies on the integrity of the device: the agent that reports the device's configuration runs on the very device whose configuration is in question.  A key differentiator between the current solutions is therefore the ability to identify when a device is jailbroken or rooted, and to execute policy controls immediately as a result.  This capability lets a business place conditional trust in device integrity and limit the potential impact to its environment when bad things happen.  The caveat is that such detection is signature-based (it looks for known artifacts of a jailbreak or root) and runs on the compromised device, so it can be evaded; treat it as a compliance signal that triggers a response, not as proof that the device is clean. Most vendors offer support for a good number of devices, but the level of support differs from vendor to vendor.  As this field develops, it can be expected that support for a wider range of phones will be integrated over time.
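To make the two preceding points concrete, here is an added example (not code from the article or from any MDM vendor) that evaluates agent-reported device inventory against the baseline controls listed earlier: strong passcode, five-minute inactivity lock, local wipe after ten failed attempts, local encryption, and remote wipe. It checks root/jailbreak indicators first, because once a device is rooted every other field the agent reports is attacker-controlled. The report schema, the numeric thresholds for "strong" passcode, the indicator lists, and the enforcement actions are assumptions for illustration; the sample inventory is constructed.

```python
"""Evaluate MDM device inventory reports against a baseline policy.

Added example. The report fields, passcode thresholds, root/jailbreak
indicator lists and action names are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Baseline controls from the article, expressed as thresholds."""
    min_passcode_length: int = 8       # assumed: article says "strong", not a length
    require_alphanumeric: bool = True  # assumed, as above
    max_inactivity_seconds: int = 300  # re-authenticate after five minutes
    max_failed_attempts: int = 10      # purge local data after ten failed log-ins
    require_encryption: bool = True    # local data encryption
    require_remote_wipe: bool = True   # device must be enrolled for remote wipe


# Artefacts an agent might report that indicate root/jailbreak. Assumed list,
# not exhaustive: this check is signature-based and can be evaded on-device.
ROOT_INDICATORS: Dict[str, set] = {
    "android": {"/system/xbin/su", "/system/bin/su", "/sbin/su", "build.tags=test-keys"},
    "ios": {"/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd", "/private/var/lib/apt"},
}

# Response per status; "block-and-wipe" means cut access and wipe corporate data.
ACTIONS = {"compliant": "allow", "noncompliant": "quarantine", "untrusted": "block-and-wipe"}


def integrity_findings(report: Dict[str, Any]) -> List[str]:
    """Root/jailbreak indicators present in the report for its platform."""
    known = ROOT_INDICATORS.get(report.get("platform", ""), set())
    return sorted(known & set(report.get("indicators", [])))


def policy_findings(report: Dict[str, Any], policy: Policy) -> List[str]:
    """Baseline-control violations in a report whose integrity is not in doubt."""
    v: List[str] = []
    pc = report.get("passcode", {})
    if not pc.get("enabled"):
        v.append("passcode not enabled")
    else:
        if pc.get("length", 0) < policy.min_passcode_length:
            v.append(f"passcode shorter than {policy.min_passcode_length}")
        if policy.require_alphanumeric and not pc.get("alphanumeric"):
            v.append("passcode is not alphanumeric")
    lock = report.get("inactivity_lock_seconds")
    if lock is None or lock <= 0 or lock > policy.max_inactivity_seconds:
        v.append(f"inactivity lock missing or longer than {policy.max_inactivity_seconds}s")
    wipe = report.get("wipe_after_failed_attempts")
    if not wipe or wipe > policy.max_failed_attempts:  # 0/None means "never wipe"
        v.append(f"local wipe not set within {policy.max_failed_attempts} failed attempts")
    if policy.require_encryption and not report.get("storage_encrypted"):
        v.append("local storage not encrypted")
    if policy.require_remote_wipe and not report.get("remote_wipe_enrolled"):
        v.append("remote wipe not available")
    return v


def evaluate(report: Dict[str, Any], policy: Policy = Policy()) -> Tuple[str, List[str]]:
    """Return (status, findings). Integrity is checked first: a rooted device
    can lie about every other field, so its policy fields are not even read."""
    rooted = integrity_findings(report)
    if rooted:
        return "untrusted", [f"root/jailbreak indicator: {i}" for i in rooted]
    findings = policy_findings(report, policy)
    return ("compliant" if not findings else "noncompliant"), findings


def audit(reports: List[Dict[str, Any]], policy: Policy = Policy()) -> Dict[str, Dict[str, Any]]:
    """Map device_id -> status, enforcement action and findings."""
    out: Dict[str, Dict[str, Any]] = {}
    for r in reports:
        status, findings = evaluate(r, policy)
        out[r["device_id"]] = {"status": status, "action": ACTIONS[status], "findings": findings}
    return out


# Constructed sample inventory, shaped like what an agent-based MDM might collect.
SAMPLE_REPORTS = [
    {"device_id": "ios-001", "platform": "ios", "indicators": [],
     "passcode": {"enabled": True, "length": 8, "alphanumeric": True},
     "inactivity_lock_seconds": 300, "wipe_after_failed_attempts": 10,
     "storage_encrypted": True, "remote_wipe_enrolled": True},
    {"device_id": "android-002", "platform": "android", "indicators": [],
     "passcode": {"enabled": True, "length": 4, "alphanumeric": False},
     "inactivity_lock_seconds": 900, "wipe_after_failed_attempts": 0,
     "storage_encrypted": False, "remote_wipe_enrolled": True},
    {"device_id": "android-003", "platform": "android",
     "indicators": ["/system/xbin/su", "build.tags=test-keys"],
     "passcode": {"enabled": True, "length": 8, "alphanumeric": True},
     "inactivity_lock_seconds": 300, "wipe_after_failed_attempts": 10,
     "storage_encrypted": True, "remote_wipe_enrolled": True},
]

if __name__ == "__main__":
    for dev, result in audit(SAMPLE_REPORTS).items():
        print(dev, result["status"], result["action"], *result["findings"], sep="\n  ")
```

The ordering matters: android-003 reports a fully compliant configuration, but because it also reports root indicators it is classified "untrusted" and its other fields are ignored. In a real deployment the indicator list would be a vendor's and would change as jailbreak tooling changes, which is the support gap the text describes.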