Discussions of mobile security typically revolve around the vulnerability of smartphones, tablets and the data they contain to loss and theft. Yet CIOs, CISOs and IT directors need to be equally concerned about the challenges of maintaining data security during everyday use of both corporate-issued and BYOD devices.
Case in point: the smartphone-related theft of patient records at Jackson North Medical Center in North Miami Beach in 2012. An emergency room volunteer had used his camera-phone to take more than 1,000 photos of records containing Social Security numbers and other health information for 566 patients, and then sold the records to another man. The scheme was discovered when three men were found filing fake tax returns using free Wi-Fi in a McDonald’s parking lot.
Certainly, every organization needs to implement safeguards against hardware loss and theft, such as the ability to remotely lock and wipe data when a device goes missing. But it is even more important to protect corporate data against leakage and compliance risks that arise when devices are still safely in users’ hands – as the vast majority will be. This can be accomplished in five basic steps using your mobile device management (MDM) solution of choice.
1 – Secure All Endpoints
For starters, every smartphone or tablet – whether company- or employee-owned – should be encrypted in its entirety to prevent access to corporate data in the event of device loss or theft. Decryption can occur only when the user is authenticated, keeping strangers out of the corporate information cookie jar.
It is also advisable to disable device features such as cameras, near-field communications and Bluetooth connectivity within the boundaries of your company offices, using the geofencing capabilities available from robust MDM solutions. This will thwart employees intending to use these tools to filch proprietary information, intellectual property or other sensitive data. The National Banks of Central Texas, for example, turns off device cameras for employees’ iPhones, iPads and Androids at all of its bank locations to foil mobile users who may be tempted to take a screenshot of a customer’s account or other bank information.
In addition, MDM software can be configured to take action automatically when it detects jailbroken iOS or rooted Android devices, since those modifications let users run unauthorized software. Policy options include quarantining the affected device, alerting admins and users to the problem, and/or blocking the device’s access to corporate email and enterprise apps, which shields those resources from jailbreak-related security risks, including damage by malware downloaded from forbidden apps.
2 – Secure the Content
From monthly sales reports to new product information and beyond, business content that must be accessed remotely from the corporate network or shared with multiple users should be served up to clients in encrypted containers and automatically erased from the mobile device when the user exits the app. Admins can simply select the appropriate MDM settings to provide these capabilities.
The City of Rancho Cordova, CA, uses this approach to securely transmit city council meeting agendas and other documents to city-owned and personal mobile devices carried by city council members and municipal staff. The city is saving more than $200,000 annually by enabling secure paperless document sharing as well as employing city-approved mobile apps like Evernote for taking digital notes and distributing minutes in city council meetings.
3 – Secure the Applications
Security for mobile enterprise, productivity and public apps is just as important as protection of business content. On the enterprise app front alone, according to one 2012 survey, nearly six organizations out of 10 are making line-of-business applications accessible from mobile devices. Using the enterprise app store capability in MDM and blacklisting/whitelisting of public apps help secure the applications in use.
Enterprise app stores, for example, push private in-house apps and updates to any number of authorized devices, and simultaneously ensure that these apps are viewed and run only by users with appropriate access privileges. Whitelisting ensures user access to company apps, public apps like Salesforce CRM, and other apps that employees need on the road. Blacklisting blocks users from downloading unwanted apps.
This mix of features helps optimize app security for organizations like airport transportation service SuperShuttle, which recently rolled out a new Galaxy tablet-based enterprise mobile app to its entire fleet. The company is using its MDM provider’s app store to deploy, manage and update the app used to manage field operations. In addition, it has locked its app to the tablet using MDM’s secure workspace feature so that drivers cannot run distracting public apps when they are on the road, and restricted Web browsing to airport information and airline schedules required for drivers to do their work.
Some MDM solutions also offer virtual email gateways that can block unwanted devices and users from accessing the corporate email server while also managing user credentials through integration with Active Directory.
4 – Secure the Network Access
Mobile devices must be configured to ensure secure remote access to the corporate network as well as to block users from hitching a ride on public Wi-Fi when they’re connecting to corporate resources.
The first requirement can be met by setting up VPN connectivity with application tunneling, so that only enrolled devices and approved apps can reach the corporate network. The second can be addressed by configuring MDM settings to require a secure Wi-Fi connection before allowing users to access company applications or databases. Time-window and location-based access control restrictions can be set to govern access to the corporate network and critical enterprise applications. For example, the company may want to restrict access to financial applications so that they can be used only from company premises during work hours.
5 – Set Up Your Security Policies
Finally, define security policies for data access and application use. Set access rights and restrictions for corporate data, create a whitelist of required company applications and a blacklist of unwanted public applications, and establish settings for email servers and Wi-Fi access based on user profiles and location. Policies can then be pushed over the air for easy rollout to all devices and updated on the fly. In addition, rules can be defined and triggered to send alerts and take automated actions to enforce compliance in case security policies are broken.
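To make the five steps concrete, here is an added example (not code from the article or from any MDM vendor) of a toy compliance evaluator: it takes a device posture as an MDM agent might report it and applies the article's rules (whole-device encryption, jailbreak/root response, geofenced camera policy, app whitelist/blacklist, VPN and secure Wi-Fi, and premises-plus-work-hours access for financial apps). All policy values, app identifiers and coordinates are constructed placeholders.

```python
from datetime import time
from typing import NamedTuple
# Constructed policy values (hypothetical; a real MDM admin sets these per tenant).
GEOFENCE_LAT = (30.00, 30.10)          # company premises bounding box
GEOFENCE_LON = (-97.80, -97.70)
APP_WHITELIST = {"com.example.crm", "com.example.notes"}
APP_BLACKLIST = {"com.example.anonfileshare"}
FINANCIAL_APPS = {"com.example.ledger"}   # premises-and-work-hours only
WORK_HOURS = (time(8, 0), time(18, 0))
SECURE_WIFI = {"wpa2", "wpa3"}

class Posture(NamedTuple):  # device state as an MDM agent would report it (constructed)
    encrypted: bool
    jailbroken: bool
    lat: float
    lon: float
    installed_apps: set
    wifi_security: str   # "open", "wpa2" or "wpa3"
    on_vpn: bool
    local_time: time
    requested_app: str

def evaluate(p: Posture) -> dict:
    on_site = GEOFENCE_LAT[0] <= p.lat <= GEOFENCE_LAT[1] and GEOFENCE_LON[0] <= p.lon <= GEOFENCE_LON[1]
    in_hours = WORK_HOURS[0] <= p.local_time <= WORK_HOURS[1]
    # Each rule maps to one of the article's steps; a true condition denies access.
    denials = [reason for cond, reason in (
        (not p.encrypted, "device_not_encrypted"),                               # step 1
        (p.jailbroken, "jailbroken_or_rooted"),                                  # step 1
        (p.requested_app not in APP_WHITELIST | FINANCIAL_APPS, "app_not_whitelisted"),  # step 3
        (not p.on_vpn, "vpn_required"),                                          # step 4
        (p.wifi_security not in SECURE_WIFI, "insecure_wifi"),                   # step 4
        (p.requested_app in FINANCIAL_APPS and not (on_site and in_hours),
         "financial_app_outside_premises_or_hours"),                             # step 4
    ) if cond]
    actions = []
    if p.jailbroken:  # step 1: automated response to a compromised device
        actions += ["quarantine", "alert_admin", "block_corporate_email"]
    banned = sorted(p.installed_apps & APP_BLACKLIST)
    if banned:        # step 3: blacklist enforcement
        actions.append("remove_apps:" + ",".join(banned))
    return {"grant": not denials, "denials": denials,
            "camera_enabled": not on_site,   # step 1: geofenced camera policy
            "actions": actions}

def demo() -> tuple:  # one compliant on-site device and one rooted off-site device (constructed)
    ok = Posture(True, False, 30.05, -97.75, {"com.example.crm"}, "wpa2", True, time(10, 0), "com.example.crm")
    bad = Posture(True, True, 40.0, -74.0, {"com.example.crm", "com.example.anonfileshare"},
                  "open", False, time(22, 0), "com.example.ledger")
    return evaluate(ok), evaluate(bad)
```

The compliant device is granted access with its camera disabled on premises, while the rooted off-site device is quarantined, has its blacklisted app flagged for removal, and is denied the financial app for four separate reasons.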
By following these five steps and implementing related protections in each category, admins can keep many of today’s mobile security demons at bay. With daily reports of data breaches as well as the unstoppable rise in mobile adoption, it’s imperative for organizations to control mobile data access risks quickly and completely. Your company’s reputation – and yours – may well depend on it.