by: Harry Ho
Twitter. Google Play. Amy Winehouse. Corporate email. Facebook.
These five terms can be tied together by one word — security. They can be tied together by one location — your mobile phone. Although they may seem like very distant terms, they are linked by very similar patterns. After the death of Amy Winehouse, her goddaughter’s Twitter account was hacked. It was then used to send spam and release a hidden virus disguised as a music track. With the rise of mobile users on Android devices came the rise of backdoor trojans and viruses embedded in application code. Many Facebook users know the woes of hackers lurking about. Friend requests and messages that send viruses are not uncommon.
According to Symantec’s Internet Security Threat Report for 2011, 42% of big business mailbox attacks (within the realm of Symantec use) were aimed at high-level executives, senior managers and people in research and development. When it comes to security, no one is excluded from attacks. To any type of malware, every mobile device is a new territory to conquer.
On October 12, 2012, the IC3 published a safety warning about FinFisher and Loozfon — two pieces of malware capable of stealing information and remotely controlling and monitoring a user’s mobile device. Indeed, the highest survey-polled concern for BYOD is security. In order to help combat this, I have come up with some simple points to push toward securing your mobile enterprise.
1) Required Registration with MDMs
Mobile device management platforms are important. If an enterprise doesn’t have one, it should look into getting one. An MDM helps manage an actual device used within an enterprise, be it to lock key features, block and allow certain apps, wipe the device remotely, or require passwords. However, having an MDM isn’t enough. In order for your MDM to be effective, you must require registration of your employees’ devices. It’s a simple rule: if they want to use their personal device, they need to comply with corporate policy. Set restrictions on what devices may be disqualified for BYOD use (for example, a jailbroken iPhone).
2) Requiring Passwords and Encryption
Protecting your back-end resources is something that goes without saying. It would seem obvious that these are protected. However, applications that are signed in may have free roam of certain portions of data. These devices, especially employee-owned ones, are gateways into your private enterprise data. Creating a password policy on physical hardware and utilizing application data encryption is a way to tie up that end. Use an MDM to create and manage a password policy.
3) Application Policy Creation
For someone to bring their own device is to bring their personal business with them. Mobile phones are usually linked to multiple publicly accessible resources (like social media applications). Ensure employees are keeping to task while working. Utilize your MDM or MAM to help build custom application lists. Blacklist apps that you think may have security holes, create user groups for specific applications per role, and provide a whitelist of recommended enterprise applications.
4) Application Development
Building an application is also part of the security. When connecting to resources, create a time-based expiration for any authentication headers or cookies. Ensure connections are protected and applications meet security standards before publishing. Test it thoroughly and think of different security scenarios. Make use of any encryption technology available for the platform you are developing with. If it is there, you might as well use it.
5) Update Frequently
Update everything. Ensure that BYOD devices are updated to manufacturer and OS standards. Also work with developers to keep a maintenance cycle for application revisions and version control. Use your MAM to enforce it. Having the latest updates usually ensures the latest rework on bugs — security flaws being one.
6) Use what you already have
If you are happy with your current system and its security measures, tie in authentication with your current one. Utilizing the resources you may have can provide a blanket on integration. Using a set of credentials throughout multiple applications or services may be a good way to go and make working more efficient. Keep in mind, however, that this gives a broader range of control to the device holder. This should be weighed cautiously.
7) Collaboration and Communication
Collaboration works on so many different levels. Collaboration between your users and developers produces better and more secure applications. Communication with your IT department and users produces a clearer understanding of security guidelines to meet. Use whatever collaboration tools your company uses to effectively build a strong mobile enterprise. Build as many lines as you can to ultimately build a community web of support. People can accidentally be the cause of security breaches, but they can also be the driving force for a well-protected mobile enterprise.