People who own SmartPhones live by them. People who don’t, soon will!
SmartPhones and the applications we run on them are only going to increase in popularity, and for many people they are becoming essential business devices.
The first step in helping these tools to be secure is to embrace their existence and define policies, procedures, and mechanisms to configure, use, and manage them. What data can and cannot be stored on the phone? How will email be handled? What applications will be allowed on the phone? Most of these policies will deal with data sensitivity, data handling, and risk management.
The second step is to decide which SmartPhones will be approved. You should choose phones based on the existence of functionality (either directly on them as native functionality or as a third-party application) that will support your requirements and high-level security policies. Can you encrypt the data on the phone? Can you perform a remote wipe of the phone if it is lost or stolen? Can you configure it and key applications with passwords or other secure tokens? Most of these issues will deal with security policies, operational management, and device management.
The third step is to define the tools and protocols that each person will use to minimize the risk of exposing confidential data or allowing inappropriate access to the phone itself. How will the phone connect to the network? What kind of virus or malware protection is used? How is the device secured? These topics will force you to deal with access control, information security, and incident management.
If all of this sounds like a lot of work, it can be, but it is really an acknowledgement that SmartPhones are the new laptop, and you’ll have to put the same amount of effort, controls, and management in place to deal with them as you did with your laptop infrastructure.
Companies that are doing poorly in this space haven’t embraced the technology as a peer of the laptop or desktop. Companies that are doing well have expanded their security policies and procedures to deal with the unique capabilities and risks that come with the SmartPhone.
My advice? Embrace them as the next generation of mobile computing and secure them to create real business opportunities and advantages!
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, and the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.