The first simple steps for Mobile Device Security

Many of our customers have mature security programs that address mobile devices with a wide range of controls.  However, many small businesses don’t have fully developed security policies and are trying to determine what first steps are the most practical that they can take to secure their mobile devices.
The two most basic and most repeated steps to secure data on mobile devices are still the most important first steps to take:

1. Require the use of a PIN or passphrase to access any application or data on each mobile device
2. Configure mobile devices so that they can be remotely wiped

Employees really should be taught to assume that sooner or later the device they are using will be lost or stolen.  A PIN won’t defeat someone with the device in hand from gaining access to the data on the device, if they are determined to do so.  However, a PIN should delay someone from accessing the data on the device long enough for employees to perform a remote deletion of the data, if reporting of the loss or theft is done in a timely manner.

Over time, mobile devices tend to be used on a number of wireless networks and cellular networks that may be insecure.  It is important to protect communications from eavesdroppers.

3. Use a VPN to ensure all communications are encrypted, protecting the traffic from eavesdroppers or tampering

Requiring the use of a corporate VPN for all mobile device traffic will also enable a company to perform traffic analysis and enforce Data Loss/Leak Prevention (DLP) controls, and block access to forbidden sites, if the company has such controls in place.

Most enterprises will prohibit employees from using consumer grade cloud storage services such as iCloud, Skydrive, Dropbox, or Google Cloud Storage.  If the use of these or similar services is allowed:

4. Use a password that will withstand brute force attacks for any cloud storage services and do not reuse the password for any other services or accounts

Companies that do prohibit employees from using consumer grade cloud storage services should educate employees about the risks and what applications are prohibited.  There are many applications that utilize cloud storage without necessarily explaining to the users how features leveraging cloud storage is utilized.

5. Do install anti-malware defenses where appropriate
6. Do not allow jailbreaking of devices

The large number of mobile devices in use are attracting malware authors.  If the mobile device platform has an applicable anti-virus or anti-malware package available it should be installed.  Apple believes their walled-garden approach to software installation negates the need for anti-virus software and they do not permit any such packages to be sold via the App Store.  Of course, that approach only works as long as all software available to consumers will be examined, vetted, and approved by the vendor.

Companies desiring to address a wider range of risks will likely need to impose many more controls.  Mobile Device Management (MDM) platforms provide a variety of additional controls and finer granularity of the controls listed above.  The Blackberry platform still provides the greatest variety of controls, offering enterprise administrators over 450 policy settings.  Microsoft’s ActiveSync mailbox policies defines 41 settings, although not all of the settings can be applied to all device platforms.  Other MDM products typically provide fewer settings than those available from a Blackberry Enterprise Server (BES) but more options than available via ActiveSync mailbox policies.

MDM tools are limited by the features available on the device platform, and at times by the capabilities enabled by the carrier.  Companies that desire to support multiple device platforms may need to operate multiple MDM systems.