Today being mobile in business is essential – and determining how your business manages mobile devices is important. There are cost considerations, use considerations, and management considerations. But security considerations should also be an integral part of your mobile device strategy. Almost every company out there has some kind of mobile offering, but if you’ve never considered the strategic elements of your program, it’s worth revisiting and potentially changing your practices based on what you find.
When making a strategic decision in regards to your mobile device management strategy, you are ultimately determining why mobile is being implemented and what it will do to better your organization. Don’t just assume that everyone needs access to their email. You need to think about mobile as an exposure – an entirely different attack vector that can be compromised. Your strategy should be one that provides enough access to enable business to take place and support your business needs, while at the same time limiting your cyber risks.
With that in mind, here are some questions you should answer when developing your mobile management strategy.
- What roles require mobile access to corporate resources?
- What information will be available for access?
- What functions (i.e., read/write, transmit, print, store) are required for each role?
- Who approves access?
- What is the provisioning process for user accounts?
- What are the approved devices?
- How will mobile fit into the existing policy set of your information security program?
- How much control do you want?
Let’s take a closer look at that last question. How much control you want is a big part of determining whether you will have a BYOD (bring your own device), CYOD (choose your own device), or COPE (corporate-owned, personally-enabled) policy. When determining your technical control policy over mobile devices, you need to understand the threats.
Two obvious threats that we see out in the field are unauthorized access and data leakage (either by mistake or intentionally by an authorized user). The less control you have over the device, the more control the user has, and the more exposed you are to threats that could be exploited.
One way to gain more control is to use a mobile device management platform, and authentication is an important consideration. If you use a tool like AirWatch, MobileIron, or Good Technology, you’re going to have a lot more control over authentication requirements and pushing out technical policies than you would with Microsoft ActiveSync or no mobile device management solution at all.
When looking at authentication from a mobile device to internal corporate information systems, you should consider both multi-layer and multi-factor. Multi-layer authentication includes such things as IP restriction or installing a device-based certificate that is tied to a user account. Multi-factor authentication challenges the user to provide more authentication information (something they have or something they are) over and above their username and password (something they know) to access an account. At Tyler, we like to see both multi-layer and multi-factor authentication when we’re looking at a high-risk activity, especially where administrators are concerned.
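To make the distinction between layers and factors concrete, here is an added example (not code from the original post or from any of the products named above) of an access-decision routine that applies both. The corporate IP ranges, the credential names, and the rule that high-risk (administrative) access needs every layer plus a second factor category are all assumptions chosen for illustration; the TEST-NET addresses are constructed placeholders.

```python
"""Evaluate a mobile access request with multi-layer and multi-factor checks.

Added example. Class and function names, the IP ranges and the policy
thresholds are assumptions, not any vendor's API.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress

# Constructed corporate network ranges (TEST-NET blocks used as placeholders).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Each credential type maps to one factor category:
# "know" (password/PIN), "have" (token, authenticator), "are" (biometric).
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "totp": "have", "hardware_token": "have", "push_approval": "have",
    "fingerprint": "are", "face": "are",
}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    device_cert_user: Optional[str]  # account the device certificate is bound to, or None
    factors: List[str]               # credential types presented in this session
    high_risk: bool = False          # e.g. admin console, privileged data


def layers_satisfied(req: AccessRequest) -> Set[str]:
    """Return the names of the multi-layer checks that passed."""
    passed = set()
    ip = ipaddress.ip_address(req.source_ip)
    if any(ip in net for net in CORPORATE_RANGES):
        passed.add("ip_restriction")
    # The certificate counts only if it is bound to the account being used,
    # so a cert issued to another user on the same device does not help.
    if req.device_cert_user is not None and req.device_cert_user == req.user:
        passed.add("device_certificate")
    return passed


def is_multi_factor(factors: List[str]) -> bool:
    """True when a password/PIN is joined by a factor from a different category.

    Two credentials from the same category (password + PIN) are not MFA.
    """
    cats = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return "know" in cats and len(cats) >= 2


def evaluate_access(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons is empty when access is allowed."""
    reasons: List[str] = []
    layers = layers_satisfied(req)
    known = {FACTOR_CATEGORY.get(f) for f in req.factors}
    if "know" not in known:
        reasons.append("no password or PIN presented")
    if req.high_risk:
        # Assumed policy: both layers and a second factor category.
        if layers != {"ip_restriction", "device_certificate"}:
            reasons.append("high-risk access requires IP restriction and a user-bound device certificate")
        if not is_multi_factor(req.factors):
            reasons.append("high-risk access requires a second factor category")
    elif not layers:
        # Assumed policy: ordinary users need a password plus at least one layer.
        reasons.append("at least one authentication layer is required")
    return (not reasons, reasons)


if __name__ == "__main__":
    admin = AccessRequest("alice", "203.0.113.10", "alice", ["password", "totp"], high_risk=True)
    print(evaluate_access(admin))   # (True, [])
    weak = AccessRequest("alice", "192.0.2.5", None, ["password"], high_risk=True)
    print(evaluate_access(weak))    # denied with two reasons
```

The routine keeps the two ideas separate on purpose: `layers_satisfied` answers "did the request arrive through a channel we control?", while `is_multi_factor` answers "did the person prove more than one kind of thing about themselves?". A device certificate issued to a different account fails the layer check, and password plus PIN fails the factor check, which are the two mistakes that most often get counted as "extra security" when they are not.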
In terms of security, the following functionalities should be considered when determining how to best manage mobile devices within your company:
- Segregation of company and personal information;
- An encrypted container;
- An additional authentication layer – user has to authenticate both to the phone itself and then the encrypted container where company data is stored;
- Remote wipe capabilities;
- A level of control over technical policy distribution outside the user’s judgment, behaviors, and configurations;
- Regular software and/or operating system updates – the ability to push these out is an added bonus;
- A way to monitor usage.
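The list above is what an MDM compliance policy checks on every enrolled device before it is allowed to hold company data. Here is an added example (not the post's own code, and not any MDM product's API) of a posture check that turns each listed functionality into a pass/fail finding; the field names, the 90-day patch-age limit, and the sample devices are all assumptions.

```python
"""Check a mobile device's reported posture against the controls listed above.

Added example. DevicePosture fields and the patch-age limit are assumptions;
in practice these attributes would come from the MDM inventory.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

MAX_PATCH_AGE_DAYS = 90  # assumed limit on how stale the OS patch level may be


@dataclass
class DevicePosture:
    device_id: str
    work_profile_present: bool    # company data segregated from personal data
    container_encrypted: bool     # company data lives in an encrypted container
    device_passcode_set: bool     # first authentication layer: the phone itself
    container_passcode_set: bool  # second layer: the container holding company data
    remote_wipe_enrolled: bool    # the organisation can wipe company data remotely
    policy_managed: bool          # technical policy is pushed by MDM, not chosen by the user
    os_patch_date: date           # date of the last OS/security update applied
    reports_telemetry: bool       # device check-ins are visible for monitoring


def check_posture(p: DevicePosture, today: date) -> List[str]:
    """Return a list of failed controls; an empty list means the device is compliant."""
    findings: List[str] = []
    if not p.work_profile_present:
        findings.append("company and personal data are not segregated")
    if not p.container_encrypted:
        findings.append("company data container is not encrypted")
    if not p.device_passcode_set:
        findings.append("no device passcode")
    if not p.container_passcode_set:
        findings.append("no separate authentication on the company container")
    if not p.remote_wipe_enrolled:
        findings.append("device is not enrolled for remote wipe")
    if not p.policy_managed:
        findings.append("technical policy is not centrally managed")
    age = (today - p.os_patch_date).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"OS patch level is {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if not p.reports_telemetry:
        findings.append("device does not report usage telemetry")
    return findings


def is_compliant(p: DevicePosture, today: date) -> bool:
    return not check_posture(p, today)


# Constructed sample devices.
GOOD = DevicePosture("dev-001", True, True, True, True, True, True, date(2024, 5, 1), True)
BAD = DevicePosture("dev-002", True, False, True, False, True, True, date(2023, 11, 1), True)

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for dev in (GOOD, BAD):
        print(dev.device_id, "compliant" if is_compliant(dev, today) else check_posture(dev, today))
```

Returning the full list of findings rather than a single boolean matters for the last two items on the list: a stale patch level or a device that has stopped checking in is exactly what the monitoring requirement is meant to surface, and the finding text tells the administrator which control to push rather than just that the device failed.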
“Mobile devices pose a unique set of threats, yet typical enterprise protections fail to address the larger picture,” states Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue (Draft NISTIR 8144), a recent report from the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST). The report is a great resource and outlines a catalogue of threats to mobile devices and associated mobile infrastructure. The goal of the report is to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Anyone interested in joining NCCoE’s Mobile Device Security Community of Interest is asked to email them at firstname.lastname@example.org.