Securing Mobile Devices

The latest issue of Messaging News, debuting in sync with RSA Conference 2009 happening next week, focuses on messaging security. One of the upcoming articles, “Is Mobile Messaging in Danger?” examines mobile security, and investigates whether there is anything to worry about. “Everyone is waiting for something big to happen and I do share that belief,” says Patrik Runald, chief security advisor of F-Secure Corporation. “It’s hard to estimate when—this year or in three years—but I think everyone agrees that it is going to happen, because it’s such an unexploited market for the bad guys to go after.”

Jonas Markstrom, sales engineer, wireless solutions for Check Point Software Technologies, Ltd., believes that the “Big One” has already happened. “The big one is and will continue to be data leakage to unsupported devices by enabling push email to a consumer device not supported by IT, or data loss through the loss of any unprotected device.” Due to space constraints in the magazine, we could not run all the advice that was offered. Markstrom offered a few points that users or IT should consider when choosing a truly secure mobile solution:

Usability: The security solution should take device form factor, input methods and limitations into account, as well as usage patterns. A smartphone may be challenging to interact with for some users and security must not make it any harder, but should instead be seamless, enabling user productivity from the background. If security is not user friendly then the benefits of mobility will be lost.

Enforceability: To maintain policy compliance but also to improve the user experience, security should be enforceable, meaning user configuration options should be limited and it should not be possible to remove the security software without authorization from the IT department. Enforceability also means that you are not asking the user to decide what data should be secured or how—for example, by storing data in specific containers for it to be encrypted. Instead you enforce security so that data is always encrypted—automatically and no matter where the user (or program) puts it.

Manageability: If implemented in the enterprise, the security solution must be fully manageable over the air (OTA) but must also provide flexibility in management. While at first it may seem acceptable to have the security vendor provide the vessel for management, once you go beyond mobile email and start looking at applications and services, having each vendor provide their own management suite is far from ideal (think TCO). You should therefore look early at flexibility in management. For example, does the security solution allow OMA-based management, or does it allow repackaging and deployment through a common Mobile Device Management (MDM or DM) tool, and is integration of administrative functionality possible?

Performance: The solution should be interoperable with native and third-party software and should be engineered specifically for the target platform, keeping a small footprint and not impairing performance with regard to CPU, memory or the oh-so-delicate smartphone battery life.

Platform and device transparency: Having native security on one device platform is not enough, nor is it enough to support one or two platforms with a third-party security product. The reality of most companies is that they will have to support multiple platforms and a multitude of devices on those platforms. You therefore need to look for a vendor that has wide platform support already and the engineering and financial vehicle to support new emerging platforms going forward. What you also need to look for is the ability to apply your security policy across those supported platforms—to be able to enforce a single high-level security policy across all company devices, no matter how different they are.

Runald’s top five suggestions for securing mobile devices in the enterprise are:

  1. Use encryption on the device. Keep in mind that every year millions of smartphones are lost. The data they contain needs to be safeguarded.
  2. Decide whether you will allow employees to install third-party applications.
  3. Be sure to install security solutions. These devices support installing third-party software; with constant Internet connectivity, you want both anti-virus and a firewall solution.
  4. Try to limit the number of devices being used by the company. The more you have, the harder it will be to install updated firmware/security patches.
  5. Make sure that the mobile devices are covered in the IT security policy and that employees know whom to contact in the event of loss/theft.

The full article will be available next week (remember, our issues can be found digitally on the Messaging News Web site), so be sure to read it for more on this thought-provoking topic.