In this series we’ve tackled the threats these new handheld computers (mobile devices) present, as well as how we need to deal with folks culturally when they demand access to sensitive corporate information on mobile devices. As we wrap up this short series on mobile device security, let’s jump in and talk about a few things we can do to protect these devices.
As we all understand that these mobile devices are really handheld computers, we need to think about the tactics that are successful for securing our more traditional computers. Admittedly, ‘successful’ may be a bit optimistic, but there are still many lessons we can learn from the controls we use to protect laptops. Some of these fall into a traditional security technology bucket, while others tend to be more operational and management oriented. But really, those distinctions are hair-splitting. Things like secure configurations and access policies contribute to the safety of the data on the device, and that’s what’s important.
Tactic 1: Good Hygiene
I know you hate it every time you go to the dentist and see the little sign: Only floss the teeth you want to keep. I certainly do. As much as I hate to admit it, it’s still true. And the same goes for protecting mobile devices. We need a strong posture on these devices in order to have a chance to be secure. These policies won’t make you secure, but without them you have no chance.
- Strong Passwords: If you have sensitive data on your mobile devices, they need to be password protected. Duh. And the password should be as strong as practical. Not a 40 digit series of random numbers. But something that balances the user’s ability to remember it (and enter it n times per day) against the attackers’ ability to brute force it. And you want to wipe the device after 10 password failures or so.
- Auto-lock: Along with the password, the device should lock itself after a period of inactivity. Again, finding the right setting is about your users’ threshold for inconvenience, the length of their passwords, and your ability to dictate something secure. 5-10 minutes is usually okay.
- Data encryption: Make sure the device encrypts data on it. Most mobile devices do this by default, but make sure.
With your dentist, doing a good brushing right before your appointment probably isn’t going to fool him or her if you haven’t flossed since the last appointment. But unless you are checking constantly whether the mobile device remains in accordance with your configuration policies, you can be fooled. Just because you set up a device correctly doesn’t mean it stays that way.
For traditional networks, a technology like Network Access Control (NAC) can be used to check a device when it joins the network. This ensures it has the right patches and right configuration, and has been scanned for malware, etc. You should be doing the same thing for your mobile devices. Upon connecting to your network, you can and should check to make sure nothing is out of compliance with policy.
This helps block the user who gets his device from you and promptly jailbreaks it. Or does a hard reset to dump the annoying security controls you put in place. Or the one who turned off the password or auto-lock because it was too hard to deal with. Remember, users aren’t as dumb as we think they are. Well, some aren’t. So some of them will work to get around the security controls. Not maliciously (we hope), but to make things easier. Regardless of the security risks. Part of your job is to make sure they don’t manage it.
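The connect-time compliance check described above, as an added example (not code from the original post): it evaluates a device posture record against the hygiene settings the post lists (passcode, wipe after 10 failures, auto-lock within 5-10 minutes, encryption on) plus a jailbreak flag, and reports every violation. The minimum passcode length, the field names and the sample device records are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy thresholds. The failure count, auto-lock window and encryption
# requirement come from the post; the passcode length is an assumed value.
POLICY = {
    "min_passcode_length": 6,
    "max_failed_attempts": 10,
    "max_autolock_minutes": 10,
    "require_encryption": True,
    "allow_jailbroken": False,
}


@dataclass
class DevicePosture:
    """Snapshot of a device's settings as reported at network join (assumed schema)."""
    device_id: str
    passcode_set: bool
    passcode_length: int
    wipe_after_failures: Optional[int]   # None means auto-wipe is disabled
    autolock_minutes: Optional[int]      # None means auto-lock is disabled
    encrypted: bool
    jailbroken: bool


def check_posture(p: DevicePosture, policy: dict = POLICY) -> List[str]:
    """Return every policy violation found; an empty list means compliant."""
    violations = []
    if not p.passcode_set:
        violations.append("no passcode")
    elif p.passcode_length < policy["min_passcode_length"]:
        violations.append("passcode shorter than %d" % policy["min_passcode_length"])
    if p.wipe_after_failures is None or p.wipe_after_failures > policy["max_failed_attempts"]:
        violations.append("auto-wipe after failed unlocks not enforced")
    if p.autolock_minutes is None or p.autolock_minutes > policy["max_autolock_minutes"]:
        violations.append("auto-lock disabled or longer than policy allows")
    if policy["require_encryption"] and not p.encrypted:
        violations.append("data not encrypted")
    if p.jailbroken and not policy["allow_jailbroken"]:
        violations.append("device jailbroken")
    return violations


def admit(p: DevicePosture, policy: dict = POLICY) -> bool:
    """Gate network access: only a fully compliant device is admitted."""
    return not check_posture(p, policy)


# Constructed sample records: a compliant device, one that was hard reset
# (controls gone), and one that was jailbroken but otherwise configured.
GOOD = DevicePosture("dev-001", True, 8, 10, 5, True, False)
RESET = DevicePosture("dev-002", False, 0, None, None, True, False)
JAILBROKEN = DevicePosture("dev-003", True, 6, 10, 5, True, True)
```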
Tactic 2: Remote Wipe
Despite your best efforts, some users will lose their devices. Or their kids will drop them (especially the iDevices). Or they’ll break and be sent in for service. However it happens, the authorized user won’t be in control of their device, and that introduces risk for you. And of course they won’t tell anyone before sending the device into the shop, or losing it. So we get a memo asking for a replacement/loaner because they have to access the deal documents in the can.
You need the ability to eliminate the data on the device remotely. This doesn’t have to be complicated, right? Authenticate properly and nuke it from orbit. Hopefully your user backed up his/her device, but that’s not your issue. Ultimately if there is sensitive data on the mobile device, you need to be able to wipe it from anywhere in the world.
One caveat here is that in order to wipe the device you must be able to connect to it. So if a savvy attacker turns it off, or puts it into airplane mode or something, you won’t be able to wipe it. That’s why having an auto-wipe policy in case of 10 password failures is critical. At some point, someone will try to get into the device, and that’s when you want to be rid of the data.
Tactic 3: Lock down Network Access
It’s no secret that most public wireless networks are the equivalent of a seedy flea market. There are some legitimate folks there, but most are trying to rip you off. And given the inherent bandwidth limitations of cellular data, most users leverage WiFi whenever and wherever they can. That creates risk for us, who need to protect the data.
So what to do? Basically, get a little selective about what networks you allow users to connect to. You can enforce a policy to ensure any WiFi network used offers some kind of encryption (ideally at least WPA2) to avoid snooping the network traffic. Or you can VPN all the devices’ network traffic through your corporate network, so you can apply your web filtering and other protections, with encryption to rebuff sniffers.
Unfortunately this isn’t easy to swing in reality. Remember, these devices don’t belong to your organization, so mandating that all network traffic goes through your network may not fly. In that case, what you can do is make sure that any inbound traffic to sensitive information goes through a virtual private network (VPN). This way you can require strong authentication and an encrypted tunnel to make sure that it’s the right person, and only authorized users get access to your corporate data.
Most of the large network security vendors provide a mobile device VPN client to force a secure connection. This is something you should strongly consider.
Tactic 4: Support Technologies
Although not a traditional security capability, being able to support these mobile devices will contribute as much (if not more) to your ability to protect the data as anything else you can do. Why? Because if a user can quickly have you unlock their device if they forget the password, it becomes easier to enforce a strong password policy.
If they have trouble connecting to a network because you require the VPN, you’ve only got one shot before they actively work to get around your security controls. So basically, by making sure their user experience isn’t adversely impacted by the additional protection, you are giving your security controls a much better chance to succeed.
Tactic 5: Reporting
Finally, we have to mention the C word. No, not that C word – I’m talking about Compliance. Regardless of the business you are in, the reality is that you are likely dealing with some kind of regulatory oversight. And that means you’ll need to prove to an assessor (or 8) that the private data on those mobile devices is protected. Which ultimately means you need to be able to generate reports about what you are doing.
The good news is that any technologies you’d consider for any of the other tactics will be able to generate the reports you need. But keep in mind the need to document what you are doing when you are setting them up.
As we’ve discussed, it’s not a matter of if, but when you’ll need to provide access to critical corporate information on mobile devices. Saying ‘no’ is not an option. “Yes, But…” helps you ensure folks have legitimate reasons before providing access, but you’ll still have to build a plan to support these devices.
That means you need to keep apprised of the current attacks being used against mobile devices, and also that you need to pay attention to both the process and the technologies used to protect them. Along with all the other stuff on your plate every day. Have fun with that.