Cloud Computing Security
book with ISBN: 1461194067, is now available.
- Mobile security
- Common mistakes
- Security Measures provided to customers
- Understanding wireless security
- Mobile Security policies
There are two options:
1. Action to prevent mobile security breaches
2. Reaction after a breach
The former is a lot easier and cheaper than the latter. Make mobile security a top priority and start seeking out these vulnerabilities. Eventually, you can gain the control you need.
Several ways to improve security through mobile device management exist. One first step is to section up the databases into authorized segments by user. Each user may see only the selected partitions for which she/he is authorized. This requires structuring data access by permissions with a policy engine rather than by subject.
The next step is protection for a lost device. Now coming onto the market are management systems that to some extent take the responsibility for data protection from the employee and return it to the network manager. A number of systems can now destroy any data on a smartphone or PDA and also allow only authorized devices to attach to the network for both mobile and PC synchronizing activities. An increasing number of suppliers have taken up the challenge; their products either look at mobile networking as an extension of existing management systems or as a new field in itself (e.g., Securewave, Synchronica).
Antivirus software is a critical application in today's enterprise network environment. So it comes as no surprise that as smartphones, PDAs and other mobile devices are integrated into standard business practices, there is a dire need to protect them. Mobile devices provide the increasingly crucial ability of allowing knowledge workers to connect to the corporate network, as well as the Internet, but for security professionals that means protecting the devices from emerging mobile viruses, traditional malware such as worms and spyware and mobile-targeted spam, sometimes called SPIM.
Smartphones often begin their foray into the enterprise with the most highly mobile employees purchasing devices themselves and then asking IT to allow them to use their devices for company business. Until there is an all-out decision to standardize within the enterprise, IT ends up trying to find a solution that will support a variety of devices running Symbian, Microsoft, Palm, Linux or BlackBerry operating systems.
Similar to the wired world, mobile malware has a tendency to infect a particular OS. In the wireless world, the platform of choice thus far has been Symbian, which boasts more than 75% of the mobile handset market. As Microsoft gains ground at 17%, most enterprise mobile antivirus products include support for both Symbian and Microsoft OSes. Blackberry devices, popular for enterprise deployments, have yet to see mobile malware.
There are a number of ways to address protecting numerous platforms and devices within the enterprise. The first, although not always the easiest, is to standardize the mobile OS or the device within the organization. Unfortunately, many smartphones and PDAs are "user-provisioned," meaning the users buy first and then demand to synchronize with the corporate network with little (if any) regard for security.
Another way to address heterogeneous mobile devices is to look for mobile antivirus products, as products from a number of vendors are designed to protect multiple OSes.
Once the mobile antivirus product is installed on the device, it is equally important to have access to updates. There are a number of ways in which mobile devices can be updated. The ideal method is through an integrated security console, through which all enterprise antivirus updates would be pushed.
However, mobile devices add an extra dimension beyond the traditional IP network, since there are multiple delivery methods. For example, F-Secure Corp.'s Mobile Security product can automatically update the signature database over an HTTPS data connection, incrementally via SMS messages or in the background via a GPRS connection.
Defense-in-depth is the mantra of any IT security administrator, and mobile devices are no exception. It's not just viruses that cause pain in enterprise mobile device deployments. Spam presents a significant financial liability in the mobile realm. Unlike traditional email spam, when a mobile device receives spam, the cost can be more that just corporate bandwidth and the time it takes to delete it. With cellular carriers charging for each SMS/MMS message time spent online and for data transfers, unwanted messages can rapidly add up to additional costs for the enterprise.
Furthermore, as mobile VoIP technologies gain ground, companies will have to contend with the reality of more than just text spam. Security vendors are already gearing up for the advent of voice spam -- automated calls inexpensively generated using VoIP technologies.
That's why an antivirus-only product isn't going to make it in today's mobile security enterprise arena. Vendors have realized that addressing requirements for mobile deployment is much more than just porting an existing antivirus product into a mobile environment.
To cover all the bases, look for mobile security solutions that have integrated antispam, antispyware and personal firewall functionalities into their products.
Usability and productivity must be taken into account when choosing an enterprise mobile security solution. Mobile security products need to be seamless to the user; otherwise, enterprises run the risk of having users bypass security features by turning them off or performing factory resets on the devices themselves.
Carriers are also recognizing the ubiquitous need for mobile device security and have begun including antivirus and anti-spam in their service contracts. While this helps alleviate the possibility of mobile malware, it is not an overall solution for providing mobile security to enterprise deployments.
The key elements of a mobile device management strategy, are as follows:
- First, don't even think about developing a mobile computing strategy without an acceptable-use policy and a corporate security policy in place. Defining what users may and may not do with enterprise equipment and information is critical. The use of two-factor authentication is recommended, but at the very least some form of acceptable-password enforcement should be present.
- Add mobile devices to your asset management system. It's important to keep track of who has what, if for no other reason than that your CFO might ask.
- Then think about configuration management -- what settings and applications should be present on the mobile device. As part of this, remote configuration and update allows problems to be fixed remotely in the field and can cut IT support costs. Also a "zap" feature to erase any information on the mobile device if it's lost or stolen, and a whitelist mechanism to define which applications are allowed on the device are essential.
- Synchronization and backup are clearly both very important. Sync can include both coarse-grained (files) and fine-grained (emails, calendars, contacts), and sync can be performed over a wide-area wired or wireless network, a LAN, Bluetooth or USB, and to a specific computer or to a server. Configurations can be tricky here, and again it's very important to define precisely what is allowed. Don't forget about mobile-device backup as well.
- Using a central management console to administer mobile devices and to make sure all drivers, virus definitions, firewall settings and related items are properly configured.
- Define remote access capabilities, including remote LAN access and/or remote control of specific machines if that's a service you intend to allow.
- Finally, make sure you have a mechanism for monitoring, usage reports and related services. These should be available to your help desk as well.
As noted above, the exact combination of products and services required in any given case can be determined only by an analysis of the specific IT objectives of a given organization, and related policies. And, costs need to be carefully considered as well – and not just the costs of products and services. It's important to keep in mind that what we're really doing here is optimizing the costs related to the users of all of this functionality. As with anything related to IT, the bottom line is productivity, not technology.
To receive your Mobile Devices Security Assessment, please submit your payment of $999.00.
B E T T E R: Please submit your payment of $1999.00 for a complete Mobile Devices Assessment of your entire business. Extra, if more than 100 miles travel required.