
Mobile Security: Take it with you Wherever You Go

By Qahim Moosavi, Margolis Consulting Services

It is time to get serious about protecting the data stored on wireless devices.  This article offers some suggestions for keeping your secrets safe.

The development of new mobile devices such as the Blackberry has made the mobile workforce more productive. Starting with email and extending to critical applications such as CRM, mobile devices have made corporate data available regardless of our location; however, this accessibility and convenience come at a price. The more available our data becomes, the more vulnerable it becomes.

Too often, companies that vigilantly guard their data leave it exposed via mobile access. Under the pressure of making the data available, security administrators can underestimate the risks introduced by the unique nature of these devices. The vulnerabilities range from stolen or lost cell phones to hacking into the phone to access corporate data. In order to combat these vulnerabilities, users require a good set of enforced policies along with proper IT administration. In the following, I will touch upon a few concerns for mobile computing.

The first thing one should do after getting a phone is to password-protect it. Most phones come with a power-on password. Securing your phone with an adequate password will protect your data and privacy if you lose your phone. In addition, the data stored on the mobile device should be as secure as the information in the corporate network. The loss of this data or its confidentiality can lead to embarrassment, lawsuits and even failure to meet legal compliance objectives like HIPAA or Sarbanes-Oxley. One of the best ways to deal with this problem is to encrypt all data, especially the data stored on removable media.

The corporate firewall is usually the first line of defense against would-be hackers. Thus, security administrators are usually very protective about the services that are allowed in and out of their network. Allowing access to mobile users requires the administrator to open ports in the firewall, which admits "unknown connections" that may be construed as untrusted. This exposure may be mitigated by adding controls such as a mandatory authenticated SSL connection.

By nature, the wireless network is usually built outside the corporate environment. Thus, the security policies and precautions taken inside the network must be strengthened when dealing with data outside the network. Data in transit over wireless networks can be dangerously exposed. One solution is to encrypt the data with a secret key: either a single shared secret key known to both ends, or a key pair in which one key encrypts the data and a different key decrypts it. Either way, anyone tapping into the traffic cannot read the contents. Another method is to maintain an encrypted tunnel using the SSL protocol. Although a very secure and reliable method, it requires considerable computing resources and thus may reduce the battery life of the mobile device.

Most people view security for their wireless devices differently from security for their desktop or laptop. The attacks on their "regular" computers, such as viruses, Trojans, worms and spyware (collectively classified as malware), can also load themselves onto wireless devices and create problems. They can self-execute and bypass corporate security, potentially compromising the network and its data. The most common approach for preventing the transmission and proliferation of malware on computers is to install anti-virus software, which is designed to detect and contain malware. This is one area where the main vendors are starting to step up and incorporate the same features and management tools that they have been promoting for the computer environment for years.

As corporations provide more mobile devices and start taking advantage of their unique features, the steps taken to secure and maintain them become more vital. An effective wireless solution should be designed for security and compliance as well as functionality, keeping in mind that a mobile device presents challenges such as limited battery life and memory as well as constrained processing.

Most important, mobile devices need to be governed by a robust and enforced security policy. Historically, mobile devices fell under the umbrella of a general acceptable use policy; however, in light of the increased connectivity and functionality of mobile devices, it is necessary to create specific policies to address vulnerabilities.

An effective user policy will include but not be limited to the following areas:

  • User authentication is the first line of defense for mobile devices.  Mobile devices should be power-on password-protected.  It is critical to define password length, expiration, and attempt limits to ensure password strength.
  • Limit unauthorized use of mobile devices by restricting connectivity on mobile devices. Just because a mobile device is Internet-enabled does not mean that everyone in the organization needs access to the corporate network. Defining user groups limits access to include legitimate personnel and also makes those with access accountable.
  • Encrypt data in transit between recipient and sender over the Internet.  Most mobile devices come equipped with removable media; the media should also be encrypted.
  • Define and deploy antivirus and anti-malware measures. Typical antivirus deployment would strain the limited processing and memory capabilities of a mobile device; however, scanning emails at the server level before they are downloaded onto the mobile device offloads the processing to a more capable computer.
  • Mobile devices should not be able to download third-party applications over a wireless network. Attachments should be viewed through an attachment service that only makes a rendition of the attachment available; a rendition is viewable but not executable. Administrators must restrict the types of connections that third-party applications can initiate inside the firewall.
  • Ultimate control of the mobile device should rest with the IT administrator and not the end user. The IT administrator needs to mandate and enforce mobile device settings and retain the ability to erase data from devices remotely.
  • Expanding on the above policy, controls should be in place to address lost or stolen phones.  One such control would be to “zap” the phone so that all data and configuration information is erased in the event the phone is lost or stolen.
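The policy areas above are what an administrator ends up encoding in a device-management system. The following is an added example (not code from the article or any product it mentions) that evaluates a constructed device profile against those controls and decides the administrator's action, including the remote "zap" of a lost device; the thresholds in POLICY and all field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Thresholds are constructed for this example; set them to your own standard.
POLICY = {
    "min_password_len": 8,
    "max_password_age_days": 90,
    "max_failed_attempts": 10,
    "network_access_groups": {"sales", "field-service", "it"},
}

@dataclass
class Device:
    owner: str
    groups: set                     # user groups the owner belongs to
    power_on_password: bool
    password_len: int
    password_age_days: int
    failed_attempt_limit: int       # 0 means no lockout/wipe threshold configured
    storage_encrypted: bool
    removable_media_encrypted: bool
    third_party_install_allowed: bool
    remote_wipe_enabled: bool
    reported_lost: bool = False

def evaluate(dev: Device) -> list:
    """Return the policy violations for one device (empty list = compliant)."""
    v = []
    if not dev.power_on_password:
        v.append("no power-on password")
    else:
        if dev.password_len < POLICY["min_password_len"]:
            v.append("password shorter than minimum length")
        if dev.password_age_days > POLICY["max_password_age_days"]:
            v.append("password expired")
        if not 0 < dev.failed_attempt_limit <= POLICY["max_failed_attempts"]:
            v.append("failed-attempt limit missing or too high")
    if not dev.storage_encrypted:
        v.append("device storage not encrypted")
    if not dev.removable_media_encrypted:
        v.append("removable media not encrypted")
    if dev.third_party_install_allowed:
        v.append("third-party application install allowed")
    if not dev.remote_wipe_enabled:
        v.append("remote wipe not enabled")
    return v

def decide(dev: Device) -> str:
    """Administrator action: wipe a lost device, deny network access to
    non-compliant devices or owners outside the authorised groups, else allow."""
    if dev.reported_lost:
        return "wipe" if dev.remote_wipe_enabled else "revoke-credentials"
    if not dev.groups & POLICY["network_access_groups"]:
        return "deny: owner not in an authorised group"
    if evaluate(dev):
        return "deny: non-compliant"
    return "allow"
```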

Corporations are seeing the power and functionality of mobile devices increase and are quickly making use of it to enhance productivity and customer relations; however, the bad guys have also recognized the power of these devices.  Thus, an effective wireless solution should be designed around secure reliable computing.  Typical solutions used for the desktop environment may be impractical for mobile computing.  Corporate policy, administered from top-down, should address the unique requirements of mobile computing specifically.  Mobile devices should be protected from malware, data loss/theft and tampering to deliver confidentiality, integrity and availability.

For further information pertaining to this article, please contact Qahim Moosavi at (610) 784-0155 or at qmoosavi@marg.com.