Mobile Device Security Options

Because mobile devices reside outside the company firewall and beyond the reach of corporate security policies, they are often where unauthorized activity can occur. Users can inadvertently pass viruses, spyware, and other malware to the company network through the VPN. It still matters that a network has a formidable configuration of layered security, but when a notebook or smartphone is lost or stolen, the data stored on the notebook’s is exposed.

Mobile Device Security Policy

Your organization needs to identify and develop mobile security policies to be deployed which will provide adequate protection. The level of protection has to be aligned with the level of risk that your organization is willing to accept. These policies should ensure that the many regulatory or compliance concerns that might be applicable are addressed. The mobile security policy should be integrated within your overall information security policy framework. Key elements to address in the mobile device security policy are:

• Physical security of the device
• Address lost or stolen devices
• Acceptable uses of the device
• Encryption
• Password protection
• Storage
• Backup
• Access Control
• Authentication
• Monitoring

Like every other security policy, your organization must regularly review its mobile device security policy, particularly after the acquisition of new mobile devices, configuration changes and in the wake of security incidents involving mobile devices. Enterprises have to have ways to protect that data regardless of its location or place of breach. Options available to the enterprise include:

• VPN - Many enterprises use Internet Protocol Security (IPSec) VPNs, but the fact that IPSec works at the network layer can add exposure of the entire network to malware found on remote machines. Secure Sockets Layer (SSL) VPN technology works at the transport layer of the Transport Control Protocol/Internet Protocol (TCP/IP) stack and is session-oriented, offering more precision in granting access -  even down to a specific application, file or window of time. Some vendors are offering all-in-one appliances that package not only VPN working on both layers, but also firewall, intrusion prevention and network antivirus.
  
  
• Network Access Control (NAC) - NAC gives the network the ability to grant access to a device based on preset criteria, and then monitor it throughout its connection cycle. If the device behaves in a way that is out of line with policies, it is quarantined, given an opportunity to remediate and then disconnected if it remains noncompliant.
  
  
• Encryption - A data-level form of protection, encryption is centrally managed and updated. It works by jumbling data according to a complex algorithm that machines are able to unlock once they have been authenticated. Everything from a single file to the entire hard disk can be encrypted.
  
  
• Intrusion detection and prevention - Intrusion detection and prevention systems focus on identifying incidents, logging information about them, taking action to stop intrusions and reporting incidents to administrators for further review. These systems work well to stop unusual IPs and to block worms, botnets and other malware. They add an additional layer of security between the firewall and antivirus software.
  
  
• Remote Lock Down and Data Destrition - Credentials and devices that are tagged as inactive can have "self desruct" or "remote lock down" code downloaded and activated in such a way that all of the "sensitive data" on the remote device is "erased" and the device put in such a state that it is not usable with intervention by the enterprise.. Extreme care should be used if this option is used and the help desk should have procedures in place so that devices remotely locked down in such a manner can be re-activated.
  
  
• Data leakage protection - You can secure data, regardless of where it is in relation to the network, with data leakage prevention (DLP) technology. DLP solutions tag data based on a set of criteria such as location of data, application type, file type, keywords and common data strings. These tags alert IT when the data is being used in a certain manner. DLP can prevent the data from being copied, e-mailed, sent via IM, printed, saved to a different device, changed to a different file type or otherwise altered.