Defense strategies for securing the mobile enterprise

New, smaller "wireless-ready" handheld computers and smart phones are making employees more mobile and effective, but increased mobility also means increased risk.

Today the majority of mobile devices come with built-in support for wireless LANs, Bluetooth and wireless WANs. No longer encumbered by the complexity of connecting to corporate networks and resources, mobile users can more easily access and exchange business information anywhere on a corporate campus, in the field or while traveling.

As a result, valuable enterprise data that was once tightly secured within the networked perimeter now resides unprotected on mobile endpoints, including laptops, tablets, PDAs, converged handheld devices and smart phones. Left unsecured, mobile devices are an open door to one of your most valuable corporate assets -- information. And because of their size, these devices are easily misplaced, lost or stolen -- exposing your organization to potential legal liability, financial loss and brand damage.

Security threats introduced by mobile devices are forcing organizations to fundamentally change their philosophies of what a secured perimeter is. When organizations had to worry only about protecting physically connected computers from unauthorized access, they quickly added firewalls, antivirus tools, virtual private networks and strong authentication to protect the perimeter.

However, when you add computing devices that are even smaller than laptops and that work completely independently of the network, the job of securing the perimeter becomes very complicated. Because these devices are used outside the network's span of control, they require their own security strategy. To adequately protect your digital assets, you need to expand your secured perimeter to include mobile devices and their wired or wireless connections to your network.

If you think this isn't a big problem, think again. Companies are adopting mobile and wireless devices faster than any other platform. Industry analyst firm Gartner Inc. predicts that by 2007, there will be nearly 120,000 WLAN "hot-spot" gateways worldwide, providing access to private and public networks for over 200 million mobile devices used in business. Gartner also predicts that more than 60% of staff at Global 2,000 companies will have mobile access to corporate applications and that 40% of corporate data will reside on handheld devices by 2005.

Managing mobility is no longer an option -- it is a required component of network security. Your challenge is to determine who is accessing your network, how they are accessing it and with what type of mobile device. Then you'll need to figure out how to secure and effectively manage these devices and connectivity options for potentially thousands of users -- while keeping costs in line. The best approach is a proactive one. The following defense strategies will help you develop a plan that includes sound practices, adequate training and the implementation of a security and management framework to expand your secured network perimeter to include mobile devices.

Perform a risk assessment. Sound security practices are dictated by the business you are in and the risks you face. And information security planning begins with understanding the value and sensitivity of the information you store today. Identify where sensitive data is located, who controls it, who and what has access to it, how it is stored and how it is protected.

Implement a security policy for mobile devices. Once you've performed a risk assessment, you'll need to implement a security policy for mobile devices. The policy should cover reasonable and prudent security controls that govern items such as the types of information that are to be placed on the device; the security configuration of the device, including all software that is to be used to protect enterprise data; and permissible modes of operation, including acceptable wireless connectivity options and use of removable media.

Train and educate employees. Employees should be made aware of the vulnerabilities of mobile devices and the implications to the company if they should fall in the wrong hands. Training should include awareness of the physical security of the device, the mobile device security policy, a review of the types of information that can be stored on the device and the procedure to follow if a device is lost or stolen.

Implement strong on-device security. Many times, sensitive information, such as customer account information, order history, pricing and product road maps, as well as critical access credentials and network credentials, is stored unprotected on mobile devices. To maximize the protection of enterprise data, security should be enforced at all times to ensure that the mobile device is protected whether it is online or offline.

At the very least, start with a policy that requires user authentication to prevent unauthorized users from obtaining access to the device's functions, applications or network access from the device. Enable fail-safe options that automatically lock the device when a user exceeds a set number of failed access attempts, as well as more aggressive measures that automatically destroy all applications and data stored on the device once a higher threshold is reached.

Unauthorized users can also easily circumvent device authentication by simply removing the device's hard drive or removable media and inserting it into an unprotected device to read the data. To prevent this, enforce encryption policies so that stored data is unreadable on any device other than the authorized one: the encryption key must be tied to the user's credentials and the authorized device, not stored in the clear on the media itself.
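As an added example (not code from the original article), the following Python module models the on-device authentication gate the two paragraphs above call for: the PIN is stored only as a salted PBKDF2 hash, a counter of failed attempts locks the device after a lower threshold and destroys on-device data after a higher one, and an administrator path clears the lock. The thresholds, the device model and the `admin_unlock` function are assumptions for this example; a real deployment would receive them from the policy server described later in the article.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed policy values for this example; a real policy is pushed centrally.
LOCK_AFTER = 5          # failed attempts before the device locks
WIPE_AFTER = 10         # failed attempts before on-device data is destroyed
PBKDF2_ITERATIONS = 100_000


@dataclass
class Device:
    """Minimal model of a handheld's authentication state (assumed structure)."""
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    wiped: bool = False
    data: dict = field(default_factory=dict)   # stands in for on-device databases


def _derive(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen device image cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enroll(pin: str, data: dict) -> Device:
    """Provision a device with a user PIN and some (constructed) business data."""
    salt = os.urandom(16)
    return Device(salt=salt, pin_hash=_derive(pin, salt), data=dict(data))


def _wipe(dev: Device) -> None:
    # The "aggressive measure": destroy data and the credential material itself.
    dev.data.clear()
    dev.pin_hash = b""
    dev.wiped = True
    dev.locked = True


def unlock(dev: Device, pin: str) -> str:
    """Attempt to unlock. Returns 'ok', 'denied', 'locked' or 'wiped'."""
    if dev.wiped:
        return "wiped"
    correct = hmac.compare_digest(_derive(pin, dev.salt), dev.pin_hash)
    if dev.locked:
        # Once locked, even the right PIN does not help (admin must clear it),
        # but a correct PIN is not counted toward the wipe threshold so a
        # legitimate user cannot wipe their own device by retrying.
        if correct:
            return "locked"
    elif correct:
        dev.failed_attempts = 0
        return "ok"
    dev.failed_attempts += 1
    if dev.failed_attempts >= WIPE_AFTER:
        _wipe(dev)
        return "wiped"
    if dev.failed_attempts >= LOCK_AFTER:
        dev.locked = True
        return "locked"
    return "denied"


def admin_unlock(dev: Device) -> bool:
    """Clear a lockout. Assumed to run only after the administrator has been
    authenticated by the management system; a wiped device cannot be recovered."""
    if dev.wiped:
        return False
    dev.locked = False
    dev.failed_attempts = 0
    return True


if __name__ == "__main__":
    d = enroll("2468", {"customers": ["constructed sample record"]})
    for guess in ["0000"] * 5 + ["2468"]:
        print(guess, "->", unlock(d, guess))
    print("admin unlock:", admin_unlock(d), "->", unlock(d, "2468"))
```

The point of keeping the wipe counter separate from the lock is that lockout is the recoverable control and wipe is the irreversible one; the two thresholds are what the policy in the next sections should set and enforce centrally.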

Control the use of employee-owned devices. The inexpensive nature of mobile devices enables and encourages staff members to bring personal devices into the office and onto the network. This compromises many of the basic assumptions of a sound security foundation. Control the use of employee-owned devices and the flow of enterprise data to them by detecting and blocking the use of personal devices or by automatically provisioning security software and user policies to ensure that they're protected at all times.

Authenticate users and devices prior to granting access to enterprise data. Synchronization software can be used to easily transfer large amounts of sensitive data from an unattended desktop computer to a mobile device. To prevent malicious synchronization, manage synchronization activities through security policies that enforce authentication and control where users can synchronize.

A chief concern is the widespread use of WLANs within corporate environments. To prevent rogue attacks at points of entry to corporate LANs behind the firewall, network authentication should be enforced for all ad hoc wireless connectivity to the network.

Centralize policy administration and enforce it with software. When it comes to policy enforcement, compliance remains the responsibility of the security office. Many times, security safeguards, such as passwords and data encryption, are circumvented by an unintended or intended hard reset of the device, which automatically sets it to the factory default settings -- which don't include security. Implement policy-based software to ensure that the measures you put in place to safeguard the privacy of sensitive information are not defeated. Be sure the security software can monitor, audit and report vital statistics about each user's network access to validate compliance with security policies.

To ease the burden and costs of administering potentially thousands of mobile devices across multiple mobile operating systems, policy administration should be centralized and automated. Use software that will automate the distribution of security software and policies, as they're defined for new users or updated, to ensure ongoing compliance with security policy -- even in the event of an intended hard reset. Ideally, mobile security policies should be integrated with an enterprise directory, such as Microsoft Active Directory, allowing consistency across all corporate systems. These best practices ensure a base level of security on all systems and greatly simplify administration by eliminating the need to update multiple systems each time a change is made in employment status.

Control the flow and secure information in flight. Many devices are shipped "wireless-ready" and support many communication options such as infrared beaming, Bluetooth, WLANs and WWANs. Be sure that only safe, authorized communication mechanisms are used. Establish controls regarding when, where and how an employee can communicate when using a mobile device.

Given the security risks associated with information traveling over the public Internet and over the air, be sure to protect enterprise data as it is transmitted to and from the enterprise network, using transport encryption such as SSL or VPN technology. In addition, a personal firewall should be installed on the device to further control access to it.

Bob Heard

Protect devices from malicious code. As an increasing number of devices are used to connect to the enterprise network, viruses and Trojan horses written specifically for mobile devices will become more of a nuisance. Antivirus protection should be deployed on each device and regularly updated to safeguard against data loss and the malicious destruction of code and data.

Balance accessibility of information with security. The ability to use mobile devices demands a delicate balance of security and accessibility of information. To allow continuity of business functions, on-device security controls should be transparent to the user and should not hinder productivity. For example, encryption and decryption of databases or folders that contain sensitive information should occur in real time when requested, to reduce the impact on the user. And be sure that an authorized administrator can recover encrypted databases or files in the event that an employee leaves the company.

Users who forget their passwords should not have to depend on a call to the help desk or connectivity to the network to obtain access to the device's functions. Use software that ensures business continuity and reduces help desk calls by allowing an authorized user to reset their PIN or password.
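The two requirements above, administrator recovery of encrypted data and a PIN reset that does not lose the data, are both met by key escrow: the database is encrypted under a random data key, and that data key is wrapped twice, once under a key derived from the user's PIN and once under an enterprise recovery key held by the administrator. The following Python module is an added illustration of that structure, not the article's or any vendor's code. Because the Python standard library has no AES, the key wrap uses an HMAC-SHA256-derived one-time pad plus an HMAC tag as a stand-in; in a real product you would use a standard key-wrap algorithm. The record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def new_recovery_key() -> bytes:
    """Enterprise recovery key, generated and held by the administrator."""
    return os.urandom(32)


def _kek_from_pin(pin: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the user's PIN; never stored on the device.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def wrap_key(dek: bytes, kek: bytes) -> bytes:
    """Wrap a 32-byte data key under a 32-byte KEK.
    Layout: nonce(16) || dek XOR pad(32) || tag(32).
    Stand-in for a real key-wrap algorithm: the pad is HMAC(kek, nonce) and is
    used once per fresh nonce; the tag detects a wrong KEK or tampering."""
    assert len(dek) == 32 and len(kek) == 32
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"pad" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap_key(blob: bytes, kek: bytes) -> bytes:
    """Inverse of wrap_key; raises ValueError if the KEK is wrong."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted key blob")
    pad = hmac.new(kek, b"pad" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


def provision(pin: str, recovery_key: bytes) -> dict:
    """Create the on-device key record: one data key, escrowed two ways."""
    dek = os.urandom(32)                      # encrypts the actual databases
    salt = os.urandom(16)
    return {
        "salt": salt,
        "dek_user": wrap_key(dek, _kek_from_pin(pin, salt)),
        "dek_admin": wrap_key(dek, recovery_key),
    }


def open_with_pin(record: dict, pin: str) -> bytes:
    """Normal path: the user's PIN releases the data key in real time."""
    return unwrap_key(record["dek_user"], _kek_from_pin(pin, record["salt"]))


def open_with_recovery(record: dict, recovery_key: bytes) -> bytes:
    """Administrator path: recover data after the employee has left."""
    return unwrap_key(record["dek_admin"], recovery_key)


def reset_pin(record: dict, recovery_key: bytes, new_pin: str) -> dict:
    """Forgotten PIN: re-wrap the same data key under a new PIN.
    The data key never changes, so nothing on the device has to be re-encrypted,
    and the administrator's escrow copy stays valid."""
    dek = open_with_recovery(record, recovery_key)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "dek_user": wrap_key(dek, _kek_from_pin(new_pin, salt)),
        "dek_admin": record["dek_admin"],
    }


if __name__ == "__main__":
    rk = new_recovery_key()
    rec = provision("1234", rk)
    print("user unlock ok:", open_with_pin(rec, "1234") == open_with_recovery(rec, rk))
    rec = reset_pin(rec, rk, "5678")
    print("after reset, new PIN works:", open_with_pin(rec, "5678") == open_with_recovery(rec, rk))
```

Whoever holds the recovery key can read every escrowed device, so that key belongs in the management server or an HSM with its own access control and audit trail, which is exactly the centralized administration the article argues for.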

Mobility marks the next new wave of computing. The demand is real, the technology is here, and the benefits are great. However, new security threats introduced by mobile devices and wireless access to corporate LANs are eroding the secured networked perimeter, dictating a change in the fundamental philosophy of enterprise security and how you protect your digital assets.

As you mobilize employees, address this new computing paradigm by effectively extending your networked perimeter to include mobile devices and their wired or wireless connections to your network. With 120,000 WLAN hot spots predicted to provide network access to more than 200 million mobile business devices by 2007, managing and securing mobility is no longer optional. To adequately protect your digital assets, expand your secured perimeter to include mobile and wireless devices.

Copyright © 2004 IDG Communications, Inc.
