Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part III

Security5 minutes readOct 20th, 2011

Understand the security requirements – security considerations are part of every aspect of secure mobility.  From the devices you decide to support, the applications and access you provide, the connection and data center capabilities you provide, are all part of the security environment.  Some of the areas to consider are:

  • Establish policies for mobile device usage.  Users have responsibilities when allow remote access to applications and data.  Whether the devices are provided by the enterprise or personally owned.  User education on usage policies must be provided.  IT and HR need to work together on implementing the policies.
  • How are mobile user identities managed?  Is a simple UserID/Password mechanism secure enough for the data they will access?  Is multi-factor authentication needed?  Will some type of token key store like a smartcard be required?  Do you need biometric verification?
  • What type of Mobile Device Management will your enterprise require?  If you only need secure email then Exchange ActiveSync (EAS) services may be all that is required.  Depending on the importance of the data, more security may need to be applied.  Know the built-in security features for devices.  Do they provide hardware encryption?  Manage and enforce polices for mobile devices.  Consider remote wipe of secure data or even the entire device.
  • Should recovery of lost a device be considered?  Use of device tracking by network access or Intel Anti-Theft (for larger devices) may be of value.
  • Consider a custom App Store for enterprise applications.  If possible, control applications loaded on the device.  Setup “white list” and “black list” applications and provide the capability to enforce them.
  • Provide “jailbroken” device detection and automatic wipe of enterprise apps and data.  Devices that are “jailbroken” or “rooted” can no longer provide the protection profiles needed.
  • Does a secure sandbox for applications and/or email/web access provide the necessary separation of user and enterprise data?
  • If developing custom apps from internal or open source code consider code vulnerability scanning tools to detect coding errors and purposely designed vulnerabilities.
  • Implement the concept of least privilege.  Provide only the access necessary for each use type.  Do not allow access to resources that the user does not require.  It opens the system to being exploited if the user access credentials are compromised.
  • Protect data in motion (SSL, VPN, etc.) and data at rest (encryption).  Look for Certified FIPS 140-2 encryption capabilities in the products and services you provide.  Keep server certificates up to date and only allow access when the certificates are correct.
  • Ensure that redeployed devices are purged of all data and apps.  When re-issuing enterprise owned devices completely re-image the device or reset to factory defaults.  Then build the device for the user.   The new user should not have access to the old user’s data or apps.
  • Keep sensitive data server side.  Enterprise IP or sensitive data should only stay at the data center.  The device should be simply the plane of glass that the user has to view the data.  It should never be allowed to be saved outside the data center.  Other than taking a picture of the display, there should be no capability save the data anywhere.
  • Ensure your security operates with continuous compliance and active management.  Look for a deal with violations.  It may be necessary to revoke user privileges if they abuse the policy.

Innovating on what’s possible – while working toward all that is described above, consider how mobility can help improved your business capability.  Improving customer service, higher productivity or optimization of human resources are all possibilities.  These are generally discovered during an Innovation Workshop or “brainstorming” session, but can also come from employees, customers or competitors.  Some of the current capabilities being implemented include:

  • Location based services – the ability to use the device’s GPS coordinates to provide user services. While phones have been providing location services like nearby restaurant or gas station location, new apps are providing a greater user experience.  These include current coupon listings, user ratings of restaurants, location of government services.  There are apps that help travelers identify and understand historic locations, monuments or people.  People that work together could locate each other and get directions to each other’s location.
  • Use the device capabilities like the camera.  Several financial institutions allow the deposit of check through check images from a smart phone.  Scan the barcode to renew a prescription.  Scan a product’s UPC code and get price comparisons for stores near your location.
  • Augmented reality – the ability to use the phone to show you information or content about where you are now.  There is an app that shows the location of all New York City subway lines and shows closest stations when you hold the phone up.  As you move around it changes what is overlaid on the live video with new station names for those in front of you.

I have laid out many of the areas to be considered.  The task may look at too big to tackle, but can be implemented in stages once you understand what you want to accomplish.  My next BLOG will cover how to get started implementing Secure Mobility and how Unisys can help.

Related posts:

Tags-   Consumerization CyberSecurity Data protection Mobile devices Security