Enterprises increasingly rely on smartphones to improve employee productivity. Unfortunately, lack of essential security and mobile device management introduces substantial security risks for smartphone users. In addition, many enterprises do not provide adequate governance to deal with issues such as device ownership and data leakage. This article provides best practices for enterprise mobile device and smartphone security policy development and enforcement.
Smartphones open enterprises to security threats
Smartphones represent a potentially enormous security risk to the enterprise. A growing number of employees use personally owned smartphones to access enterprise applications. Unfortunately, many of these mobile devices were designed for the consumer market rather than for enterprise use.
As a result, information technology (IT) teams often refuse to support employee-owned devices. This encourages users to bypass IT and to manage their mobile devices using external services such as MobileMe. Larger device storage capacity and faster cellular speeds also make it easier to store sensitive information on smartphones and other mobile devices, increasing the risk associated with data leakage.
Recommendations for enterprise mobile device and smartphone security
Enterprises should establish a mobile device security policy to reduce threats without overly restricting usability. We recommend that enterprises consider the following mobile device management policies.
• Define use-case requirements
Identify groups of mobile users with different mobile information needs (e.g., field engineers and sales personnel). Define the use-case requirements for each group of users (e.g., field engineers need access to technical specifications, and sales personnel need access to customer relationship management software).
• Create an enforceable mobile device security policy
For each use case, define mobile device management policies that address issues such as ownership, personal/professional usage and security. Note that policies may differ (e.g., more/less restrictive) for each of the use cases.
• Adhere to security best practices
Adhere to security best practices such as those listed below.
- Enforce strong passwords for mobile device access and network access. Automatically lock out access to the mobile device after a predetermined number of incorrect passwords (typically five or more).
- Perform a remote wipe (e.g., reset the device back to factory defaults) when a mobile device is lost, stolen, sold, or sent to a third party for repair.
- Perform a periodic audit of security configuration and policy adherence. Ensure that mobile device settings have not been accidentally or deliberately modified.
- Encrypt local storage, including internal and external memory (e.g., secure digital cards).
- Enforce the use of virtual private network (VPN) connections between the mobile device and enterprise servers.
- Enforce the same wireless security policies for laptops and smartphones. Refer to the following article, Best practices for securing your wireless LAN, for additional information.
- Perform regular backup and recovery of confidential data stored on mobile devices.
- Perform centralized configuration and software upgrades "over the air" rather than relying on the user to connect the device to a laptop/PC for local synchronization.
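The periodic audit recommended above can be automated once the policy is written down as explicit thresholds. The following is an added example, not code from the article or from any vendor product: it checks a constructed fleet inventory against the practices listed (passcode strength, lockout after failed attempts, remote wipe for lost or sold devices, storage and memory-card encryption, enforced VPN, recent backups) and separately reports configuration drift from an approved per-use-case baseline, which is how accidental or deliberate modification of device settings is caught. The record fields, the baselines and the numeric thresholds are assumptions chosen for the example; a real deployment would pull them from the mobile device management inventory.

```python
"""Added example (not from the article): audit smartphone configuration
records against a mobile device security policy and report settings that
have drifted from the approved baseline for each use case. Field names,
baselines and thresholds are assumptions made for this example."""
from dataclasses import dataclass

# Policy thresholds assumed for this example.
MIN_PASSCODE_LENGTH = 8
MAX_LOCKOUT_ATTEMPTS = 10      # device must lock after at most this many failures
MAX_BACKUP_AGE_DAYS = 7
WIPE_REQUIRED_STATES = {"lost", "stolen", "sold", "repair"}


@dataclass
class DeviceRecord:
    device_id: str
    use_case: str                 # e.g. "field_engineer" or "sales"
    passcode_min_length: int
    lockout_attempts: int         # 0 means no lockout configured
    storage_encrypted: bool
    sd_card_encrypted: bool
    vpn_required: bool
    days_since_backup: int
    status: str = "active"        # active, lost, stolen, sold, repair
    wipe_issued: bool = False


# Approved baseline settings per use case (assumed). Any deviation is drift.
BASELINES = {
    "field_engineer": {"vpn_required": True, "storage_encrypted": True,
                       "sd_card_encrypted": True, "lockout_attempts": 5},
    "sales": {"vpn_required": True, "storage_encrypted": True,
              "sd_card_encrypted": True, "lockout_attempts": 10},
}


def check_policy(rec: DeviceRecord) -> list[str]:
    """Return policy violations for one device (empty list means compliant)."""
    findings = []
    if rec.passcode_min_length < MIN_PASSCODE_LENGTH:
        findings.append(f"passcode length {rec.passcode_min_length} < {MIN_PASSCODE_LENGTH}")
    if rec.lockout_attempts == 0:
        findings.append("lockout after failed passcodes is disabled")
    elif rec.lockout_attempts > MAX_LOCKOUT_ATTEMPTS:
        findings.append(f"lockout threshold {rec.lockout_attempts} > {MAX_LOCKOUT_ATTEMPTS}")
    if not rec.storage_encrypted:
        findings.append("internal storage not encrypted")
    if not rec.sd_card_encrypted:
        findings.append("external memory card not encrypted")
    if not rec.vpn_required:
        findings.append("VPN not enforced for enterprise access")
    if rec.days_since_backup > MAX_BACKUP_AGE_DAYS:
        findings.append(f"last backup {rec.days_since_backup} days ago")
    if rec.status in WIPE_REQUIRED_STATES and not rec.wipe_issued:
        findings.append(f"device is '{rec.status}' but no remote wipe issued")
    return findings


def check_drift(rec: DeviceRecord) -> list[str]:
    """Report settings that differ from the approved baseline for the use case."""
    baseline = BASELINES.get(rec.use_case)
    if baseline is None:
        return [f"no baseline defined for use case '{rec.use_case}'"]
    return [f"{key} is {getattr(rec, key)!r}, baseline {expected!r}"
            for key, expected in baseline.items() if getattr(rec, key) != expected]


def audit_fleet(records):
    """Map each device id to its combined list of policy and drift findings."""
    return {r.device_id: check_policy(r) + check_drift(r) for r in records}


def compliant_devices(records):
    """Device ids with no findings at all."""
    return sorted(d for d, f in audit_fleet(records).items() if not f)


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    DeviceRecord("dev-001", "field_engineer", 8, 5, True, True, True, 2),
    DeviceRecord("dev-002", "sales", 4, 0, True, False, False, 12),
    DeviceRecord("dev-003", "sales", 8, 10, True, True, True, 1, status="lost"),
    DeviceRecord("dev-004", "field_engineer", 8, 10, True, True, True, 3),  # drift only
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(device_id, "OK" if not findings else findings)
```

The policy check and the drift check are deliberately separate: dev-004 passes every policy threshold yet still shows up because its lockout setting no longer matches the field-engineer baseline, which is exactly the "modified setting" case the audit bullet is about.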
• Adhere to vendor best practices
Review and follow vendor-provided best practices. For example, see the Microsoft Security Guide or the BlackBerry Enterprise Solution Security Technical Overview.
• Remove residual application data
Ensure that mobile applications remove all enterprise information from the device. Residual information left behind by a mobile application can present a security risk.
• Evaluate third-party products
An increasing number of third-party products from companies such as Trust Digital and Good Technology can help an enterprise manage its mobile devices. Evaluate how they can help simplify security provisioning in enterprises that must support smartphones from a variety of vendors.
• Perform user education
Implement a continuous program of employee education that teaches employees about mobile device threats and enterprise mobile device management and security policies.
A growing number of employees expect to connect personal devices to enterprise networks in order to retrieve email, synchronize calendars and access enterprise applications. Although the enterprise may not own the device, it does own the informational assets stored on the device.
Enterprises should consider the recommendations described in this article in order to minimize smartphone security risks.
About the author: Paul DeBeasi, formerly a senior analyst with Burton Group, is now the research director for Gartner's Network and Telecom Strategies (NTS) research team. DeBeasi is a well-respected industry leader with more than 25 years of experience in the communication and wireless industries.
Prior to working with Burton Group, Paul founded ClearChoice Advisors, a wireless advisory firm, and was the vice president of Product Marketing at Legra Systems, a wireless-switch innovator.
His career began in engineering, where his work helped Bell Laboratories, Prime Computer and Chipcom develop profitable communication products in the 1980s and early 1990s. At Cascade Communications, his work as the frame relay business manager helped grow revenues by more than $160 million over two years. Paul holds a BS degree in systems engineering from Boston University and a master of engineering degree in electrical engineering from Cornell University.