Best practices for enterprise mobile device security

Enterprises increasingly rely on smartphones to improve employee productivity. Unfortunately, a lack of essential security controls and mobile device management introduces substantial security risks for smartphone users. In addition, many enterprises do not provide adequate governance for issues such as device ownership and data leakage. This article provides best practices for developing and enforcing an enterprise mobile device and smartphone security policy.

Smartphones open enterprises to security threats
Smartphones represent a potentially enormous security risk to the enterprise. A growing number of employees use personally owned smartphones to access enterprise applications. Unfortunately, many of these devices were designed for consumers rather than for enterprise management, so information technology (IT) teams often refuse to support employee-owned devices. That refusal encourages users to bypass IT and manage their devices through external consumer services such as MobileMe, beyond IT's visibility and control. Larger device storage capacity and faster cellular speeds also make it easier to store sensitive information on smartphones and other mobile devices, increasing the risk of data leakage.

Recommendations for enterprise mobile device and smartphone security

Enterprises should establish a mobile device security policy to reduce threats without overly restricting usability. We recommend that enterprises consider the following mobile device management policies.

  • Define use-case requirements
    Identify groups of mobile users with different mobile information needs (e.g., field engineers and sales personnel). Define the use-case requirements for each group of users (e.g., field engineers need access to technical specifications, and sales personnel need access to customer relationship management software).
  • Create an enforceable mobile device security policy
    For each use case, define mobile device management policies that address issues such as ownership, personal/professional usage and security. Note that policies may differ (e.g., more/less restrictive) for each of the use cases.
  • Adhere to security best practices
    Adhere to security best practices such as those listed below.
    • Enforce strong passwords for mobile device access and network access. Automatically lock the device after a predetermined number of incorrect password attempts (typically five or more); for use cases that handle sensitive data, consider also wiping the device once a higher threshold of failed attempts is reached.
    • Perform a remote wipe (i.e., reset the device to factory defaults) when a mobile device is lost, stolen, sold or sent to a third party for repair. A remote wipe only takes effect once the device can reach the management server, so it complements, rather than replaces, local storage encryption.
    • Perform a periodic audit of security configuration and policy adherence to ensure that device settings have not been accidentally or deliberately modified (for example, a password lockout disabled or a management profile removed).
    • Encrypt local storage, including internal memory and removable media (e.g., Secure Digital cards), which can otherwise be read simply by moving the card to another device.
    • Enforce the use of virtual private network (VPN) connections between the mobile device and enterprise servers.
    • Enforce the same wireless security policies for smartphones as for laptops. Refer to the article Best practices for securing your wireless LAN for additional information.
    • Perform regular backup and recovery of confidential data stored on mobile devices.
    • Perform centralized configuration and software upgrades "over the air" rather than relying on the user to connect the device to a laptop/PC for local synchronization.
  • Adhere to vendor best practices
    Review and follow vendor-provided best practices. For example, see the Microsoft Security Guide or the BlackBerry Enterprise Solution Security Technical Overview.
  • Remove residual application data
    Ensure that mobile applications remove all enterprise information from the device when they close or are uninstalled. Residual information left behind by an application (for example, in caches or temporary files) can present a security risk.
  • Evaluate third-party products
    An increasing number of third-party products from companies such as Trust Digital and Good Technology can help an enterprise manage its mobile devices. Evaluate how they can help simplify security provisioning in enterprises that must support smartphones from a variety of vendors.
  • Perform user education
    Implement a continuous program of employee education that teaches employees about mobile device threats and enterprise mobile device management and security policies.
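The periodic audit recommended above can be automated against an inventory exported from a device management tool. The following is an added example, not code from the article or from any vendor product: it encodes one policy per use case (the text notes that policies may differ between use cases) and reports every device whose settings have drifted from its policy. The use-case names, thresholds, field names and the device records are all constructed assumptions for illustration; a real export would need to be mapped onto these fields.

```python
"""Audit a (constructed) mobile device inventory against per-use-case policies."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePolicy:
    """Settings a use case must satisfy. Thresholds here are illustrative."""
    min_passcode_length: int
    max_failed_attempts: int          # lock the device after this many wrong passcodes
    require_storage_encryption: bool
    require_external_media_encryption: bool
    require_vpn: bool
    max_days_since_backup: int


# One policy per use case; names and values are assumptions for this example.
POLICIES = {
    "field_engineer": DevicePolicy(8, 5, True, True, True, 7),
    "sales": DevicePolicy(6, 10, True, False, True, 14),
}


def audit_device(device, policies=POLICIES):
    """Return the list of policy findings for one device record (empty == compliant).

    A setting the agent could not read (None) is reported as a finding rather
    than ignored: on a managed device that usually means the profile was removed
    or the device was reset, which is exactly what the periodic audit should catch.
    """
    findings = []
    policy = policies.get(device.get("role"))
    if policy is None:
        return [f"no policy defined for role {device.get('role')!r}"]

    if not device.get("mdm_agent_present"):
        findings.append("management agent missing: remote wipe and OTA updates unavailable")

    length = device.get("passcode_length")
    if length is None or length < policy.min_passcode_length:
        findings.append(f"passcode length {length} below minimum {policy.min_passcode_length}")

    lockout = device.get("failed_attempt_lockout")
    # 0 is the usual encoding for "never lock", so it is a violation as well.
    if not lockout or lockout > policy.max_failed_attempts:
        findings.append(f"failed-attempt lockout {lockout} not within 1..{policy.max_failed_attempts}")

    if policy.require_storage_encryption and device.get("storage_encrypted") is not True:
        findings.append("internal storage not encrypted")

    if (policy.require_external_media_encryption
            and device.get("external_media_present")
            and device.get("external_media_encrypted") is not True):
        findings.append("external media (e.g. SD card) present but not encrypted")

    if policy.require_vpn and device.get("vpn_enforced") is not True:
        findings.append("VPN not enforced for enterprise traffic")

    age = device.get("days_since_backup")
    if age is None or age > policy.max_days_since_backup:
        findings.append(f"last backup {age} days ago exceeds {policy.max_days_since_backup}")

    return findings


def audit_fleet(devices, policies=POLICIES):
    """Map device id -> findings, listing only non-compliant devices."""
    report = {}
    for device in devices:
        findings = audit_device(device, policies)
        if findings:
            report[device["id"]] = findings
    return report


# Constructed sample inventory (not real data): one compliant device, one with
# drifted settings, one whose agent was removed, and one with no policy at all.
DEVICES = [
    {"id": "dev-001", "role": "field_engineer", "passcode_length": 8,
     "failed_attempt_lockout": 5, "storage_encrypted": True,
     "external_media_present": True, "external_media_encrypted": True,
     "vpn_enforced": True, "days_since_backup": 2, "mdm_agent_present": True},
    {"id": "dev-002", "role": "field_engineer", "passcode_length": 4,
     "failed_attempt_lockout": 0, "storage_encrypted": True,
     "external_media_present": True, "external_media_encrypted": False,
     "vpn_enforced": True, "days_since_backup": 30, "mdm_agent_present": True},
    {"id": "dev-003", "role": "sales", "passcode_length": 6,
     "failed_attempt_lockout": 10, "storage_encrypted": None,
     "external_media_present": False, "external_media_encrypted": None,
     "vpn_enforced": False, "days_since_backup": 3, "mdm_agent_present": False},
    {"id": "dev-004", "role": "contractor", "passcode_length": 6,
     "failed_attempt_lockout": 5, "storage_encrypted": True,
     "external_media_present": False, "external_media_encrypted": None,
     "vpn_enforced": True, "days_since_backup": 1, "mdm_agent_present": True},
]


if __name__ == "__main__":
    for device_id, findings in audit_fleet(DEVICES).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Running the module prints findings for dev-002, dev-003 and dev-004 and nothing for dev-001. Two design points matter in practice: an unreadable setting counts as a violation, because a silently missing profile is the failure mode the audit exists to detect, and a device whose role has no policy is itself a finding, so new user groups cannot slip through unmanaged.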


A growing number of employees expect to connect personal devices to enterprise networks in order to retrieve email, synchronize calendars and access enterprise applications. Although the enterprise may not own the device, it does own the information assets stored on it.

Enterprises should consider the recommendations described in this article in order to minimize smartphone security risks.


About the author:

Paul DeBeasi, formerly a senior analyst with Burton Group, is now the research director for Gartner's Network and Telecom Strategies (NTS) research team. DeBeasi is a well-respected industry leader with more than 25 years of experience in the communication and wireless industries.

Prior to working with Burton Group, Paul founded ClearChoice Advisors, a wireless advisory firm, and was the vice president of Product Marketing at Legra Systems, a wireless-switch innovator.

His career began in engineering, where his work helped Bell Laboratories, Prime Computer and Chipcom develop profitable communication products in the 1980s and early 1990s. At Cascade Communications, his work as the frame relay business manager helped grow revenues by more than $160 million over two years. Paul holds a BS degree in systems engineering from Boston University and a master of engineering degree in electrical engineering from Cornell University.

This was first published in February 2011
