How to develop security policies for mobile devices

Mobility is empowering, but also creates new security risks. Here's how to develop policies that let you reap the benefits of mobility, without the worries.

As enterprise mobile connectivity becomes increasingly pervasive, IT organizations face the challenge of creating mobile policies that allow users to be productive, while at the same time protecting corporate assets. This series is aimed at helping enterprises develop and institute a mobile policy.

In this series:

Mobility policies: Security
Mobility policies: Responsibility and education
Mobility policies: Enforcement

Mobility policies: Security
by Mark Tauschek

In this section, we discuss the security component of an enterprise mobility policy. Given the recent epidemic of high-profile security incidents that were a direct result of a mobile device or network being compromised, it is essential for organizations to understand the importance of mobile security. The main security concern is not for the physical devices themselves but for the data that resides on them and travels over the networks they use. Think of mobile security from a data perspective, and include policy elements that aim to protect data at rest and data in flight.

Protecting data at rest

One of the components of any good mobility policy is how it addresses the protection of "data at rest." This includes all data that is stored on mobile devices. The key here is to encrypt all data stored on any mobile device, whether it be a notebook computer, a PDA, a mobile phone, or a mobile storage device (for example, a USB drive or SD storage card). There is often a perception that this is unenforceable, particularly with employee-owned devices. This is a fallacy, however, and enterprises must incorporate policies to address any circumstance where corporate data is stored on a mobile device.

A mobile policy should include a statement that mandates the use of strong -- i.e., 128-bit Advanced Encryption Standard (AES) -- encryption on all mobile devices that have the capacity to store data. While some companies may have the ability to enforce this mandate using centrally managed encryption solutions, some may have to rely on users to ensure that data is encrypted. There will be more on policy enforcement in the third tip in this series.

Ideally, the protection of corporate data residing on mobile devices will be enforceable using technology that forces data encryption on all devices that do or could contain corporate data. Whether this is possible or not, a mobile policy clause addressing the securing of data and the responsibility of the user must be included. Below is an example of a mobile data security clause placing the responsibility for data security on the user:

"Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information belonging to or maintained by and they must annually complete the 350. Before connecting a mobile computing or storage device to the network at , users must ensure it is on the list of approved devices issued by the ISD."

Source: SANS Institute Mobile Computing and Storage Device Policy Template

In addition to the policy clauses that address the encryption of data at rest, organizations should have technology to remotely wipe the contents of a device in the event that it is lost or stolen. For this reason, include a policy clause that makes it clear that any lost or stolen devices should be reported to IT immediately.

Protecting data in flight

Mobile devices may connect to several networks that are out of the control of the enterprise IT department. For this reason, it is important to define enforceable policies that dictate proper mobile device connectivity practices. In many cases, technology can force compliance with the mobile policy, but if the infrastructure is not in place to force compliance, enterprises must rely on users to understand and adhere to policy. A sample clause might be:

"It is the responsibility of employees, contractors, vendors and agents with remote access privileges to 's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to ."

Source: SANS Institute Remote Access Policy Template

The policy should dictate that any mobile device used for business purposes must use an encrypted network connection at all times. This can take the form of an IPSec or SSL VPN connection, or a WPA2-secured WLAN connection.

Bottom line

The sections that follow will address mobile user responsibility and education, and mobile policy enforcement. Keep in mind that the security component of the mobile policy must take into account data at rest on mobile devices and data in flight over the networks to which mobile devices connect.

Mobility policies: Responsibility and education
by Mark Tauschek and Jayanth Angl

Security is a critical component of any enterprise mobile policy, as outlined in the first section in this series. Equally important is defining the responsibilities of the enterprise and the users, and ensuring that users are educated on, and fully understand, the corporate mobility policy. Assign responsibilities thoughtfully, and take the time to educate users on the corporate mobility policy.

In this section, we discuss assigning responsibility and educating corporate users on the enterprise mobility policy. Leave nothing to chance -- clearly delineate what the enterprise is responsible for and what the user is responsible for. When the policy is finalized, it is not adequate to simply place a copy of the policy in front of users and ask them to read it and sign it. All mobile users must receive policy training that details their role and responsibilities, rights and obligations, and the repercussions of violating the policy. Only after the training should users be asked to sign off on the policy.

Assigning responsibility

There are many questions to ask when developing a corporate mobility policy, and most of them concern who is responsible for what. For example, policy creators might ask:

  • Which mobile devices does the IT department support?
  • Can employee-owned devices be used for work, or will all mobile devices be assigned by the company?
  • Is the company billed directly by service providers for wireless services, or do employees expense their costs?
  • Does the company pay for all mobile usage, or is there a monthly spending limit?
  • If there is a spending limit, how does the user reimburse the company if the limit is exceeded?
  • If a mobile device is lost, stolen or broken, is it the responsibility of the company or the employee to replace it?
  • If a mobile device is lost, stolen or broken, what is the process to ensure that the data on the device is/was secure, and at that point, is responsibility handed from the user to the company?
  • Does the company have the means and infrastructure to ensure that data at rest and data in flight are encrypted and secure, or is the onus on the employee?

All of these questions will no doubt raise secondary questions. The key is to ask the right questions, because the answers will vary dramatically from company to company. Whatever the questions and answers are, make sure it's clear that this is not the "Wild West" and there is a well-defined policy that must be followed.

Educate users

Protecting valuable information assets against mobile security threats requires a firm commitment to training all users of mobile technology. The reality is that the consequences of device theft or misuse are too great, potentially including a breach of the corporate network, the loss or corruption of critical data, and the violation of applicable industry compliance regulations. Because a single security breach could very well exceed the cost of staff training -- as seen with greater regularity in recent news coverage -- educating users on mobile security best practices should be viewed as an effective preventive measure and a prudent investment for the organization.

Attaching great emphasis to the consequences of mobile device misuse, loss or theft will give employees a greater incentive to follow corporate policy, but training these users on the specifics of the policy is also required. Among other things, an enterprise mobile training plan should address the following key topics:

  1. Protecting devices. Users should be instructed to follow proper procedures for storing and transporting devices, and they should specifically be instructed not to leave devices unattended in vulnerable locations such as offices, airports and hotels.
  2. Data encryption. A high-level overview of the data-safeguarding and remote-management technologies currently employed by the enterprise will drive more responsible usage. Users should be made aware that breaking enterprise policy by copying sensitive server-hosted data -- including confidential member information and company IP -- to unencrypted local device storage can have serious repercussions for the individual.
  3. Password management. Users should be educated on the help desk procedures to follow or alternative requirements for changing or setting passwords for mobile devices, in accordance with an existing enterprise password policy.

Ensuring that users have received proper instruction on the mobility policy will go a long way toward reducing the frequency and severity of security breaches.

Bottom line

The section that follows will address mobile policy enforcement. The takeaway from this tip is that responsibility must be assigned appropriately, and users must understand their responsibilities. Mobile policy training is critical and must not be overlooked.

Mobility policies: Enforcement
by Mark Tauschek

The previous two mobile policy sections focused on security, responsibility and user training, which are all important, but without enforcement, a mobile policy is a toothless tiger. When crafting a mobile policy, it is important to consider how the policy elements will be enforced. Ideally, all components of the policy will be enforceable. While that isn't always practical, enforcement should be top of mind when developing a mobile policy.

In this section, we discuss mobile policy enforcement. An unenforceable mobile policy is worth about as much as the paper it is printed on, so the enterprise must carefully consider what can and cannot be enforced when crafting a mobile policy. Part of enforcement comes in the form of using technology to force proactive compliance, and the other part is defining reactive repercussions of noncompliance. Understand where technology is suitable and where it is necessary to identify repercussions for violators.

Technical controls

Technology can help ensure mobile policy compliance in four key ways:

  • Forcing encryption of data at rest on mobile devices.
  • Forcing secure connectivity on unsecured public networks.
  • Ensuring that unauthorized mobile devices do not have access to the corporate network or company data.
  • Ensuring that mobile user spending is in line with the mobile policy and that additional costs can be recovered.

Forcing data encryption

Several centrally managed storage encryption products are available that can force encryption on all data stored on the mobile device. While almost all mobile devices have an option to password-protect and encrypt data on the device, this option typically requires the user to turn on encryption and manage password access. Ideally, IT should centrally manage data encryption and take the responsibility out of the hands of users. Centrally managed solutions are available from Check Point (acquired Pointsec), GuardianEdge (also OEMed by Symantec), McAfee (acquired SafeBoot), and Utimaco. Utilize a centrally managed mobile data encryption solution to ensure that data at rest on mobile devices is safe and secure.

Forcing secure connectivity

When mobile users connect to unsecured networks that are beyond IT's control, it is important to ensure that the network connections are secured. There are several ways to ensure that data in flight is encrypted, including IPSec VPN tunnels, SSL VPN portals, and mobile VPN connectivity. The trick is forcing encrypted connections, particularly when a mobile network is used to conduct business. Products from AirDefense and Airtight Networks can enforce secure connectivity on corporate notebooks, while mobile VPN products from Birdstep Technology, Bluefire Security, and NetMotion Wireless can help ensure secure connectivity on mobile devices such as PDAs and smartphones.

Restricting access

It is important to ensure that the users and devices that connect to the corporate network via mobile networks do not pose a threat. Implementing network access control (NAC) for mobile devices should be a part of any corporate mobile policy. Fortunately, most SSL and mobile VPN solutions include some form of NAC. At the very least, inspect endpoints to ensure that their OS security patches are up to date, anti-malware definitions are up to date, and devices connecting to the corporate network are malware-free. Devices that do not comply with policy can be forced to remediate and become compliant prior to gaining network access.
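The endpoint checks described above (approved device, encrypted storage, current patches and anti-malware definitions, no malware present) expressed as a posture evaluation, as an added example that is not part of the article or of any vendor's NAC product; the posture fields, the age thresholds and the approved-device list are constructed assumptions for the demonstration:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy parameters for the demonstration (not from the article).
MAX_PATCH_AGE = timedelta(days=30)     # OS security patches must be this recent
MAX_AV_DEF_AGE = timedelta(days=7)     # anti-malware definitions must be this recent
MIN_AES_KEY_BITS = 128                 # "strong" encryption per the policy text
APPROVED_MODELS = {"corp-notebook-x1", "corp-phone-m2"}   # constructed approved list

@dataclass
class Posture:
    """Endpoint posture as reported by a VPN/NAC agent (constructed fields)."""
    device_id: str
    model: str
    storage_encrypted: bool
    aes_key_bits: int
    last_os_patch: date
    av_definitions_date: date
    malware_detected: bool

def evaluate_posture(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return ("allow" | "remediate" | "deny", reasons).
    Unapproved hardware is denied outright, since the policy requires a device
    to be on the approved list before it connects; an approved device that
    fails any check is sent to remediation instead of being granted access."""
    if p.model not in APPROVED_MODELS:
        return "deny", [f"{p.model} is not an approved device"]
    reasons = []
    if not p.storage_encrypted or p.aes_key_bits < MIN_AES_KEY_BITS:
        reasons.append("storage not encrypted with AES-128 or stronger")
    if today - p.last_os_patch > MAX_PATCH_AGE:
        reasons.append("OS security patches out of date")
    if today - p.av_definitions_date > MAX_AV_DEF_AGE:
        reasons.append("anti-malware definitions out of date")
    if p.malware_detected:
        reasons.append("malware detected on device")
    return ("remediate" if reasons else "allow"), reasons

# Constructed sample postures for a connection attempt on 2024-03-15.
TODAY = date(2024, 3, 15)
SAMPLE = [
    Posture("nb-001", "corp-notebook-x1", True, 256, date(2024, 3, 1), date(2024, 3, 14), False),
    Posture("ph-007", "corp-phone-m2", False, 0, date(2024, 1, 2), date(2024, 3, 14), False),
    Posture("byod-3", "unknown-tablet", True, 128, date(2024, 3, 10), date(2024, 3, 14), False),
]

if __name__ == "__main__":
    for p in SAMPLE:
        action, reasons = evaluate_posture(p, TODAY)
        print(p.device_id, action, "; ".join(reasons))
```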

Enforcing usage limitations

Many enterprises will want to restrict device usage and cap spending. In order to do this effectively for more than a few mobile users, it may be necessary to implement a Telecom Expense Management (TEM) solution. This software makes it easier to analyze mobile usage by looking at mobile invoices for anomalies and over-usage. TEM solutions for mobile billing are available from a number of vendors, including AnchorPoint, Rivermine and Tangoe.

Repercussions of noncompliance

Some elements of the mobile policy may not be enforceable using technical controls. For these situations, it is important to ensure that mobile users understand the repercussions of violating the policy. The actions taken by the organization will vary depending on the mobile policy itself and the severity of the violation. For instance, an unintentional violation that does not result in a security breach may bring a written warning, whereas a deliberate contravention of the policy that results in compromised corporate data may result in immediate termination. Craft the policy based on the needs of the business, and be very clear about how the policy will be enforced.

Bottom line

Enforcement is a critical component of a mobile policy. An unenforceable policy is essentially worthless, so as you craft your mobile policy, be sure to consider whether it can easily be enforced.