The essentials of a smartphone, mobile security policy

Smartphones are often far too useful to be completely restricted from the enterprise. The risks from mobile devices, however, call for a number of important security features. Michael Cobb reviews how to lock down an organization's many smartphones.

Smartphones have quickly become yet another indispensable part of modern business. Features such as wireless email, Web browsing, personal information management and network access to corporate resources allow for quicker and better decision making and greater productivity.

However, according to a 2008 survey conducted by marketing research provider Decipher Inc., 70% of respondents said they accessed sensitive information on their smartphone device when away from the office, and therefore outside the confines of their organisation's secure environment.

This latest extension of the enterprise IT infrastructure has quickly turned from asset to risk. To make the most of the smartphone's undoubted benefits, it is important to address smartphone and mobile security, safeguarding the information stored on any mobile device, just as you would with a laptop.

The essentials of a smartphone, mobile security policy
This means your mobile security policy needs to mandate:



  • Device passwords with a minimum length, complexity and update frequency.
  • Data encryption, depending on its sensitivity or classification level.
  • Password-protected inactivity timeouts.
  • No access to read-only parameters.
  • Limited access to riskier features, such as Bluetooth and instant messaging.

I would also recommend only allowing voice calls on any device that is locked. And before allowing smartphones within the enterprise, ensure they can be wiped remotely if lost or stolen.

And if you're concerned about shoulder surfers figuring out access PINs by watching which keys are pressed, consider using an authentication technology like PINoptic, which offers a picture-based passcode claimed to be 37 times more secure than a four-digit PIN.

Although the actual number of software-based attacks on smartphones and PDAs is still low, the total is likely to change as the user base grows. Interestingly, the relatively few vulnerabilities discovered on smartphone operating systems have all been fixed very quickly. At the time of this writing, mobile OSes such as Symbian, iPhone, RIM's BlackBerry, Windows Mobile, Linux, Palm WebOS and Android have all been patched according to Secunia's vulnerability reports. (This may be due to the intense competition amongst vendors in the enterprise market where device security is a key issue.)

It's not just the smartphone OS that can be attacked, however. Running only IT-vetted applications is key to avoiding mobile malware. Security products aimed at the enterprise smartphone can therefore play a vital role in mobile security policy, letting organisations control custom and third-party applications installed on the device and the resources they are permitted to access.

For example, an application could be permitted to reach internal and/or external domains, or prohibited from using Bluetooth or GPS. Controls like these can dramatically reduce risk.

For organisations that need to control a variety of smartphones, there are now products that provide consolidated reporting across different mobile OSes on the status and the compliance posture of all monitored devices. GuardianEdge Technologies Inc.'s Smartphone Protection, for example, supports the Apple iPhone, Windows Mobile and Palm OS devices. It can prevent untrusted applications from being installed or used while allowing trusted applications to run and access encrypted data.

There are plenty of smartphone and mobile security products for large and small business smartphone users, such as the eWallet from Ilium Software Inc., Splash Data Inc.'s SplashID, mSafe from smartphone software developer MotionApps, Symantec Corp.'s Norton Smartphone Security and Mobile Anti-Virus from F-Secure Corp.

However, overloading devices with too many security tools can drain the batteries very quickly and strain CPU performance. It's important, therefore, to maintain some sense of balance between mobile security and usability –-- always consider how difficult it will be for users to follow your security procedures; otherwise they'll try to find ways to circumvent them.

One area that has been seen as frustrating and complex by users and administrators alike has been setting up a VPN connection on a smartphone. End-to-end encryption from the smartphone, over the transport medium, to corporate resources is essential to prevent over-the-air data leakage, and thankfully vendors are upgrading products to make the whole process far easier.

Network security company Astaro Corp. claims its users can now set up and use the iPhone's IPsec VPN capabilities with no technical knowledge, while SSL VPNs from SonicWALL Inc. offer clientless remote access for smartphones.

The Mobile VPN in Microsoft's System Center Mobile Device Manager also adds additional protection by authenticating both the device and user. If your mobile users, however, only need to access the odd application, such as Pocket Outlook and Microsoft Exchange, then you could look at encrypting the communication by sending POP and SMTP mail protocols over TLS without a full-blown VPN.

Depending on the nature of your mobile workers' voice calls, you may want to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, like Sectéra Edge, a combination phone-PDA. Such devices are certified to protect wireless voice communications classified "Top Secret," as well as restrict access to "Secret" email and websites. If this type of product is beyond your budget, Cellcrypt Mobile, from voice security provider Cellcrypt Ltd., offers end-to-end real-time encryption for BlackBerry smartphones without the need for specialised equipment. It operates on all major wireless networks, including 2G, 3G and Wi-Fi.

The key to a strong smartphone and mobile security policy is to make sure that any sensitive data that is accessed is protected in all forms. There are many places where it might be intercepted, so you need to have them all covered.

If data is encrypted on your database server, does it remain encrypted when it is transmitted to a smartphone, either through synchronisation, email or a Web app? If the user makes a call to discuss the data, does the conversation need to be encrypted? Can you execute a remote wipe if the device and its data are lost or stolen?

Smartphones are here to stay, so you have to commit to endpoint data protection. The mobile devices may be small, but they're still Internet-connected computers, so don't let them become a double-edged sword.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Read more on Network security management