While mobility is a competitive advantage, it means your data can travel beyond your secure LAN firewall and over public networks. Your security strategy needs to address the managing and securing of pervasive mobile data from end to end: whether it's stored on a mobile device, traveling over a wired or wireless network, or being sent back to the enterprise.
Organizations need to carefully consider mobile data security as a part of their mobile application development plans and work carefully with technology vendors that offer a complete security infrastructure for protecting mobile data, wherever that data may be. You should consider these five mobile security issues when developing and implementing mobile business solutions:
1. Protect against unauthorized users
The cornerstone of any security strategy, mobile or not, is user authentication. Any device attempting to exchange information with your corporate systems needs to have its identity verified. Each time the user goes deeper into a new area of sensitivity or functionality, your application and middleware infrastructure should know who they are, and whether they should be there.
- Only the chosen may enter: A password should be required before a mobile user can synchronize with a back-end database or browse information stored on a company server--no exceptions. Use mobile device management software to ensure that users have not circumvented security measures or stored their password in a file on their device.
- Rights and privileges: Define what clients can and cannot do. Depending on the application, specific rights and permissions are configured on a per-user basis. For example, a sales force automation application might allow a sales representative to submit orders, but not approve them. A sales manager's password would carry with it the authorization to view orders and approve or deny them.
2. Protect data transmissions
You might not be paranoid, but they are out to get you. Mobile applications require an exchange of information across a public network that is full of potential predators. When transmitting data, you need to ensure that it is secure from end-to-end. Any mobile middleware solution should operate on a secure connection for both data synchronization and client/server communications. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols allow a client application to verify the identity of a server, and ensure that they communicate only with servers they trust.
- Tales from the encrypt: One of the simplest ways for someone to gain access to your data is to simply read the data stream between the mobile device and your server. Leverage strong 128-bit communications encryption to protect the confidentiality, integrity, and authentication of data packets as they pass between the client device and the server. This way, an identity thief who is reading a mobile banking customer's communications will hear only noise, not her bank balance, address, and PIN.
- Know who you're talking to: How do you know that it's your bank on the other end, and not a server set up by a 16 year-old? Be certain that only authorized clients can connect to your server and that clients are connected to the correct server. During synchronization, or client/server connection through a browser, a password entered by the user indicates to the back-end system that they are an authorized user. A certificate on the internal database server tells the user's device that it is connected to the correct bank or hospital system. If your middleware doesn't provide this sort of functionality, it's like broadcasting your credit card information over the radio.
Mobile devices are small and expensive, so they are easily lost or left in taxis, and are a favorite target for thieves. If you don't want the new owner to have access to your corporate systems or view sensitive data, precautions must be taken.
- Persistent data needs persistent protection: There are two precautions that you can take to prevent disclosure of the data stored on a mobile device: encrypting sensitive data, and encrypting the entire file system (this may be useful when using data outside of a database, such as in a spreadsheet). Protect data that is stored on hard disks, in persistent memory, or on removable flash cards (whether they are in or out of the device).
- Always on duty: Even if the data store is protected, you risk exposing the information to unauthorized users if the application has cached data. Data that is stored in an application's memory is more difficult to access, but may also be exposed. Further, if your application sends updates that appear on-screen, the data contained in them may be available to anyone who turns on the device. Include a password-protected timeout in your applications but do not store it on the device; otherwise, anyone who has access to the device may be able to access your data.
4. Protect mobile assets
Safeguard your mobile assets such as your machines, devices, and data through centralized management. From a central location, you can simplify the enforcement of your security policy on devices that are beyond the reach of traditional wired LAN management techniques.
- The enemy within: Often the biggest threat to the security of your corporate systems and data are your own users, who disable security mechanisms and configurations in order to save a few seconds when logging in or synchronizing data. Protect and enforce system configurations by automatically identifying and correcting devices where users have defeated password protection by storing the password on the device, or changing security configuration options.
- Stay up-to-date: Mobile devices that send and receive data such as e-mail are just as susceptible to destructive viruses as desktop machines. However, it's difficult to get busy mobile workers to stop working long enough to download virus updates and security patches, especially on a slow connection. You require a management tool that will push out virus updates and security upgrades, and automate their installation without the need for user intervention.
- Gone, but not forgotten: Data encryption is not the only safeguard against unauthorized data access on lost devices. Fight back with your centralized management software by enabling a self-destruct policy that destroys confidential data on a lost device.
5. Protect your existing security investment
Whether you are creating new mobile applications or extending the reach of existing systems, your mobile deployment should be as secure as applications running on your corporate LAN. Integrate your mobile applications with existing security infrastructures through open standards and flexible architecture.
- Another brick in the firewall: Any mobile application should work with your current firewall, virtual private network (VPN), and PKI technology to integrate user authentication and permission functions with your existing systems. Browser-based communications between handheld devices and corporate systems should be encrypted using wireless transport layer security.
- Regardless of protocol: Your wireless application server technology should enable secure synchronization, encryption, and server-side authentication over whichever wireless protocol you choose.
- The e-mail of the species: E-mail is one of the most frequent points of entry for potential security threats, whether inside or outside the office. As you do with desktop e-mail systems, encrypt all incoming and outgoing messages between your corporate e-mail server and mobile devices that are outside your company's firewall. Your mobile mail application should also enforce password entry, and harmonize security configurations with LAN e-mail systems.
The bottom line
Security is about minimizing risk. This means identifying the weakest links in your system and then designing an appropriate solution that takes into account the associated risks and costs to protect your mobile data.
Has your company adequately secured employees' mobile devices? TalkBack below or e-mail us with your thoughts.
