Table 6-3 summarizes the encryption policy requirements for smartphone compliance.
Requiring VPN on the Device
Virtual private network (VPN) refers to the secure connectivity between a device and a VPN gateway or server installed within the corporate network. When a VPN tunnel is established between a device and the VPN gateway, all communication over that tunnel is encrypted. This encryption provides security for data being exchanged between the device and the corporate network.
Hackers can snoop on data that isn’t encrypted as it’s on its way to the device. For example, it’s possible for a hacker at a café to snoop on unencrypted data being received on another person’s smartphone. This is why you want end users to connect via VPN when they’re accessing corporate data in public places.
You may have used a VPN to connect to your corporate network from your PC at home. Similar technology is available for several smartphone devices. A VPN connection encrypts the data communication from and to the smartphone, so a hacker who intercepts the traffic cannot read the data being exchanged.
So, the most critical requirement of data encryption is to enforce VPN access as a compliance requirement. If you are an IT administrator, that means enforcing VPN for all smartphone users to connect to their work e-mail or other applications. Most VPN vendors like Cisco and Juniper have VPN solutions available for some or all smartphone types.
Enforcing VPN on smartphone devices requires you to have a VPN server or gateway installed in your network. The devices need to connect to the server when setting up the VPN tunnel.
Here are the VPN policies you may want to enforce on smartphones:
Allow users to check corporate e-mail, browse intranet pages, and/or use client-server applications.
Enforce strong authentication on the devices, including one or more of the following types:
• Username and password
• Certificate-based authentication
• One-time password (passwords expire after just a single use)
Manage a single set of policies to set consistent VPN policies for not just smartphones, but also Windows and Mac computers.
Certificate-based authentication and one-time password authentication require you to deploy certificates to smartphone devices as well as set up infrastructure to configure the one-time password server in-house. Be sure to look up the vendor documentation for deployment guides and instructions.
Finally, VPN — or, in general, secure connectivity from smartphones to the corporate network — may differ from corporate devices to personal devices. For example, BlackBerry devices maintain a secure connection to the BlackBerry Enterprise Server that is typically installed within a corporate network, which saves you from needing a VPN. For all other smartphone types, you’re better off requiring and enforcing a strong VPN policy.
Table 6-4 summarizes the VPN requirements for smartphones from a compliance perspective.
Protecting the Device from Viruses
Because we’re talking all about compliance in this chapter, take a look at the various aspects of smartphones that are vulnerable to hackers, and what you can do to protect the devices and data on them:
Malicious apps: Certain apps can steal information from the device and relay it back to a hacker’s server. Information that can be stolen includes the contacts, calendar, messages, and other content stored on the device. Several apps prompt users to allow them to access their GPS location, for example. Allowing GPS access to an app provides crucial information about where the device and its owner are at any point in time, putting data at risk because the device could be physically stolen. It’s critical to monitor the behavior of apps and weed out the ones that are malicious.
Spam: Mobile devices are susceptible to receiving spam in several forms, including text messages, instant messages, and e-mail, and via online games. These are all ways in which spammers target smartphone owners. The spam messages are typically solicitations for products or services, often fraudulent.
Worms, viruses, and Trojans: Just like on Windows PCs, software viruses can affect smartphones and replicate by sending copies of themselves to all contacts found in the address book. Devices can receive such files via SMS, MMS, e-mail, Bluetooth, or any of the plethora of communication methods available for smartphones.
From a compliance perspective, here’s a list of items that you should consider enforcing on smartphones in your corporate network:
Comprehensive antivirus protection, with automatically updated virus signatures to protect against Trojans, worms, and other threats
Antispam protection, with the ability to automatically delete spam
Antimalware protection, to detect malicious apps that suspiciously track user information via GPS
Firewall protection, to set traffic filters that control the traffic flowing into as well as out of the device
Not having such software is akin to letting your users connect to your corporate network from computers that have no security software (like antivirus or antispyware). You’d never let that happen, so why allow smartphones to be able to connect without similar protection?
As for personal versus corporate-assigned smartphones, you should enforce the virus protection on both types of devices, just like you would on both home computers and corporate laptops.
Applications like antivirus protection usually affect the battery life of a smartphone. Be sure to analyze the effects on battery life when you shop around for smartphone antivirus solutions.
Most antivirus software products work off virus signatures that are regularly updated by the vendor. Look for solutions where the virus signatures are automatically updated from the vendor to each smartphone. You can’t expect the smartphone user to manually update the virus signatures.
Table 6-5 summarizes the compliance policies to protect smartphones from viruses and other threats.
Protecting the Device from Loss and Theft
A critical policy for smartphone compliance is the ability to take actions when a smartphone used for corporate access is reported lost or stolen. Employees carry critical information on their smartphones, including personal and corporate e-mail, contacts of people at work, SMS messages, and so on. When an employee loses a smartphone, such information is at risk of being stolen. Therefore, it’s extremely important to take immediate action when a device is reported lost or stolen.
Here are the kinds of actions that you can take to mitigate the risks of the loss or theft of a smartphone:
Locate the device via the GPS location.
Remotely lock the device so that others can’t access data on it unless they know the password.
One way to mitigate the threat of somebody guessing the user’s passcode is to set a limit for the number of incorrect login attempts so that after maybe five or ten attempts, the device is automatically locked. Alternatively, you could temporarily suspend the user’s authentication until the user calls the help desk to unlock the account.
Remotely set off an alarm so that the theft of the device becomes obvious to others in its vicinity.
Remotely wipe the contents of the device so that no traces of personal or corporate data remain on it.
Remotely lock or wipe the device as soon as the SIM card on the device changes. (If the SIM card changes, it’s an indication that the thief is attempting to reuse the phone.)
Each of these actions mitigates the risks of losing sensitive data on lost or stolen smartphones. You should also evaluate whether you need these actions to be taken by you or the employees themselves.
If employees can take such actions themselves, they would need to log in to a web portal and authenticate with a username and password. Once authenticated, they could take any or all of the actions discussed here on their phone. This kind of model allows employees to take immediate action on their lost or stolen phones.
On the other hand, if you (corporate IT) choose to get involved, the employee would need to call the help desk to report a lost or stolen phone. The help desk would retrieve details of the phone from the phone number provided by the employee and then take any of the actions discussed here.
It’s important that such actions are taken as soon as possible after the device is reported missing. Delaying actions such as remote wipe or remote lock increases the risk of sensitive data getting stolen from the missing device.
The definition of remote wipe has subtle differences for different mobile platforms and vendors. For example, on some platforms, a remote wipe indicates that all user content is removed from the device, leaving it in what is called a “factory-default” configuration. Some vendors can wipe selective content from the device, removing enough data to prevent confidential data from getting into the wrong hands.
From a compliance perspective, this policy should be enforced as much on personal smartphones as on corporate-owned ones.
Table 6-6 summarizes the loss and theft compliance policies to be enforced on smartphones for corporate usage.
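The lock, locate, alarm, wipe, and SIM-change actions described in this section, written out as a small policy engine. This is an added example, not code from the book or from any device-management product; the event names, the `Device` fields, the five-attempt limit, and the `wipe_scope` setting are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILED_UNLOCKS = 5   # assumed limit; the text suggests five or ten attempts


@dataclass
class Device:
    device_id: str
    enrolled_sim: str               # SIM identifier recorded at enrolment
    wipe_scope: str = "factory"     # "factory" or "selective", per platform/vendor
    failed_unlocks: int = 0
    locked: bool = False
    wiped: bool = False
    actions: list = field(default_factory=list)   # audit trail, in order taken


def _act(dev, action):
    """Apply an action once; repeated triggers must not duplicate it."""
    if action in dev.actions:
        return
    if action == "lock":
        dev.locked = True
    elif action.startswith("wipe"):
        dev.wiped = True
    dev.actions.append(action)


def handle_event(dev, kind, value=None):
    """Map one device event to the loss/theft actions listed above."""
    if kind == "unlock_failed":
        dev.failed_unlocks += 1
        if dev.failed_unlocks >= MAX_FAILED_UNLOCKS:
            _act(dev, "lock")
    elif kind == "unlock_ok" and not dev.locked:
        dev.failed_unlocks = 0      # counter resets only on an unlocked device
    elif kind == "reported_lost":
        for action in ("lock", "locate", "alarm"):
            _act(dev, action)
    elif kind == "sim_changed" and value != dev.enrolled_sim:
        _act(dev, "lock")           # a foreign SIM suggests the phone is being reused
        _act(dev, "wipe_" + dev.wipe_scope)
    return dev.actions


# Constructed event stream for one hypothetical device.
SAMPLE_EVENTS = [("unlock_failed", None)] * 4 + [
    ("unlock_ok", None), ("reported_lost", None),
    ("sim_changed", "sim-B"), ("sim_changed", "sim-B"),
]


def replay(dev, events):
    """Feed events to the device in order and return it for inspection."""
    for kind, value in events:
        handle_event(dev, kind, value)
    return dev


if __name__ == "__main__":
    phone = Device("phone-01", enrolled_sim="sim-A", wipe_scope="selective")
    print(replay(phone, SAMPLE_EVENTS).actions)
```

The `actions` list doubles as the per-device record of actions taken, which is what a help desk or auditor would review after the device is reported missing.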
Managing Devices at Scale
In a small- to mid-sized company, as many as several hundred smartphones might connect to the corporate network every day. With larger companies, the number of smartphones in the corporate network can easily be in the thousands or tens of thousands. In such cases, it’s critical to manage the policies that are deployed on these devices for compliance purposes.
Here are some considerations for evaluating the compliance needs for the management of smartphones in a corporate environment:
Management at scale: Whatever management process or system you use must scale for thousands of devices. Remember to estimate for more than you need today because, as your organization grows, the number of smartphones in your network will grow just as fast, if not faster. The management system must be able to deploy all compliance policies to smartphones in a centralized manner. Seek a single solution, or a single vendor, to offer a centralized solution that can manage all types of mobile devices and smartphones from a single console.
Centralized inventory management: The centralized management console must be able to report an inventory of mobile devices managed within the corporate network. This capability should also include the ability to report the inventory by device type, vendor, and operating system. This allows you to pull up reports for your bosses to show the number and types of smartphones connecting to the corporate network. In a rapidly evolving smartphone market, it’s important to keep an eye on the trends of devices in your network.
Centralized logging and reporting management: The centralized management console must also be able to generate logs and reports of incidents, as well as compliance and policy violations in the network. For example, you must be able to run reports that show the number of virus infections that were immediately caught in the last 30 days, or the number of new devices that connected to the network in the last week or month. This must also provide details of actions taken on a particular smartphone.
Notifications: The centralized management console must provide real-time notifications to IT staff when a critical event happens. For example, virus infections must be reported via SMS, e-mail, IM, or other means to interested subscribers. Though the virus infections might be immediately caught and corrected by the software, it’s important to have the framework available to report such events in real time.
Configuration management: Another part of managing smartphones is the management of configurations and versions of each device. This may be optional to some companies, who state that only certain OS versions are supported within the network and that device owners are responsible for upgrading the device to a supported version.
Most of the functions we describe in this section are provided by the BlackBerry Enterprise Server for BlackBerry devices only. You essentially have to look for a single solution that does a similar set of functions for all the other devices out there, including those from Apple, Google, Samsung, Motorola, and others. You may be better off retaining the BlackBerry Enterprise Server to enforce compliance on BlackBerry devices and using a separate solution for all other device types.
Another aspect of managing configuration might be to push settings, policies, or applications as a configuration update to the devices. If your company has proprietary apps to install on your employees’ smartphones, you need a centralized configuration management system that can manage the deployment of policies and software to smartphones.
It’s important in this case, too, to ensure that the configuration management console is centralized in a single console for all device types. It’s ideal to have a single centralized console, or at least minimize the number of systems that can manage your smartphone diversity in the corporate environment.
Table 6-7 summarizes the smartphone management requirements for corporate compliance.
Backing Up the Contents of the Device
Regular backups of smartphone contents are just as important as backing up the contents of Windows or Mac computers. From the user’s perspective, regular backups are extremely useful when a device is lost or stolen because the user can easily restore his lost device’s contents to a new device. From a corporate perspective, regular backups serve as checkpoints that give insight into the data and contents of smartphones for potential forensic analysis.
Several smartphones available today have a large amount of storage space, often in tens of gigabytes. For example, 16GB and 32GB configurations are common for most smartphones. If it’s difficult to back up that volume of data for thousands of smartphones, it might be useful to back up only the critical data that resides on them.
From a compliance perspective, here are the types of data that should be backed up from smartphones:
Contacts
Calendar
Call log
SMS messages
Photos and files (if needed)
This particular policy may also differ for corporate-owned devices, in comparison to personal devices. For example, you may not want to enforce backups of personal files, including videos, pictures, and messages from personal smartphones. On the other hand, it may be acceptable to back up more data from corporate-owned devices. Depending on your organization’s particular tolerance for risk, you can choose to back up any or all of the data we just listed.
When you devise a smartphone backup policy, be sure to think through the following aspects as well:
Where is all that data stored? You can choose from several cloud-based solutions, which back up all the smartphone data to a central system in the vendor’s cloud. If this isn’t acceptable for your company either due to geographical or industry restrictions, insist on a solution that stores all the backed-up data on a server within your corporate network.
Who is authorized to see that data? A typical backup solution for smartphones must let device users invoke a backup operation manually whenever needed, or run backups at periodic intervals determined by the IT administrator. An IT administrator could schedule a backup every day or every week, or set any other schedule that seems reasonable.
Typically, the user can restore the contents to the device (or a replacement) manually without needing a third party (an IT administrator) to intervene. The user’s backups should be protected by a user-configured passphrase.
In addition, you may also want to give administrators access privileges to that backed-up data. In case users forget their passphrases, it should be possible to reset the passphrase, just like resetting Active Directory passwords.
Depending on where the user’s information is stored, it is important for the software vendor to assign permission to appropriate parties to see that sensitive information. For example, even the mobile device management vendor’s customer support group may not be granted access to the user’s photos, contacts, or SMS messages. It is important to check whether the vendor’s software can assign granular privileges to various groups of users to see sensitive information that belongs to mobile end users.
It’s important to identify the list of people who are authorized to access all the backed-up data stored either within your corporate network or in the cloud of your vendor’s network.
Are communications encrypted during backups and restorations? You should explore your vendor’s solution to check how the smartphone’s contents are backed up. The data must be encrypted back and forth from the device to the central backup server. If that communication isn’t encrypted, it’s possible for hackers to snoop in on that traffic and access the data being backed up (or restored).
Table 6-8 summarizes the backup compliance policies for smartphones.
Monitoring and Controlling Contents of the Device
Depending on your corporate policies regarding security and risks, you may be required to inspect and tightly control data and applications residing on corporate-owned devices. This includes Windows and Mac computers as well as smartphones and other mobile devices. For example, it’s fairly common in the government to have tight policies controlling what users can access from their computers and mobile devices.
Mobile Device Security For Dummies Page 16