Mobile devices…innocent until proven guilty?

How many of us have been on Facebook, and laughed when a friend’s child posts “Child is my favorite!” after their parent left the table with their phone unlocked?

And who has had a friend – or been the friend – who left their phone at the table? Don’t laugh – try being the one who did that WITH the security team. (Guilty…)

Amusing anecdotes? Absolutely. Now, let’s imagine that mobile device is unlocked when it’s left unattended, and contains your corporate data…now what?

That’s where MDM – mobile device management – comes into play. There are a few things to consider when you’re planning your deployment:

  • Who will have access to corporate information on the device?
  • Will you allow people to use personal devices – BYOD – or restrict this to corporate assets?
  • What will you allow, and what do you want to prevent, with device access? Email only? Other resources? Will you allow attachments to be downloaded and stored on the device?
  • How important are remote wipe capabilities – think of the worst case scenario with a disgruntled employee at all levels, with access to your data?
  • What about geolocation capability? Do you want the ability to block access from certain areas of the world – and how easy will it be to fix this when the VP is in Hong Kong, and you’ve blocked APNIC? Do you want to be able to pinpoint the device’s location if it has been lost or stolen?
  • What platforms will you support? Android, iOS, others? Yes, there are other platforms…
  • Consider whether it makes sense to only allow mobile devices to access corporate data via a VPN? Depending on the sensitivity of your data, this may make sense for your scenario.

The majority of MDM vendors will support some or all of the feature set that you desire. Once you’ve weighed out your desired list, and chosen your vendor, there are a number of other factors to look at when considering your actual deployment. A few things to consider:

  • Back to the basics. Passwords – require devices, whether corporate or BYOD, to have a password and to change that password regularly.
  • Encryption. Again, another basic – devices that carry your corporate data should be encrypted.
  • Jailbroken, rooted, and otherwise compromised phones should not be allowed to access corporate data.
  • Require virus/malware protection, particularly for Android devices. Free solutions from well regarded vendors exist, so this is not an onerous requirement for employees.
  • Have valid, documented procedures for geolocation features – whether blocking access or locating devices. Include removal as well as deployment in those procedures – when the VP is back, you will want to remove the access to Hong Kong. And when an employee leaves your company, so should your ability to track their BYOD device.
  • Another item to have documented is your remote wipe or content removal process when a user leaves the company – willingly or not – or when a device is lost or stolen.
  • Decide what you will and will not allow in terms of software on a corporate device. Will you allow users to install Waze? Their favorite game? Define that line in advance, rather than closing the loop later.
  • Regularly audit your configuration, the device compliance, and any exceptions that have been granted. Are there changes that need to be made in light of emerging threats? Are there exceptions that are no longer required?

And remember to take a real vacation occasionally, and put that mobile device down, folks. Those nice people? They’re your family, friends, or others in your life outside of work.

Questions, comments? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

This entry was posted in Awareness, General InfoSec, Mobile Application Security by Lisa Wallace. Bookmark the permalink.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing application assessments digital forensics threat intelligence incident response eDiscovery efforts She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.