By Arun Madan
STSM, Executive Architect Manager,
Associate Director Security & Enterprise Architecture,
Exhausted, I had just landed at the airport in Austin, TX, coming all the way from Delhi. It was Thanksgiving Day, and everybody was in a holiday mood. When I put my hand in my pocket to look for my iPhone, I got the shock of my life: I couldn't locate the phone! I kept wondering if I had left the phone in the airport washroom before we departed for Austin.
On the phone, I had stored all of my travel details: the rental car and the apartment I was going to stay at, as well as my to-do list, my contacts, my mail accounts, and my social media applications. However, I started to feel really sick when I realized that I had started to use the phone for business a few months earlier. What if all of that sensitive information fell into the wrong hands?
This time I was lucky, and I found my phone in one of my bags. However, the shock was serious enough for me to think about writing this blog post about safeguarding sensitive information on a mobile device, whether it is a phone or a tablet.
The device itself, if lost, can easily be replaced. The major risk is the unwanted and uncontrolled access to sensitive information, which may either be stored offline on the mobile device, or may be accessible by using that device. We have to safeguard this data at all times.
Today, most smartphone devices come pre-loaded with Internet or intranet access and have many user-friendly, cool features. You may not even have to download the easy-to-use applications that are ready to access and display information, or carry out transactions, at the touch of a finger. When you access multiple applications, such as social media, productivity apps, or email, you do not want to repeatedly provide your passwords.
Too often, productivity gains take priority over data protection. With the growing demand for mobile technology innovations to increase efficiency, improve agility, and realize cost savings, more and more executives think that sensitive enterprise data security is important.
Let’s consider how you can best protect access to sensitive data from and on your mobile device, while keeping the “cool features” required to increase the productivity of employees like you who employ mobile devices for business use.
There are ten important basic security controls that organizations need to consider and implement to protect themselves from unauthorized access to, and leakage of, sensitive enterprise data from their employees' mobile devices.
1. Device password lock
2. Device password policy
3. Anti-virus and anti-malware
4. Device data wipe, if lost or stolen
5. Device security policy compliance checks
6. Device software and application updates
7. Sensitive data encryption
8. Secure VPN access to corporate intranet
9. Secure, risk-based access to applications
10. Secure coding practices for applications
There are many additional questions that come to mind when I think more about the needs of a secure mobile organization. Some of these are:
Are these basic controls enough to secure a mobile enterprise?
What are the latest threats, vulnerabilities, and risks?
How can you secure a mobile enterprise in a proactive way?
How easy or difficult is it to implement and monitor security controls on a large number of mobile devices (a number that is increasing as more employees utilize both a mobile phone and a tablet for business and personal use)?
Is there a holistic solution to mobile enterprise security?
There are many more questions, and I would love to hear some from you. I’d also be interested in hearing about any creative mobile security solutions you’ve come up with.
While I was in Austin, I tried to address many of the questions above in an IBM Redguide on mobile security, which is available at the IBM Redbooks website.