Information security – best practices for portable devices

19 January 2012
Dan Vultur

Security challenges and solutions in respect of mobility

Today, mobility is the new desktop: more and more companies offer their employees several options to work outside their regular offices, namely on portable devices such as laptops, smartphones and tablets. This is true not only for big companies but also for mid-size and smaller ones. In Germany, every fifth company makes extensive use of mobility, and 50% of their staff spend at least one day a week away from their PC, i.e. on the road. In fact, mobility is the fastest-growing industry in the history of IT. With the help of mobility solutions, executives, for example, have reports at their fingertips, so that the constant nagging of middle management becomes almost superfluous.

It is common practice to synchronize the Outlook calendar, e-mails and contacts with company-provided smartphones, even though in the process confidential or sensitive information ends up on the portable device. Every company should therefore consider the resulting information security risks and deploy countermeasures to mitigate them.

What are the information security risks?

Data leakage and hacking

There are many information security risks to consider when corporate data resides on portable devices. One of the most common issues is that, because of their size and underestimated value, portable devices are rather prone to being lost or stolen. This is quite likely for employees who travel a lot on business or who commute to work every day. Another common and very important issue is data leakage: besides synchronizing their e-mails and contacts, employees usually copy company data onto the portable devices, which takes the data outside the organization's boundaries. Furthermore, they copy this data to their personal computers and storage devices, from where it can be accessed by family members, friends or any other unauthorized party if that personal computer or storage device is compromised.

The next issue is not yet so common, but the trend indicates a sharp increase on this vector in the coming years: malware infection and hacking. As smartphones become more and more powerful, offer richer functionality and connect to the internet very easily, the chance of a malware infection has increased significantly. Beyond that, the devices can be hacked and used as hacking tools just like a normal workstation or server, because they run an operating system and tons of applications that remain unpatched; this gives unauthorized parties ample opportunity to reach corporate data through these compromised devices once they are connected to the company's network. Moreover, penetration testing frameworks such as "Metasploit" can be run from portable devices (e.g. iOS- or Android-based devices), turning them into hacking tools in the hands of the wrong people.

How do we mitigate these risks?

Security policies, encryption, remote control, and awareness

One of the most effective general countermeasures, though one that is usually overlooked, is to have proper information security policies in place together with dedicated training for the personnel concerned. This is crucial: if employees do not know that the policy exists, what it contains, or what they are and are not allowed to do with portable devices, then security breaches are likely to happen. As employees become better educated on this topic, the likelihood of security incidents involving portable devices decreases significantly.

Another mitigation technique is to always use encryption, both for data in transit and for data at rest. Bottom line: whenever portable devices, notebooks in particular, connect to the corporate network over the internet, a secure connection using encryption mechanisms should be used. This prevents unauthorized access while data is transmitted between the portable devices and the company servers. In addition, encryption solutions should be used for the data stored on the portable devices (e.g. hard disks, memory cards, USB sticks), as this makes the data unreadable if the device gets lost or stolen.

Since security remains elusive, strong authentication is mandatory when connecting to the corporate network from outside the company over the internet. Preferably, two-factor authentication should be used, meaning that for a successful authentication a user must provide two of the following three elements:

  • Something only the user knows; e.g. a password, an answer to a specific question…
  • Something the user has; e.g. smart card, special device…
  • Something the user is; e.g. retina scan, fingerprints, voice recognition…
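As an added example that is not part of the original post, the following Python code combines the first two factors from the list above: a password ("something the user knows", stored only as a salted PBKDF2 hash) and a time-based one-time code from a token or authenticator app ("something the user has", RFC 6238 TOTP on top of RFC 4226 HOTP). The sample user record and its password are constructed; the shared TOTP secret is the published RFC 6238 test secret, so the codes can be checked against the RFC's test vectors. Everything uses the Python standard library.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# ---- Factor 1: something the user knows -------------------------------------
# The password is never stored in clear: keep a random salt and a PBKDF2 hash.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, derived_key) to store in the user database."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    # constant-time compare: do not leak how many leading bytes matched
    return hmac.compare_digest(key, stored_key)


# ---- Factor 2: something the user has ---------------------------------------
# A TOTP token (RFC 6238) built on HOTP (RFC 4226): the device and the server
# share a secret and derive a short code from the current 30-second time step.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # evaluate every candidate step (no early return) so the response time
        # does not reveal which step matched
        if hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode()):
            ok = True
    return ok


# ---- Both factors together --------------------------------------------------
def two_factor_login(user: dict, password: str, code: str,
                     unix_time: Optional[int] = None) -> bool:
    """Both factors are always evaluated; a failure does not say which one failed."""
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


# Constructed sample user; the TOTP secret is the RFC 6238 SHA-1 test secret.
def make_sample_user() -> dict:
    salt, pw_hash = hash_password("correct horse battery staple")
    return {"salt": salt, "pw_hash": pw_hash,
            "totp_secret": b"12345678901234567890"}


if __name__ == "__main__":
    user = make_sample_user()
    now = int(time.time())
    code = totp(user["totp_secret"], now)
    print("code for this step:", code)
    print("login:", two_factor_login(user, "correct horse battery staple", code, now))
```

The `window` parameter is the usual trade-off between tolerating clock drift on the token and widening the set of codes an attacker could guess; one step either side is common. The TOTP secret should be generated with `os.urandom` per user and stored as carefully as a password hash, since anyone holding it can produce valid codes.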

Another countermeasure that needs to be in place is a solution providing remote control over devices in case they are lost or stolen. This applies especially to mobile devices such as smartphones and tablets. If a device gets lost or stolen, such a solution lets the company wipe the data or render it unreadable in a very effective and efficient way.

A very complex and "resource-hungry", but extremely important, countermeasure is proper patch management for portable devices. Most companies have a patch management solution in place for operating systems, especially for notebooks, which receive the most important updates. However, the other devices (e.g. smartphones, tablets) are not incorporated into the patch management solution, which leaves them vulnerable. Furthermore, companies need to extend patch management beyond the operating system to all types of software installed on the portable devices.
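The paragraph above makes two points: every device type, not only notebooks, must be in scope of patch management, and the scope must cover applications as well as the operating system. The following Python script, added here as an example and not taken from the post or from T-Systems, audits a constructed device inventory against a constructed version baseline and reports, per device, every operating system or application that is either below the required version or absent from the policy altogether (the second case is the unmanaged-software gap the paragraph warns about). All device names, version numbers and application names are invented for illustration.

```python
from typing import Dict, List, Tuple

# Constructed baseline, chosen for illustration only: the minimum version the
# patch policy requires for each operating system and each permitted application.
BASELINE = {
    "os": {"Windows": "6.1.7601", "Android": "4.0.3", "iOS": "5.0.1"},
    "app": {"pdf-reader": "10.1.2", "browser": "9.0", "vpn-client": "3.2"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.1.2' -> (10, 1, 2); non-numeric suffixes such as '5.0.1b' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, required: str) -> bool:
    """True when the installed version is strictly below the required one."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))          # '9.0' and '9.0.0' compare equal
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit_device(device: dict) -> List[str]:
    """One finding per OS or application that the policy does not cover or that
    is below the required version; an empty list means the device is compliant."""
    findings = []
    os_name, os_version = device["os"]
    required = BASELINE["os"].get(os_name)
    if required is None:
        findings.append(f"OS {os_name}: not covered by the patch policy")
    elif is_outdated(os_version, required):
        findings.append(f"OS {os_name} {os_version}: below required {required}")
    for app, version in device["apps"].items():
        required = BASELINE["app"].get(app)
        if required is None:
            findings.append(f"app {app}: not covered by the patch policy")
        elif is_outdated(version, required):
            findings.append(f"app {app} {version}: below required {required}")
    return findings


def audit_fleet(devices: List[dict]) -> Dict[str, List[str]]:
    return {d["name"]: audit_device(d) for d in devices}


# Constructed inventory of three portable devices (names and versions invented).
SAMPLE_FLEET = [
    {"name": "notebook-01", "os": ("Windows", "6.1.7601"),
     "apps": {"pdf-reader": "10.1.2", "browser": "9.0.0", "vpn-client": "3.2"}},
    {"name": "phone-07", "os": ("Android", "2.3.6"),
     "apps": {"pdf-reader": "9.4", "browser": "9.0"}},
    {"name": "tablet-03", "os": ("iOS", "5.0.1"),
     "apps": {"pdf-reader": "10.1.2", "notes-sync": "1.0"}},
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, "compliant" if not findings else findings)
```

In practice the inventory would come from the device management system rather than a literal in the script, and the baseline would be maintained alongside the security policy; the point of the example is that an application missing from the baseline is reported as a finding rather than silently passing, so unmanaged software on smartphones and tablets becomes visible.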

What have all these got to do with application management?

Instant access to business data like reporting

The trend indicates that more and more companies are offering their employees the chance to work from home or to process company data on other "non-conventional" mobile devices such as smartphones or tablets. For all these devices, application management should be considered and implemented just as it is for standard computers and servers. To ensure information security on these devices, dedicated security solutions (some of them described above) need to be deployed and managed accordingly. The bottom line is that every professional application management provider should offer the same diversity, flexibility and quality of application management for portable devices as for standard solutions.

A fairly new but growing demand in the market is for business-related applications on mobile devices, such as logistics services, HR services, reporting services and the like. For all such solutions, proper application management must be implemented both on the mobile devices and in the backend systems supporting these platforms. Given the sensitive nature of the information transferred to the mobile devices, information security best practices and controls must be implemented accordingly. This is why T-Systems integrates all these considerations into holistic mobile solutions in order to serve its customers best.

Do you want to know more? Stay tuned to the AMM blog: the next security article is already in progress.

Disclaimer of liability: The comments on our posts reflect solely the opinions of individual readers. T-Systems accepts no responsibility for the accuracy or completeness of their content.