You’re a government security IT professional and you’ve taken the steps to get your network secure. You feel relatively confident, safe even, as you walk the corridors of your organization. Then across the office, you hear a sound – it’s faint at first. Now you can’t escape it – it’s the sound of employees using their own mobile devices at work.
Every “chirp,” “bing” and personalized ringtone represents a different device, operating on a different platform, accessing different information and walking right out the front door.
You can’t fight mobility. It’s here. And government employees expect to be able to work from anywhere using the device of their choice. In most cases, mobility is a good thing and brings with it increased productivity. But as a government IT professional, you need to prepare for the associated security risks in the public sector.
The basic goals for creating a mobile security plan shouldn’t be limited to just protecting the devices. It should also involve securing the accessible organizational data once it becomes local to the device. There are three steps government IT professionals can take to stay ahead of risks: deploying mobile device management (MDM) systems, increasing supplemental security and evaluating and testing emerging security measures.
Mobile device management
MDM is the most basic thing you can do to protect your organization, regardless of whether your employee has an iPhone, Android, Blackberry or some other obscure platform for their mobile device. Be sure that any MDM solution you invest in can do the following:
- Application management: you should be able to know and, if necessary, restrict what devices are downloading and running;
- Configuration management and resource control: you want control over what the device connects to, what it takes pictures of and its passwords;
- Detection of jailbroken or rooted devices: these devices are inherently more risky;
- Device recovery and loss mitigation: track it, lock it down, wipe it clean; and
- Support and service management: quality tech support pays dividends in the long run.
However, MDM is not enough on its own. Users also need to assist with network security. Make them aware of your mobile policies and ensure they are following them. Signed agreements acknowledging that employees understand their rights, their responsibilities and the organization’s rights are crucial. Still, MDM and policy together won’t keep all threats out, and this is where supplemental security measures step in.
Even if your employees aren’t going to be doing anything other than checking email with their mobile devices, you’ll want to consider more than just securing access. You will want to have some additional data protection to help fight against data theft. This means that you should control what data can make its way on to mobile devices in the first place.
Also, there is an ever-increasing back alley of mobile web and application-based threats that you will need to keep an eye on. While mobile malware hasn’t historically been much of a concern, times are changing. With mobile devices overtaking desktop computers in popularity, mobile attacks are anticipated to be the next big thing in cybercrime. You are going to need the latest real-time threat intelligence to stay ahead of the curve.
Emerging security measures
This is the new stuff and the latest cutting edge technology. Some emerging security measures to consider include:
- Application and desktop virtualization: with view-only access and desktop virtualization solutions, you never allow sensitive data to leave the data center in the first place. It provides a superior degree of protection.
- Self-defending apps are also coming into their own. Organizations that have this luxury can design applications that incorporate encryption and key management functionality from the start. These apps are inherently more secure as they rely less on native platform features and data storage locations for protection.
- Investigate whether you want to go agent vs. cloud for deploying your supplemental threat and data protection capabilities.
- Another option includes deploying a sandbox to create an isolated zone on the mobile device where users can work with enterprise resources.
- You can also create an always-on VPN that routes all data traffic back to headquarters or the cloud via an encrypted tunnel.
Fiaaz Walji is Canadian country manager for Websense.
You can find the latest mobile whitepapers with clear guidance for security best practices at: www.websense.com/Content/WhitePapers.aspx?cmpid=pr. Download a new five-part Websense Mobile Acceptable Use Policy Kit at www.websense.com/content/mobile-aup.aspx?cmpid=pr.