Protect your mobile device – Part 3: Enforcement, Tools, and First Steps

We have explored the importance of setting policies and training users on mobile device security and management; now we wrap up with how to enforce those policies, which tools we recommend, and the first steps toward mobile device security.

Enforcement

Enforcement is usually assisted by a Mobile Device Management (MDM) tool, typically a software application that requires an agent to be installed on the mobile device.  Once installed, the agent connects remotely to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.

MDM features typically include:

  • Enforce user security policy:

o   Require complex password with frequent changes

o   Permit remote access only via SSL or VPN

o   Lock-down browser settings

o   Enable encryption

  • Recover lost or stolen devices:

o   Activate alarm (set off an audible alarm on the device)

o   Enable track and locate (track and locate the device via GPS)

o   Permit remote wipe (complete erasure of the device as a last resort)

  • Control mobile device applications:

o   Recognize and prevent installation of unauthorized applications

o   Permit whitelisting and blacklisting of applications

o   Restrict or block application stores

  • Remotely deploy and configure applications (email, etc.)
  • Audit the mobile device for installed software, configuration, and capacity

ComputerWorld has a comprehensive article on the challenges of MDM. View it at Mobile device management: Getting started.

To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool.  Other MDM providers include:

  • AirWatch
  • LabTech
  • MobileIron
  • Symantec
  • Zenprise

While MDM provides a comprehensive tool, it can be costly to procure and support.  Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.

Non-MDM Tools

Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that is licensed per end-user or per end-device through a Client Access License (CAL).  The Exchange 2010 Standard CAL licenses:

  • Password security policies
  • Encryption required
  • Remote wipe

The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:

  • Allow/disallow Internet browser, consumer email, unsigned installation, etc.
  • Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
  • Allow/block specific applications
  • Per-user journaling
  • Integrated archive

Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).

The main difference between MDM and EAS: most MDM tools provide greater control over the mobile device throughout its lifecycle and can control the device even before email is configured, whereas EAS only reaches a device once it has a mailbox partnership.
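
The two lifecycle features from the MDM list above that EAS does cover, auditing the device and wiping a lost or stolen one, can be driven from the Exchange 2010 Management Shell. The following is an added example and not Bryley's or Microsoft's code; the admin address, report path, the user who reported a lost device, and the 30-day staleness threshold are all assumptions.

```powershell
# Added example for this article (not Bryley's or Microsoft's code); run it in
# the Exchange 2010 Management Shell. The admin address, report path, the user
# who reported a lost device and the 30-day threshold are all assumptions.
$AdminAddress = "itadmin@example.com"          # assumption
$ReportPath   = "C:\Reports\eas-devices.csv"   # assumption
$StaleDays    = 30                              # assumption: no sync in 30 days = review

# --- Audit: which devices are attached to which mailboxes, and are they compliant?
# Get-ActiveSyncDeviceStatistics is the per-partnership record EAS keeps:
# device type/OS, last successful sync, when the policy was last applied, and
# any pending or acknowledged wipe.
$inventory = Get-CASMailbox -ResultSize Unlimited `
                -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object Identity, DeviceType, DeviceModel, DeviceOS, DeviceUserAgent,
                  LastSuccessSync, LastPolicyUpdateTime, Status,
                  DeviceWipeRequestTime, DeviceWipeAckTime

$inventory | Export-Csv -Path $ReportPath -NoTypeInformation

# Devices that never synced, or have not synced for $StaleDays days, are either
# retired hardware or a device the user no longer has; either way the
# partnership should be reviewed and removed if it is no longer needed.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = $inventory | Where-Object {
    ($_.LastSuccessSync -eq $null) -or ($_.LastSuccessSync -lt $cutoff)
}
$stale | Format-Table Identity, DeviceType, LastSuccessSync -AutoSize

# --- Recover lost or stolen: remote wipe as the last resort.
# The wipe is queued on the server and executes the next time the device
# connects; Exchange mails $AdminAddress when the device acknowledges it.
$LostUser = "jdoe@example.com"   # assumption: user who reported the device lost
Get-ActiveSyncDeviceStatistics -Mailbox $LostUser | ForEach-Object {
    Clear-ActiveSyncDevice -Identity $_.Identity `
        -NotificationEmailAddresses $AdminAddress -Confirm:$false
}

# Do not remove the partnership until DeviceWipeAckTime is populated: removing
# it first (Remove-ActiveSyncDevice) discards the pending wipe request.
Get-ActiveSyncDeviceStatistics -Mailbox $LostUser |
    Format-List Identity, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The wipe only takes effect when the device next contacts the server, which is the practical limit of an email-based approach: a device whose SIM has been swapped or whose mail account has been deleted never receives the request, which is where an MDM agent with its own connection back to the console has the advantage.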

Other recommended tools include:

  • Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
  • Protect and find phone via key-case fob – Kensington Bungee Air at $79.99

First-step suggestions

These are our minimum, first-step suggestions:

  • Deploy anti-malware software immediately and manage it continuously
  • Require a password to unlock the device, with a short auto-lock time
  • Update mobile devices through vendor-approved patching
  • Enable on-board encryption if the device handles sensitive data

Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.

Microsoft Streamlines Windows Server Options, Kills Versions for Home and Small Business

Microsoft has revealed that the Windows Server 2012 options will be drastically streamlined from the myriad choices of its predecessor. In the paring down, though, Microsoft is killing off Windows Small Business Server, and Windows Home Server–the two most popular versions for small and medium businesses (SMBs).

On the one hand, the news is quite welcome. Variety may be the spice of life, but when it comes to choosing which version of Microsoft’s server operating system is right for your business it’s just confusing. Choice is one thing, but too many choices make the decision much more complicated than it needs to be.

With Windows Server 2012, Microsoft will only offer four versions: Datacenter, Standard, Essentials, and Foundation. Even better, the versions are all equipped with essentially the same features and capabilities, and the only real difference is the number of virtual machines each can handle. That means that Windows Server 12 Standard Edition will include features like Windows Server failover clustering, and BranchCache hosted cache server that were previously reserved only for the Datacenter and Enterprise versions.

For the most part, though, SMBs aren’t really interested in those enterprise-class capabilities, and they’ve been satisfied working with Windows Home Server, or Windows Small Business Server–which includes core functionality of Exchange Server and SharePoint Server. These organizations are going to have to make a switch, though, when it comes time to upgrade.

According to a PDF from Microsoft titled Windows Server 2012 Essentials: Frequently Asked Questions, both of these versions are superseded by Windows Server 2012 Essentials. Microsoft explains that it has focused on making Windows Server 2012 Essentials the ideal operating system platform for both small businesses and home users.

The decision is driven–at least in part–by current tech trends, and Microsoft’s own focus on cloud-based tools and services. Microsoft explains, “With Windows Server 2012 Essentials, customers can take advantage of the same type of integrated management experience whether they choose to run an on-premises copy of Exchange Server, subscribe to a hosted Exchange service, or subscribe to Office 365.”

The bottom line is that SMBs don’t need to have Exchange or SharePoint bundled with Windows Server. Windows Server 2012 Essentials will meet the server platform needs of most organizations–even better than its predecessor thanks to the across-the-board feature parity–and an Office 365 subscription can deliver Exchange, SharePoint, and Office as a hosted service.

References: PC World: Business Center

Protect your mobile device – Part 2: Training

Training is an important, early step in any process; informing end-users of the need to secure their mobile devices is critical. Recommended training topics:

● Why we need to authenticate and encrypt

● How to reduce the risk of loss or theft

● How to safely deploy new applications

● How to securely back up your data

Authenticate and encrypt

Authentication is the process of confirming that the end-user is authorized to use the mobile device in a prescribed manner. It is typically handled through a username with a complex password that is changed frequently.  (A complex password requires at least three of four character options – capital letter, lower-case letter, numeric, and special character – with at least eight characters.)

Increasingly, biometrics (fingerprint verification, eye-scans, etc.) are playing a role in authentication.

Sensitive data should be encrypted to make it unreadable if the device is lost or stolen. (Encryption scrambles the content, making it unreadable to anyone without the key needed to decrypt it.) Authentication is required to decrypt and access the data.

Reduce the risk of loss or theft

Cell phones are easy targets for theft; they can be sold on the street and are (still) easily programmed to a new service on a cellular network.

To prevent theft:

● Be vigilant; know where your cell phone is at all times and keep it close to your body. (It doesn’t always help: One of our clients had his cellphone taken right from his hand by a man on a bike on a busy city street; the bicyclist also gave him a kick to discourage pursuit.)

● Install phone-tracking software

● Install a physical locking device

Safely deploy new applications

Mobile-device users download applications through app stores installed on the device. App stores are increasingly targeted areas for malware distribution; only trusted and approved applications should be downloaded and deployed. (Most app stores have responded by requiring additional security precautions from their customers.)

For company-owned devices, end-users should have specific guidelines on what applications can or cannot be deployed; ideally, an enforcement mechanism would be installed on the mobile device to ensure these policies are followed. For employee-owned devices, this policy may need to be recommended rather than required.

Securely back up your data

To prevent loss or inadvertent deletion, data stored on a mobile device (pictures, documents, contacts, etc.) should be backed up in an encrypted format to a separate, secure location.

Backups should be required on devices owned by the organization and strongly recommended for individually owned devices. Backups should be scheduled periodically and verified.

Online, consumer-oriented backup and file-storage applications – spritemobile, DropBox, Mozy, SugarSync – are somewhat restricted by the mobile-device operating system in what type of data they can back up; typically contacts, calendars, music, and photos. Full backups are usually done through tethering (attaching the phone to an external device).

Visit Enterprise Security Policies for Mobile Device Backup and Restore at Dummies.com for an informative article on mobile-device backup.

Next month (part 3): We will discuss enforcement, review a few tools, and wrap-up with first-step suggestions.

Bryley Referral Program

Sticking your neck out to vouch for Bryley is, as far as we’re concerned, the ultimate compliment. Because of that, everyone you refer is treated with respect, kindness and good communication whether or not Bryley can help them with IT.

Protect your mobile device – Part 1

The need to secure newer mobile devices (smartphones, tablets, etc.) has grown since they now meet the basic criteria for malicious, cyberspace-based attack:

  • Developer kits are readily available
  • Mobile devices are in widespread use throughout the world
  • Motivation is increasing since usable/saleable data live on these devices

In addition, BYOD (Bring Your Own Device) has introduced related, security-oriented concerns and complexities:

  • How can we accommodate personal equipment in the workplace, particularly when two-thirds of 20-something workers in a recent survey from research firm Vision Critical state that “they, not the company, should be responsible for the security of devices used for work purposes”? [1]
  • How do we manage the large variety of mobile devices, many with differing operating systems, processing capabilities, and user interfaces?
  • How do we structure our security offerings to permit broad access to low-risk functions while restricting high-risk activities on a need-to-have basis?

Protecting a smartphone (or tablet) gets easier if you take the perspective of Garin Livingstone, one of our technical staff, who pointed out: “It is just a small computer; all of the same security concerns and rules that apply to PCs also apply to smartphones.”

As described in a recent InformationWeek article [2], the corporate response from the IT department should consist of these three stages:

  • Set policy for mobile device use
  • Train users
  • Enforce

Mobile-device-use policies should protect company data while enabling employees to do their jobs efficiently.  The policy should protect, but not inhibit, the use of data from a mobile device; this usually requires protecting the device itself, with a strong focus on what data is available and where it will reside.

Some policy suggestions:

  • Device:

o   Deploy an anti-malware utility set to scan automatically

o   Set continuous updates of operating system and anti-malware utility

o   Encrypt company data (if stored on the device itself)

o   Backup data to a secure site (preferably daily)

  • User:

o   Require passwords and make them complex

o   Set an auto-lock period of five minutes or less

o   Set browsers to high-security mode

  • Remote access:

o   Access data/applications securely via SSL, HTTPS, or VPN technologies

o   Provide virtualized access to data stored at the corporate site

In our next article, we will review training and enforcement, highlight some tools, and wrap-up with first-step suggestions.
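
The User and Device items above that concern the device itself (complex password, auto-lock of five minutes or less, encryption of company data, browser restrictions), together with the Standard CAL and Enterprise Add-On CAL features described under Non-MDM Tools in Part 3, all map onto a single Exchange 2010 ActiveSync mailbox policy. The following is an added example and not Bryley's or Microsoft's code; the policy name, the mailbox it is assigned to, the 90-day password expiration and the 10-attempt wipe threshold are assumptions.

```powershell
# Added example for this article (not Bryley's or Microsoft's code); run it in
# the Exchange 2010 Management Shell. The policy name, the mailbox, the 90-day
# expiration and the 10-attempt threshold are assumptions.
$PolicyName = "Mobile-Baseline"   # assumption

# Standard CAL features: password policy and required encryption. Remote wipe
# needs no setting, it is available for any partnered device. The values below
# follow the article: at least 8 characters drawn from 3 of the 4 character
# classes, frequent changes, and an auto-lock of five minutes or less.
$standard = @{
    Name                               = $PolicyName
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $false
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 3
    DevicePasswordExpiration           = "90.00:00:00"   # assumption: 90-day rotation
    DevicePasswordHistory              = 5
    MaxDevicePasswordFailedAttempts    = 10              # device wipes itself after 10 bad entries
    MaxInactivityTimeDeviceLock        = "00:05:00"      # auto-lock at 5 minutes
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    AllowNonProvisionableDevices       = $false          # refuse devices that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @standard

# Enterprise Add-On CAL features: allow/disallow browser, consumer e-mail,
# unsigned applications and installers, removable storage, Wi-Fi and Internet
# sharing. Setting the browser off is the EAS equivalent of the article's
# "lock-down browser settings" item; the policy has no high-security mode.
Set-ActiveSyncMailboxPolicy -Identity $PolicyName `
    -AllowBrowser $false `
    -AllowConsumerEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowStorageCard $false `
    -AllowWiFi $true `
    -AllowInternetSharing $false

# Assign the policy to a mailbox; loop over Get-Mailbox for a whole department.
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy $PolicyName   # assumption

# Verify what was created before rolling it out.
Get-ActiveSyncMailboxPolicy -Identity $PolicyName |
    Format-List -Property *DevicePassword*, Require*, Allow*, MaxInactivityTimeDeviceLock
```

AllowNonProvisionableDevices set to $false is what turns the policy from advisory into enforced: a device that cannot apply every setting is refused mail rather than connected with the settings it happens to support. The Device items EAS cannot express (anti-malware, operating-system updates, daily backup) and the Remote access items still need an MDM agent or a separate tool, which is the lifecycle gap Part 3 describes when comparing MDM with EAS.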

References:

1. Visit Network World at http://www.networkworld.com/news/2012/061912-byod-20somethings-260305.html to review the article “Young employees say BYOD a Right not Privilege” by Ellen Messmer.

2. Please review the May 12, 2012 InformationWeek article “Mobile Security Gaps Abound” by Michael Finneran.