Securing mobile devices requires enterprise and service provider controls

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Enterprises are adept at securing and managing computing endpoints such as desktop and laptop computers, but most do not have the same controls and processes in place for what is likely the fastest-growing computing platform: smartphones and other smart mobile devices.

Though the amount of malware designed to target mobile devices still pales in comparison to that targeting traditional computing devices, there has been a marked increase in mobile malware and the trend shows no signs of stopping. Combine that with the fact that mobile devices are often lost or stolen, and you get a major enterprise vulnerability.


To help achieve the necessary levels of security for mobile devices and the sensitive data they access, the mobile industry as a whole must begin shifting toward a complete approach to security and management. This approach should focus on strengthening the security of both the enterprise side -- the endpoints where the data is created, used and stored -- and the service provider side -- the carrier networks through which the devices connect and communicate with corporate backends.

As mobile devices become more sophisticated, provide greater corporate access and store more data, they are becoming a higher-priority target for attackers. As a result, companies need to stop making exceptions for mobile devices and treat them as they would any other endpoint. Using security and management software directly on the devices is key.

By implementing solutions focused on protecting and managing the devices themselves -- much like those used to secure and manage the data on PCs -- enterprises can ensure that mobile devices are not a glaring chink in their otherwise strong IT security armor. The solutions include:

* Mobile device management: It has been said that a well-managed device is a secure device. It is imperative that smart mobile devices remain properly configured and managed at all times. IT cannot rely on end users to do this. Mobile device management, or MDM, solutions provide the necessary visibility and control over devices connecting to company networks and resources. By increasing IT efficiency with over-the-air deployment of configurations, applications and updates, management solutions help ensure devices have the required policies and applications and that they are configured correctly and kept up-to-date. This not only ensures security vulnerabilities are not present on the devices, but it improves end-user productivity by managing mobile device health as well.

* Mobile security software: Creative cybercriminals have found ways to exploit smart mobile devices through viruses, Trojans, SMS or email phishing, rogue applications and snoopware (mobile spyware that activates features on a device without the user's knowledge, such as the microphone or camera). It is therefore growing increasingly important to employ the mobile security solutions that provide a barrier against these attacks, similar to their laptop and desktop counterparts. Security solutions that feature network access control capabilities can also help to enforce compliance with security policies and ensure that only secure, policy-compliant devices can access business networks and email servers.

* Authentication technology: Most enterprise networks require a username and password to identify users, but usernames and passwords can be compromised. Using two-factor authentication technology provides a higher level of security when users log in. Effective authentication technologies extend the same safety measures to logins from a mobile device. Also, as enterprises develop custom business-oriented mobile applications, they need to look at extending the authentication to these apps as well.

* Information protection: Despite the recent uptick in mobile malware, the biggest threat to mobile devices remains the risk of loss or theft. As more companies use these devices as simply additional endpoints, the data stored and accessible through them is put at even greater risk. Corporate email and data from line-of-business applications on smartphones often contain intellectual property or information subject to government regulation. Thus, the loss or theft of the device exposes sensitive data and may result in financial loss, legal ramifications and brand damage.

Strong password/PIN policies prevent unauthorized access to mobile devices and the data on and accessible through them. Mobile encryption technologies also provide protection for data communicated and stored on mobile devices. Remote wipe and lock capabilities enable an enterprise to remotely delete all of the corporate data on the device to ensure that the data cannot be breached. As individual-liable mobile devices permeate enterprise networks, organizations need granular control over these remote wipe capabilities so only the corporate-owned data can be wiped. And finally, enterprises need to make sure that the appropriate data leakage prevention policies are in place to reduce the flow of sensitive data out of mobile devices.

Securing the service provider side

As these new smart enterprise endpoints access service provider networks directly, enterprises need to feel comfortable that these vital channels are also free of attacks and threats that could proliferate into their own infrastructure. Carrier network security should include the following elements:

* Next generation network protection: As malicious threats designed to propagate via mobile networks increase, so too must the measures implemented by providers to block these threats. Service provider networks should be protected at their edge, so that these threats never get in. By building a networkwide policy control and enforcement system, these networks are guarded against malware. This networkwide solution must include an application-level security policy that protects against the predominant types of traffic entering the network, including the Web, SMS, MMS and so on. By putting this application-level policy in place, service providers can identify and evaluate new threats from devices as soon as they appear and prevent them from reaching other enterprises and end users.

In addition to improving overall security, a networkwide policy control and enforcement solution has additional benefits. It empowers providers to offer revenue-generating protection services for both enterprises and consumers. These include enterprise-level controls over where users may browse the Web and over which devices connect to the enterprise infrastructure. These capabilities can be sold as security as a service to corporate customers to drive corporate customer retention and acquisition. They can also be offered as consumer-level control capabilities, providing individual subscribers control over their mobile presence across all services.

* Network security visibility: In order to protect network stability, performance and subscriber trust, it is critical that service providers have real-time insight into what types of activity are occurring on their network. In addition, service providers must comply with increasing regulatory requirements being placed on them. An intelligent security solution designed to identify, manage and report suspicious activity -- in real time -- enables a proactive approach to improving network efficiency by ensuring only valid traffic traverses the network. Additionally, operators must ensure they properly store and make retrievable application-level traffic requested by enterprises, helping meet regulatory requirements for data retention and recovery.

The challenges of securing mobile devices are big, but what's needed is an industrywide holistic approach that stops making exceptions for mobile devices and treats them as true endpoints. Ideally, this would include integrated protection solutions for end users, enterprises and telecommunication service providers.

Symantec provides security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. More information is available at www.symantec.com.
