Providing for the security of your organization’s mission critical information assets is essential in today’s asymmetric threat environment. You must now view the challenge from the vantage point of your network’s reach.
Your exposure would largely be confined to one device if, for example, your mission critical assets are contained on a single computer. However, if you or your employees access information from wireless or mobile devices (e.g., laptops, smart phones or tablets), your network’s exposure could be effectively unbounded. The ability to provide access to critical information is increasingly necessary for organizations to remain competitive. If you are sending or accessing information by means of portable computing devices, you should at least have considered “End Point Security.”
Smart phones, laptops and tablet computers have literally put your information assets in the street. The capabilities of mobile software and hardware platforms are remarkable. The perimeter of your network has been pushed out further than you may realize. Once even simple remote access is provided, very little information is inaccessible to workers who are “on the road.” Unless your security plan includes “mobile” security best practices, it is in serious need of updating.
You are either providing for end point security for your mobile computing hardware and software or you aren’t. If you are requiring, for example, that your employees enable a password policy on their mobile devices you are at least beginning to address end point security issues. But have you done enough? You should be confident in your answer or you have more work to do.
Consider the following questions. Does your organization have a mobile computing security policy? Have your employees received training related to the policy? Have you asked your employees to “sign off” on an acknowledgment of their responsibilities to provide mobile security?
But here is more for you to consider. Each new generation of computing devices brings more power to the employee who is accessing information remotely. The need for attention to provide end point security should be clear. So what should be considered with regards to providing security for remote access?
1.) Your organization should, as previously mentioned, have a security policy related to mobile computing.
2.) Employees who remotely access your information assets should be trained in security best practices for mobile computing.
3.) Attention should be given to mobile authentication. Installing and using the latest protocols (e.g., 802.1X) is recommended.
4.) Sensitive information sent over wireless networks should be protected with at least WPA2 encryption.
5.) Using a Virtual Private Network (VPN) should be considered.
6.) Server-side operating system security policies should be established.
7.) Whether to permit access by employee owned devices should be considered.
8.) The physical and software configuration on the mobile devices must be addressed.
9.) All software updates and security patches on the mobile computers should be applied routinely. Configure the devices to do so automatically if possible.
10.) Mobile devices should be marked and identified so they can be traced in the event of loss or theft.
11.) Set idle timeouts so that mobile devices shut down when left sitting unused.
12.) Consider using a privacy screen to block the view of shoulder surfers.
13.) Consider using an automated location service to help you find a device that has been misplaced.
14.) Employees should be prohibited from “jailbreaking” a device or changing its secured settings.
15.) Policies should exist as to what information can be accessed and stored on portable devices.
16.) Turn off Bluetooth on any device when it isn’t being used.
17.) Consider purchasing mobile devices without a peripheral storage capability.
Summary:
Mobile computing is a reality. Failing to recognize vulnerabilities and address solutions may be considered negligent. The loss of mission critical information or the private information of customers could have disastrous results for an organization. Establish and implement security policies. Make sure everyone in your organization is educated on how to implement mobile security policies.
Dr. William G. Perry is the founder of Paladin Information Assurance ([http://www.paladin-information-assurance.com]) and its chief information security analyst. Paladin’s mission is to help organizations discover information security risks and to deploy mitigations. Its core belief is that the protection of digital processing infrastructure is a matter of national security and must be treated as a key business process.