Q&A: Data Protection Strategies for Mobile Computing
Best practices for protecting your mobile and enterprise assets.
Protecting mobile assets is quickly dominating the concerns of security professionals. What are the problems and what best practices can you establish -- and enforce -- to keep your enterprise assets (both physical and intellectual) safe? For answers, we turned to Nicholas Arvanitis, principal security consultant, Dimension Data Americas.
Enterprise Systems: What type of password is the strongest?
Nicholas Arvanitis: For enterprise use, longer and more complex alphanumeric passwords should be employed. In most cases, a minimum of a 6-digit PIN should be selected. Numbers with any significance, such as date of birth, and statistically weak and patterned sequences (e.g., 1111, 1234, etc.) are easily guessed by attackers conducting brute-force attacks to access mobile devices and should be expressly disallowed. Devices should be configured to auto-lock after a short period of inactivity -- between 5 and 15 minutes -- and be configured to “wipe” after a set number of consecutive failed unlock attempts.
Some touchscreen devices support the swiping of defined patterns across the screen to unlock the device; these measures have failed for two primary reasons. The first is inherent human weakness. The patterns chosen by most users tend to converge to a common subset. On average, there is a high success rate in the ability to guess one of a handful of common swiping patterns. The second reason is the natural oils from human skin leave residue on touchscreens. These smudges can be deduced to a very close approximation in most cases. For these reasons, organizations should avoid these password solutions.
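The PIN rules above (minimum length, no repeated or sequential digits, no dates of birth) can be enforced at enrollment rather than left to user discretion. The following is an added example, not code from the interview or from Dimension Data: a numeric-PIN policy checker in Python that flags short PINs, repeated blocks, ascending or descending runs (including the 9-to-0 wrap), digit strings that parse as a calendar date in common layouts, and entries on a denylist. The denylist contents, the 6-digit minimum and the function names are assumptions chosen for illustration.

```python
"""Numeric-PIN policy checker: rejects short, patterned and date-like PINs.

Added example; the policy values and denylist are assumptions, not the
interview's or any vendor's configuration.
"""
from datetime import date

MIN_PIN_LENGTH = 6  # assumed policy minimum, matching the 6-digit floor discussed above

# Constructed denylist for illustration; a real deployment would load a
# much larger list of frequently chosen PINs.
COMMON_PINS = {"123456", "654321", "111111", "000000", "121212", "112233",
               "123123", "696969", "159753", "147258"}


def has_short_period(pin: str) -> bool:
    """True for PINs built from one repeated block of 1 to 3 digits (1111, 121212, 123123)."""
    return any(len(pin) % p == 0 and pin == pin[:p] * (len(pin) // p)
               for p in (1, 2, 3) if p < len(pin))


def is_sequential(pin: str) -> bool:
    """True for strictly ascending or descending runs, wrapping 9->0 (1234, 9876, 8901)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def _valid_date(year: int, month: int, day: int) -> bool:
    """True if year/month/day is a real date between 1900 and the current year."""
    try:
        date(year, month, day)
    except ValueError:
        return False
    return 1900 <= year <= date.today().year


def looks_like_date(pin: str) -> bool:
    """True if the digits read as a date in YYMMDD/DDMMYY/MMDDYY (6 digits) or
    YYYYMMDD/DDMMYYYY/MMDDYYYY (8 digits). Two-digit years are tried in both centuries."""
    if len(pin) == 6:
        candidates = [(pin[0:2], pin[2:4], pin[4:6]),   # YYMMDD
                      (pin[4:6], pin[2:4], pin[0:2]),   # DDMMYY
                      (pin[4:6], pin[0:2], pin[2:4])]   # MMDDYY
        years = lambda yy: (1900 + int(yy), 2000 + int(yy))
    elif len(pin) == 8:
        candidates = [(pin[0:4], pin[4:6], pin[6:8]),   # YYYYMMDD
                      (pin[4:8], pin[2:4], pin[0:2]),   # DDMMYYYY
                      (pin[4:8], pin[0:2], pin[2:4])]   # MMDDYYYY
        years = lambda yyyy: (int(yyyy),)
    else:
        return False
    return any(_valid_date(yr, int(m), int(d))
               for y, m, d in candidates for yr in years(y))


def check_pin(pin: str, min_length: int = MIN_PIN_LENGTH) -> list:
    """Return the list of policy violations for a numeric PIN; an empty list means it passes."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} digits")
    if pin in COMMON_PINS:
        problems.append("on the common-PIN denylist")
    if has_short_period(pin):
        problems.append("repeated digit or repeated short block")
    if is_sequential(pin):
        problems.append("sequential run of digits")
    if looks_like_date(pin):
        problems.append("reads as a calendar date")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs: the first four should be rejected, the last accepted.
    for candidate in ("1234", "111111", "311299", "19840512", "274913"):
        print(candidate, "->", check_pin(candidate) or "OK")
```

The date check is deliberately broad: any 6-digit string whose components form a valid day and month in one of the three layouts is flagged, which rejects a noticeable share of random PINs. That is the trade-off the policy above implies, since a date of birth is one of the first guesses an attacker with any knowledge of the user will try.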
How do you protect against lost or stolen devices?
Enterprises should only approve devices that have the ability to be wiped after failed login attempts and that have remote wipe capability. This will allow enterprise administrators to remotely trigger a factory reset of lost or stolen devices, rendering the device useless and clearing corporate data and configuration settings from the device.
Many devices support hardware-based encryption for a stronger level of compliance with select data breach laws. Of course, most applications can also encrypt contents, data, and configuration settings, which provides software-level protection.
Data should never be stored on the mobile device. To mitigate the impact of a lost or stolen device, enforce corporate policies about access to key applications and data via software-as-a-service models or Web services. This relies on a solid policy and procedure for employees to report lost or stolen devices through the appropriate channels, and should be championed and encouraged by the enterprise.
What corporate policies need to be established?
Much of the appeal of mobile devices is the freedom that they offer users to interact and collaborate. Overly restrictive policies may alienate users and result in the violation of such policies. Careful planning and interaction with users must take place to ensure that the policies allow users the level of freedom that they value while appropriately balancing the risk to the organization.
Before policies can be developed, organizations must have a thorough understanding of data management from governance, risk, and compliance standpoints. They must understand what data is considered critical and what the organizational stance is for protecting that data. This is best achieved through a robust data classification system, with the various sensitivity labels applied to corporate data that determine how the data should be handled, and driving policy based on this assessment.
This understanding is critical for the appropriate application of policy and security controls. Security can never be perfect, but it should be tailored to provide the correct amount of security in accordance with the sensitivity of the data.
An overall corporate policy for mobility management is essential. It should address numerous aspects of the solution and devices, and should include the following key components:
- Minimum security standards for supported devices
- Installation and management of apps, including expressly disallowed apps
- Any high-security or higher-assurance configurations for devices specifically accessing regulated and protected data
- Links to and tie-ins with the appropriate acceptable-use policies
- Official standpoint on the privacy of data and the organization’s right to monitor data and seize devices in the case of incidents and investigations
Does sandboxing really make a difference?
Sandboxing makes a significant difference. Mobile devices and operating systems have the immense benefit of being designed and developed in recent times where vendors have been able to approach the design and architecture of such platforms with security in mind from the beginning. Sandboxing is one such benefit.
Sandboxing greatly mitigates the risk posed by a single application by limiting that application to its own allocated resources and by preventing a single compromised application from compromising others. This plays a considerable role in limiting the impact of malware, as the breach would be limited to the memory and process space of the compromised application (in most cases).
This is not to say that mobile devices are devoid of vulnerability -- just consider jail-broken devices or malicious applications -- but successful exploitation of vulnerabilities becomes exponentially more complex. As highlighted in a recent Forrester report, the combination of vulnerabilities reported across the iOS, BlackBerry OS, and Android mobile platforms since 2008 is less than one-fifth the number affecting Windows PCs.
What risks do rogue or jail-broken devices pose?
Jail-broken devices may hamper management and policy efforts, and expose the user to higher risks. An example of this was the 2009 worm that only affected jail-broken iOS devices. The worm took advantage of a default password for the root account on jail-broken devices. Especially concerning about jail-broken devices is the ability to install software or applications that may not have passed vendor approval.
A vast proportion of applications available have been developed by other users. Although vendors provide varying measures of oversight and screening, there have been many cases where applications performed functions without the user’s knowledge, such as transmitting data about the user and device to external Web servers in the background. The impact of such malicious applications ranges from tracking a phone’s location, stealing contacts, and viewing text messages, to sending text messages to paid text services and racking up unauthorized fees.
The threat of unapproved software or applications is exacerbated when the platform is naturally more open (such as Google’s Android) or when users take steps to circumvent some of the built-in security measures (jail-broken devices).
What are the implications for regulatory compliance?
Organizations must consider the sensitivity of data at governance, risk, and compliance levels in order to understand what policy and controls should be applied to protect this data accordingly.
Many security measures (such as encryption, authentication controls and remote wipe) play a significant role in locking down a device to be considered acceptable in the face of regulatory compliance. For most organizations, a far more restrictive policy must be applied to mobile devices, and some devices may be considered unacceptable based on their security capabilities and associated management systems and infrastructure.
Control of data is imperative. In some cases, third-party software may be required to align mobile devices with the standards required for compliance. Policy should clearly address the grey area between corporate and personal data and resources, enabling the organization to apply relevant controls and safeguards to the devices, regardless of whether personal data is also stored on the device.
How secure are mobile applications? Should they even be allowed?
Vendors have greater insight into the security of the mobile platform and software, which allows them to take measures to more effectively secure the devices. However, in a pronounced shift for the corporate technology and security departments, mobile devices take the control of deployment and configuration of applications and give it to the user. Mobile application repositories, such as Apple’s App Store, the Android Market, and BlackBerry App World, allow users to discover and download new applications at a whim -- increasing risk to the enterprise.
The security industry has been warning users for years about the dangers of running untrusted code or running code without understanding the full ramifications of its effect on a system. This is no different for mobile platforms. Organizations should assess applications to determine whether they incorporate any malicious functionality, back doors, or other unwanted characteristics and determine which applications are or are not permitted. In high-risk environments, the organization should exercise tight control over the applications permitted, but in less stringent environments, permit users to install a broader array of vetted applications. Devices that have bypassed trusted code requirements should be expressly disallowed.
What products or services from Dimension Data address mobile security?
Dimension Data has many years of experience as a trusted advisor, assisting clients in understanding and integrating security technologies and solutions as they plan, build and support these solutions worldwide.
Dimension Data provides everything from assessment, integration, and managed security services to support, addressing key considerations and recommendations for organizations integrating mobile solutions to address information security requirements across the entire life cycle. These services cover aspects of governance, risk and compliance, policy and procedure, technical controls and solutions implementation, and testing and assessment.
Dimension Data helps its clients carefully consider and address key focus areas to ultimately reduce the risk profile when adopting and integrating mobile solutions.