More and more corporate data is being moved onto mobile devices through email and cloud-based mobile applications, so securing mobile data is becoming increasingly critical. However, traditional security models break down when it comes to mobile. Mobile devices can't be managed autonomously by IT because IT can't enforce upgrades or install applications or programs without the end users' consent. Therefore, an effective mobile security model needs to be based on visibility and mitigation, not command and control. Based on our experience working with enterprises around the world, here are five tips for securing your mobile data.
1: Ensure visibility
The request to get email on new devices such as iPhones and iPads often comes from the CEO, and IT responds by turning on ActiveSync. However, the problem is that once you've turned on ActiveSync, anyone can get onto the network. As different mobile platforms provide different capabilities for device security and control, the first step in mobile security is to find out exactly who is accessing your network and what devices they are using to do so. Then you want to be able to set access control policies that can determine whether to allow or block access based on hardware type, OS version, or compliance status. ActiveSync is a great technology to set some baseline controls, but it's important to complement it with the right tools to ensure the security of your network.
2: Make sure you can do the basics
Any mobile device management and security technology you evaluate needs to be able to handle core mobile security functions:
- Remote lock and wipe
- Password policy
- Encryption monitoring
- Jailbreak and root detection
- Device restrictions, such as denying access to certain apps (e.g., password spoofers) and explicit content
Keep in mind these are the minimum requirements that should be on your checklist.
3: Create clear policies and communicate them to employees
One major decision that many enterprises are struggling with today is whether they should allow employees to use their own devices. Whether the phone is owned by the company or the employee, it's inevitable that it will end up with both corporate and personal data on it. Therefore, it's essential to actively communicate your data security policies to your employees and to make sure that the information is in a place where it can be easily found. You will need to make decisions about two big areas. The first is how you handle personal versus corporate data -- for example, what gets stored or archived on company servers, such as SMS? What gets wiped or removed if an employee violates policies? The second area of concern is privacy and who sees what. Regardless of your policy, the most critical factor to consider is transparency. It should be easy for an employee to find your corporate data security and privacy policies. They should know exactly what IT tracks, monitors, and archives. Then they can make decisions about their own device usage.
4: Make sure you're securing everything -- not just email
Mobile security is no longer just about email. Through the use of mobile apps, more and more company data is moving onto mobile devices, so you need to have visibility into apps, as well. You must have a central view of all the apps employees are using, and you need to be able to blacklist apps that pose a threat to security or compliance.
5: Stay flexible
It's important to remember that enterprise mobility is really new. Be prepared to evolve because everything will keep changing. New OS releases will have new features and functionality. New devices are going to keep coming (consider the iPad-led tablet computing wave), and there will be more mobile apps and data to secure. You need to be alert to all of these developments because many will have implications for the policies you've established. The most important thing is to maintain complete visibility into your mobile environment and regularly evaluate your security policies to make sure they align with your mobile reality.Shun Chen is director of product management for MobileIron.