Mobile Device Management – CompTIA Security+ SY0-501 – 2.5

If you’re centralizing the management of your mobile devices, then you’ll have a lot of policy decisions to make. In this video, you’ll learn about the options you’ll need to consider when managing mobile devices.



The use of mobile devices in the workplace has exploded. And it’s up to the security professionals to find a way to manage all of these different mobile devices. The ownership of these mobile devices can vary widely from place to place. Many environments may require that you bring your own device to work. This would be BYOD, Bring Your Own Device. Other organizations may provide the mobile device for you.

But in all of these situations, we need some centralized way to manage all of these mobile devices. That’s where we have Mobile Device Management, or MDM. With a mobile device manager, a network administrator or security administrator can have one pane of glass and be able to manage all of the mobile devices in their environment. This allows them to set policies on what applications can be used, what type of data can be stored on the device, and whether the device camera is enabled or not.

You effectively have complete control over the entire device. In some cases, you can even create a partition in a device so that you can separate out private information from company information. And from a security perspective, you can even set requirements on what security is expected on the mobile device. For example, you can force everyone to use a screen lock and require personal identification numbers to be able to unlock the device.

These mobile devices can be a challenge to manage. They’re with us 24 hours a day, and they’re always connected to the network. This makes it very easy for us to install an application wherever we might be during the day, but not all applications are written with security in mind, and some applications are specifically written to be malicious. Someone can easily download one of these applications, install it onto a mobile device, and become infected with this malware.

Some organizations will tightly control what applications can be installed to these mobile devices. They’ll build a list of applications into a white list and install that white list onto the mobile device manager. Once it’s installed there, users can only install applications that are on this approved list. And if it’s not on the white list, it doesn’t get installed onto the mobile device.

As you can imagine, this adds additional management to the security administrator. There has to be a white list created. And then that white list has to be constantly updated with applications that have been approved or applications that are required by your end users.

There’s also a balancing act with data on these mobile devices between being secure and having the data accessible. You want your users to be able to have access to the data they need and be able to do their jobs, but you also want to be sure that nobody unauthorized is gaining access to this data. In many cases, the data may not even be stored on the local device. It could be some on-site servers that are running Microsoft SharePoint or simply file transfers that you can do to and from the mobile device. Or all of this data may be in the cloud on a service like Box, Office 365, or many of the other cloud-based storage services.

Fortunately, many of these mobile devices include options for Data Loss Prevention, or DLP. This would prevent somebody from copying information from the inside servers and pasting it into information that might be going outside the organization. You can usually manage this DLP function from the mobile device manager and set broad policies for everyone in your organization.

One important security requirement for a security administrator is to have the ability to perform a remote wipe. This means that the security administrator can go to the mobile device manager, find someone’s mobile device, hit a button, and then delete all of the information from that device, all remotely from the mobile device manager. This means if someone’s mobile device is stolen or goes missing, you can delete everything on the device to make sure that nobody gains access to any of that data.

This is something that generally needs to be configured well ahead of time. Normally, when you add a device to a mobile device manager, this particular function is already enabled. If the device is not being managed by a mobile device manager, then you’ll want to configure the device for remote wipe capabilities using a set of credentials.

The important thing here is to remember that the security administrator can delete all of this data at any time. It’s not unusual for someone who’s leaving the organization to have everything on their personal mobile device suddenly deleted without any type of warning. It’s a policy that’s normally agreed to when someone adds this device to the mobile device manager. So it’s important to have backups, especially if you keep any of your private information on this mobile device.

Many mobile devices allow you to geolocate the device based on a set of GPS coordinates, some triangulation of signals, and other techniques as well. And usually, you can track this within a couple of feet. So you know exactly where that mobile device happens to be.

This can certainly be very handy if you misplace your device or you’re wondering where your mobile phone happens to be. You can identify exactly where it is. But of course, this could also be used for bad. Someone could know exactly where you are and be able to track where you happen to be based on the location of your mobile device.

Many mobile devices allow you to enable or disable this feature, and disabling the feature may limit some of the functionality of the mobile device. But most of the time, the security team who manages the device likes to know exactly where that asset happens to be, so that they’re able to determine if it’s in your hands and protected, or if it’s in the hands of someone else.

For that reason, the security team usually requires this functionality to be enabled in the mobile device manager. That way, they can keep track of all of the different assets, they know exactly where the data happens to be, and if they need to determine where one of their devices is at any time, they can go to the mobile device manager and pull up a list that maps out all of the mobile devices.

This geolocation feature can also be combined with policies on the mobile device manager to enable or disable certain capabilities of the mobile device. For example, if your mobile device is inside the office, you might choose to have the camera automatically disabled on that device until somebody takes it outside of the building. Or you might want to only allow authentications if that mobile device happens to be in a particular geographical area. If that device suddenly appears in a different country, you could have that device automatically disable itself or prevent any type of access to data.

An important security feature of any mobile device is to have that device lock the information and only allow access to the device if you happen to know the passphrase. That passcode or passphrase can be a simple numeric passcode, or it may require a separate passphrase that includes letters and numbers. This is an option that you can set on the mobile device manager. And you can force that requirement on all of your mobile devices.

If somebody puts in a passphrase and gets it wrong a certain number of times, you can then decide what to do with that device. For example, if someone tries the wrong password 10 times, you can choose to have the entire device erase all of its data. You get to choose what that lockout policy might be. Maybe you slow down the process so that someone cannot mount a brute force attack on that device. Or after a certain number of attempts, you can have the phone simply lock completely and require some type of input from the security team to regain access to that mobile device.
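To make the geolocation policies and the lockout policy above concrete, here is a small policy evaluator written for this page (an added example, not code from the video or from any MDM product). The office coordinates, radius, allowed country, and the 5/10 attempt thresholds are constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from the video).
OFFICE = (40.7128, -74.0060)   # office coordinates (lat, lon)
OFFICE_RADIUS_M = 150          # camera is disabled while the device is within this distance
ALLOWED_COUNTRIES = {"US"}     # data access only from these countries
LOCK_AFTER = 5                 # wrong passcodes before the device locks and needs the security team
WIPE_AFTER = 10                # wrong passcodes before the device erases itself

def distance_m(a, b):
    """Haversine great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

@dataclass
class Device:
    location: tuple        # last reported (lat, lon)
    country: str           # country derived from that location
    failed_unlocks: int = 0

def evaluate(device):
    """Return the actions the MDM would push to this device, in the order it checks them."""
    actions = []
    if distance_m(device.location, OFFICE) <= OFFICE_RADIUS_M:
        actions.append("disable_camera")
    if device.country not in ALLOWED_COUNTRIES:
        actions.append("block_data_access")
    if device.failed_unlocks >= WIPE_AFTER:
        actions.append("remote_wipe")
    elif device.failed_unlocks >= LOCK_AFTER:
        actions.append("lock_until_security_team")
    return actions

def unlock_delay_seconds(failed_unlocks):
    """Escalating wait before the next passcode attempt, which slows down guessing on the device."""
    if failed_unlocks < 3:
        return 0
    return min(30 * 2 ** (failed_unlocks - 3), 3600)
```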

Not only do we use these mobile devices to pull information from the internet and display information on the screen, these mobile devices can also have information pushed onto the screen automatically. This information simply appears on the screen of the mobile device without requiring any type of input from the user. This means we could be using one app on the mobile device and then receive a notification on the screen of something that has occurred in another application. This type of notification can sometimes be managed locally on the mobile device, but these notifications can also be managed on the mobile device manager so that everybody has exactly the same notification function on their mobile devices.

Of course, no security system is foolproof. And there will be times when somebody does forget a passphrase and needs to gain access to that mobile device. They’ll usually call the help desk or contact the security team to regain access to that mobile device. The user may have different security functions enabled to gain access to their mobile phone. They might be using a passphrase or a passcode. There might be a personal identification number. Or they might be using a swipe pattern on the lock screen.

If someone does lose access to the device, they can call the help desk, and from the mobile device manager, you can initiate a recovery process. This is one that will usually present a question to the user on the screen, perhaps something that only they would know, and then they can answer the question and regain access to the device. If you wanted to remove all security controls from the mobile device, you can do that, or you can manage a set of very granular security controls to make the device as secure as possible.

Biometrics are becoming a very popular way to set security controls on a mobile device. With biometrics, you can use your face or a fingerprint to gain access to the mobile device. But very often, these are not the most secure authentication factors. It’s much more secure to use a passphrase or something that someone may know rather than a type of biometric security.

The ability to turn on and turn off these biometrics is, again, managed through the mobile device manager. So the security team gets to manage whether they would like to enable biometrics as a security control or whether they want to disable the function entirely. There may be some applications that require additional authentication, and you might want to enable biometrics for those. And there might be other applications that would not use any type of biometric authentication.

Another authentication check that goes a little beyond two-factor authentication is context-aware authentication. This is where you can check for other types of access to the device that might help you determine if this device is really in the hands of the right people. For example, you could see if the IP address that someone is authenticating from matches a previous IP address. Maybe it’s at a GPS location that’s very common for this device to be, or maybe there’s a set of Bluetooth devices that is always paired with this device. And as someone is authenticating, you can check to see if all of those Bluetooth devices are in place. This certainly may not qualify to be the only type of authentication you’re using, but it could be another check that would help you determine if this device is in safe hands or not.
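The context-aware check described above, as an added example written for this page (not code from the video or from any vendor): each signal (source IP, GPS location, paired Bluetooth devices) is compared against a constructed device history, and the result only supplements the primary factors, matching the point that context alone should not be the only authentication.

```python
from dataclasses import dataclass

# Constructed baseline for one managed device (assumption: the MDM records history like this).
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}             # addresses seen in earlier authentications
USUAL_LOCATIONS = [(40.7128, -74.0060), (40.7580, -73.9855)]  # GPS points the device is commonly at
PAIRED_BT = {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}   # Bluetooth devices normally paired

@dataclass
class AuthContext:
    ip: str              # source address of this authentication attempt
    location: tuple      # (lat, lon) reported by the device
    visible_bt: set      # Bluetooth devices currently paired / in range

def context_score(ctx):
    """Count the contextual signals that match the device's history (0..3) and list the mismatches."""
    score, reasons = 0, []
    if ctx.ip in KNOWN_IPS:
        score += 1
    else:
        reasons.append(f"new source IP {ctx.ip}")
    # ~0.01 degrees is roughly 1 km: coarse enough to tolerate normal GPS drift
    near_usual = any(abs(ctx.location[0] - lat) < 0.01 and abs(ctx.location[1] - lon) < 0.01
                     for lat, lon in USUAL_LOCATIONS)
    if near_usual:
        score += 1
    else:
        reasons.append("GPS location not in the device's usual set")
    if PAIRED_BT <= ctx.visible_bt:
        score += 1
    else:
        reasons.append(f"missing paired Bluetooth devices: {sorted(PAIRED_BT - ctx.visible_bt)}")
    return score, reasons

def decide(ctx, primary_factors_ok):
    """Context supplements the primary factors (passcode, biometric, token); it never replaces them."""
    if not primary_factors_ok:
        return "deny"
    score, _ = context_score(ctx)
    if score == 3:
        return "allow"
    if score >= 1:
        return "step_up"   # e.g. prompt for an additional factor before granting access
    return "deny"
```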

It can be difficult to manage the security of a device that during the day has your corporate data on it, but after work it’s used as a personal phone. In these particular cases, you may want to implement containerization. With containerization, you can separate all of the enterprise applications and data from someone’s personal applications and data.

You would effectively create a virtual container on the mobile device, and all of your corporate information goes into that virtualized container. This also limits any of the personal applications from gaining access to the containerized data. This means that we’re able to separate and keep all of the data safe whether it’s your personal data or the corporate data.

This containerization also helps if someone was to leave the organization. Instead of wiping everything on someone’s personal device, you can instead just wipe the information that happens to be in the corporate container. That way, someone can leave the organization and still keep all of their personal videos, pictures, and all of their data intact without having to completely erase the device.

A technology that’s becoming increasingly popular on our mobile devices is full device encryption. This means that all of the data we store on the mobile device is encrypted, so if we lose the device, all of the data on it is protected, because nobody can gain access to that encrypted information. Different mobile devices and different mobile device operating systems handle this in different ways. For example, in Android, you can configure strong, stronger, or the strongest type of full device encryption. And in Apple’s iOS, you have similar functionality to be able to fully encrypt everything on the device.

This type of encryption is a very complex interaction between the hardware that we’re using and the software and data that’s on these devices. And every mobile operating system manages this process in very different ways. One of the challenges we have, of course, is that if we lose the passphrase or the key that has encrypted all of this data, then we lose all of the access to everything on that mobile device. That’s why most mobile device managers will back up these keys. That way, there’s always a way for the security manager to gain access to the data on that mobile device.