Mobile devices have completely changed our perspective of network security. In this video, you’ll learn about the important aspects of securing a device that is constantly moving and outside the direct control of your organization.
<< Previous Video: Server-side vs. Client-side ValidationNext: Mobile Application Security >>
We are obviously now a mobile workforce. Everywhere we go, we have our mobile devices with us. And everything we do during the day seems to go back to our mobile devices. Our companies can sometimes provide these mobile devices for us. And occasionally we’ll have our own that we bring into the office as well. You’ll see these referred to as Bring Your Own Devices, or BYOD.
So your organization has a bit of a challenge. You not only have company assets– you need to secure the data and the resources on those assets– but you now need to do the same security to people’s own personal devices. And you generally accomplish this through something called Mobile Device Management, or MDM.
This is a centralized manager. It usually consists of some very intelligent software usually running on a server or specialized hardware. And it’s able to communicate out to the internet and out to all of your mobile devices wherever they happen to be in the world. This is obviously a very specialized functionality.
This isn’t like our old firewalls or intrusion prevention systems. This is an entirely new category of security and management that’s specifically designed for these mobile devices. The mobile device management software allows you to do a lot of things on these mobile devices. And usually, you’re setting policies that will affect all of these devices.
You might want to decide what applications are appropriate to run on that device. Maybe you want to enable or disable the camera functionality. Maybe you want to be able to control everything about that mobile device. And you can do it all from these mobile device managers.
Some of these mobile device managers allow you to partition off a separate section inside of the mobile device that’s just for the company information and the company control. And then it will still allow you to use the rest of your mobile device as a personal device that you can take your personal camera pictures, but not use that when you’re using the company side of that mobile device.
There’s a lot of functionality that’s enabled when you start using a mobile device manager. You can push out policies that requires that all of the mobile devices have a certain access code set. Maybe it requires a lock screen PIN so that you can be assured that your mobile devices with your company information just aren’t sitting around and accessible. You can tighten them down and make them as secure as you’d like.
We’re generally storing a lot of information on our mobile devices. It might be data from your organization. It might be contact lists. But all of that information is proprietary and private to your company. So a lot of organizations will encrypt the data on all of these mobile devices. That way, if the device is lost or misplaced, at least you know that the data will not be accessible to third parties.
There’s a lot of ways to implement this type of encryption on a mobile device. This screenshot from an Android operating system shows you that you can enable encryption in memory. And you can set the memory strength to be strongest, stronger, or strong. This gives you some different levels that you can use for encrypting and protecting that data.
And you may be asking, well, why would you not want all of your data to be encrypted at the strongest possible encryption? Well, that’s because as you have stronger encryption, it requires more resources of the mobile device. There will be more CPU cycles used. Therefore, more battery will be used, and more memory. And of course, on these mobile devices, we have a finite amount of all of those resources.
So you want to set the encryption to the mode that makes sense for your company but still is going to allow you the most functionality of the mobile device. One important consideration is that if you’re going to encrypt all this data, do not forget your password. This is where you have access to a certificate that is going to be used to encrypt this data. And if you forget a passphrase or password that allows that access, then all of that data is now going to be inaccessible to you and everyone else.
If you’ve ever lost a mobile device, one of the things that concerns you immediately is that someone is now going to have access to all of your applications and all of your data. And one of the challenges then is how do you make sure that none of this information is going to get into the wrong hands?
Well fortunately, all of these remote devices these days have a remote wipe functionality. This will completely sanitize the device. And you can generally do this from your mobile device manager or from a browser front end. If you’re using an Android or an Apple device, it’s very simple to go into their front end and choose to completely remote wipe the device. This is the remote wipe screen from my iPhone that tells me that I can erase everything on this device all from a browser screen.
I’ve logged in and chosen to do a remote wipe. And it tells me, this will permanently delete everything on your mobile device. Once wiped, your iPhone will no longer be able to display messages. You won’t know where it is. It’s completely factory reset. And they even have a check box here that says, I understand I cannot undo or stop this action.
But if somebody now has access to your mobile device, maybe a remote wipe is really the best thing to do at the time. But you need to plan for this now. You need to connect your device to a mobile device manager or make sure that you have arranged for your Android or Apple device to have this remote wipe functionality. If you’ve not configured it beforehand, it’s going to be very difficult then to have abilities to remote wipe this data later on.
All mobile devices these days have a screen lock functionality. So when you’re not using your phone, it automatically times out and goes into a locked mode. And you have to input the unlock key to then gain access back to the mobile device. This could be something very simple, like a four digit passcode. Or maybe you can create a very strong passcode that includes both upper and lowercase letters. So you’ve got a lot of options for how you want to define what that lock code ultimately is.
And you can also define what happens if you try over and over and over again, and you still aren’t able to use the right lock code. Somebody gains access to your device, you can set it up on iOS to erase all data on this iPhone after 10 failed password attempts. That way, if somebody does gain access, and they’re trying to type in information just to guess what your passcode might be, after the 10th access attempt, and it’s incorrect, your entire phone is now going to be wiped.
So you do want to make sure that you always have a good backup if you’re going to enable that functionality. And that does speak to how you should define these lockout policies. If you’re managing a lot of different devices, you’ll probably want to have a set of global policies configured on your mobile device manager. It might have some very aggressive lock-out timers. If nothing happens for 60 seconds, lock the phone, or five minutes, or 10 minutes.
And at that point, you want to define what’s going to happen when this phone is locked, what type of passcode needs to be inputted to unlock the phone. And if you do have a situation where somebody’s trying over and over to brute force that passcode, you need to define what happens at that point.
If you ever have lost your phone or your tablet, you know there is some great GPS functionality built right into the technology. You can get very, very precise tracking information that will get you back to that device all within a few feet of each other. These things can be very useful for your organization so that if somebody does lose their phone, you can redirect them to where it might be. Or you could at least know where people are in the organization at any time during the day.
But they can also be used for bad reasons. It somebody wanted to track where you were going and what you were doing, this would be a very, very good way to do it. Most devices will give you the option to enable or disable that functionality. If this is a company owned device or it’s a BYOD where you have brought your own device to the company, you may not have a choice. It may be on all the time just so the organization knows where their applications are and where their data is all the time.
These mobile device managers are incredibly powerful. They really can control every aspect of your mobile device. And they can even control what applications are loaded and what applications can run on your device. And your mobile device manager administrator can now set policies and define exactly the types of apps that are allowed on your device.
If there is an unapproved app, you can restrict the access or just remove it completely from the mobile device. These MDMs are extremely powerful, and they do have complete control over your devices. The more advanced mobile device managers will allow you to segment off a certain section of your mobile device that’s just for corporate data. So you can store your data and applications and control what users do in this partitioned area, but still allow personal use of the mobile device.
Some of our phones and tablets have a slot for removable storage. So you can plug in some storage, copy information to that storage device, and then remove it. Obviously, when it’s removed, the mobile device manager has no idea where that removable data is. So one of the things you can configure in your mobile device manager is to allow or disallow someone to write certain kinds of data to that removable memory.
Some of the other features of the phone can also be enabled and disabled. You can enable and disable Bluetooth. If your organization is concerned about using this over Wi-Fi, you can disable Wi-Fi, or disable the camera functionality. Every little piece of that hardware and software inside of that mobile device can always be managed from that mobile device manager.
If you’re like me and you have a hard time just trying to find your car keys, imagine managing hundreds or thousands of mobile devices on your mobile device manager and wondering where all of those devices might be. And in large organizations, these devices might be anywhere in the world. So it’s very useful to have some functionality to be able to track the assets and know exactly what inventory is out there being used in the field.
Some organizations require you to buy your own phone and to buy your own tablet, and then they don’t have to worry a lot about the asset itself. All they have to do is control what happens on the asset. But of course, if the organization is buying the hardware, then they’re obviously going to need a way to keep track of where that asset happens to be. That’s why location services on these mobile devices are very important, so that the mobile device can check in with the mobile device manager and tell the mobile device manager where it happens to be in the world.
And of course, if you’re on a plane or you’re somewhere where you don’t have a GPS signal, at least the mobile device manager will know the last time that particular device was seen out there in the world. Some security policies will include what things will be monitored on your mobile device. There’s obviously privacy concerns. And in different countries, there are going to be different rules and regulations about what is private and what is not private. So your mobile device managers have to be smart enough to know that in Germany, there’s a completely different set of privacy concerns than there might be inside the United States.