Friday, November 23, 2012

Enterprise Mobile Device Security

In the United States, today is known as Black Friday, and some retailers even began opening on Thanksgiving night. I couldn't think of a better subject to address today than security suggestions for both companies and consumers to consider. While many people are braving the challenge of finding a parking space and standing in long lines in hopes of finding a great price on clothing or electronics, many are likely to use their smartphones to make purchases even while still standing in line.

Securing enterprise mobile devices, and keeping consumer and business app data secure, are significant concerns. For businesses that provide apps, it is essential to ensure that all partners in the cloud and throughout your infrastructure employ industry standards, so that your data and your customers' data are kept safe through the highest user authentication standards.

I highly recommend that all systems responsible for storing and using data employ the OAuth standard for authorization. OAuth is now at version 2.0 and focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
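As an added illustration (not code from the post or from Snappii), here is the OAuth 2.0 authorization-code flow as a mobile app would drive it, with the PKCE extension (RFC 7636) that the mobile-phone flow relies on because a phone cannot keep a client secret; the endpoint URLs, client id and redirect URI are placeholders.

```python
"""Added example: OAuth 2.0 authorization-code flow for a native/mobile client,
with PKCE (RFC 7636) and a `state` check. URLs and ids below are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://auth.example.com/authorize"  # placeholder
CLIENT_ID = "mobile-app-client-id"                    # placeholder
REDIRECT_URI = "com.example.app:/callback"            # placeholder custom-scheme redirect


def make_code_verifier() -> str:
    # 32 random bytes -> 43 URL-safe chars, inside RFC 7636's 43..128 length range
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_request(verifier: str, state: str, scope: str = "orders:read") -> str:
    # The app opens this URL in the system browser; only the challenge leaves the device
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect; refuse it unless `state` matches (CSRF guard)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible forged callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    # Sent to the token endpoint: the verifier, never a client secret, proves the app
    # that exchanges the code is the one that started the flow
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "code_verifier": verifier}


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # The authorization server's check before it issues tokens
    return secrets.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))
```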

I was recently reading an article by Information Week's Matthew J. Schwartz on the 7 Ways to Toughen Enterprise Mobile Device Security. Mr. Schwartz summarizes the general risk by stating "realize that employee-owned mobile devices, in the wrong hands, could provide anytime, anywhere access to corporate secrets. Accordingly, they must be secured, and your business secured against their potential misuse."

Here are Mr. Schwartz's Seven Tips for Toughening Security around Enterprise Mobile Devices.

1. Create Strong Security Policies.
While it might sound basic, having mobile device security policies in place is a necessary first step. "Establish the appropriate controls, aligned with your corporate policies, and that make sense for your organization."
Again, this is where I'd encourage employing the OAuth 2.0 standards.
2. Apply Existing Security Policies To Mobile Devices.
When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device.
3. Enforce Security Policies.
The next step is to enforce your organization's policies, typically by using mobile device management (MDM) tools. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially if you have a bring your own device (BYOD) to work policy.
4. Inventory Mobile Devices.
Keep an inventory of all mobile devices that are being used to connect to the corporate network. For example, if only iPhones and Androids are supported under your BYOD program, but some employees are trying to use BlackBerrys, then maybe it's time to reconsider your policies, or else verify that the devices are being appropriately blocked.
5. Proactively Wipe Devices.
When fashioning mobile device security policies, beyond requiring devices to be locked with passwords, consider spelling out how and when devices should be automatically wiped. For example, devices can be set to delete all of their contents after 10 failed login attempts, and security tools can be used to wipe any device that hasn't connected to the corporate network in a specified period of time, such as 30 days, or after an employee reports it as being lost or stolen.
6. Weigh App Whitelisting.
One technique for preventing mobile devices from being exploited is to restrict exactly which apps employees can install on their devices. "If a company allows installation of any app whatsoever, in the iPhone arena it could still be bad. In the Android arena, you're just inviting a malicious application into your organization." So a lot of companies look toward whitelisting, and from a security perspective, that's really great. Notably, if the in-house process for getting new apps approved requires weeks or months of waiting, employees will rebel.
7. Beware New Breach Notification Laws.
Almost every state now has data breach notification laws, which require that any exposure of sensitive data involving state residents be publicly disclosed. There are two states--Nevada and Massachusetts--that have laws that at least have indications that you need to encrypt data. Does your business have customers in either of those states? If so, security managers, with help from their IT staff and legal staff, need to determine if this requires encryption of all customer data on their devices.
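Tips 2, 4 and 5 above describe concrete device controls; as an added example (not from the post or the article it cites), here they are expressed as a compliance check that an administrator could run over an MDM inventory export. The record fields, the sample inventory rows and the evaluation date are constructed assumptions; the thresholds are the figures the tips give.

```python
"""Added example: the post's device policy (tips 2, 4, 5) as a compliance check
over constructed inventory records. Fields and sample rows are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SUPPORTED_PLATFORMS = {"ios", "android"}  # tip 4: only iPhones and Androids in the BYOD program
MIN_PASSCODE_LENGTH = 15                  # tip 2: same rule as the corporate network
WIPE_AFTER_FAILED_ATTEMPTS = 10           # tip 5: device wipes itself after 10 failed attempts
WIPE_AFTER_DAYS_OFFLINE = 30              # tip 5: wipe devices silent for 30 days


@dataclass
class DeviceRecord:
    device_id: str
    platform: str
    passcode_min_length: int              # passcode policy the device reports as enforced
    passcode_requires_mixed_case: bool
    passcode_requires_symbol: bool
    max_failed_attempts: Optional[int]    # None = no auto-wipe configured on the device
    last_checkin: date
    reported_lost: bool = False


def evaluate(device: DeviceRecord, today: date) -> List[str]:
    """Return the actions the policy requires for this device (empty list = compliant)."""
    if device.platform.lower() not in SUPPORTED_PLATFORMS:
        return ["block: unsupported platform"]  # nothing else matters if it may not connect
    actions = []
    if (device.passcode_min_length < MIN_PASSCODE_LENGTH
            or not device.passcode_requires_mixed_case
            or not device.passcode_requires_symbol):
        actions.append("enforce: passcode policy weaker than corporate standard")
    if device.max_failed_attempts is None or device.max_failed_attempts > WIPE_AFTER_FAILED_ATTEMPTS:
        actions.append("enforce: auto-wipe after 10 failed attempts not configured")
    if device.reported_lost:
        actions.append("wipe: reported lost or stolen")
    elif today - device.last_checkin > timedelta(days=WIPE_AFTER_DAYS_OFFLINE):
        actions.append("wipe: no check-in for more than 30 days")
    return actions


# Constructed inventory rows for demonstration only
INVENTORY = [
    DeviceRecord("d-001", "iOS", 15, True, True, 10, date(2012, 11, 20)),
    DeviceRecord("d-002", "Android", 8, False, False, None, date(2012, 11, 21)),
    DeviceRecord("d-003", "BlackBerry", 15, True, True, 10, date(2012, 11, 22)),
    DeviceRecord("d-004", "iOS", 15, True, True, 10, date(2012, 10, 1)),
    DeviceRecord("d-005", "Android", 15, True, True, 10, date(2012, 11, 22), reported_lost=True),
]


def compliance_report(today: date = date(2012, 11, 23)) -> Dict[str, List[str]]:
    return {d.device_id: evaluate(d, today) for d in INVENTORY}
```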
As more and more transactions and client data pass through mobile apps, it is imperative that protecting that information be a key concern of every business, large or small. Snappii can not only guide you through building an app for your business or corporation, but can also advise you on the security steps to consider so that all of the information accessible through or gathered by your app remains secure.
If this Black Friday finds you and your customers without an app to access on their mobile devices, go online and learn how easily and inexpensively Snappii can help you build one, with no need to learn to code and with all the functionality you, your employees, and your customers need.
