In the United States, today is known as Black Friday and some retailers even began opening Thanksgiving night. I couldn”t think of a better subject to address today than security suggestions for both companies and consumers to consider. While many people are braving the challenges of finding a parking space and standing in long lines in hopes of finding a great price on some clothing and/or electronics, many are likely to use their smart phones to make purchases even while still standing in a line.
Securing both your enterprise mobile device”s security as well as ensuring your consumer and business app data is secure is a significant issue of concern. For the businesses that provide mobile business apps, it is essential you ensure all partners in the cloud and throughout your infrastructure are employing industry standards to ensure you and your customer data is kept safe through the highest user authentication standards.
I highly recommend that all systems responsible for the storage and use of data employ OAuth standard for authorization. OAuth is now in version 2.0 and focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
I was recently reading an article by Information Week”s Matthew J. Schwartz on the 7 Ways to Toughen Enterprise Mobile Device Security. Mr. Schwartz summarizes the general risk by stating “realize that employee-owned mobile devices, in the wrong hands, could provide anytime, anywhere access to corporate secrets. Accordingly, they must be secured, and your business secured against their potential misuse.”
Here are Mr. Schwartz”s Seven Tips for Toughening Security around Enterprise Mobile Devices.
While it might sound basic, having mobile device security policies in place is a necessary first step. “Establish the appropriate controls, aligned with your corporate policies, and that make sense for your organization.”
When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device.
The next step is to enforce your organization”s policies, typically by using mobile device management (MDM) tools. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially if you have a bring your own device (BYOD) to work policy.
Keep an inventory of all mobile devices that are being used to connect to the corporate network. For example, if only iPhones and Androids are supported under your BYOD program, but some employees are trying to use BlackBerrys, then maybe it”s time to reconsider your policies, or else verify that the devices are being appropriately blocked.
When fashioning mobile device security policies, beyond requiring devices to be locked with passwords, consider spelling out how and when devices should be automatically wiped. For example, devices can be set to delete all of their contents after 10 failed login attempts, and security tools can be used to wipe any device that hasn”t connected to the corporate network in a specified period of time, such as 30 days, or after an employee reports it as being lost or stolen.
One technique for preventing mobile devices from being exploited is to restrict exactly which mobile business apps employees can install on their devices. “If a company allows installation of any app whatsoever, in the iPhone arena it could still be bad. In the Android arena, you”re just inviting a malicious application into your organization.” So a lot of companies look toward whitelisting, and from a security perspective, that”s really great. Notably, if the in-house process for getting new mobile business apps approved requires weeks or months of waiting, employees will rebel.
Almost every state now has data breach notification laws, which require that any exposure of sensitive data involving state residents be publicly disclosed. There are two states–Nevada and Massachusetts–that have laws that at least have indications that you need to encrypt data. Does your business have customers in either of those states? If so, security managers, with help from their IT staff and legal staff, need to determine if this requires encrypt of all customer data on our devices.