Best practices for mobile data protection

Similar documents
Chris Boykin VP of Professional Services

Symantec Mobile Management 7.2

Symantec Mobile Management for Configuration Manager 7.2

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Ensuring the security of your mobile business intelligence

Symantec Mobile Management 7.1

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

A guide to enterprise mobile device management.

How To Manage A Corporate Device Ownership (Byod) On A Corporate Network (For Employees) On An Iphone Or Ipad Or Ipa (For Non-Usenet) On Your Personal Device

Cisco Mobile Collaboration Management Service

Athena Mobile Device Management from Symantec

Hands on, field experiences with BYOD. BYOD Seminar

Symantec Mobile Management 7.1

How To Write A Mobile Device Policy

Feature List for Kaspersky Security for Mobile

Enterprise Mobility as a Service

Mobile First Government

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

Samsung Mobile Security

Bell Mobile Device Management (MDM)

Bell Mobile Device Management (MDM)

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

McAfee Enterprise Mobility Management Versus Microsoft Exchange ActiveSync

Symantec Mobile Management Suite

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Guideline on Safe BYOD Management

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

Why Digital Certificates Are Essential for Managing Mobile Devices

Advanced Configuration Steps

Deploying iphone and ipad Security Overview

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Kaspersky Security for Mobile

Ensuring the security of your mobile business intelligence

Addressing NIST and DOD Requirements for Mobile Device Management

Security. Mobile Device FOR. by Rich Campagna, Subbu Iyer, and Ashwin Krishnan. John Wiley & Sons, Inc. Foreword by Mark Bauhaus.

MDM Mobile Device Management

LabTech Mobile Device Management Overview

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.

PULSE SECURE FOR GOOGLE ANDROID

Mobile Devices in Healthcare: Managing Risk. June 2012

McAfee Enterprise Mobility Management

ipad in Business Security

Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11

Parla, Secure Cloud

Sophos Mobile Control

AirWatch for Android Devices

Kony Mobile Application Management (MAM)

BYOD Policy for [AGENCY]

Mobile device and application management. Speaker Name Date

MaaS360 Mobile Device Management (MDM) Administrators Guide

IT Resource Management vs. User Empowerment

Comprehensive Device Management Platform comprising of Management Suites specialized in addressing different problem domains, extensively

The ForeScout Difference

How To Protect The Agency From Hackers On A Cell Phone Or Tablet Device

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

Mobile Device Management for CFAES

Mobile Security Mobile Device Management Mobile Application Management

GETS AIRWATCH MDM HANDBOOK

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

10 Quick Tips to Mobile Security

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE

IBM MobileFirst Managed Mobility

Securing Corporate on Personal Mobile Devices

RFI Template for Enterprise MDM Solutions

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

E-Guide MOBILE DEVICE MANAGEMENT CHECKLIST

[BRING YOUR OWN DEVICE POLICY]

Mobility Manager 9.5. Users Guide

Sophos Mobile Control Technical guide

Sophos Mobile Control user help. Product version: 6.1

SIMPLIFY MULTI-PLATFORM ENTERPRISE MOBILITY MANAGEMENT

Supplier Information Security Addendum for GE Restricted Data

ForeScout MDM Enterprise

MDM features vs. native mobile security

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

Sophos Mobile Control User guide for Apple ios. Product version: 2 Document date: December 2011

company policies are adhered to and all parties (traders,

When enterprise mobility strategies are discussed, security is usually one of the first topics

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

Industry Trends An Introduction to Security Breach Prevention, BYOD, & ERP System Implementation

ENTERPRISE MOBILITY USE CASES AND SOLUTIONS

How To Manage A Mobile Device Management (Mdm) Solution

AirWatch for ios Devices

Transcription:

E-Guide Best practices for mobile data protection This expert e-guide presents five essential best practices for securing employee-liable mobile devices and tablets that will allow you to safely embrace the trend toward using personal devices for business. Sponsored By:

E-Guide Best Practices for Mobile Data Protection Table of Contents Top 5 mobile data protection best practices Resources from ArcSight Sponsored By: Page 2 of 9

Top 5 mobile data protection best practices By Lisa A. Phifer According to a recent Juniper Networks Inc. survey, 40% of workers reported using their own mobile devices for both personal and business activities; of those, 80% admitted to accessing their employer's network without permission. Unless enterprises implement controls to prevent loss, theft or misuse of these employeeliable devices, any one of these security events could put considerable business data at risk. Practices for protecting data on corporate-liable mobile devices are well known, from enforcing encryption, to wiping lost devices. But the business data associated with employee-liable devices must be safeguarded without relying on IT procurement or ownership, while respecting user expectations for personal privacy and choice. Let's take a look at five essential data protection best practices for securing employee-liable mobile devices and tablets. 1. Mobile device locks Device locks are IT's first line of defense against unauthorized access to business data and accounts stored on an employee's mobile device or tablet. However, consumer devices purchased by employees don't always have sufficiently strong device locks. Furthermore, users may reset complex passwords that make personal devices hard to use. These business needs can be addressed with a three-phrase approach: Implement a process to let users enroll their own mobile devices and tablets, checking them against minimum requirements. This prevents business use of substandard devices while embracing those that can support IT-defined security policies. Auto-configure enrolled devices to enable built-in PIN or password locks, enforce complexity rules and auto-lock idle devices. Aim for rules that reduce business risk without being too heavy-handed. Sponsored By: Page 3 of 9

Implement over-the-air device configuration monitoring to ensure settings have not been altered. For example, checking every time a device tries to access a corporate account to block/remediate non-compliant devices. These practices can be implemented for employee-liable mobile devices using either Exchange ActiveSync (EAS) or a multi-os mobile device manager (MDM), available from companies such as AirWatch, BoxTone, Good Technology, MobileIron, Odyssey Software, Inc., Sybase, Inc. and Zenprise. Employers that do not have an MDM and do not want to install one can use hosted MDM services. 2. Remote data wipe for mobile devices When a previously enrolled device is lost/stolen or its owner leaves your company, remote data wipe can prevent all future use of business data and accounts stored on it. However, wiping an employee's personal device should not be done without explicit permission and ideally should not impact personal data or inconvenience the user. These business needs can be addressed as follows: As a condition of device enrollment, employees should be required to formally consent to an acceptable use policy. That mobile device policy should define (among other things) situations in which IT can invoke remote wipe, how wipe will impact personal device use and data, and data backup/restore responsibilities. Consider using data encryption tools that compartmentalize business data, accounts and applications. For example, use a self-encrypting corporate messaging application that saves email, contacts, calendars and other data to an authenticated, encrypted sandbox that can easily be removed without wiping the entire device. Implement processes to remotely wipe employee-liable devices. To deter evasion techniques, complement confirmed over-the-air command with auto-wipe after repeated login failure, prolonged offline use or SIM/USIM card removal. Be sure to watch out for corporate data left behind on removable media on devices (e.g., Android). Basic over-the-air remote wipe can be implemented using EAS, any MDM, or numerous free/inexpensive applications designed for personal use (e.g., Apple MobileMe, McAfee Sponsored By: Page 4 of 9

WaveSecure). However, greater IT control and visibility can be achieved by using an MDM for this practice: For example, reporting on which devices were wiped, or auto-removing enterprise applications and accounts previously installed by the MDM. 3. Mobile locationing and tracking During any mobile device's lifetime, considerable information may be recorded about its usage, including geographic location. On-going tracking can help IT recover lost devices quickly or generate roaming alerts to warn IT about possible thefts. However, employee expectations of privacy may inhibit on-going tracking. Furthermore, some consumer devices may not be readily located (e.g., disconnected or disabled devices). Finally, costs may be considerable if tracking involves frequent SMS messages. To address business needs while addressing personal and cost sensitivities, determine whether on-going tracking is really necessary for employee-liable devices. If so, describe business rationale and practices for location tracking in your acceptable use policy, requiring employees to consent when enrolling personal devices for business use. If locationing is really only needed to recover a lost device, state this in your acceptable use policy and then stick to that narrow use case. On demand/as-needed locationing services are freely available for every major mobile OS (e.g., Apple MobileMe, Lookout Find My Phone (Android), Microsoft My Phone, and BlackBerry Wheres My Phone). But here again, more centralized visibility and control can be obtained by using an mobile device manager to implement this practice. 4. Stored data encryption on mobile devices In some cases, device lock plus remote wipe are sufficient to mitigate risk on personal devices used for limited business tasks. A mobile device used to check innocuous email without saved attachments, or a tablet used only for remote desktop access may not store business data requiring persistent protection. However, workers who deal with sensitive information or require greater functionality require stored data encryption. Unfortunately, some consumer devices don't support full device encryption. To address this business need, take the following steps: Sponsored By: Page 5 of 9

Extend the aforementioned enrollment process to check personal mobile devices against stored data encryption requirements, using the worker's authenticated identity to determine mobile data needs and risks. If encryption is required but a device cannot support it, provide instructions to help the worker obtain a suitable device perhaps even an IT-secured corporate-liable device if the situation warrants. Auto-configure enrolled devices to enable full device encryption and removable media encryption wherever possible. Where needs and risks warrant, deploy selfencrypting applications to provide another layer of protection for corporate data, segregated from personal data. Finally, configure device settings and applications to minimize the amount of corporate data stored on the device. Use over-the-air device configuration monitoring to ensure continued compliance with all stored data encryption policies. In addition, watch for devices that exhibit signs of tampering (i.e., rooted Androids, jailbroken iphones), as these may harbor Trojans that can access and transmit otherwise-encrypted data to remote attackers. To accomplish the first step, integrate your enrollment process with your corporate directory, authenticating employees with existing logins and using group affiliations to determine business need and risk. For the second step, deploy secure mobile applications, such as Good for Enterprise and NitroDesk TouchDown, or substitute Web portal or remote desktop access to reduce on-device storage for employees that don't really need offline/disconnected access to business data. 5. Mobile activity monitoring and audit Note that ongoing monitoring plays a role in all of these best practices. It is not enough to configure an employee-liable device and hope business data stays secure. Even though IT may not choose or own employee-liable mobile devices, the employer still needs to monitor and audit business data and activities to ensure compliance throughout their lifecycle. However, this must be done over-the-air, without intruding on personal usage. Start by monitoring the workplace for employee-liable devices used for business without IT permission. Network access controls, device fingerprinting tools and wireless/wired network IPS are all good tools to help IT spot mobile devices or Sponsored By: Page 6 of 9

tablets that fall into this category. Some of these monitoring mechanisms can even prevent corporate access by unknown devices. Next, log every business system interaction involving enrolled mobile devices, including email/contact/calendar synchronizations, Web sessions, VPN connections, over-the-air configuration updates and MDM application installations. These records are important for routine reporting and audit purposes, and should be retained long after a device is wiped or de-enrolled. Ideally, devices should be identified in a way that prevents spoofing or cloning for example, device certificates installed using SCEP. Finally, perform periodic compliance checks for each enrolled employee-liable device. At minimum, checks may be done during normal interactions (e.g., using EAS to verify settings whenever email is synchronized). However, MDM products often provide richer mobile device auditing and reporting capabilities in some cases, scheduled and on-demand retrieval of device settings and auto-comparison to ITspecified policies. By implementing these five essential mobile device data protection best practices, many employers will find they can safely embrace the trend toward using personal mobile devices for business. Stay focused on business data and establishing minimum controls needed to protect that data. For example, few users would consent to a white list policy that prevented them from installing personal applications. However, many users might accept and even welcome IT assistance in wiping a personal device that's been stolen. To maximize acceptance and side-step pitfalls, identify a test group and use it for an initial rollout of proposed policies and controls, making any necessary refinements before beginning a broad rollout. Sponsored By: Page 7 of 9

Find the cybercriminal. (Never mind. ArcSight Logger already did.) [ Just downloaded the customer database onto a thumb drive. Stop cybercriminals, enforce compliance and protect your company s data with ArcSight Logger 4. Learn more at www.arcsight.com/logger. 2009 ArcSight. All rights reserved.

Resources from ArcSight, an HP Company Protecting the Secuirty and Availability of Next Generation Telecom Services Addressing FSA Requirements with ArcSight IdentityView ArcSight Protection Suite for NERC CIP Compliance About ArcSight, an HP Company ArcSight (NASDAQ: ARST) is a leading global provider of cybersecurity and compliance solutions that protect organizations from enterprise threats and risks. Based on the marketleading SIEM offering, the ArcSight Enterprise Threat and Risk Management (ETRM) platform enables businesses and government agencies to proactively safeguard digital assets, comply with corporate and regulatory policy and control the internal and external risks associated with cybertheft, cyberfraud, cyberwarfare and cyberespionage. www.arcsight.com. Sponsored By: Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information