While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
With BlackBerrys and iPhones getting huge headlines as they battle for mindshare, and hundreds of Windows Mobile, Palm and Symbian devices already on the market, network managers need to address the security issues these popular devices create.
While Plan A (ban all use of mobile devices for government data and government networks) is one option, a more customer-friendly Plan B is to use policy and technology to provide mobility securely. These tips will help you achieve the right balance while securing devices and data.
It’s been said before, but it bears repeating: Fashioning a policy for mobile devices is a critical first step. Without policies, you end up with an anything-goes, no-boundaries environment that opens the agency up to liability for loss and encourages employees to solve their own problems.
Policies should focus on four key areas: device selection and provisioning, device deployment and configuration, device use and maintenance, and device recovery and disposal. The most fundamental decision you’ll build into the policy is ownership: Who is in control of mobile devices? Whether you pay for devices or not, it’s critical to decide who chooses the device and who manages it.
Generally, if IT takes control of the device lifecycle, you can use mobile devices securely. If your agency takes a pure hands-off approach, then the interactions between these devices and government networks and data must have strict limitations.
A policy begins as a written document, but some areas (such as provisioning, deployment and configuration) can be enforced using technology. Software is available for different device families that can automate and enforce policies. But no policy will be successful without end-user buy-in, meaning that you must include security awareness training and a formal acceptable-use policy that end users understand and sign.
Mobile-device networking is almost entirely wireless, which brings up the usual concern for interception of agency data. Don’t waste your time trying to decide what’s important and what’s not. Instead, define all organizational data as critical and require that it be encrypted in transit, whether over wireless LANs or cellular data services.
Devices can be encrypted at the application layer or the IP layer. Each has benefits and drawbacks.
Application-layer encryption requires that each application supports encryption, which is easy for web-based applications but can be tricky for others. Because application-layer encryption is enforced at the corporate firewall, it opens a larger attack surface to the Internet and limits you to applications that can be addressed over the Internet. The low level of user interaction required and device independence makes this a popular option.
IP-layer encryption requires a compatible virtual private network client be installed on each device. Using a VPN client gives you higher application independence but lower device independence and can be intrusive to users who just want to grab their e-mail on the go.
Choose application-layer encryption if your primary requirement is for a single application, such as e-mail. If you have several applications you want to push to mobile devices, IP-layer encryption using VPN clients is the obvious choice.
Misconfigured Bluetooth is the greatest unmitigated threat to mobile devices. Configure the technology to accept connections only from trusted, paired devices and turn Bluetooth off when you’re not using it.
Because the most common security problem is device loss, the most critical requirement for device security is that no data remain unencrypted on the device. Unfortunately, device manufacturers don’t care about this (yet), so you will have to use a third-party package from a manufacturer such as Check Point Software Technologies or PGP to ensure that everything is encrypted. While all devices will eventually have built-in encryption, solving the problem today requires add-in software.
Be careful about other potential leaks as well. Short Message Service (SMS) messages can contain valuable data, as can phone directories. Measure the risk of disclosure against the convenience of pushing these hard-to-encrypt data stores out to devices. Web browsers will cache data (including webmail messages), so be sure they are set to flush the cache upon exit.
Malware writers view mobile devices as easy, fat targets. While such attacks are most common in Asia and Europe, there’s no reason to believe that users are protected if they live elsewhere. To operate safely, you need to deploy anti-malware software. You can choose a pure-play mobile-device tool from your current anti-malware manufacturer or, for larger deployments, add a complete device management package that will cover not just anti-malware but also device provisioning, application configuration, backup, remote device wipe and unlock, and other over-the-air management tasks.
Because it’s best to avoid malware altogether, this is another area where mobile-device policy can be helpful. Although mobile devices are smaller and seem innocuous compared with desktop PCs, the advice you already give your Microsoft Windows users is just as applicable: Don’t open attachments you aren’t expecting; don’t download and install untrusted applications; don’t share your work device; and make sure you backup any important data regularly.