Q: How can an enterprise authenticate access to corporate assets from mobile devices?
A: When discussing authentication for access to corporate assets via mobile devices (either corporate- or personal-liable) you need to consider two authentication aspects. First, you need to be able to authenticate the mobile device to your network, which then provides access to the data you choose to make available to mobile devices. Second, you need to authenticate the individual employee to the mobile device. The individual authentication aspect is made up of two components: 1) authenticating the individual to the mobile device itself, and 2) authenticating the individual account credentials to ensure access rights are granted to allow access to specific subsets of data. The specific way to accomplish the authentication aspects discussed varies based on the architecture of your network and the devices (with varying operating systems). If you are searching for specific mobile enablement tools, make sure to ask about the capabilities for each type of authentication discussed above.
Q: How often should an enterprise require employees to change passwords on their mobile devices?
A: Ah, passwords—the daily reminder to employees of why they hate their information security policies. It is not the passwords themselves that are the thorn in their side; rather, it is the myriad information security policy requirements for system and mobile device users to change their passwords to a new, unique password that has not previously been used, that consists of letters, numbers, and special characters, no repeating characters, changed every 60 days, no words or names, no specific dates, no favorite pets…I think you get my point. While the information security password requirements are well intentioned, they may not make sense in your particular situation for mobile device users. Consider utilizing the same password that your users are already required to use for logging on to their more traditional resources (and making sure the password stays in sync). Alternately, you could consider requiring users to create a different password for their device that does not change (if you go with this option, ensure that you have other controls in place such as device wipe when the wrong password is entered a specific number of times, remote wipe capabilities, etc.). Additional security controls are of course recommended no matter the specifics of your mobile device password policy.
Q: What can enterprises do to address the security issues posed by the consumerization phenomenon?
A: When I was training for a Private Pilot Certificate, I always enjoyed reading industry magazines and books along with the required reading. The aviation humor and comics were always a treat for leisure reading, while still focusing on the subject matter. One that still stands out in my mind (and one that any pilot can identify with) has the tagline “Any landing you can walk away from is a good one.” While non-pilots may not find this humorous, it is the truth. What is the most important thing for a pilot to do? Keep his passengers and himself alive, regardless of the condition of the aircraft when they walk (or run!) away from it. Guess what? Your employees feel the same way about how they perform their jobs! As long as they can get the job done, they do not necessarily care about the policies or controls you have put in place, especially if they have a deadline to meet. The pilot keeps the passengers alive; your employees get the job done. Block the latest and greatest technology from being used in the office, and your employees will find a way to use the tools they feel make them productive. So embrace the consumerization of IT in the workplace. Maybe, just maybe, your pilots will leave the aircraft in good working order.
Q: Can third-party security solutions fully address OS weaknesses inherent to iOS devices? Or will iOS devices pose a greater security risk unless Apple decides to “bake in” more robust security at the hardware level?
A: I am not a fan of using absolute terms when discussing security. One can never provide complete security, 100% security, or a fully secure environment. If anyone tells you they can, explain to them that you just realized you were late for another meeting and you will get back to them. Really, I am not kidding. Now that I am off my soapbox, let’s discuss how to manage the risk of deploying always-on devices that have known security vulnerabilities. The reality is that you have no choice but to identify third-party solutions that can mitigate the vulnerabilities you are looking to address. If you work in an organization that is large enough and spends enough money with a particular supplier, you may have some say in what security capabilities get built into future product releases. However, most of us are not in that situation and will need to rely on third-party solutions to address our particular needs. Third-party solutions may not address all of your security needs, but they may be able to ease specific concerns you may have regarding device OS weaknesses.
Q: How can enterprises protect end users’ privacy when it comes to individual-liable mobile devices?
A: Privacy in the age of the Internet is an interesting topic. If you mail a letter through the United States Postal Service (USPS), you expect that only the intended recipient will open and read your letter. Why? Because according to federal statute (Title 18, Part I, Chapter 83, Section 1702), anyone who reads someone else’s mail (for simplicity, we will just go with reading someone else’s mail, although other particular offenses exist) “shall be fined under this title or imprisoned not more than five years, or both.” But when it comes to digital communications, a divergence exists. Organizations that supply an Internet-based service (e-mail, social media, cloud storage, etc.) have the ability to (and many purport to have the right to) access, read, and resell your personal communications. (Hey, maybe the USPS should consider hiring folks to open up all correspondence sent through the mail delivery service, mine the data, and resell the information…seems to be acceptable online. Perhaps this strategy would put the USPS back in the black!) As an employer, you should take the high road. Let your employees know what information you can access on their devices and what you intend to do with that information, if anything. Several mobile security solutions provide a separation between personal and employer communications on the same device.
Ben Halpert CISSP, is the editor of Auditing Cloud Computing: A Security and Privacy Guide. He is also the founder of the non-profit Savvy Cyber Kids, teaching our youngest learners safe and appropriate use of technology before they go online. Comments, questions and requests can be sent to him at firstname.lastname@example.org; please include SECURITY in the subject line.