The popularity of the G1, the iPhone and other smartphones means enterprises need to think about security and management. With that in mind, here are some things to consider as you set your security policies.
From the iPhone to T-Mobile's G1, smartphones have become pervasive in
today's enterprises. What are not always pervasive are sound security
practices for controlling them. While malware for mobile devices is not
especially widespread, hundreds of unique pieces of smartphone malware,
such as 'Sexy View', have been identified. Then there are the hacks. In a
demonstration, Trust Digital showed how it was possible to use an SMS
control message to silently change the phone's configuration, for example,
turning off security settings for e-mail transmission such as SSL.
With all this in mind, here are a few things enterprises should consider when
it comes to smartphone security.
1. Take a Business-Centric Approach to Planning
Philippe Winthrop, an analyst with Strategy Analytics, said businesses need
to know how many smartphones they have and what they are being used for. "Go
through and use cross-functionality teams ... within your organization to
understand what the line of business is going to want to do with these
solutions, but make sure of course that it's going to play nicely with what the
IT department needs to do."
2. Develop a Configuration Plan
In a report titled "Q&A: 10 Smartphone Security Failures You Want
to Avoid," Gartner analyst John Girard noted that any system that lacks a
known, trackable and updatable configuration is impossible to properly manage,
secure and support. The result is users handling troubleshooting and
modifications on their own, which can in turn open up its own can of worms
if their changes make the device less secure, he wrote. When it comes to
planning operational requirements, smartphones should be treated like PCs, the
report continues.
"When companies move to personal liability phones, or tell people to
use their personal phones at work, serious vulnerabilities arise if the company
does not at least have a plan for managing diversity and controlling
exposures," Girard told eWEEK. "Ideally, companies would still invest in
centralized management consoles for phones and take policy control of personal
phones whenever possible."
3. Set Sound Default Browser Permission Rules
One of the main doors malware walks through to get on a system is the
browser. "Today's smartphones increasingly include more fully functional browsers
that are quickly moving toward a level of functionality rivaling that of
desktop versions," said Scott Crawford, an analyst with Enterprise Management
Associates. "Considering that attackers increasingly focus on both Web
applications and the vulnerabilities not only of browsers but of their many
multifunctional add-ons, this increases concerns that mobile devices may add to
the Web and browser attack surface already highly targeted."
Gartner recommends setting conservative companywide security policies,
disallowing Java applets and scripts and regularly cleaning up the browser
cache.
Doing all this, however, depends not only on how much control enterprises
want over the devices, but also on how much they can actually have,
Crawford said.
"In the iPhone's case, for example, on-device control [a management
agent, for example] is limited by what Apple is willing to make available via
the App Store," he said. "Otherwise, the customer must either
consider 'jailbreaking' the phone - not an option in the typical enterprise - or
considering an off-device alternative. ... Other than that, organizations may
want to deploy solutions that enable a secure 'wipe' of information from a lost
or stolen device - whenever it connects to the network, for example."