How to Plan for Smartphone Security in the Enterprise

By Chris De Herrera  |  Posted 2009-07-13

If you are a CIO, you face several challenges when it comes to deploying smartphones in your enterprise. Among the most important, you must determine the security requirements of your organization. Just like laptops and notebooks used in the enterprise, smartphones often contain corporate data and can access internal corporate resources. Since these devices are used as an extension or replacement of the desktop or laptop, they need to be secured and managed at the same level of security.

In most companies, IT security policies are already addressing mobile security for laptops and notebook PCs. The security policies applied to those computers should be used as a basis for creating policies that specifically address smartphone configuration and use in the enterprise. After you have thoroughly defined your security requirements, you need to apply the typical "who, what, where, when and how" approach to securing your organization's smartphones.

One of the initial steps requires defining who owns the devices your organization's employees use to perform their jobs, and who is responsible for their cellular contracts. Then you need to determine what data is (or is likely to be) stored on the device. With that information, you can determine what level of security should be configured on it.

Today, about half of the smartphones deployed are "individual-liable" devices, meaning their users acquired them and are responsible for their service contracts. The other half are "corporate-liable" devices. When individual users acquire their devices, the company accepts responsibility to secure users' data on those devices, as well as any corporate data stored on them (because security is applied to the smartphone as a whole). The situation becomes more complex when the company does not own the devices or phone numbers used by employees.

Security concerns can arise when the user of one of those devices leaves the company, retaining both the phone and the number. Keep these issues in mind as you decide which approach would work best for your organization. With corporate-liable devices, you control all aspects of the acquisition, cellular service and security of the smartphone.

Content Is Critical

As you consider how to secure your organization's mobile devices, you want to take a look at the content stored on the smartphones that access your network, as well as on the removable flash cards used with them. Such content can be secured in a variety of different ways, depending on the device.

Your options may include requiring employees to use a power-on password, so that after N number of failed attempts to log on, the data stored on the device is wiped. Or you might consider encrypting data stored on the device or any flash card used with it, or using a device management solution that allows an administrator to remotely wipe the data in the event the device is lost or stolen.

In addition to data storage, you should consider controlling which applications are installed on the device. Some smartphone security solutions, for example, allow configuration of an "accept list" and "deny list" to restrict which applications can run on a mobile device. However, keep in mind that while this is helpful in controlling the applications the user is able to execute, it may not fully protect the smartphone from executing programs that have been compromised.

You may also want to restrict the operating system to allow only digitally-signed applications to execute on the smartphones. These applications can be signed by the company or certified by the operating system manufacturer. Third-party applications, including viruses and malware, would not be allowed to execute on the device in this scenario because they are not signed by your company. This approach provides the highest level of security, in which you exercise control on an application-by-application basis.

Some smartphones can also be configured to use your company's rights management system. In the enterprise, those systems are used to prevent unauthorized access to data, and with a smartphone they can prevent unauthorized users from viewing data regardless of their location. Further, when an employee is terminated, all content stored on the user's device and controlled by the rights management system can immediately be made inaccessible to that user.

Managing Connectivity Risks

Smartphones present additional security risks to the enterprise when they access internal systems such as e-mail and intranets, and when they access the Internet. As a result, you need to manage device connectivity to reduce the risk posed by third-party applications, as well as by viruses and malware.

In addition, you should consider how you will control which Web sites users can visit on their smartphone. Usually Web site filtering is accomplished by using a VPN to access the corporate proxy server, which extends the same controls used to control Web site access within the corporation.

This VPN can also be used to access intranet or line-of-business (LOB) applications, just as a laptop user can from the field. Alternatively, some devices can use a local application to perform Web site filtering. However, there is no centralized logging of failures with this approach.

The fact that smartphones can be plugged into a desktop to synchronize data also poses security risks. You should decide whether your organization wants users to plug their smartphones into desktops to synchronize data within the enterprise or to do so remotely. Then you must set security policy accordingly. Keep in mind that even when smartphone synchronization is disabled, a user still can plug the device into a PC or Mac to charge it.

One of the functions that enterprises are integrating with their smartphones is corporate instant messaging (IM). The latest IM solutions also integrate voice over IP (VOIP) and video conferencing. By implementing a corporate IM standard, the company is able to log all conversations, including conversations from the smartphone. The IM functionality can be implemented over the Internet with Secure Sockets Layer (SSL) or via a VPN, depending on the desired configuration.

Security Solutions

Servers such as Microsoft Exchange (which provides an e-mail system) offer a multi-platform solution to implementing device security. However, the level of security that can be implemented on each device varies greatly, depending on the smartphone's integration with the security functionality Exchange supports. Other device security and management solutions are also available. Because they offer a range of functionality, you may want to work with different vendors to assess how well the functionality of different solutions applies to your particular requirements.
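The controls discussed above (power-on password with wipe after N failed attempts, device and storage-card encryption, signed-only applications with an accept/deny list, and remote wipe) map directly onto an Exchange ActiveSync mailbox policy. The following is an added example, not code from the article or from Enterprise Mobile; it assumes the Exchange 2007 SP1/2010 Management Shell cmdlets and uses placeholder names (policy name, mailbox, device identity, application hashes) that you would replace with your own values.

```powershell
# Added example: one ActiveSync mailbox policy that implements the controls
# described in the article. Assumes Exchange 2007 SP1 or 2010 cmdlets.

# 1. Create the policy: password with lockout-wipe, encryption, no unsigned code.
New-ActiveSyncMailboxPolicy -Name "Corporate-Smartphone-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 8 `        # "N failed attempts" then wipe
    -RequireDeviceEncryption $true `             # data on the device itself
    -RequireStorageCardEncryption $true `        # removable flash cards
    -AllowUnsignedApplications $false `          # only digitally signed apps run
    -AllowUnsignedInstallationPackages $false `
    -AllowNonProvisionableDevices $false `       # refuse devices that cannot enforce the policy
    -DevicePolicyRefreshInterval 24:00:00        # re-push settings daily

# 2. Accept/deny application lists (Windows Mobile devices). Entries are
#    "hash:name" strings; the hash values below are placeholders.
Set-ActiveSyncMailboxPolicy -Identity "Corporate-Smartphone-Baseline" `
    -ApprovedApplicationList @("<SHA1-HASH-PLACEHOLDER>:CorpLobApp.exe") `
    -UnapprovedInROMApplicationList @("Games.exe")

# 3. Assign the policy to a user (or loop over a group of mailboxes).
Set-CASMailbox -Identity "user@example.com" `
    -ActiveSyncMailboxPolicy "Corporate-Smartphone-Baseline"

# 4. Lost or stolen device: find its identity, then issue a remote wipe.
Get-ActiveSyncDeviceStatistics -Mailbox "user@example.com" |
    Select-Object DeviceId, DeviceType, LastSuccessSync
Clear-ActiveSyncDevice -Identity "<DEVICE-IDENTITY-PLACEHOLDER>" -Confirm:$false
```

Which of these settings a given handset actually honours depends on its ActiveSync implementation, which is the point the paragraph above makes; check the device's reported policy support before relying on a setting.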

The suggestions offered here are just some of the steps you need to take to assess how your organization should secure the smartphones employees use to access corporate resources. You will find that the speed at which smartphones change will affect your choice of security solutions. Typically, major changes to smartphone operating systems and security functionality happen annually or even more frequently. This is dramatically different from the operating systems of desktops and laptops, which have changed approximately every three or more years.

Because of the rapid rate of change in mobile device technology, you may wish to reassess security functionality for those devices annually in order to take advantage of new security features (as they are made available by updates in the smartphone operating system). You might require a temporary waiver of security requirements for devices that do not meet your company's security requirements.

By following the approach to assessing and creating a smartphone security policy outlined here, modeling your existing desktop and laptop security, you will find ways to provide your enterprise users with the productivity advantages smartphones provide, while protecting corporate data and other resources those devices regularly access.

Chris De Herrera is a Mobility Architect for Enterprise Mobile. He is a recognized expert on Windows Mobile, and has worked with customers to analyze, configure, manage and support many kinds of smart phones. He can be reached at