Dealing with Enterprise Mobile Security

From mobile malware to device management, enterprises need to have a plan for securing the BlackBerrys, iPhones and other devices connecting to their networks.

Cyber-criminals were recently seen targeting BlackBerry and Symbian devices to steal authentication data from online banking customers, another example of mobile devices being on attackers' radars.

Still, security experts agree most of the threats to mobile devices come in the form of people losing their devices or having them stolen. Rather than dealing with malware, the primary challenge for enterprise mobile security is figuring out how to best manage the plethora of devices employees can bring on to the network.

The number of players in the mobile market presents a challenge. Research from IDC reported Symbian held a 40 percent share of the market during the first half of the year, but also put BlackBerry, Apple iOS and Android at a combined 50 percent.

From a management perspective, organizations have three options, Gartner analyst Eric Maiwald said.

"One - use the BlackBerry Enterprise Server," he said. "BES only manages BlackBerry devices but it gives you the best management system. Two - use Exchange and ActiveSync. This will work for any device that includes an ActiveSync agent. However, it provides limited capabilities - you can verify authentication and encryption prior to allowing the device to connect and you can remotely wipe the device - and you have to rely on the device to tell you about itself."

The third option is to use third-party management products, which come in three major flavors: products focused on the security configuration of devices; messaging products, which typically deploy their own agent to send and receive e-mail securely; and service management technology focused "on the quality of service for the device" that provides a detailed view of the device and its configuration, Maiwald said.

"Basically, what I am saying is that you need to understand what you are trying to do: what is your policy, what is the goal for the management product, and what devices do you want to manage," he said.

Having a mobile device management strategy to enforce on devices other than BlackBerry is a common gap in enterprises, Gartner analyst John Pescatore said, as is having a definition of what minimal security policies need to be enforced.

Best practices include having the ability to wipe a device remotely, as well as policies around encryption and passwords, Kevin Mahaffey, CTO of mobile security firm Lookout, told eWEEK.

"A password is the first line of defense to prevent thieves or casual snoops from accessing sensitive data on a smartphone," he said. "While a password won't necessarily stop the most determined attackers, it can go a long way in keeping sensitive data safe. Some phones can set policy to automatically erase the device if an incorrect password is entered too many times."