Mobile Security Can’t Rely on Bring Your Own Device Policies
As businesses become more dependent on mobile devices to enable employees to work from anywhere, information security is becoming more dependent on those devices being secure. It isn’t enough to have a Bring Your Own Device (BYOD) policy that theoretically limits how employees access corporate data on their phones; you need to back your security policies with tools that enforce them on the devices themselves.
Achieving Mobile Security
The first step towards achieving mobile security is to know which mobile devices your employees use to access your network. The types of devices and the versions of the operating systems they run are what define the threats your systems face.
Because threats are so closely tied to devices and operating systems, limiting the devices and operating systems that can connect to your network is an important next step. Mobile device management (MDM) software allows you to prevent unsupported versions that may have unpatched vulnerabilities from accessing your systems.
Another important step is to tighten authentication and authorization controls. Again, much of this can be done through MDM software. First, require devices to be password-protected. If an attacker can’t get beyond a locked home screen, they can’t attempt to log in to any applications.
All corporate applications should require 2-factor authentication to verify identity; you can define policies that apply this extra check only to mobile devices so you don’t inconvenience users who are working at their desks in your office. Make sure all applications are downloaded from official, trusted sources: either the provider’s app store or your own corporate site.
Any applications your internal team creates should be designed with mobile access security in mind, and you need to test the security controls as part of your development process. Know the security risks of the libraries and other tools used by your development team.
Take steps to protect data stored on devices, as well. All stored data should be encrypted. You can consider using a cloud access security broker to prevent sensitive data from being downloaded to mobile devices. Also be sure to prevent data from being accessed over insecure networks; require use of a virtual private network to connect to corporate data sources. Your MDM tool can enforce that policy.
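The device-side controls described above can be combined into a single access decision. The following is an added example, not code from the article or from any MDM product: the field names, platform labels, minimum versions and sample fleet are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy values, constructed for illustration (not vendor guidance).
MIN_OS = {"ios": (17, 0, 0), "android": (14, 0, 0)}
TRUSTED_SOURCES = {"official_store", "corporate_site"}

@dataclass
class Device:  # hypothetical inventory record, not a real MDM schema
    platform: str
    os_version: str
    passcode_set: bool
    encrypted: bool
    vpn_active: bool
    app_sources: tuple

def parse_version(text):
    """'16.7' -> (16, 7, 0). Raises ValueError on non-numeric parts."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(dev):
    """Return (decision, reasons) for a mobile device; any failed check denies."""
    reasons = []
    minimum = MIN_OS.get(dev.platform)
    try:
        if minimum is None:
            reasons.append("unsupported platform")
        elif parse_version(dev.os_version) < minimum:
            reasons.append("OS below minimum version")
    except ValueError:
        reasons.append("unparseable OS version")  # fail closed
    if not dev.passcode_set:
        reasons.append("no device passcode")
    if not dev.encrypted:
        reasons.append("storage not encrypted")
    if not dev.vpn_active:
        reasons.append("not connected through VPN")
    if set(dev.app_sources) - TRUSTED_SOURCES:
        reasons.append("app from untrusted source")
    # A compliant mobile device still has to pass the second factor.
    return ("deny", reasons) if reasons else ("require_2fa", reasons)

# Constructed sample inventory.
FLEET = {
    "phone-a": Device("ios", "17.4", True, True, True, ("official_store",)),
    "phone-b": Device("android", "13", True, True, False, ("sideload",)),
    "phone-c": Device("ios", "17.x", True, True, True, ("corporate_site",)),
}
RESULTS = {name: evaluate(dev) for name, dev in FLEET.items()}
```

Versions are compared as padded integer tuples so that "17" satisfies a 17.0.0 minimum, and a version string that cannot be parsed is denied instead of being waved through.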
Finally, don’t rely on cloud providers to implement the security controls you need. You can certainly leverage tools they provide, such as role-based access controls, but be prepared to introduce additional tools into your cloud to provide the level of security your data needs.
What steps have you taken to ensure your mobile users can access data safely? Contact Prescient Solutions to talk about additional measures you can put in place to protect your data.