The essentials of a smartphone, mobile security policy

However, according to a 2008 survey conducted by marketing research provider Decipher Inc., 70% of respondents said they accessed sensitive information on their smartphone device when away from the office, and therefore outside the confines of their organisation's secure environment.

This latest extension of the enterprise IT infrastructure has quickly turned from asset to risk. To make the most of the smartphone's undoubted benefits, it is important to address smartphone and mobile security, safeguarding the information stored on any mobile device, just as you would with a laptop.

The essentials of a smartphone, mobile security policy
This means your mobile security policy needs to mandate:

• Device passwords with a minimum length, complexity and update frequency.
• Data encryption, depending on its sensitivity or classification level.
• Password-protected inactivity timeouts.
• No access to read-only parameters.
• Limited access to riskier features, such as Bluetooth and instant messaging.

I would also recommend only allowing voice calls on any device that is locked. And before allowing smartphones within the enterprise, ensure they can be wiped remotely if lost or stolen.

And if you're concerned about shoulder surfers figuring out access PINs by watching which keys are pressed, consider using an authentication technology like PINoptic, which offers a picture-based passcode claimed to be 37 times more secure than a four-digit PIN.

How to secure enterprise instant messaging  IM in the enterprise is more popular than ever. Michael Cobb reviews the best ways to keep instant messaging under control.

Although the actual number of software-based attacks on smartphones and PDAs is still low, the total is likely to change as the user base grows. Interestingly, the relatively few vulnerabilities discovered on smartphone operating systems have all been fixed very quickly. At the time of this writing, mobile OSes such as Symbian, iPhone, RIM's BlackBerry, Windows Mobile, Linux, Palm WebOS and Android have all been patched according to Secunia's vulnerability reports. (This may be due to the intense competition amongst vendors in the enterprise market where device security is a key issue.)

It's not just the smartphone OS that can be attacked, however. Running only IT-vetted applications is key to avoiding mobile malware. Security products aimed at the enterprise smartphone can therefore play a vital role in mobile security policy, letting organisations control custom and third-party applications installed on the device and the resources they are permitted to access.

For example, an application could be permitted to reach internal and/or external domains, or prohibited from using Bluetooth or GPS. Controls like these can dramatically reduce risk.

For organisations that need to control a variety of smartphones, there are now products that provide consolidated reporting across different mobile OSes on the status and the compliance posture of all monitored devices. GuardianEdge Technologies Inc.'s Smartphone Protection, for example, supports the Apple iPhone, Windows Mobile and Palm OS devices. It can prevent untrusted applications from being installed or used while allowing trusted applications to run and access encrypted data.

There are plenty of smartphone and mobile security products for large and small business smartphone users, such as the eWallet from Ilium Software Inc., Splash Data Inc.'s SplashID, mSafe from smartphone software developer MotionApps, Symantec Corp.'s Norton Smartphone Security and Mobile Anti-Virus from F-Secure Corp.

Don't miss need-to-know info! Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.co.uk and you'll never be behind the curve. Read more about data protection topics on SearchSecurity.com Connect with your peers to ask and answer data protection questions on ITKnowledge Exchange

However, overloading devices with too many security tools can drain the batteries very quickly and strain CPU performance. It's important, therefore, to maintain some sense of balance between mobile security and usability –-- always consider how difficult it will be for users to follow your security procedures; otherwise they'll try to find ways to circumvent them.

One area that has been seen as frustrating and complex by users and administrators alike has been setting up a VPN connection on a smartphone. End-to-end encryption from the smartphone, over the transport medium, to corporate resources is essential to prevent over-the-air data leakage, and thankfully vendors are upgrading products to make the whole process far easier.

Network security company Astaro Corp. claims its users can now set up and use the iPhone's IPsec VPN capabilities with no technical knowledge, while SSL VPNs from SonicWALL Inc. offer clientless remote access for smartphones.

The Mobile VPN in Microsoft's System Center Mobile Device Manager also adds additional protection by authenticating both the device and user. If your mobile users, however, only need to access the odd application, such as Pocket Outlook and Microsoft Exchange, then you could look at encrypting the communication by sending POP and SMTP mail protocols over TLS without a full-blown VPN.

Depending on the nature of your mobile workers' voice calls, you may want to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, like Sectéra Edge, a combination phone-PDA. Such devices are certified to protect wireless voice communications classified "Top Secret," as well as restrict access to "Secret" email and websites. If this type of product is beyond your budget, Cellcrypt Mobile, from voice security provider Cellcrypt Ltd., offers end-to-end real-time encryption for BlackBerry smartphones without the need for specialised equipment. It operates on all major wireless networks, including 2G, 3G and Wi-Fi.

The key to a strong smartphone and mobile security policy is to make sure that any sensitive data that is accessed is protected in all forms. There are many places where it might be intercepted, so you need to have them all covered.

If data is encrypted on your database server, does it remain encrypted when it is transmitted to a smartphone, either through synchronisation, email or a Web app? If the user makes a call to discuss the data, does the conversation need to be encrypted? Can you execute a remote wipe if the device and its data are lost or stolen?

Smartphones are here to stay, so you have to commit to endpoint data protection. The mobile devices may be small, but they're still Internet-connected computers, so don't let them become a double-edged sword.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network security tips Microsoft security tools: MBSA and MSAT explained Pros and cons of Skype security for encrypted phone calls Network security 101: Default router settings, network hardening Network security 101: Password policy best practices, security documents A wireless LAN security update: Developments in technology and law Portable USB thumb drive encryption: Software and security policy Buying an IPS: Determine why you need intrusion prevention SMS two-factor authentication for electronic identity verification Three portable data storage encryption methods UTM appliances in the enterprise: Are they enough? Wireless Network Security: Setup, Issues and Threats A wireless LAN security update: Developments in technology and law Panel debates 'buy vs. build' mobile device security policy management Best practices to secure wireless networks How to prevent iPhone spying: mobile phone management tips Configuring a Windows network infrastructure: Wired, wireless security College learns lessons in choosing the right NAC appliance GSM cell phone encryption crack may force operators to upgrade How to keep networks secure when deploying an 802.11n upgrade Researchers find thousands of flawed embedded devices Wireless network guidelines for PCI DSS compliance Endpoint and NAC Protection In any given app for smartphone, security risks are being neglected Microsoft issues temporary fix for Windows Shell zero-day Attackers target Windows Shell zero-day via USB sticks Perimeter defenses deemed ineffective against modern security threats Market snapshot: PC virtual desktops on a USB Apple iPad security debated as U.K. launch approaches Microsoft to issue two critical bulletins, SharePoint to remain vulnerable Logical and physical security integrated by U.K. startup Panel debates 'buy vs. build' mobile device security policy management How to configure IIS authorization and manager permissions RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Computer Misuse Act 1990  (SearchSecurityUK.com) Regulation of Investigatory Powers Act  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.