Mobile security -- as with most aspects of network security -- is a process and not a goal. Threats continue to evolve, as do the tools enterprises can harness to meet those threats. As a result, it's essential that an organization's mobile security process remains flexible and adaptable. A key tool to achieve those ends is an overarching security requirements checklist.
As strategies evolve, there are certain fundamental steps all organizations should take to protect their mobile network assets. The following steps should be included in any mobile security requirements checklist:
- A comprehensive security policy. This document is actually quite simple: It details what information is defined as sensitive and therefore requires protection, who has access to this information and under what circumstances, and what to do in the event of a breach or compromise. Not having an effective security policy -- one published and regularly reinforced -- is the single most common failure we see in mobile security today. Knowing what to protect is an essential ingredient in your mobile security requirements checklist. Put a cybersecurity policy in place, educate and reinforce it on a regular basis and revise the policy as required.
- Authentication (identity management). Authentication is proving an identity to the other party in a communication, and it should ideally be mutual: the device verifies the service it talks to, not only the reverse. Modern identity management products are the current generation of authentication, authorization and accounting software. They let an enterprise decide who may access and modify which data, and under what conditions; the encryption of that data is a separate control that the identity system gates but does not itself provide. With mobility, the familiar username and password -- weak on its own -- can be buttressed by access policies that also require a specific enrolled device, a location, a time of day and more. Two-factor authentication, often described as "something you have plus something you know," is the preferred approach, with the person's own mobile device (an authenticator app or a hardware-backed key on it) typically serving as the second factor. Monitoring and management reporting remain critical, along with real-time analytics engineered to spot anomalous authentication attempts.
- End-to-end encryption. Sensitive data must be encrypted to render it useless to unauthorized third parties. It's a mistake to rely solely on the encryption now built into cellular, Wi-Fi and most other commercial wireless links: that protection ends at the base station or access point, and the data then crosses the operator's and the Internet's wired networks in whatever form the application sent it. Instead, make sure applications enforce their own encryption -- TLS to the service and application-level encryption of stored data -- because no data is protected unless the application in question implements the necessary protection itself. The general rule: Sensitive data must be encrypted at rest -- in a cloud service, on a mobile device, on a USB key or anywhere else -- and in transit across any network, wired or wireless, with keys held where the device's platform keystore or the enterprise key management system can protect them. Decryption should occur only when all identity management conditions -- driven by the security policy -- are met.
- BYOD considerations. With BYOD now the dominant organizational device-provisioning strategy, a clear and concise BYOD policy -- with appropriate end-user agreements -- must be in place. It should specify requirements for operating system and app updates; antimalware software that detects and mitigates viruses and other malicious code; and enterprise mobility management tools, including mobile device, application and content management. It's also good practice to limit the universe of approved devices -- as specific device and mobile OS release pairs -- to minimize the possibility of errors and to cut the load on compliance and support staff.
- Management and support. Organizations that have 100 employees or more should have a designated IT mobile security staffer, whose primary responsibility is to monitor potential threats and remedies.
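As an added example, not code from the original article: the authentication and encryption items above come together in the following Go program. The device-held second factor is an RFC 6238 TOTP code (HMAC-SHA1, 30-second step), verified with one step of clock-drift tolerance, a replay check and a constant-time compare; the stored record is sealed with AES-256-GCM and bound to a user-and-device string as additional authenticated data, and it is decrypted only after the second factor has verified. The OTP secret is the RFC 6238 sample secret, the AES key is an all-zero placeholder and the binding string is made up; in a real app the key would live in the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	totpStep    = 30      // seconds per RFC 6238 time step
	totpModulus = 1000000 // 10^6: six-digit codes
)

// hotp returns the RFC 4226 HMAC-SHA1 one-time password for a secret and counter.
func hotp(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f) // dynamic truncation offset
	return int(binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff) % totpModulus
}

// totpAt returns the code valid at Unix time unix (RFC 6238).
func totpAt(secret []byte, unix int64) int { return hotp(secret, uint64(unix/totpStep)) }

// verifyTOTP accepts a code for the current step or one step either side (clock
// drift), refuses any step at or before lastUsedStep (replay of a used code) and
// compares in constant time. It returns the matching step for the caller to persist.
func verifyTOTP(secret []byte, submitted string, unix, lastUsedStep int64) (bool, int64) {
	cur := unix / totpStep
	for _, s := range []int64{cur - 1, cur, cur + 1} {
		if s <= lastUsedStep {
			continue
		}
		want := fmt.Sprintf("%06d", hotp(secret, uint64(s)))
		if subtle.ConstantTimeCompare([]byte(want), []byte(submitted)) == 1 {
			return true, s
		}
	}
	return false, lastUsedStep
}

// sealRecord encrypts a record for storage with AES-256-GCM. binding (user ID plus
// enrolled device ID) is authenticated but not encrypted, so a record copied to
// another device or account fails to open even with the correct key.
func sealRecord(key, plaintext, binding []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, binding), nil // nonce || ciphertext || tag
}

// openRecord decrypts only after the identity conditions for this request have
// been met; here that means the second factor verified.
func openRecord(key, record, binding []byte, secondFactorOK bool) ([]byte, error) {
	if !secondFactorOK {
		return nil, errors.New("policy: second factor not verified; decryption refused")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(record) < n+gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:n], record[n:], binding) // fails on tampering or wrong binding
}

func main() {
	// Constructed inputs: RFC 6238 sample secret, placeholder key, made-up binding.
	otpSecret := []byte("12345678901234567890")
	key := make([]byte, 32)
	binding := []byte("user=alice;device=enrolled-phone-1")
	now := int64(59)

	record, _ := sealRecord(key, []byte("customer list"), binding)
	code := fmt.Sprintf("%06d", totpAt(otpSecret, now)) // what the authenticator app shows
	ok, step := verifyTOTP(otpSecret, code, now, -1)
	pt, err := openRecord(key, record, binding, ok)
	fmt.Println(code, ok, step, string(pt), err)

	replayOK, _ := verifyTOTP(otpSecret, code, now, step) // same code submitted again
	_, err = openRecord(key, record, []byte("user=alice;device=other-phone"), true)
	fmt.Println(replayOK, err)
}
```

The replay check works because the server stores the last accepted step per user; the drift window is deliberately one step, since widening it multiplies an attacker's guessing odds. Binding the ciphertext to the device identity is what turns "encrypted at rest" into "decryptable only on the enrolled device under the policy", which is the point of the two list items above.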
The key is to minimize the opportunities an end user has to compromise security and to maximize the responsiveness the enterprise can muster to counter mistakes when they occur. Smaller organizations, of course, are not immune to security challenges. Fortunately, there is a broad array of (increasingly cloud-based) approaches now available, along with consulting help as needed.
It's also important to consider that security has an equally important counterpart: resilience, meaning the integrity and availability of the infrastructure itself. This includes the physical security of critical network and IT infrastructure, as well as hot-standby or redundant network and IT resources. Cloud-based strategies can really help here, but be sure to have a security checklist to review with all suppliers. And note, again, that all good security practices include the wired network as well.
Remember, today's mobile-centric IT increases the number of potential attack vectors, entry points and other vulnerabilities. Also, remember that once sensitive information is compromised, it can never be made secure again. Security may indeed be the one aspect of IT that is never done, but having a mobile security requirements checklist -- and using it to perfect your approach -- will help reduce the chance that your organization will be a victim.
Experts have shown that checklists can make most processes safer and more efficient. Follow the steps in this mobile security requirements checklist, and you'll be on your way to locking down mobile in your company.