Tuesday 27 September 2011

Your mobile data: under lock and key

The subject of mobile security is currently under an intense spotlight, with phone hacking being revealed at the highest level. In this item, Steve Reynolds, CEO of TBS, answers questions about security in enterprise mobility.

Q. With the phone-hacking scandal engulfing the news at the moment, how can businesses be sure that the enterprise level data travelling through mobile channels is secure?

SR. The current phone-hacking scandal revolves around voicemail, which is much easier to access than raw mobile data. A generic voicemail PIN number is given to mobile users, who are encouraged to change it by mobile networks. But most people don’t. This enables anyone to dial your mobile number, press a few keys and listen to your messages. It’s clearly an issue to people in the public eye, and serves to remind us all that we really should change our PIN numbers.

In the enterprise space, the data exchanged is extremely secure. Standard 3G network protocols and GPRS networks support encrypted data communications, while most developers even use a second layer of encryption to ensure data is as secure as possible. An alternative is to use closed user group SIMs, allocated by a network to a single point of access – otherwise known as a VPN tunnel. This is an encrypted pipe which nobody can hack into, giving the best security available over a wireless connection.

A risk which we’ve touched on in earlier Q&As is that of executives bringing smartphones and tablet devices into the workplace and asking for them to be connected to enterprise servers which give access to email and files. Security at this level requires another layer of third-party security systems to counter potential data breaches.


Q. Sony’s recent issues with PlayStation customer data underlined the risks of data extraction and rogue applications being downloaded onto devices. How can these risks be mitigated in the enterprise space?

SR. Businesses should be concerned with open platforms where fewer safety checks and validation processes are in place. This makes it possible to download rogue applications and malicious viruses that are able to remove data. When taking smartphones into the enterprise, we recommend using generic device management to limit the use and freedom of downloading applications. TBS has device management and security integrated within all products as standard. This is a priority for all enterprise-based smartphone usage, and especially for our customers such as Group4Securicor and ADT, operating in security and managing high-profile alarm systems.


Q. How can large amounts of data contained on devices be protected throughout the course of a working day?

SR. Basic device security must be considered in terms of passwords and protection, in case of loss, damage or theft. A minimum of PIN protection should be set up, while additional ‘remote wipe’ functions allow for the content of a device to be erased from a separate point, helping to give another layer of security.

There are two key ways of protecting data. One is through data synchronisation, whereby all data is synchronised (or synched) to a server system. In this case, if all data on a device is lost, it can be re-synched back to the device, or to a new device, directly from the server.

The other method of protection is to treat a device as a transitory information store. This means that the majority of information is stored on a server, and ONLY the data being used at the time of a task will be held on the device. Once a task is completed, all data is synched away from the device, back to the server.

Q. How can we protect information from being modified by potentially unscrupulous fieldworkers?

SR. Data contained on a mobile device should always be accessible through a larger workflow system, or IT database. If task data has been completed and stored in an encrypted database, it cannot be viewed or edited retrospectively. Fieldworkers cannot get access using a file system to delete or change any data, ensuring safe and traceable working practice.

Q. With the proliferation of smartphones and blurring of platforms – mobile, laptop, tablet – won’t security become more difficult?

SR. Security becomes more complicated with multiple operating systems, which creates a permanently shifting security target for IT departments. While any IT department should embrace smartphone technology rather than shy away from it, this is easier said than done.

What we recommend is the publishing of a list of phones or tablets which executives can securely use within the working environment. This serves to focus control and security on a manageable number of handsets and operating systems, and means no staff are disappointed by any incompatibility.

Ultimately all security is subjective. What some organisations consider secure, other organisations will not. So it’s important for mobile devices to be flexible in how they can be locked down, which is where the flexibility of applications can help.
