Securing Mobile Estates and Workers

By James Taylor, Product Development Manager, Wick Hill Group, specialists in secure IP infrastructure solutions The first thing to consider when looking at mobile security is ‘What is...

blog_phone_graphic_blue

By James Taylor, Product Development Manager, Wick Hill Group, specialists in secure IP infrastructure solutions

The first thing to consider when looking at mobile security is ‘What is the mobile estate?’ The mobile estate is any device or storage which is outside our corporate fortress (either physical or logical). Mobile devices, or more importantly the data on them, raise security issues that necessitate additional security measures.

In recent years, the myriad of mobile devices, as well as cloud storage, needing protection has exploded beyond the traditional laptop to include tablets, smart phones, iCloud, SkyDrive, etc. All of this makes the CIO’s job exponentially more difficult.

Who are the mobile users? In the traditional workplace, they were the field personnel and board members. But with disaster recovery considerations, as well as work-from-home policies, they could be the entire workforce.

From a training perspective, we should be including everyone in managing their mobile devices. We need to encourage staff to respect corporate property as if it was their own, and to take personal responsibility for the safe use and storage of equipment. Moreover, we must allow employees a safe reporting procedure if anything is lost, because the faster the IT department is made aware of any loss, the quicker it can react.

Once we understand who is using portable devices, we can consider the data risk. We need to ask where the data is held and what our exposure is, in the case of loss. Management of data is a critical step. When data is held centrally and securely, and is accessed via a Virtual Desktop Infrastructure (VDI), this will always provide a stronger security profile than allowing data to be stored at the edge on mobile devices.

However, in order to recognize the risk, we must have first defined our sensitive corporate documents, by protectively marking our data. Protectively marking data can be kept to three simple levels.

Sensitive
Employee records, intellectual property, etc.

Confidential
For business matters, profit and loss statements

Not Classified
An RRP price book or the canteen menu are examples of documentation that should not be embarrassing if seen by anyone outside the organisation.

Security at the gateway

Mobile devices which are used for company business have to be fit for business purpose and, importantly, they must be capable of either running corporate software or providing a thin client back to HQ. You might also consider limiting the choice of operating system on such devices. The benefits include more manageable vulnerability patching, as well as mobile device management (MDM) software suites which are compatible with industry standards.

Now we can get smart with our security provisioning. If the remote end point is there to provide a remote desktop session, our security can be centred on strongly authenticating the user at the point of entry – the gateway.

Two factor authentication is absolutely essential today for mobile workers. With a VDI session, one assumes the data is securely and centrally held back at HQ. With VDI, there’s the added bonus that we don’t need the most powerful computer in the world for the mobile worker, because the computer is just providing the screen and keyboard for the remote worker. All the grunt work is being done by the server farm.

Unfortunately, not many of us have adopted a VDI environment. We run around with a fat client, not a thin client, and use the standard operating system that came with the appliance. With a fat client, all the inherent security problems with mobility are exacerbated.

Because we don’t centrally store data, there are a lot of things we need to do in order to ensure security. We need to encrypt drives, control the ports, load anti-virus programs, possibly adopt an MDM solution, and so on.

Working as the CIO, we really need to question whether we require a full client for remote enablement. By running on skinny operating systems, and being configured to only access back to HQ, we gain portability, without all the overheads of managing a fat client.

Smartphones, BYOD or CYOD devices, tablets, etc. complicate our mobile estate further. There’s no doubt that the high degree of portability, instant access to e-mail, and so on, that we get with such devices, has really improved efficiency for the remote worker.
However, from an infrastructure, security and support point of view, this situation definitely creates the need for much more vigilance, organisation and stronger security policies.

Whilst corporate e-mail is one concern, the ease with which documentation can be attached “for your review” means we have the potential for multiple, unsecured documents across many platforms. It’s more secure to link document back to the central location, than to blindly send to multiple recipients.

Having identified our remote worker, fully trained them, marked our documentation and given them the right mobile devices, we now need to think about our remote access gateway.

Should we enforce end-point security checks and give an appropriate access, dependent on the risk? If you have someone accessing the corporate network from an internet café in an untrusted foreign land, then it’s sensible to grant minimal access permission. For someone who is strongly authenticating, on a fully patched corporate device, over an IPSec client, from a trusted geo-location, the risk profile is much lower and we can allow greater access.

Most UTM firewall technologies can easily handle company security needs at the gateway, including mobile SSL traffic. With this scenario, there’s the added bonus that any additional security features which we bolt onto the firewall, such as anti-virus, can also be applied to our remote workers’ sessions.

The great benefit of running a UTM firewall is that the IT Security team only has to deal with one interface. The protective marking methodology we used to prevent sensitive documents leaking out over email, can also now be applied to our mobile workers’ remote sessions.

With regards to personal cloud storage, I propose it is simply not allowed, because it can’t be controlled by corporate policy. We can prevent this happening, by leveraging the capability of the firewall, from within the corporate local area network.

Wireless and MDM

Now we come to the question of wireless. With wireless mobile devices being issued to more staff, as well as multiple appliances to single users (I have three), the requirement to secure, monitor and control these devices, as well as reviewing the wireless infrastructure, is much greater. We need to keep wireless connectivity secure and we need to keep up to date with the current changes in wireless technology.

A key driver for the future of wireless is the newly ratified 802.11ac standard. Starting initially at 1Gbps, with future potential up to 7Gbps, this new standard is going to transform the use of wireless in the office and will move many environments from wired to wireless. As many users already have 802.11ac routers at home, there will be a strong demand for the same experience at work. Securing and managing expectations early will be a key element in minimising the security risks that this will create

One way of addressing these issues is to adopt a mobile device management (MDM) solution to secure and manage mobile devices, and that should be able to encompass devices with different operating systems and from different manufacturers. We need to know whether mobile devices belong to the employee or the company and whether sensitive company data is held on those devices.

The sort of features which are going to be necessary from an MDM system include anti-malware for the devices, the ability to remote block or wipe data, and GPS-find. One very desirable function is the encryption and secure containerisation of company critical data and applications, keeping them separate from employee personal data.

Some systems will allow you to manage all ‘end points’ within your network from one central management console, whether that be a mobile phone, tablet, laptop, workstation, file server or virtual server/desktop. With this option, you can rest assured that you have done everything you can to enforce compliance to your company-wide data security policy.

Conclusion

With strong guidelines, approved devices and reinforced training for mobile workers, companies can take advantage of mobility and become more flexible and more productive. However, mobility has to go hand in hand with proper planning and appropriate security measures, such as MDM systems. If you get it wrong, you have to be prepared for the consequences.

In this article

Join the Conversation