Chapter14_1_-Presentation.pptx

ITS 833 – INFORMATION GOVERNANCE

Chapter 14 – Information Governance for Mobile Devices

Dr. Isaac T. Gbenle


CHAPTER GOALS AND OBJECTIVES

Challenges facing businesses with a mobile workforce

Greatest challenges to mobile device users

Trends in mobile computing

What is a push-button application for mobile devices?

What is MDM?

What function does MDM serve?

Trends in MDM?

Guidelines for IG for mobile devices

Best practices to secure mobile devices

How do you go about developing mobile device policies in your organization?


On the slide is a list of the types of things that you need to take away from this Chapter.


Information Governance for Mobile Devices

326 million mobile devices in use at the end of 2012-beginning of 2013

Significant Growth. Why?

Improved network coverage

Physically smaller devices

Improved processing power

Better pricing

Newer generation operating systems

A more mobile workforce


Mobile devices are everywhere! Per your author, there were over 326 million mobile devices in use in the United States. You would have to question this statistic, considering that this number is greater than the number of people in the United States at that time. The explanation is that many users have more than one mobile device. Over the prior decade the growth of mobile devices exploded. Why? A number of reasons: improved network coverage, physically smaller devices, improved processing power, better pricing, newer generation operating systems, and the fact that the workforce was becoming more mobile all contributed to this explosion.


THE NEED FOR INFORMATION GOVERNANCE WITH THE NEW MOBILE WORKFORCE

Greatest Challenges for IG due to heightened security risks with a mobile workforce

Data leakage and loss estimated to be in excess of $400,000.00

Mobile devices were not designed with security in mind

Androids running on different platforms/hardware are particularly susceptible

Social Engineering is widespread

Users are the weakest link

The key is:

Awareness and education of the criminal threats

Biometric Authentication – Retina, Voice, Fingerprint

Mobile Device Management


With all these new devices, and the information that resides on them outside the realm of the traditional organization, comes a whole new set of challenges for information security, and therefore an entirely new set of issues related to information governance. This has become one of the greatest security challenges for companies with a mobile workforce. The risk of compromising confidential information is greatest in this arena. Experts estimate that data loss from breaches related to mobile devices can cost an organization as much as $400,000 per year.

Consider that, for the most part, mobile devices were not designed with security in mind. In fact, because Android devices were designed to run on different hardware, they are more susceptible to security breaches.

It is particularly vexing that smartphone viruses are more difficult to detect than viruses that infect your computer, and they are more difficult to get rid of.

The rate of technological development on smartphones is changing almost daily, which makes it more difficult to keep up with ways to prevent security breaches.

Think about just the area of banking where you can now make remote deposits using your cell phone. Imagine what an opportunity this is for thieves and what a security challenge just that one change presents.

Social engineering is a common approach used by hackers when dealing with mobile devices. Remember, social engineering involves using different ways of fooling the user into providing his private information. The user is the weakest link in preventing cyber crimes as they relate to mobile devices.

The key to all this is awareness of the threat that exists and an appreciation for cybercriminal techniques. Of course, new biometric techniques that are used to identify the owner of the mobile device, such as fingerprints, go a long way to offset the occurrence of cyber threats.

The IT departments really have to stay on top of this. They need to remain vigilant and make sure their employees who have mobile devices containing sensitive information have the newest technology to protect the information, and that it is deployed and they know how to use it.

The term that has been coined for this area of security for mobile devices is “Mobile Device Management”.


TRENDS IN MOBILE COMPUTING

Long Term Evolution (LTE)

4G

WiMax [Worldwide Interoperability for Microwave access]

RFID and increased wireless support

3G and 4G Interoperability

Sprint’s dual mode cards

Smartphone Applications

Increased software for mobile devices from 3rd party vendors

GPS

More mobile devices with GPS built-in


This area of mobile computing is changing so rapidly that it is crucial to make sure your users understand the direction of current trends, so they will better know what developments to anticipate and how to plan for them. In 2011 CIOZone.com predicted the trending areas of mobile computing, and they have been right on target so far. They predicted at that time the following trends:

Long Term Evolution (LTE) – In 2011 it was predicted that 4th generation mobile computing would be made possible. It was.

WiMax [Worldwide Interoperability for Microwave Access] – The expectation was that as more and more 4G devices popped up in the US, more and more netbooks and laptops would be sold equipped with built-in radio frequency ID (RFID) and more wireless support. Surely we are seeing the trend with regard to wireless support.

3G and 4G Interoperability – Sprint developed the dual-mode card that enabled mobile devices to run on either 3G or 4G networks, depending on what was available in the particular roaming area where the user is at the time.

Smartphone Applications – Third-party software has grown by leaps and bounds. Nearly every type of software you can imagine is available for mobile devices today.

GPS – This has exploded. Nearly every mobile device today will have GPS to identify the user’s whereabouts.


TRENDS IN MOBILE COMPUTING

Security

VPN software and hardware-based VPNs

Antivirus

Improved and expanded antivirus software for mobile devices

Push-button Applications

More like the pull down commands generally seen on desktop computer

Supplemental Broadband

Sprint – Expanding wireless broadband capabilities

Solid State Drives

Improved controllers and firmware built into the SSDs


Security – To rise to the growing challenge, corporate IT departments are expected to begin using more of a combination of Virtual Private Network (VPN) software and hardware-based VPNs.

Antivirus – The need for greater and smarter antivirus will be realized by executives, and this will drive the creation of newer and improved antivirus software that will reside on the mobile devices.

Push-button Applications – I am not so sure that the author was able to convey what he meant by a “push-button application” with the example he gave in the book, so we will try here. Traditionally, when you talk about a push-button being built into a software application on your desktop computer you are talking about a menu of commands where when you click on an application button a menu of commands is displayed. Generally, the menu contains file-related commands such as Open, Save, Print, and Exit. So I think what the author is trying to say here is that you will have more applications on your mobile device that will function like that and will be more automatic. In the example the author gave on page 274, this would mean that the driver would not have to actually dial his dispatcher and request assistance to have the obstruction moved. He would have a more automatic application on his mobile device where he would just need to push the button to take care of the situation.

Supplemental Broadband – This comes with extended LTE and WiMax. Innovators and leaders in the industry such as Sprint are expected to expand their wireless broadband capabilities to small businesses that don’t have access to fiber optics.

Solid State Drives – This is a prediction that there will be improved technology in the area of controllers and firmware built into the solid state devices in the hardware.


Security Risks and Securing Mobile Devices

Contributing Factors for Security Risks

Increased storage capabilities

Advancements in SSD technology

Easier to lose and more susceptible to theft

More susceptible to intrusion during wireless communication.

Securing Mobile Data

Remove the confidential information from the device

Encrypt the confidential information


There are particular and unique security risks related to mobile devices, such as the increased storage capacity made possible by shrinking circuits and advanced SSD technology. Further, by their very nature they are more susceptible to being lost or stolen. In addition, they are more susceptible to having their communications stolen while in transit over wireless connections.

The smartest thing you can do to secure mobile data seems obvious: remove the confidential information from the device when it is no longer needed. Don’t leave it residing on that particularly vulnerable device.

While it must reside on the device, encrypt the confidential information.


MOBILE DEVICE MANAGEMENT

What is Mobile Device Management?

Software used to manage mobile devices remotely

What can MDM do?

Improve security

Streamline managing remote devices in mass or individually

Provides management in the BYOD environment

Can control configuration settings


Mobile Device Management generally comes in the form of software. It helps organizations to remotely monitor, secure and manage their mobile devices such as smartphones, tablets and PCs. It improves security and streamlines the process of managing remote devices, since the manager has the option of managing individual devices, a portion of the mobile devices, or all of them at the same time. It can be used to manage the company-owned devices that are all the same and, in addition, the employees’ own devices that they bring to the workplace.

MDM can be used to remotely wipe the device clean, to control the configuration settings, and for a variety of other functions.


TRENDS IN MDM

MDM Software Expansion and Maturity

Consolidation of MDM major players

Cloud-Based MDM

Emphasis on mobile device policies

Diversity/Expanded mobile monitoring and security

Infrastructure Consolidation


Certain trends have been identified in the area of MDM. They include things such as the following:

MDM Software Expansion and Maturity – Most experts believe this will become much more sophisticated and will emerge as a technology that begins with the purchase of the device and follows it through to the retirement of the device.

Consolidation of MDM major players – Fewer but stronger developers of MDM software, resulting from mergers of the big players.

Cloud-Based MDM – This is expected to become the norm with MDM software.

Emphasis on mobile device policies – More formalized policies, along with awareness, education and training in the organization.

Diversity/Expanded mobile monitoring and security – This will expand beyond the current types of mobile devices that are controlled with MDM software and will begin to cover other types of machines and equipment, such as those used in transportation management.

Infrastructure Consolidation – This is very disjointed today. It is expected that the different pieces, like mobile computing, social computing and cloud computing, will merge to form a new infrastructure paradigm.


GUIDELINES FOR IG FOR MOBILE DEVICES

Smartphone and Tablets

Encrypt Communications and Storage

Password protections

Timeout – self locking after being idle for a period of time

Updates – Keep patches and updates current

Protect from hacking – Make sure the device is not jailbroken or rooted

Manage – Operated in a managed environment


Some of the guidelines for assisting in the IG for mobile devices are relatively easy to implement. It is just a matter of awareness and forethought. For smartphones and tablets, they are the items on the slide: encrypt communications and storage, use password protection, set a timeout so the device locks itself after being idle for a period of time, keep patches and updates current, make sure the device is not jailbroken or rooted, and operate it in a managed environment.
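The smartphone and tablet guidelines above can be turned into an automated compliance check of the kind an MDM console runs against its device inventory. The following is an added example, not from the slides or the textbook; the record field names, the two thresholds and the allow/remediate/block mapping are assumptions made for illustration.

```python
from datetime import date

# Thresholds are assumptions for this example; the slides give no numbers.
MAX_IDLE_LOCK_SECONDS = 300
MAX_PATCH_AGE_DAYS = 60

def failed_guidelines(dev, today):
    """Return the guidelines a device record fails. Missing fields fail closed."""
    patch = dev.get("last_patch")            # ISO date string, or absent
    age = (today - date.fromisoformat(patch)).days if patch else None
    idle = dev.get("idle_lock_seconds")      # 0 or absent means no auto-lock
    checks = [
        ("encrypt", dev.get("storage_encrypted") is True),
        ("password", dev.get("passcode_set") is True),
        ("timeout", bool(idle) and idle <= MAX_IDLE_LOCK_SECONDS),
        ("updates", age is not None and 0 <= age <= MAX_PATCH_AGE_DAYS),
        ("not_rooted", dev.get("rooted_or_jailbroken") is False),
        ("managed", dev.get("mdm_enrolled") is True),
    ]
    return [name for name, ok in checks if not ok]

def access_decision(dev, today):
    """Assumed mapping: clean -> allow; unencrypted, rooted or unmanaged -> block."""
    failed = failed_guidelines(dev, today)
    if not failed:
        return "allow"
    if {"encrypt", "not_rooted", "managed"} & set(failed):
        return "block"
    return "remediate"  # e.g. stale patches or no auto-lock: fixable by the user

# Constructed inventory records (hypothetical field names, not a real MDM export).
TODAY = date(2024, 6, 1)
INVENTORY = [
    {"name": "phone-01", "storage_encrypted": True, "passcode_set": True,
     "idle_lock_seconds": 120, "last_patch": "2024-05-20",
     "rooted_or_jailbroken": False, "mdm_enrolled": True},
    {"name": "tablet-02", "storage_encrypted": True, "passcode_set": True,
     "idle_lock_seconds": 0, "last_patch": "2024-01-10",
     "rooted_or_jailbroken": False, "mdm_enrolled": True},
    # Unenrolled BYOD device that reports almost nothing about itself.
    {"name": "byod-03", "passcode_set": True, "idle_lock_seconds": 60},
]

def report(inventory=INVENTORY, today=TODAY):
    """Map device name -> (decision, failed guidelines)."""
    return {d["name"]: (access_decision(d, today), failed_guidelines(d, today))
            for d in inventory}

if __name__ == "__main__":
    for name, (decision, failed) in report().items():
        print(f"{name}: {decision} {failed}")
```

Treating an unreported attribute as a failure matters most in a BYOD environment, where a device that has never enrolled would otherwise look compliant simply because nothing is known about it.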


GUIDELINES FOR IG FOR MOBILE DEVICES … Continued

For Portable Storage Devices:

Create User Names

Create Passwords

Utilize Encryption

Use additional levels of authentication

Use Biometric Identification


Some of the guidelines for assisting in the IG for mobile devices are relatively easy to implement. It is just a matter of awareness and forethought. These include such things as:

For Portable Storage Devices – Create user names and passwords to protect the device from unauthorized access, utilize encryption to protect the data, use additional levels of authentication and management, and use biometric identification.


GUIDELINES FOR IG FOR MOBILE DEVICES

For Laptops, Netbooks, Tablets, and Portable Computers

Password protection in the form of user names and passwords

Timeout

Encrypt

Secure physically


Some of the guidelines for assisting in the IG for mobile devices are relatively easy to implement. It is just a matter of awareness and forethought. These include such things as:

For Laptops, Netbooks, Tablets and Portable Computers:

Password protect – Create a user name and password

Timeouts – After a period of time the machine will time out and require the user to reenter the password

Encrypt

Physical Security – Physical locks


MOBILE APPLICATIONS

Examples:

Mobile e-commerce

Mobile banking

Increases security risks

Make sure the data is secure

Make sure the mobile app is secure


Mobile applications themselves are sources of security threats. This includes such things as mobile banking apps and mobile e-commerce, for example. So while you may take measures to secure your mobile data, people are too frequently forgetting to secure their mobile apps.


BEST PRACTICES TO SECURE MOBILE APPS

Use seasoned app developers who are trained in secure coding and who use a secure software development life cycle

Use enhanced authentication methods

Require employees to reenter credentials after a period of time

Use an information security expert to assess security around the mobile application server

Encrypt sensitive data

Use a security expert to test the security of the mobile app before deploying it in your organization


While this is a new and emerging area of best practices for mobile apps, some have been identified as follows:

Make sure to use seasoned app developers who have secure-code training and who use a secure software development life cycle (SDLC).

Use enhanced authentication methods available for the industry or type of app.

Make sure the user is required to re-enter his or her credentials after a period of time.

Hire an information security expert to assess the security of the mobile app server.

Encrypt sensitive data.

Hire a security expert to test the security of a mobile application before you implement it company-wide.


BEST PRACTICES FOR DEVELOPING A MOBILE DEVICE POLICY FOR THE ORGANIZATION

Form a cross-functional mobility strategy team

Clarify goals for your mobile strategy – that is, start with a discussion of the big picture. Look at your mobile device business needs.

Drill down into policy requirement details – Talk to people in peer organizations who have a policy in place to really get an in-depth feel for what kind of policy you want to have. Then begin with the basics.

Budget and control expenses. Think about whether your company will purchase all the devices and pay the monthly bills. If so, what cost controls will you need to put into place?

Consider the legal aspects and the liability issues related to mobile devices in the hands of your employees. Where could your employees run into trouble using their own devices instead of yours? Think about your policy for wiping devices clean and whether that will run afoul of the law.

Weigh device and data security issues. Is it worth having the mobile device? Will they create such a great risk of security breaches that you want to chance using them?

Develop your communications and training plan.

Update and fine-tune – that is, evaluate the plan. See where you have left loopholes open. See where you have made missteps. Continuously evaluate your plan and tweak it where there are issues or where you have been shortsighted.


So how do you go about developing the mobile device policy for your organization? How do you even start? Begin by getting input and representation from the stakeholders. Best practices are, of course, also just evolving and being developed in this area, but there are a few that are recommended regardless of your industry. They are the steps listed on the slide above.


The End
