Smartphones now combine network connectivity, ample storage and capable processors. Some enter your network in the hands of authorized corporate users; others are brought in by employees who bought them themselves.
The following are some of the security considerations for smartphones in an enterprise:
- Have a proper enterprise security policy in place for smartphones, one that can be applied and enforced for everyone.
- Education and training are important for awareness of such policies.
- Security policies and standards should be enforced in such a way that use of the device remains seamless to the user. While strong storage encryption for sensitive information is required, it is also desirable to have easy access to 911 without a password.
- A smartphone used in the corporate world should carry applications on a need-to-have basis. Treat it the same way as a locked-down laptop: each application needs to be justified by a business case.
- Ensure that smartphones cannot access your intranet directly. Put their gateway and supporting applications on a separate network segment.
- Like any other operating system, the smartphone OS needs to be updated regularly with timely patches.
- Communication from an end user to the enterprise network should be encrypted end-to-end, not just from the device to the first receiving terminal. Email, file transfers and IM are some of the channels that may be considered for end-to-end encryption, based of course on the data classification of the information in scope. For highly sensitive communication, use encrypted tunnels such as a VPN; this applies mainly to data streams.
- Sensitive information contained in emails and messages needs to be stored securely on the server as a backup in case the device is stolen or lost.
- Smartphones that resist dictionary attacks on the device access password are better: such devices wipe all data after a set number of failed attempts.
- A smartphone can no longer be considered an out-of-band communication channel, since it may be part of the same network. It cannot be relied on for identity verification for anything involving mobile devices or remote access. A smartphone with a smartcard reader is a viable option for those who need to authenticate using something they possess.
- Ensure that the integrity of data and applications is maintained. A password- or token-based challenge may be ideal for access to the smartphone. Have a synchronization option to back up important and critical information; the backup helps retain such information in case of loss or theft of the device. Try to prevent installation of unwanted and malicious software on the device.
- When disposing of an outdated smartphone, ensure that orphaned sensitive data and logs are completely removed before disposal. Tools are available in the market to ensure residual data is removed. If the device memory can't be erased completely, destroy it in such a way that no information can be recovered from the trash.
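Several of the points above (a device passcode that wipes after a set number of failed attempts, storage encryption, applications on a need-to-have basis, timely OS updates, an encrypted tunnel for sensitive traffic) are exactly what an enterprise mobile-device policy enforces. The following is an added example, not code from the original article or from any MDM vendor: an Android Management API policy document expressing that baseline, a deliberately weak policy beside it, and a small lint that reports where a policy falls short. Field names follow the Android Management API policy schema; the package names, the six-digit minimum and the ten-attempt wipe limit are illustrative assumptions, not values taken from the article.

```python
"""Added example, not code from the original article or from any MDM
vendor: an Android Enterprise device policy that expresses the baseline
above, plus a small lint that flags policies which fall short of it.

Field names follow the Android Management API policy schema
(enterprises.policies). The concrete values (package names, thresholds,
the ten-attempt wipe limit) are illustrative assumptions.
"""

# passwordQuality values the lint accepts as "not trivially guessable".
STRONG_QUALITIES = {"NUMERIC_COMPLEX", "ALPHABETIC", "ALPHANUMERIC",
                    "COMPLEX", "COMPLEXITY_MEDIUM", "COMPLEXITY_HIGH"}

# Hardened policy: device-wide passcode that wipes after 10 failures,
# encryption tied to the passcode, allow-listed apps only, no sideloading,
# automatic OS updates, and an always-on VPN whose lockdown flag blocks
# any traffic that would bypass the tunnel.
HARDENED_POLICY = {
    "passwordPolicies": [{
        "passwordScope": "SCOPE_DEVICE",
        "passwordQuality": "NUMERIC_COMPLEX",
        "passwordMinimumLength": 6,
        "maximumFailedPasswordsForWipe": 10,
    }],
    "encryptionPolicy": "ENABLED_WITH_PASSWORD",
    "playStoreMode": "WHITELIST",
    "applications": [  # package names are assumed, not real products
        {"packageName": "com.example.corp.mail", "installType": "FORCE_INSTALLED"},
        {"packageName": "com.example.corp.vpn", "installType": "FORCE_INSTALLED"},
    ],
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "DISALLOW_INSTALL"},
    "systemUpdate": {"type": "AUTOMATIC"},
    "alwaysOnVpnPackage": {"packageName": "com.example.corp.vpn",
                           "lockdownEnabled": True},
}

# A policy with the usual gaps: short numeric PIN, no wipe threshold
# (0 means "no limit" in the API), open Play Store, sideloading allowed,
# updates postponed, no VPN enforcement.
WEAK_POLICY = {
    "passwordPolicies": [{
        "passwordScope": "SCOPE_DEVICE",
        "passwordQuality": "NUMERIC",
        "passwordMinimumLength": 4,
    }],
    "encryptionPolicy": "ENABLED_WITHOUT_PASSWORD",
    "playStoreMode": "BLACKLIST",
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE"},
    "systemUpdate": {"type": "POSTPONE"},
}


def lint_policy(policy: dict) -> list:
    """Return the ways `policy` falls short of the baseline (empty if compliant)."""
    findings = []

    # Only the device-scope password protects data at rest on the whole device.
    device_pw = [p for p in policy.get("passwordPolicies", [])
                 if p.get("passwordScope", "SCOPE_DEVICE") == "SCOPE_DEVICE"]
    if not device_pw:
        findings.append("password: no device-scope password policy")
    for p in device_pw:
        if p.get("passwordQuality") not in STRONG_QUALITIES:
            findings.append("password: quality %s is too weak" % p.get("passwordQuality"))
        if p.get("passwordMinimumLength", 0) < 6:
            findings.append("password: minimum length below 6")
        # 0 disables the wipe; a very high limit leaves room for guessing.
        wipe = p.get("maximumFailedPasswordsForWipe", 0)
        if not 1 <= wipe <= 10:
            findings.append("password: wipe after failed attempts not set (or above 10)")

    if policy.get("encryptionPolicy") != "ENABLED_WITH_PASSWORD":
        findings.append("encryption: storage encryption not tied to the device password")
    if policy.get("playStoreMode") != "WHITELIST":
        findings.append("apps: Play Store not restricted to an allow list")
    overrides = policy.get("advancedSecurityOverrides", {})
    if overrides.get("untrustedAppsPolicy") != "DISALLOW_INSTALL":
        findings.append("apps: installation from unknown sources not blocked")
    if policy.get("systemUpdate", {}).get("type") not in ("AUTOMATIC", "WINDOWED"):
        findings.append("updates: OS updates not applied automatically")
    vpn = policy.get("alwaysOnVpnPackage", {})
    if not vpn.get("lockdownEnabled"):
        findings.append("network: no always-on VPN with lockdown")
    return findings


if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, "->", lint_policy(pol) or ["compliant"])
```

The lint deliberately treats an absent `maximumFailedPasswordsForWipe` as a failure, because the API default of 0 means no wipe at all; that is the setting the article's "wipe after a certain number of attempts" point depends on. Running the lint against exported policies is a cheap way to catch the gap between a written policy and what the MDM is actually enforcing.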