By Tanu Sood-Oracle on Jan 24, 2013
This blog is the fourth in a series of blogs regarding Mobile Security, and focuses on strategies for mobile security deployment.
Mobility poses challenging risks and existing security, IT support resources and infrastructure typically cannot be extended to cover mobile devices and applications without significant investment in developing new skills, technical capabilities, operational processes and deployment of a mobility infrastructure. Existing operational processes may not be efficiently designed or mobile-ready which may hinder expected productivity.
After gaining an understanding of the specific risks that affect your business, the next step is identifying and defining your approach to a mobile security solution deployment. When identifying the right approach, it is important to understand your specific use cases and incorporate your primary business drivers and objectives.
Strategic Choices: After identifying the desired approach to meet your overall mobile security objectives, a critical next step is to address a few critical strategic choices and/or decisions that your organization should consider. This, in turn, will likely impact how your organization executes on the chosen approach and also the development of the overall mobile security strategy. In an earlier blog in this series, we’ve discussed the challenges an enterprise may face regarding the bring-your-own vs. enterprise provided device decision. Other decisions facing organizations regarding their mobile security strategy include:
- Manage mobile security in-house vs. outsourcing: Organizations should balance the bandwidth and mobile security experience required to viably manage their own mobile security against the reduced control and flexibility they may have by partnering with a third party provider
- Simplify application development and distribution: Consider establishing a mobility-aware enterprise architecture and application design framework. Use cross-platform software development kits that support multiple mobile operating systems and support disconnected and loosely connected local applications, browser-based applications that decouple the application from the mobile operating system, and virtual desktop solutions that reduce the need for a local client where appropriate
- Reduce device support: Implement centralized device management (commonly referred to as “Mobile Device Management” or MDM) by installing an agent on the device or by registering the device with a central management application so you can monitor it for health status and configuration settings, and push applications, configuration settings, and software patches as necessary. Adopt a cross-platform solution to support the broadest array of devices from a single management console
- Full vs. restricted data access: There is a continuum of choices to be considered when determining what type of data and applications mobile devices should have access to. The more critical the data accessed, the higher the potential risks and the more stringent the security measures need to be to mitigate that risk. The drive to enhance the productivity of mobile workers will likely result in more critical data types being exposed and corresponding security measures to be employed
- Reduce security risk: Develop a tightly coordinated suite of technical and policy-based solutions and consistently applied processes for device and network access controls, local and remote data wipe, device configuration, data encryption, patching and updating, authentication, device partitioning, security and appropriate use monitoring, and the like. Establish a private enterprise application store so employees can have a single trusted place to download the latest mobile applications. Partitioning is a particularly important aspect of BYOD as it allows a clean separation of personal and business applications and data. This in turn makes it possible to lock down and manage business applications and data without affecting personal assets running on the device
- Managing user compliance: To reduce business risk and legal liability, consider developing user agreements and providing training so users understand mobile security risks, their responsibilities, acceptable use policies, prerequisites for connecting any device to the network, inappropriate use, and more. Implement processes for notifying users when they are out of compliance and explain why they are out of compliance, along with the steps they should take to become compliant. For global operations, tailor user agreements and supporting practices by country to comply with local regulatory requirements
Tips for Securing a Mobile Environment: There are many aspects to consider in order to provide a secure mobile environment. The following are tips to consider when deploying (or gaining secure control of) an enterprise mobile environment:
- Consider the installation of a network access control system (NAC) to confirm that the enterprise network is prepared to work with and adequately secure mobile device access
- Check to see if the enterprise physical locations have a strong wireless infrastructure so that mobile devices are as effective in the office as on the road, without incurring the expense associated with 3rd Generation (3G) / 4th Generation (4G) cellular access. 3G and 4G are standards for mobile communication and these standards specify how the airwaves must be used for transmitting information (voice and data)
- Automate the distribution of anti-virus updates and OS security patches
- If deploying enterprise owned devices, there are several processes that should be considered to effectively manage the physical devices, including:
o Asset management, inventory control and physical security
o Device refresh procedures (mobile devices have a short shelf life and are probably obsolete within two years)
o Lost device wiping and replenishment
o Damaged device replenishment (and data recovery)
Mobile Security Framework: The implementation and deployment of a mobile security strategy should be approached broadly as there are several areas of the enterprise impacted both from a business and IT standpoint. As mentioned in the first blog in the series, having an understanding of the components comprising the mobile ecosystem, its inter-dependencies, the various organizational risks, the underlying mobile security objectives/approach and strategic choices is critical in the development of an effective, requirements driven strategy.
- Coordinate with IT, Legal, HR and other business owners to define the current business model, future objectives, leading to a publication of a mobility vision and strategy. Develop a mobile security policy framework and initial operational procedures.
- Gather business, functional and technical mobility requirements, followed by security requirements in support of the others. Conduct a gap analysis to identify a prioritized set of people, process and technology recommendations.
Architect and design:
- Define and construct the mobile security operations framework, including hardware, software, services, business processes and HR requirements. Define an ongoing oversight and management review process.
- Define supporting technologies such as mobile OS security baselines and secure mobile application development procedures. Develop an implementation roadmap and project plan.
Technology Acquisition and Deployment:
- Perform make vs. buy analysis for important decision points. Identify resource requirements and skill sets and embark on training/acquiring the necessary resources.
- Engage with procurement team to define and acquire the services required to support the mobile security environment.
- Perform the analysis of current mobile device vendors to determine what OS platforms, carriers and devices meet the requirements of the business.
- Follow normal IT protocols for piloting, testing and user acceptance. Conduct a mobile device, application and operations security assessment.
- A detailed communication strategy should precede and accompany full deployment.
- Rinse and repeat! The mobile landscape is ever evolving and new requirements, use cases, platforms and devices require proactive and periodic updates to the enterprise mobile security strategy. Initiate a broad process to stay abreast of the ever changing mobile environment and an update/patch process to keep the network safe.
Conclusion: Enterprise mobility is redefining long-standing rules for end-user support, device management, acceptable use, risk management and data protection. As a result, mobility is creating significant new challenges for enterprise IT departments. With the proliferation of mobile devices, rising expectations of end users and the velocity with which uninvited devices are entering the network, these challenges simply should not be ignored. CIOs should seize the initiative and start to align business strategy and needs, IT capabilities and user expectations. By doing so, the enterprise may be able to cost-effectively and securely satisfy end users, streamline and reduce IT support costs, and ideally position the enterprise to embrace and reap the rewards of increasingly sophisticated mobile devices and mobile applications. Conversely, failure to act may lead to the IT organization being perceived as “tone deaf” by end users (including executive management) and may significantly increase the security, privacy and regulatory risks to your organization.
We welcome your thought and feedback on this blog. What challenges has your organization faced in deploying a mobile security strategy? What best known practices has your organization adopted to meet these challenges?
Previous posts in the series:
Laura Hars is a Manager in Deloitte & Touche LLP’s Identity and Access Management (IAM) practice. Laura is a specialist in the following capabilities: IAM, IT Risk Management, IT Compliance Management, Security Architecture Design, Program Management, Data Loss Prevention, Systems Engineering, and delivering customized IAM designs for programs. Laura has a rich background in security engineering with over 10 years of experience. Most recently, Laura is focused on requirements and architecture designs for mobile architecture platforms.
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited