Recently we got a call from a client, they had an employee who’s laptop was stolen. According to a recent study there is a laptop stolen every 50 seconds. That is a pretty alarming statistic, but what does that really mean to you or your business? Just think about all of the things that are on your computer.
- In most cases a copy of all your emails.
- Do you use the save password feature in your web browser?
- When was the last time you cleared your browser cache and history?
- What documents are on your computer and what type of data do they contain?
The list can go on. Before you say “But I have a password on my computer!” there is one more important piece of information you should consider! In a few minutes more than it takes to download a small compressed CD image and burn it, hackers can unlock the Administrator password on almost any Windows laptop. Once they have administrative access to the computer, they can get at anything. There are even a host of applications that will pull the saved usernames and passwords out of web browsers. Applications that can, in mere seconds, provide them with the password to Office documents.
To expand upon the problem, people are using their tablets and smart phones to access corporate data. The question then becomes how does one incorporate all of these devices their your network infrastructure while maintaining the integrity and security of the network infrastructure. To do this you must do the following three things:
- Define your IT requirements
- Define your legal requirements
- Implement some type of mobile management software
1. Define your IT requirements
To begin, you must select the types of devices and operating systems that you are willing (and able) to support. It is not possible to standardize management for mobile devices since each operating system and even the hardware itself can impact IT capabilities. For your Mobile Device Policy, here are baseline criteria to use for assessing operating systems and device types:
Based on these criteria, you should be able to define the list of form factors and operating systems you will support.
Next, you must create an environment that will support employee-owned devices during the enrollment process. The simplest solution is to set up a guest wireless network that is separated from the internal network. This can serve as the enrollment network for employee-owned devices. Once enrolled, your MDM solution should automatically evaluate and assign privileges and restrictions based upon the policies you’ve created.
Basic privileges include access to company email, company Wi-Fi, and VPN configurations. These privileges should be tied to a policy that defines the security requirements of the company. Devices that do not comply with the security policy should be blocked. For instance: devices that are jailbroken, rooted or have blacklisted apps installed.
Provisioning access through your MDM solution benefits the organization and the employee:
- Employees receive access immediately
- IT doesn’t need to manually provision devices
- Wi-Fi passwords are not shared with employees
- Remediation of future violations will be automatic since access is tied to the security policy
The final component for IT readiness relates to management policies and restrictions to employee-owned devices. This is broken down into three basic considerations:
- Policy-based management: Employee information is already organized within directory systems such as Active Directory or Open Directory, including departments, geographies, and job titles. Save yourself a lot of time and base your device policies on these groupings.
- Security: Create a baseline security policy that enables automatic remediation when devices fall out of compliance. Other criteria should be identified and implemented including company passwords and app blacklists.
- Document Management:Unless you provide employees with a means to securely access corporate documents, they will invent their own. The best practice is to provide a centrally administered document repository that manages file availability by policy, while allowing IT to delete files as necessary. This is the best model to secure company data while respecting device ownership and user experience.
2. Define your legal requirements
Mobile Device Policy
This is a comprehensive document that should incorporate the specific requirements of your organization, based upon guidance provided by various internal stakeholders including general legal counsel, IT, Human Resources, employees and others.
Each policy is unique but generally should address some or all of these aspects:
- Defines accountability and responsibilities
- Defines process for policy violation including consequences
- Focuses on a set of standards without including details such as device type and operating system
- Sets expectation that standards will be updated periodically
Users & Funding
- Defines how devices will be used by employees
- Defines how security requirements will be communicated to employees
- Whether a technology stipend program is needed and if so, who will pay
- If required, defines the reimbursement process for recurring costs to employees
- Includes support for contractors using their own devices on the corporate network
- Whether regional or country data privacy laws will restrict security measures available to IT and consents required
- Rights to audit and monitor activity on personally owned devices and any limitations based on local laws and regulations
- The ability to distinguish liabilities between users and the organization for usage of features, licenses, apps, etc.
- Consent for the company to access the device for business purposes
- Includes how to remove devices from the population and how sensitive data and company property are removed
- Obligations for employee to report loss of device and employer’s right to wipe it
- Details of control over corporate information stored on employee-owned devices
- HR policies that can govern the use of personally owned devices for personal use during work and non-work hours or in a work or non-work environment
3. Implement some type of mobile management software
Now that you have all of the internal requirements identified and in order, you need to select the appropriate software application that will allow you to properly manage and secure corporate- and employee-owned mobile devices.
Similar to the criteria you applied while assessing the different types of operating systems and form factors, you need to ensure the solution you select is able to deliver some baseline and supplementary capabilities: