Updated: January 17, 2006
Understanding the Security Challenges of Mobile Devices: The Checklist
Ensuring security for the mobile devices in your organization is just as important as ensuring security on your desktop computers--maybe even more important.
Use this checklist to step through five key tasks that will help you make sure the mobile devices in your organization are as secure as they can possibly be.
1. Perform a security audit
First, identify all critical resources on your network, who has access to this data, and how they use it. You may decide to allow certain people access to e-mail from their mobile devices, but not access to your customer database. Next, determine the risks associated with unauthorized exposure of this data and develop a security strategy.
For example, you may decide that it is an unacceptable risk to allow the storage of corporate usernames and passwords on a mobile device; one solution is to require that mobile devices authenticate with PKI certificates.
Tools like the Security Risk Management Guide on the TechNet Security Center offer insights about how to develop this important plan.
Microsoft also offers a free Security Risk Self-Assessment Tool to help you evaluate your organization’s security practices and identify areas for improvement.
As with other corporate assets, you may find that people are using mobile devices that will not support your security policies. If the potential risks of these devices exceed the replacement costs prior to their planned end-of-life, then you should invest in new devices.
2. Publish written policies for mobile devices used by employees, vendors, contractors
For example:
• Get feedback from your security team and end-users to make sure your policies meet your security requirements while still keeping the end-users’ needs in mind. If an end-user chooses to connect a personally owned device to the corporate network, she must comply with the corporate security policy.
• Educate end-users about how to comply with your policies and why those policies are in place. For example, your policy may require that certain sensitive e-mails be digitally signed and/or encrypted with industry-standard S/MIME.
• Choose passwords that are appropriate for the device. If a company needs greater security, it may want to consider a mobile device with a small QWERTY keyboard, or a standard keyboard, so that strong passwords are practical to type; or it may want to consider devices with an add-on or integrated biometric authenticator.
• Have a policy for lost or stolen devices. If a device is lost or stolen:
  • Notify corporate security and have them issue an automatic data wipe command for the device. The Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0 works with Microsoft Exchange Server 2003 SP2 to support security features such as the automatic wipe command. Exchange Server 2003 SP2 is available for download from Microsoft.
  • In addition, notify the mobile operator and have the service turned off.
  • Finally, notify the appropriate police authority so the device can be returned if it is found.
3. Secure your network, then secure your mobile devices
To secure your network, make sure you are using the latest versions of Exchange, Active Directory, Windows, Outlook, and Windows Mobile. The newer versions have better security enhancements. As always, we strongly encourage you to install Windows XP Service Pack 2 and upgrade your servers to Windows Server 2003 R2.
• Contact your mobile operator or device manufacturer about obtaining the MSFP for Windows Mobile 5.0. MSFP includes direct push technology, which helps business users keep their Outlook Mobile information current by delivering e-mail, calendar, contact, and task updates quickly and directly to a Windows Mobile-based device from Exchange Server 2003, without requiring businesses to pay for additional and costly servers and middleware. MSFP also enables IT administrators to support users sending and receiving S/MIME digitally signed and/or encrypted e-mail directly from their Windows Mobile devices.
• As the threat of mobile malware increases, your security policies may include a requirement for antivirus, firewall, or related security solutions on your mobile devices. Such solutions are available from Microsoft partners including Symantec, McAfee, F-Secure, Credant, Bluefire Security, and RSA Security.
• As with laptops and tablet PCs, we discourage dual-homing for mobile devices. Mobile devices with 802.11 wireless LAN support that can connect to the corporate wireless LAN should not be allowed to simultaneously connect to a mobile operator WAN network such as GPRS or EVDO.
4. Enforce the solution with centralized IT policy
Exchange Server 2003 Service Pack 2 combined with the Windows Mobile 5.0 MSFP allows the administrator to require that all users who wish to synchronize their personal information management (PIM) data subscribe to a central IT policy. If the benefits of allowing devices that do not support the central IT policy outweigh the risks, the MSFP solution can still allow those non-compliant devices to access the network.
For older devices, the solution gives the administrator the flexibility to allow access even though those devices do not support these policies.
5. Monitor and re-evaluate policies regularly
Re-visit your obsolescence schedule for older devices to ensure that you are making replacements as planned. Perform a regular spot-check audit and make sure your initial audit is up-to-date from a usability and security standpoint. If you’re allowing older devices to connect, review whether you are keeping to a schedule of when these devices will be replaced. From a usability standpoint, make sure help-desk and user-training costs are in line with your budget.
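The decisions described in steps 3, 4 and 5 (deny dual-homed devices, require the central IT policy, admit legacy devices only while they remain on the obsolescence schedule) can be run as a single audit over a device inventory. The script below is an added example and is not Microsoft's or Exchange's own tooling; the inventory, the interface names, and the policy thresholds are constructed for illustration, and the `supports_central_policy` flag stands in for whatever capability report your synchronization server actually provides.

```python
"""Fleet compliance audit for the mobile-device checklist (added example, not
Exchange/MSFP code). Each device is checked against the policy themes of
steps 3-5 and given a decision with the findings that led to it."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    supports_central_policy: bool      # assumption: reported by the sync server (MSFP-capable)
    password_min_length: int           # minimum length the device itself enforces (0 = none)
    active_interfaces: Tuple[str, ...] # interfaces currently up, constructed names
    replace_by: Optional[date] = None  # entry in the obsolescence schedule, if any


@dataclass(frozen=True)
class Policy:
    min_password_length: int = 8
    allow_legacy_devices: bool = True  # step 4: admit devices that cannot take the central policy
    wlan_interfaces: frozenset = frozenset({"wlan"})
    wan_interfaces: frozenset = frozenset({"gprs", "evdo"})


@dataclass
class Verdict:
    device_id: str
    decision: str                      # "allow", "allow-legacy" or "deny"
    blocking: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def evaluate(device: Device, policy: Policy, today: date) -> Verdict:
    """Apply the checklist rules to one device and return a verdict."""
    v = Verdict(device.device_id, "allow")
    active = set(device.active_interfaces)

    # Step 3: corporate WLAN and operator WAN must not be up at the same time.
    if active & policy.wlan_interfaces and active & policy.wan_interfaces:
        v.blocking.append("dual-homed: corporate WLAN and operator WAN active simultaneously")

    if device.supports_central_policy:
        # Step 4: a policy-capable device must honour the password rule.
        if device.password_min_length < policy.min_password_length:
            v.blocking.append(
                f"device password minimum {device.password_min_length} is below "
                f"policy minimum {policy.min_password_length}")
    else:
        # Steps 4 and 5: legacy devices are admitted only as a scheduled exception.
        if not policy.allow_legacy_devices:
            v.blocking.append("does not support the central IT policy and legacy access is disabled")
        elif device.replace_by is None:
            v.blocking.append("legacy device has no entry in the obsolescence schedule")
        elif device.replace_by < today:
            v.blocking.append(
                f"legacy device is past its scheduled replacement date {device.replace_by.isoformat()}")
        else:
            v.warnings.append(
                f"legacy device: password policy cannot be enforced centrally; "
                f"replacement due {device.replace_by.isoformat()}")

    if v.blocking:
        v.decision = "deny"
    elif not device.supports_central_policy:
        v.decision = "allow-legacy"
    return v


def audit(devices: Tuple[Device, ...], policy: Policy, today: date) -> Dict[str, Verdict]:
    """Evaluate every device in the inventory, keyed by device id."""
    return {d.device_id: evaluate(d, policy, today) for d in devices}


# Constructed inventory: ids, owners and interface names are illustrative only.
SAMPLE_INVENTORY: Tuple[Device, ...] = (
    Device("WM5-0001", "alice", True, 8, ("wlan",)),
    Device("WM5-0002", "bob", True, 4, ("gprs",)),
    Device("WM5-0003", "carol", True, 8, ("wlan", "evdo")),
    Device("PPC2003-0004", "dave", False, 4, ("gprs",), replace_by=date(2006, 6, 30)),
    Device("PPC2003-0005", "erin", False, 4, ("gprs",), replace_by=date(2005, 12, 31)),
    Device("PPC2003-0006", "frank", False, 0, ("gprs",)),
)
AUDIT_DATE = date(2006, 1, 17)  # the date this audit is run, constructed


if __name__ == "__main__":
    for dev_id, verdict in audit(SAMPLE_INVENTORY, Policy(), AUDIT_DATE).items():
        print(f"{dev_id:14} {verdict.decision:12}", "; ".join(verdict.blocking + verdict.warnings))
```

Run as a script it prints one line per device; the `warnings` list is what a help desk would follow up on (step 5), while `blocking` findings are what the synchronization gateway should act on immediately. Switching `Policy(allow_legacy_devices=False)` models the stricter stance where no device that cannot take the central policy is admitted at all.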