Establishing a Corporate Smartphone Policy for Security

Establishing a Corporate Smartphone Policy for Security
Page content

A smartphone is a mobile device that allows users to make telephone calls, but also adds in other features that users might find on a personal digital assistant (PDA) or on a computer, such as the ability to send and receive email and edit Office documents. Smartphones have an operating system and software. They are able to access the web; they often have a QWERTY keyboard, and they can send and receive text messages. However, another feature that is important is smartphone security.

Smartphone Vulnerabilities

While the smartphone is moving into PC communications territory, it is moving away from PC security protocols. The main reason is location, or specifically, relocation.

In some ways, mobile phones are like laptops; they can go anywhere. However, laptops have security features. They have firewalls, encryption software, access points for wireless with security features like WEP. If you were to scale it from 1 to 10, with 1 being unsecured, and 10 highly secure, then PC’S are about a 7; laptops about a 5 and mobile phones about a 3.

Anyone determined to hack into a PC, laptop, or mobile phone can do so. That is an unfortunate fact of life. However, PC’s and laptops have many security features enabled to prevent unwanted access. Mobile phones, because they roam around, are going to be exposed from multiple locations.

Smartphone content is open to theft or loss. Some of the common elements of a network are access codes, user names and passwords, and they are often unsecured or set for automatic log-on. Other times, users who break into phones to customize features or carriers may leave themselves open to root password hacks. The very nature of mobile communication leaves the call exposed to random pickups. Once the call is in the air, it is vulnerable.

Smartphone Protection Technologies

Users and businesses would do well to have some security policies in place to minimize the impact of an outsider hooking up and intercepting the calls. Under no circumstances should anyone send confidential communication, like texting, or sending files without encryption. Security SSL VPN should be in place to guarantee the confidentiality of the transmission. Decryption should use DPI SSL.

Clientless SSL VPN (WebVPN) works by allowing limited but secure access to the corporate network from any location. In this way, users can achieve secure browser-based access to corporate resources at any time.

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) technology inspects HTTPS traffic and other SSL-based traffic. If the traffic is encrypted, the SSL traffic is first decrypted transparently, then scanned for threats and re-encrypted before going to its destination. If no threats or vulnerabilities appear, DPI-SSL is a security layer that provides application control, and data leakage prevention.

VoIP How It Works

Firewalls can control the flow of calls going out and coming in to a corporate site. Wireless and VoIP (voice over IP) technologies have their own encryption mechanisms that should be implemented. In the area of VoIP tools and policies should be implemented following the best practices outlined by VOIPSA’s Best Practices Project.

Smartphone Security Policies

There are other security policies that should be in place. Security administrators should scan all smartphone traffic with the use of a firewall; then maximize firewall bandwidth throughput in order to eliminate application latency. Latency can open the door to hack attacks. Security administrators should establish controls over smartphone application traffic. In this case, application control technology should be in place in the network to report how much application usage is occurring on the smartphones.

Keeping That Data Safe

In order to establish a corporate smartphone policy for security, businesses should understand the range of vulnerabilities that a smartphone is open to. By their very nature, smartphones are more prone to information theft, password compromises, hacks, and theft in general. The policy should take into account ways to minimize how unsecured information is transmitted and how to handle the smartphone. A policy of only secure information transmission should be the highest goal of the company.

References