
How to Keep Data, Devices Secure When Mobile Is the Norm

When "work" can happen in any place, security breaches can happen any time and any way.

The "mobile" qualifier for the way people work is almost unnecessary these days. What don't we do using mobile technology? Of course, this means that the mobile threat landscape gets bigger every day, requiring organizations and individual users alike to consider how they are securing everything from the paper they throw away to the enterprise app they access through their iPhone or Android device.

There is an undercurrent in business intelligence that watches the competition carefully. Trade secrets, new unannounced models and initiatives have a way of leaking to the press, the competition, even new employees. While data loss prevention (DLP) is an evolved science, DLP generally covers internally guarded assets.

Mobile device management (MDM) software and cloud access security brokers (CASB) are two methods of providing asset control, tracking breadcrumb trails as users manage real life in a highly mobile world.

While the stuff of spy thrillers and storied political subterfuge, some of the techniques offered by imaginative writers and journalists make sense when trying to keep ahead of nosy competition. If information is a strong asset, protecting that information is a best practice that should be woven into organizational DNA.

The Physical

Paper trails are huge. Despite much progress in collaborative software, meetings, proceedings and memos are often still printed. People write notes on them, and dumpster divers make money on the unshredded results.

Indeed, as mobile personnel may carry very sensitive information in printed form, finding a shredding device is important. I recently watched an executive-type deposit two thick file folders of papers into the trash at an airport coffee stand. Three minutes later, someone who was watching reached into the can and started thumbing through the papers.

Wi-Fi Worries

Many MDM apps also have built-in VPN software that allows an organization to specify network routing--which they've hopefully secured. This choice is important: Airports are known cesspools of Wi-Fi activity, including fake APs and worse. Users should know which of many ostensibly free Wi-Fi access points are the real thing. Even on Boingo and other subscription-based networks, security is not ensured.

International airports and airport vendors may offer Wi-Fi for a purchase or a free one-hour logon, given credentials. Because of the distance from a home-country connection, VPNs may inject considerable delays because of their long data paths. These Wi-Fi access points may also be heavily oversubscribed, leading to even more delays.

Some domestic carriers offer international data access for only a nominal increase in cost, allowing phones to be tethered to notebooks. Even phone-carrier Wi-Fi tethering doesn't eliminate the need for VPNs, although carrier tethering can be much faster than international airport or airport vendor Wi-Fi.

Hotel networks can be equally problematic. Top hotel chains often offer dramatic speed increases, but the use of a VPN is also mandatory because of unknown trust in hotel infrastructure. One colleague of mine carries a passport, YubiKey, and credit card in a Mu-metal container around her neck. She's been the victim of purse thieves. Her VPN authenticates through WebAuthn and her YubiKey. She leaves herself no excuses.
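The point about knowing which free access points are real can be turned into a simple client-side check. The following is an added example, not code from the original article: it takes a scan result (constructed inline here; in practice it would come from the OS's Wi-Fi scan output) and compares it with an allow-list of SSIDs and their known BSSIDs that the organization has verified. It flags an access point whose SSID is trusted but whose BSSID is not on the list, a lookalike SSID that imitates a trusted name, and anything else as unknown. The allow-list, the scan data, and the similarity threshold are all assumptions for the demonstration.

```python
# Added example: classify Wi-Fi access points from a scan against an allow-list.
# All data below is constructed for the demonstration.
from dataclasses import dataclass
import difflib


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str  # "open", "wpa2", "wpa3" (as reported by the scan)


# Constructed allow-list: SSIDs the organization has verified, with the
# BSSIDs (radio MAC addresses) they are known to broadcast from.
KNOWN_GOOD = {
    "Airport_Free_WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan sample, as a scanning tool might report it.
SCAN = [
    AccessPoint("Airport_Free_WiFi", "aa:bb:cc:00:00:01", "open"),  # on the list
    AccessPoint("Airport_Free_WiFi", "de:ad:be:ef:00:01", "open"),  # trusted name, unknown radio
    AccessPoint("Airport-Free-WiFi", "de:ad:be:ef:00:02", "open"),  # lookalike name
    AccessPoint("CorpGuest", "11:22:33:44:55:66", "wpa2"),          # simply not on the list
]


def lookalike(ssid, known, threshold=0.8):
    """Return the known SSID this one imitates, or None.

    Uses a string-similarity ratio so that punctuation swaps and case
    changes in an otherwise familiar name are caught. The threshold is an
    assumption; tune it against the names your users actually see.
    """
    for k in known:
        if ssid == k:
            continue
        ratio = difflib.SequenceMatcher(None, ssid.lower(), k.lower()).ratio()
        if ratio >= threshold:
            return k
    return None


def assess(scan, known_good):
    """Return (ssid, bssid, verdict) for each AP in the scan.

    Verdicts: "trusted", "unknown-bssid" (a trusted name from an
    unrecognized radio), "lookalike-of:<name>", or "unknown".
    """
    findings = []
    for ap in scan:
        if ap.ssid in known_good:
            if ap.bssid in known_good[ap.ssid]:
                verdict = "trusted"
            else:
                verdict = "unknown-bssid"
        else:
            imitated = lookalike(ap.ssid, known_good)
            verdict = f"lookalike-of:{imitated}" if imitated else "unknown"
        findings.append((ap.ssid, ap.bssid, verdict))
    return findings


if __name__ == "__main__":
    for ssid, bssid, verdict in assess(SCAN, KNOWN_GOOD):
        print(f"{ssid:20} {bssid:18} {verdict}")
```

Only the "trusted" verdict should be treated as a green light; everything else is a reason to stay on carrier tethering and the VPN. The BSSID check is what distinguishes a genuine airport network from an access point that merely copies its name, so the allow-list has to record BSSIDs, not just SSIDs.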

Remote Wipers

Pickpockets frequent airports and other crowded areas teeming with electronic devices.

Most MDM software has the capacity to perform remote system wipes. Although tedious, it's not a bad idea to try a sample on platforms supported by an organization to see how the process works. Some machines permit booting from media in a specific order. Should a thief be bright enough to have a flash drive with Linux or BSD on it, and boot from USB (or DVD/CD in older machines), then disk-resident wipe software is easily, even laughably, thwarted. If hardware was stolen for fast resale, it's unlikely to be checked in this way, and a remote wipe will serve its purpose. Other thieves are looking for data assets to steal.

Smartphones are different in this regard, and are most often sold for fast resale. Apple phones are much tougher to steal and resell, thanks to Apple’s theft prevention/logon prevention procedures. These are only effective, however, when implemented correctly by users.

Recent versions of Android phones may have very good security, device location and barriers to hacking. Unfortunately, there is no cohesive marking that connotes a minimum set of standard features that ITSec organizations can enable for their fleets. Tracking is available via MDM--until a phone is wiped, if it can be.

Remote Replacements

Remote phone replacements may work locally, and at the costs associated with a local phone account if you can indeed get one. Traveler’s accounts may require a passport and could be hideously expensive, depending on the locale. Try to replace with an international phone, or one that is SIM unlocked, so that subsequent account reinstatement can use the replaced phone in an unlocked state.

Additional replacement phone problems often amount to access control lists, meaning that if the user’s phone number changes, or the certificates in the phone are incorrect, re-enabling even basic online services like Google accounts can be very difficult. VPNs may reject access. MDM software will be absent until it can be verified, then downloaded, then installed, along with all of the policy controls that MDM software adds to the specific phone. Until a home locale SIM can be installed, many accessibility issues may arise.

Laptop payloads are often quite different when IT security personnel install them remotely for a remote user. Much depends on how the MDM/MAM management software is installed, and how much specific configuration is needed to gain minimal access, do partial restoration, or bring at least some efficiency to a worker whose machine has been replaced remotely after a loss. The costs of shipping data internationally can be high. Dropbox, Box, iCloud, OneDrive and other online shareable repositories can help users become productive in a pinch by restoring the basics.

Remote restoration can still be tedious and expand the threat surface. Restoration states vary, and beg to be tested to determine what's practical and what isn't. Procedures will be different for Windows 10, Apple Mac and the increasing number of Linux systems. None of it will be painless.

Backup before travel to an accessible and secure data store is always the best policy. Carrying the backup with you is ill-advised, as it often disappears at the same time the device is lost.
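"Restoration states vary, and beg to be tested" is easy to say and rarely done. The following added example (not code from the original article) shows the minimum a pre-travel backup should carry to make that test possible: an archive plus a manifest of SHA-256 hashes, and a restore routine that verifies every restored file against the manifest and reports anything missing or altered. It runs entirely in a temporary directory with constructed sample files; the file names, archive name and manifest naming convention are assumptions for the demonstration, and where the archive is stored (the "accessible and secure data store") is left to the reader.

```python
# Added example: back up a folder with a SHA-256 manifest, restore it, and
# verify the restore. Sample files and paths are constructed for the demo.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    """Manifest sits beside the archive (naming convention is an assumption)."""
    return archive.parent / (archive.name + ".manifest.json")


def backup(root: Path, archive: Path) -> dict:
    """Write a gzip'd tar of every file under root plus a JSON manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(archive: Path, dest: Path) -> list:
    """Return the relative paths under dest that are missing or whose
    hash differs from the manifest written at backup time."""
    manifest = json.loads(manifest_path(archive).read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]


def restore_and_verify(archive: Path, dest: Path) -> list:
    """Extract the archive into dest and verify the result; returns problems."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths and path traversal in
            # member names; it exists on Python 3.12+ and recent 3.8-3.11 patch releases.
            tar.extractall(dest, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest)
    return verify(archive, dest)


def demo() -> tuple:
    """Back up two constructed files, restore twice, and damage one restore.

    Returns (file count, problems in the clean restore, problems in the
    damaged restore) so the outcome can be checked without reading output.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "work"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "meeting.txt").write_text("constructed sample: agenda\n")
        (src / "budget.csv").write_text("item,cost\nlaptop,1200\n")

        archive = tmp / "work-backup.tar.gz"
        manifest = backup(src, archive)

        clean_problems = restore_and_verify(archive, tmp / "restore-1")

        damaged = tmp / "restore-2"
        restore_and_verify(archive, damaged)
        # Simulate a corrupted restore: one file comes back with different content.
        (damaged / "budget.csv").write_text("item,cost\nlaptop,1\n")
        damaged_problems = verify(archive, damaged)

        return len(manifest), clean_problems, damaged_problems


if __name__ == "__main__":
    count, clean, bad = demo()
    print(f"{count} files backed up; clean restore problems: {clean}; damaged restore problems: {bad}")
```

Run the restore on a machine other than the one that was backed up, since that is the situation a lost or stolen laptop puts you in. The manifest should travel with the archive in the remote store, never on the device, for the same reason the article gives against carrying the backup itself.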

With so many people working wherever they happen to be--whether that's traveling for business or catching up on the soccer field--it's critical for organizations to have plans in place around duplicate asset stores, print material disposal, backup plans for identification loss, and procedures for remote security and asset restoration.
