Mobile Device Security



Crafting a mobile device strategy that fits your organization's needs while protecting information assets.

These slides were prepared by Neil Jones, senior systems engineer at Nexxtep Technology Services. Learn more about Nexxtep on our website at

Published in: Technology

  1. Mobile Device Security
     Crafting a mobile device strategy that fits your organization’s needs while protecting information assets
  2. Mobile Device Trends
     • Smartphone shipments in 2012 are projected to be at around 631 million units, up from 468 million in 2011
     • Tablet sales in 2012 are expected to nearly double last year’s tally of 60 million, at 119 million units
     • Apple’s iPad platform is expected to account for 60% of those tablet sales
     • PC hegemony over the market as the primary computing device in business is being challenged
  3. Frequently forgotten factoids about mobile devices
     • They’re little computers: processor, memory and storage, just like the desktop or laptop PC in your office
     • A would-be thief is more likely to steal a smartphone or tablet than a laptop
     • If your device is stolen, and lacks both a passcode/PIN and data encryption, whatever’s on the device might as well be posted on Facebook
     • Without a means to remotely manage a device, you have NO recourse in protecting/erasing sensitive data, should the device be lost or stolen
  4. Mobile Device Security: Key Considerations
     • Will my company furnish the devices, or will we allow BYOD (Bring Your Own Device)? What about both?
     • Where will sensitive data reside? On the server(s) or on the device itself?
     • How is the information accessed?
  5. Company-furnished devices
     • Cost for cellular service and repair/replacement of lost/damaged phones is generally borne by the company
     • Makes sense for organizations that publish the mobile phone number of these devices in the phonebook, on websites or in marketing materials
     • Be as draconian as you’d like in managing these devices (they’re property of the company). No Facebook, Twitter, YouTube, etc.; just business. Erase at will if necessary.
  6. BYOD (Bring Your Own Device)
     • Employees use their personal smartphones/tablets to access email and applications, which they’re already familiar with (little to no training)
     • Employees bear the cost of service and repair/replacement when necessary
     • A more measured approach to governing the encryption of information stored on the device, and the recourse with which to protect the data should the device become lost or stolen
  7. BYOD cont’d
     Example: An employee uses his/her personal device to access company email, where sensitive information sometimes crosses. Whereas a company-provided device could be erased without question, an employee’s BYOD likely has personal contacts, personal email, music, etc. A mobile device strategy should outline clear boundaries as to how far a company can go to protect its data. In this case, a mobile device policy could be designed in such a way that only the company email access for that device is revoked, and the data removed, with no impact to other apps/services on the device.
  8. Company-furnished device versus BYOD conclusion
     • Different levels of device management can be applied to both classifications of device, whether you want to completely lock the device down, or you want the user to freely use the device as he/she wishes, as long as the device meets security requirements
  9. Where the data resides
     • Server: This is always preferable to any sensitive information residing on the device. Risks of data compromise are mitigated through PIN/password enforcement, and access to applications, services and data can be easily revoked on the server. More on this later.
     • Device: We strongly discourage saving sensitive information on mobile devices, but if it can’t be avoided, more stringent password/PIN requirements and encryption, coupled with the ability to erase the device in the event it’s lost or stolen, protect against losses on this front.
  10. How the information is accessed
     • Email: Through mobile device management, we can encrypt data as it’s stored on the device, revoke email access when warranted, and protect access to the device with passcodes or PINs.
     • Desktop applications: Using technologies such as Citrix XenApp or Microsoft RemoteApp/Remote Desktop, we can provide secure access to programs and data residing on the server, without any of that information actually being stored on the mobile device. This is the preferred method for accessing your line-of-business apps. The actual processing of data resides on the server at all times, and you’re simply viewing/interacting with it on your tablet or smartphone.
  11. How the information is accessed cont’d
     • Web applications/webclips look and act like apps, but are really websites that are optimized for viewing on your mobile device. Similar to the Citrix/Terminal Services method for accessing apps and data, the data does not get stored on the mobile device, but instead just viewed. Transactions still take place on the server.
  12. Wrap-up
     Though the rapid adoption of mobile devices initially provided flexibility and opportunities for businesses, it has also opened up businesses to old-fashioned computer security risks, just on a newer class of devices. The methodology for securely incorporating these devices, whether company-owned or personally owned, is taking shape and should become a part of your overall IT strategy, in the same way you’d secure a desktop or laptop computer.
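
The ownership and data-location rules from the slides can be written down as a small policy check. This is an added illustration, not part of the original deck; the field names, the sample fleet and the exact baseline (management plus passcode, with encryption required once sensitive data is stored locally) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Device:                      # hypothetical inventory record
    name: str
    owner: str                     # "company" or "byod"
    managed: bool                  # enrolled in mobile device management
    passcode: bool
    encrypted: bool
    local_sensitive_data: bool     # sensitive data stored on the device itself

def compliance_gaps(d):
    """Requirements (assumed baseline) that this device fails."""
    gaps = []
    if not d.managed:
        gaps.append("not remotely managed")
    if not d.passcode:
        gaps.append("no passcode/PIN")
    if d.local_sensitive_data and not d.encrypted:
        gaps.append("sensitive data stored unencrypted")
    return gaps

def lost_device_response(d):
    """Ordered actions when the device is reported lost or stolen."""
    actions = ["revoke server-side access"]        # always available
    if not d.managed:
        actions.append("no remote recourse for data on device")
    elif d.owner == "company":
        actions.append("full remote wipe")         # company property
    else:
        actions.append("selective wipe of company email and data")
    if not d.passcode and not d.encrypted:
        actions.append("treat data on device as exposed")
    return actions

# Constructed sample fleet, for illustration only.
FLEET = [
    Device("sales-phone", "company", True, True, True, False),
    Device("personal-tablet", "byod", True, True, False, True),
    Device("unenrolled-phone", "byod", False, False, False, True),
]

def report(fleet):
    return {d.name: (compliance_gaps(d), lost_device_response(d)) for d in fleet}

if __name__ == "__main__":
    for name, (gaps, actions) in report(FLEET).items():
        print(name, "| gaps:", gaps or "none", "| if lost:", actions)
```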