Even apart from the hacking and internet virus threats, there must be increasing attention to security as more employees are using UC on mobile gadgets and accessing corporate data and contacts from a handset. This means existing security, authentication and management infrastructures have to be extended and adapted to cellular and Wi-Fi products.
Another important aspect of a UC security policy is central tracking and management of devices and policies when they get lost (e.g. many vendors now support remote disabling or wiping of lost and stolen phones).
The three main areas where we think mobile security must be tightly managed are:
- securing and managing every device
- managing all connections
- protecting all data
The first is easiest if the company standardizes on just a few devices, barring users' own phones from the system. Device passwords and PINs should be implemented with automatic lock after three failed attempts. More comprehensive device management can be achieved using a centralized application such as Microsoft System Center Mobile Device Manager or Sybase Afaria, or relying on a third party managed service from an operator. These policy-driven suites combine monitoring and enforcement and also work with back-end authentication servers.
On the second point, connections, VPN connections with IPsec are best, and there should be automatic software to bar devices that do not conform to enterprise security policies, e.g. if their antivirus software is outdated or they are accessing from an insecure public hotspot.
In the third area, data, selective data encryption is important to secure sensitive files and items such as email inboxes, contacts and certificates. Encryptable removable storage devices like SD cards are also useful.
This was first published in August 2009