Article

Mobile UC security is tricky, but basic IP networking is a good start

Michael Morisy

Even as companies cut budgets, mobile device security is something that precious dollars must be spent on. Luckily, the move to mobile unified communications coincides

    Requires Free Membership to View

with a move to more IP-based communications, like SIP. If administrators take a holistic approach to device security, they can benefit from years of best practices developed for Ethernet and other wired networks.

Mobile device security has long been a tricky problem, due in large part to two factors. For one, unlike a desktop or server, mobile devices -- whether smartphones or netbooks -- go with their users into the wild.

It takes only a second of negligence for any of these to slip out of sight and into the hands of a techno-savvy thief who can pull off any unencrypted data in a matter of minutes.

For less than $200, a device known as a "CSI Stick" makes it even easier: Just plug it into a cell phone to grab the phonebook, call logs, SMS text messages and more, without any fuss.

Mobile device security is further complicated by the fact that, unlike most work desktops or other company-issued devices, users expect a large amount of input into what device they get, and how they use it. This means mobile administrators have to plan for a wide array of devices if they want a truly comprehensive security plan.

Despite these challenges, a down economy hasn't tethered workers to the office -- if anything, it has increased the focus on mobility by allowing workers to be more efficient on the road or even ditch traditional PCs altogether in favor of less expensive mobile devices.

Fortunately, the coinciding move to mobile unified communications -- with voice, IM, email, and more all coming to a handheld -- can be something of a blessing for those trying to keep information secure.

More and more sensitive data, for example, is being passed over IP rather than through less securable protocols like SMS or MMS.

"A lot of the best practices are in place ... because our networking brethren ran into them a few years ago," said Bob Bradley, a product line manager for voice infrastructure vendor Sonus Networks. He said much of the best material he recommends to customers to help guide communications security can be found at the SANS Institute security reading room.

"You don't need to hire 10 security experts," Bradley said. "It's all well documented."

Email was perhaps the second "killer app" -- after voice calls -- to make its way from the desk to the mobile device; and most major platforms include strong encryption options for it, as long as the administrator is alert enough to ensure that the settings are on and enforced for users.

"Email is very secure, particularly if you have a BlackBerry with AES encryption on the device," said Chris Hazelton, a research director with the 451 Group.

Windows Mobile devices and even Apple iPhones, if properly configured, also offer a relatively strong security package, Hazelton said.

But enterprises have quickly seen the value of moving beyond email for their mobile communications, and this is where the modern smart device's IP-centricity has come in handy.

For example, almost any modern mobile browser comes fully equipped to handle SSL certificates, making it relatively simple to securely deploy Web apps on mobile devices.

Many other mobile communications applications are also tapping into well-known encryption techniques to ensure that even as your workers leave the office, their data stays behind a closed door.

But all this encryption could mean nothing if your users are not educated about proper usage policies and some enforcement mechanisms are not in place to ensure they are followed.

Hazelton pointed to a host of other risks, ranging from the relative insecurity of SMS to the dangers of unsecured Wi-Fi hot spots that could infect your users with viruses, bypassing all the security measures in place.

The best response is a mix of sensible on-device defense -- taking advantage of administrative configuration options along the lines of BlackBerry Enterprise Server (BES) and Microsoft Exchange -- and a healthy dose of user education.

For the latter, it's often best to advise users of the dangers while offering an alternative best practice.

"There's been a lot of publicity of high-profile customers having their SMS messages read," Hazelton said.

Smart policies that educate users on risk can cut down on these threats. For example, once educated that sensitive information should be sent over email instead of via SMS text messages, most users will happily comply.

Giving users practical alternatives is a key to implementing a truly comprehensive security strategy. Too lax a policy leaves too many security holes, but an ultra-restrictive policy either hampers productivity or pushes users to bring in their own unauthorized and unmanageable devices to get their work done.

It's a trend companies should not fight against too hard, Hazelton said. A little leeway can help prevent opening up new security holes and cutting off employees from useful features that a more "open" policy might safely allow.

A corollary to that principle is that any security solution you implement should be as seamless as possible for the user – any extra steps, even a few extra digits to make a call, for example, push them to use less secure, perhaps unauthorized, methods.

Options range from the ability to "push" security policies onto phones from a centralized management solution to more dedicated solutions, such as specialized chips that provide hardware-based encryption for data connections and even voice calls.

Have your own mobile security worries, or have an idea for a story you'd like covered? E-mail the article's author Michael Morisy.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: