This article addresses three important aspects of security when mobile devices are used within corporate networks: the establishment of business policies, the security mechanisms to be implemented, and recommendations for their use. As Murgante, Gervasi, Iglesias, Taniar and Apduhan (2011) mention, many companies are adopting smartphones to implement a smart work environment, or smart office. Their article shows that a VPN between the company and the mobile client is an effective security technology for protecting the network between corporate information systems and smartphones.
Reports published by companies such as Cisco, Juniper and Symantec on the use and security of mobile devices likewise agree that this area has grown since 2011; the trend responds to the need to access company information from outside the company.
As Carey Nachenberg, Vice President of Symantec Corporation, points out, users often synchronize their devices with public cloud services, which are outside the control of network administrators. It is therefore important that companies define security policies and control strategies for the use of such devices on the corporate network.
BUSINESS STRATEGIES AND POLICIES
Protection of mobile devices in business networks
Today, the use of smartphones and tablets, at both a personal and a business level, has become a growing practice because of the many functions these devices provide and the applications that can be installed on them. I refer here to their use within companies, which have adopted them as a working practice so that staff can access information systems, databases, email, telephony and other corporate resources from both inside and outside the company. The aim is greater productivity.
Before a company implements and extends mobility through such devices, it is important to design and implement usage policies and strategies that safeguard the integrity of the company’s information and the security of all its technological resources.
According to Saro and Fernández (2013), the strategy and security policies for the use of mobile devices must be defined by a commission composed of personnel from the ICT, human resources, legal and management areas, which plans, designs and implements them and makes them known to the company’s staff. All aspects that may represent a security risk for corporate information must be taken into account, and the strategy and policies must fit within the framework of the organization’s ISMS.
When the security strategy and policies for mobile devices are aligned with the information security management system, the company will have procedures consistent with its institutional objectives, and will define and implement security controls based on a risk analysis. The article Management of the Security of Corporate Information on Mobile Devices (2013), on the blog Business Under Control, presents a table of possible risk factors and the control strategies to implement for each of them, so that the security of corporate information is not threatened by the use of mobile devices.
Establishing adequate security policies and strategies is not an easy task, but it is indispensable for companies that adopt these technologies, because each mobile device must be considered an asset that represents a security risk to the corporate network.
SECURITY MECHANISMS FOR THE USE OF MOBILE DEVICES
Technology companies such as Symantec, Cisco, Juniper, Enterasys and Citrix, to name a few, are aware of how concerned companies and IT department personnel are about protecting the integrity of corporate data. In view of the risks of using mobile devices, they currently offer solutions that implement various security mechanisms.
Companies can adopt several of these mechanisms to protect their resources. The main ones are:
MDM (Mobile Device Management). Mechanism for the centralized management and control of corporate or personal mobile devices. It provides full information about each device and makes it possible to monitor the device, configure policies and applications, and keep a history of each device, among other features.
MDP (Mobile Device Protection). Mechanism for protecting the mobile device itself by installing a VPN/SSL client and an antivirus, and by using encryption and robust authentication methods.
NAC (Network Access Control). Mechanism for controlling each mobile device’s access to the corporate network. Among other things, it makes it possible to determine whether the equipment is personal or belongs to the company, to apply security policies to sensitive operations carried out through the device, and to repair devices by installing and updating applications over a VLAN, taking the device’s authentication profile into account.
MAM (Mobile Application Management). Manages applications through blacklists and whitelists, provides virtual environments and applies P2P policies, among other features.
MDS (Mobile Data Security). Mechanism responsible for data security and for protecting the device’s Wi-Fi, Bluetooth and mini USB ports, as well as for installing a DLP client (to control and prevent data loss) and using IRM (to administer information rights).
An important point is that these security mechanisms can be deployed either through the public cloud services offered by the various solution manufacturers or through a private cloud. The decision depends on the specific needs and resources of each company.
Staff awareness is an important aspect of security: it keeps the corporate network from being made vulnerable by the use of mobile devices, whether personal or corporate, and it contributes to the adoption of the security policies and strategies established for access to the company’s data and resources.
Where personnel use their own devices, they should be aware of practices such as using complex passwords to lock and unlock their equipment, using firewalls, making backups, using antivirus software to scan data and applications, and configuring options to lock and/or delete the device’s data in case of loss or theft, among the many other good practices that currently exist for the safe use of devices in business networks.
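The NAC behaviour described above (telling personal from corporate equipment, repairing devices over a VLAN) combined with the device practices in the last paragraph, as an added example that is not part of the original article. The VLAN names, the `Device` fields and the `admit` function are hypothetical and do not correspond to any vendor product.

```python
"""NAC-style admission decision for a mobile device (constructed example)."""
from dataclasses import dataclass

# Hypothetical VLAN names; a real NAC product defines its own.
VLAN_CORPORATE = "corp-mobile"
VLAN_BYOD = "byod-restricted"
VLAN_REMEDIATION = "remediation"

# Posture checks taken from the controls the article lists:
# device attribute -> what remediation has to fix when it is missing.
POSTURE_CHECKS = {
    "mdm_enrolled": "enroll device in MDM",
    "complex_passcode": "set a complex lock passcode",
    "storage_encrypted": "enable device encryption",
    "antivirus_current": "install or update antivirus",
    "vpn_client": "install the VPN/SSL client",
    "remote_wipe": "enable remote lock and wipe",
}


@dataclass
class Device:
    owner: str  # "corporate" or "personal"; anything else is unregistered
    mdm_enrolled: bool = False
    complex_passcode: bool = False
    storage_encrypted: bool = False
    antivirus_current: bool = False
    vpn_client: bool = False
    remote_wipe: bool = False


def failed_checks(device):
    """List the remediation actions for every posture check the device fails."""
    return [fix for attr, fix in POSTURE_CHECKS.items() if not getattr(device, attr)]


def admit(device):
    """Return (vlan, remediation_actions); vlan is None when access is denied."""
    # Fail closed: a device with unknown ownership gets no network access.
    if device.owner not in ("corporate", "personal"):
        return None, ["unknown ownership: register the device first"]
    todo = failed_checks(device)
    if todo:
        # Non-compliant devices only reach the remediation VLAN until fixed.
        return VLAN_REMEDIATION, todo
    # Compliant personal devices still get a more restricted segment.
    vlan = VLAN_CORPORATE if device.owner == "corporate" else VLAN_BYOD
    return vlan, []
```

Calling `admit(Device("personal", True, True, True, False, True, False))` places the device in the remediation VLAN and returns the two actions it still needs.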