Is Your Mobile Enterprise Subject to Law Enforcement Scrutiny?
The mobile technology boom and its impact on enterprise computing have changed the way we approach workplace security. IT managers now have to extend support beyond servers and workstations and provide employees with mobile access to corporate data anywhere at any time using handheld devices. It has become routine to access company email, files, and database records from laptops, tablets, and smartphones from home or in public coffee shops, which presents new security challenges to IT manager – how do you keep corporate IP secure while still providing remote access to wireless users?
If you think of smartphones, tablets, and netbooks as portable workstations, they need to be tracked and secured just as you would any corporate asset. Unfortunately, IT staff don’t have direct access to wireless assets so it’s harder to manage security patches and software updates. And if a device is portable it can be lost or stolen, which means any sensitive data on that device needs to be secured. And then you have to consider the growing “bring your own device” (BYOD) phenomenon, which makes data security even more complex.
Procedures and protocols for protecting mobile enterprise users have evolved over time and it’s easier to protect corporate data, but what about protection from government and law enforcement? The FBI and Apple were recently embroiled in a prominently public dispute over whether Apple should furnish the means to unlock a particular iPhone as part of the investigation into the San Bernardino terrorist attack. By complying with the request, Apple would have had to create the means to unlock any iPhone, not just one unique device; which raises new concerns about personal and corporate privacy in the U.S. and abroad. The FBI ultimately dropped its demand for an iPhone skeleton key, announcing that they had found their own means to unlock the iPhone in question, but if the FBI did succeed in unlocking the iPhone then it now can unlock any iPhone. This could be just the beginning of law enforcement overreach. Of course, the problem with backdoors is that they can’t care who is using them: bad guys have an irresistible incentive to acquire such a tool.
From an IT security perspective, this creates a new set of concerns regarding mobile enterprise security. Now, in addition to keeping the mobile devices themselves secure, the data on those devices has to be even more closely protected from prying eyes, including bad actors that have the means to unlock secured devices and, potentially, law enforcement.
It’s time we developed new strategies to protect against a mobile data breach.
Securing the Mobile Enterprise
First, let’s consider how much risk mobile users pose to enterprise systems. Like every security tradeoff, it is impossible to eliminate all risk so you need to determine the degree of risk you are willing to accept in order to protect your organization’s intellectual property and sensitive data.
If your primary concern is a data breach or cyber-attack, then restricting Internet access to your critical services is one way to protect your network. To prevent mobile devices from becoming a security risk, you can restrict mobile access data encrypted via VPN or through secure connections. Mobile devices disclose sensitive data or metadata as background processes attempt to connect to enterprise services for updates when connected to any network. Encryption or creating a secure connection prevents interception of details about data traffic over unsecured connections.
As part of best practices, critically sensitive data should never be stored where an attacker can gain access by guessing a single password or network address. However, even the strictest technical controls can be defeated through determination by an attacker or carelessness by a user. For example, the NSA and CIA attempted extraordinary measures to protect their secrets, but Edward Snowden found a way to expose them. Custodians of sensitive data, i.e. your employees, must be incentivized to protect company IP and watch for weaknesses that may have been overlooked.
If potential data loss or theft is your greatest concern, then your best strategy is to adopt strong encryption and authentication. Data in motion should be encrypted to prevent unauthorized access or interception. Stored data or data at rest, including data stored on mobile devices, also should be encrypted. For example, most PC and mobile operating systems include robust whole-disk encryption that can protect data in the event a device is lost or stolen. Most mobile operating systems enable this feature by default, although this feature needs to be configured in desktop computers.
Of course, the risk with encryption is that if the accompanying passwords to access the data are lost, then the encrypted data is lost. That was the problem the FBI experienced in its investigation. Passwords and passcodes are normally the weakest links in the chain of security; simple passwords can be easier to guess but overly long or complex passwords that have to be changed frequently will aggravate users. Authentication can be somewhat easier to manage. Most workstations or PCs can incorporate decryption as part of device authentication. Mobile users often have additional options with biometrics such as TouchID. Each authentication.
The New Mobile Security Challenge from Law Enforcement
The greatest source of enterprise security risk has traditionally been company employees. Employees are unaware of security concerns so they ignore security protocols without thinking, such as exchanging passwords or accessing sensitive data from the local Starbucks. If the company issues its own mobile hardware, then IT has more control over mobile security. However, workers can still expose sensitive data accidentally, or they can use company equipment for illegal activities. In the case of our FBI example, San Bernardino terrorist Rizwan Farook was a county employee and it was a county-issued iPhone that the FBI was seeking to crack in their search for incriminating evidence.
Most companies are more concerned with protecting IP and their employee records from the prying eyes of hackers, but protecting corporate data from law enforcement could also be a concern. Sensitive company data can be exposed when company-issued equipment or BYOD-enabled mobile devices are seized by police or the FBI. Even if the company is not guilty of any wrongdoing, a criminal investigation could make any data recovered from mobile devices recovered as evidence part of the public records. Even if you want to cooperate with law enforcement, you don’t want to give the FBI an excuse to start rooting through your servers.
If you are concerned about protecting company data from law enforcement, then the approach you choose for device security certainly matters. For example, if an employee is arrested and their company-issued phone is entered into evidence, you run the risk of company information on that phone being exposed. With strong authentication, you may be able to defeat attempts to unlock the phone. For example, the courts have ruled that law enforcement can legally compel a suspect to surrender a fingerprint, which can be used to unlock a biometric-protected device. However, you cannot be compelled to surrender a password. If you are concerned about losing control of data stored on mobile devices, passcode authentication may be more secure than biometrics. Most mobile devices also can also be configured to erase themselves after a predetermined number of authentication attempts to prevent someone guessing a passcode. In the case of Farook’s iPhone, the FBI was concerned they might compromise data stored on the phone if they attempted to recover his passcode through guessing.
Best Practices for Mobile Enterprise Security
Mobile Device Management (MDM) software can be an extremely effective tool in defending against a mobile data breach. An MDM solution gives you total control over remote devices. It provides a means to remotely enforce data encryption and authentication, including regularly updating passcodes. You can use MDM to distribute software and security updates over the air. You also can track mobile devices, gain remote control over device settings, and even disable, unlock, or even wipe a mobile device from a remote console.
In the San Bernardino terrorism case, for example, if the county had activated its MDM system and Farook’s iPhone had been properly configured, the FBI wouldn’t have had to ask Apple to create a cyber skeleton key. The MDM system could have unlocked the phone remotely, and even could have controlled the types of data that could be accessed so sensitive information could be protected.
If your organization has a BYOD program, then you need to mandate that they become part of an MDM program. Any device that either contains sensitive data or that could potentially provide access to sensitive data needs to be under IT control to ensure that security patches are up to date and the devices are secure when not in use. Training is also essential. Explain to users the need for security and make sure all personnel has a clearly defined set of mobile device security protocols to follow. Training is the only way to cover cases that cannot be addressed directly by MDM or other controls.
Corporate data is going to be subject to some kind of attack. When balancing the risk the mobile enterprise presents in exposing that data, you have to consider the importance of the data, the acceptable barriers to access, the cost of security, and other factors that have to be balanced against risk. You can secure your network data by building a digital moat around your network, and you can protect data that flows outside the firewall with encryption and authentication. However, if you are supporting remote users, enforce the necessary security protocols as a prerequisite for access to sensitive systems.
As demonstrated by the dispute between Apple and the FBI over iPhone encryption, no technology is absolutely secure. Any approach to mobile security needs to balance the real need for tighter security against required resources, cost, and user aggravation. The challenge is striking the right balance between adopting draconian levels of security and promoting user productivity; a task that you don’t have to take on alone. Independent security experts can be a valuable resource when mapping out the right mobile enterprise security strategy.
About the Author:
Andrew McDonnell is Vice President, Security Solutions, for AsTech Consulting, independent cyber security experts specializing in software and IT infrastructure security. Andrew has more than a decade of experience in developing and deploying information security and technology, having designed enterprise vulnerability management programs and embedded security processes into software development life cycles (SDLCs). Andrew holds a degree in Computer Science from Harvey Mudd College.