Making sure that lost iPhone doesn't get you burned
- 11 July, 2008 11:46
If you haven't implemented a mobile device policy, now is the time to start, according to an Info-Tech Research Group analyst.
With established devices such as RIM's BlackBerry already in rotation at most companies, and new handhelds like the Apple iPhone and Samsung Instinct on the way, IT departments must ensure employees using mobile devices are doing so in a safe and secure manner.
Mark Tauschek, senior research analyst at the Canada-based Info-Tech, said a well-balanced acceptable use policy - with a strong focus on mobile device security - is essential to every major organization.
"Security is probably the most important aspect of the policy because if a mobile device is stolen, it's not just about the device, it's about the data that's on it and the cost for the company to recoup that data," Tauschek said. "You want to make sure that if a device is lost or stolen, it basically becomes a paperweight to whoever gets it."
Some of the guidelines to consider, according to Tauschek, include ensuring all mobile devices are registered with IT, making sure data is protected by strong passwords, and having IT provide centrally managed encryption for the mobile devices. He also recommended that end users who wish to connect their devices to enterprise systems through non-corporate networks employ a company-approved firewall.
Tauschek said IT departments would be wise to consider investing in technologies that can help them enforce these guidelines.
"One thing to consider is wireless intrusion protection and prevention systems that now have branched out into mobile devices," he said. "This will prevent users from connecting to unapproved networks. So, maybe your employees won't be able to connect to that unencrypted Wi-Fi connection at their local coffee shop hotspot."
Besides security, Tauschek said, CIOs and IT managers will also have to consider the costs and usage of mobile devices and balance these issues to effectively manage their mobile fleets.
"You need to work out who pays for it, whether you have a component in the policy that allows your employees to use it for personal use, and if you plan to put a cap on how much they can spend for their voice and data plans," Tauschek said.
Clearly outlining the repercussions an employee will face for violating the policy is also important, he said.
Tauschek's acceptable use tips come on the heels of the impending iPhone 3G phone launch, which promises to bring enhanced security features over the previous model - including a feature that will enable the device to be connected more securely into corporate networks. But, according to one Gartner Inc. analyst, that doesn't mean the 3G should immediately be given the same kind of broad access to internal applications that PCs typically enjoy.
For now, at least, the iPhone remains largely untested from a corporate security standpoint, Gartner analyst Ken Dulaney said. He added that although Apple's upgraded handheld may be capable of doing many of the same things that a laptop or desktop PC can do, it has yet to be proven that the iPhone can be locked down in the same manner as PCs can be.
As a result, it may be better for companies to consider providing iPhone access to only a limited set of applications, such as Exchange and Apple's Mail e-mail client, instead of opening up their entire networks to the device, Dulaney said.
"Much about being secure is being consistent," Dulaney said. "If you have two platforms, a PC and a handheld, one of which has years of improvements in security and is very mature, against one that is barely a year old, you are only going to be as secure as the second piece of hardware."
Tauschek said that while organizations should weigh the pros and cons of approving any device, the added enterprise capabilities in the 3G phones - which include remote wipe (the ability to wipe the phone's data if lost) and the ability to sync with Microsoft Exchange Server - make it more suitable for the enterprise space.
"There are benefits in just being able to sync up with Exchange alone," he said. "Because now you can set up group policies in Exchange after the e-mail is pushed out, so if the device is lost or stolen you can wipe out and protect the data."
-- With files from Jaikumar Vijayan, Computerworld (US)