There was a time, seemingly not so long ago, where business cell phones had clunky keyboards, terrible screens, and limited every-day functionality outside of making calls and checking emails. The introduction of the iPhone in 2007 changed all of that, combining not only the abilities listed above but also a music player to drown out the cubicle noise in the office, simple games to keep a person distracted from actual productivity, and a decent digital camera which enabled users to fill their storage with photos of their food, children, grandchildren, and pets. While these new features were great for the average consumer and led to an increased adoption of smart phones, they created an additional headache for businesses with regard to balancing device security and user data on small, easily lost, and often personally-owned devices. Users began wanting access to their business email on these smart phones yet still have control over the devices themselves. This issue persists to this day, on phones as well as tablets, and it is imperative that controls are in place to ensure company data is kept safe.
Several settings need to be managed for this data to be secured, regardless of who owns the device, as well as several methods of enforcing these settings:
- Encryption with PIN. If users are allowed to access company data on a smart device, the device needs to be encrypted and a PIN enforced (four digits is okay, six is even better). For Android devices and other tablets that allow the use of removable media, an additional restriction that enforces encryption on the media needs to be enabled.
- Auto-lock. The auto-lock feature should be set, along with a short time frame for inactivity before the device locks again. This time can vary depending upon the needs of an organization, but five minutes is the standard recommended setting for auto-lock.
- Device wipe. A maximum number of attempts needs to be set before the device wipes itself. This usually causes some concern, as it is far too easy for a smart device to end up in the hands of a curious toddler (personal experience speaking), but understand that as the number of attempts climbs, so does the time required between attempts. As a result, a setting of ten attempts is recommended but once again this can vary based upon organization needs.
- Remote wipe. The device should be configured to allow remote wipe should it be lost or stolen. Remote wipe can result in full data loss, including pictures, videos, and apps, but there are ways to prevent personal data loss, depending on management method or software chosen as we discuss below.
- Additional settings. Some optional settings that could be addressed are: disallowing rooted or jailbroken devices, disallowing applications installed from unapproved locations (i.e. anything besides Google Play on Android or the official App Store on iOS), enforcing antivirus installation, and disabling Bluetooth.
As previously mentioned, there are several methods for enforcing these recommended settings. The first, and most common, method is to use Microsoft Exchange ActiveSync. Bundled with various versions of Exchange Server, ActivSync allows the standard recommended mobile device settings to be enforced. The second method is commercial mobile device management software. There are a few options available, including AirWatch, MobileIron, and Maas360, and each option has its own pros, cons, and costs. One benefit this third-party software can offer is containerization of data, which allows the selective wiping of devices (also referred to as enterprise wipe). With enterprise wipe, only company data is lost while personal data is retained just in case the device is recovered and the data has not been backed up. The last option, and perhaps the most secure, is email access software only, such as ZixOne. This application allows access to email through the application but prevents any data storage on the device itself. One caveat to this approach, however, is that it is important for screenshot capabilities to be restricted to prevent local data storage outside of the application.
In summary, mobile device usage is only going to increase and users are always going to misplace their devices or have them stolen at inopportune times. Organizations must ensure their information is kept secure on mobile devices, especially on those not owned by the business but instead allowed access to sensitive data through a BYOD (bring your own device) policy. Balancing security and privacy is not easy, but fortunately a number of software options and settings make this balancing act feasible.