It was a dark, cold, and scary night when I returned from dinner with friends and noticed that my mobile phone was missing. It had corporate sensitive data such as emails, calendar events, and documents, as well as personal data (including pictures, videos and other documents). Well, let me be honest with you, I didn’t really lose my phone. However, many cell phones, tablets, and other gadgets are lost or stolen on a daily basis. The problem of stolen mobile devices is huge. According to a report from the Federal Communications Commission (FCC) earlier this year, about 40 percent of robberies in Washington, D.C., New York, and other major cities now involve mobile devices. The FCC has teamed up with the nation’s top wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint, to develop a database of stolen mobile devices.

Allowing employees to access corporate email, critical business applications, and data makes workers more productive and effective. Striking the right balance between easy access to the applications users need and the integrity and security of enterprise resources gives your organization a competitive advantage.

Stolen and lost devices are among the many challenges of mobile device security.

There are many third-party tools and solutions for mobile device management (MDM) and mobile application management (MAM) that allow administrators to set mobile device policy and provision software (apps). An MDM typically provides the following capabilities:

  • Enforce an encryption policy for the mobile device and for removable media such as Secure Digital (SD) cards
  • Lock down the device camera, SD card, Bluetooth, or Wi-Fi
  • Remote lock and wipe
  • Real-time remote control
  • Enterprise data boundary with selective wipe and privacy policies
  • Access control, device visibility, and blocking of email access
  • Digital certificate distribution
  • Secure administration with role-based access, group-based actions, and persistent log and audit trails
  • Lost phone location and recovery
  • Password enforcement
  • App inventory, distribution, and blacklisting

The following are a few examples of MDM vendors:

There are other, less sophisticated apps such as “Find My iPhone” and “Where’s my Droid” that allow you to locate your phone, tablet, or even your laptop (Mac) on a map, display a custom message on the device screen, play a sound (even if your device is set to silent), and remotely lock or wipe your device.

Identity, authentication, and system-wide visibility showing you who and what is on the network (wired, wireless, or VPN) are also very important. Cisco Identity Services Engine (ISE) provides consistent enforcement of policies across wired and wireless networks. It integrates authentication, authorization, and accounting (AAA) services, as well as profiling, posture, and guest services, to simplify deployments and cut costs. Cisco ISE provides greater visibility and control of the endpoint through Mobile Device Management solution integration. MDMs take a device-centric approach to management, while Cisco ISE takes a network-centric approach. Each solution provides distinct services, and they are not mutually exclusive. Many administrators deploy both an MDM and Cisco ISE solution in parallel. Cisco is working with several MDM vendors to continue to integrate services and functionality that are part of the “Bring Your Own Device (BYOD)” solution.

At some point in the life cycle of a device or employee, it may become necessary to terminate access to the device due to a lost or stolen device, employee termination, or other changes. Network and security administrators must have the ability to quickly revoke access to any device and “remotely wipe” (erase) some or all of the data (and applications) on the device.
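To make the MDM-plus-network-access model above concrete, here is an added example (not code from the post, Cisco ISE, or any MDM product) of a posture-based authorization decision: it checks the encryption, passcode, and app-blacklist controls from the feature list, treats a stale MDM check-in as untrusted, and for a device reported lost revokes access and chooses a selective wipe (BYOD) or full wipe (corporate-owned). The app identifier, the 24-hour posture window, and the sample devices are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions, not from any real MDM or ISE policy).
BLACKLISTED_APPS = {"com.example.rogue-sync"}   # hypothetical app identifier
MAX_POSTURE_AGE = timedelta(hours=24)           # older MDM check-ins are not trusted


@dataclass
class DevicePosture:
    device_id: str
    owner: str              # "corporate" or "byod"
    encrypted: bool
    passcode_set: bool
    reported_lost: bool
    installed_apps: set
    last_checkin: datetime  # time of the last MDM check-in (UTC)


def authorize(p: DevicePosture, now: datetime) -> dict:
    """Return a network-access decision and the MDM action to take."""
    # Lost/stolen device: revoke access first, then erase. BYOD gets a selective
    # wipe of the enterprise container only; corporate-owned gets a full wipe.
    if p.reported_lost:
        return {"access": "deny",
                "action": "full_wipe" if p.owner == "corporate" else "selective_wipe"}
    # Posture data older than the allowed window cannot be trusted: quarantine
    # the device and force a fresh check-in instead of permitting on old data.
    if now - p.last_checkin > MAX_POSTURE_AGE:
        return {"access": "quarantine", "action": "force_checkin"}
    failures = []
    if not p.encrypted:
        failures.append("encryption")
    if not p.passcode_set:
        failures.append("passcode")
    bad = p.installed_apps & BLACKLISTED_APPS
    if bad:
        failures.append("blacklisted_app:" + ",".join(sorted(bad)))
    if failures:   # non-compliant but not lost: limited access until remediated
        return {"access": "remediate", "action": "notify", "failures": failures}
    return {"access": "permit", "action": "none"}


def demo() -> dict:
    """Run the policy over constructed sample devices; returns device_id -> decision."""
    now = datetime(2013, 1, 1, 12, tzinfo=timezone.utc)   # constructed clock
    fresh = now - timedelta(hours=1)
    samples = [
        DevicePosture("corp-01", "corporate", True, True, False, set(), fresh),
        DevicePosture("byod-02", "byod", True, True, True, set(), fresh),
        DevicePosture("byod-03", "byod", False, True, False, {"com.example.rogue-sync"}, fresh),
        DevicePosture("corp-04", "corporate", True, True, False, set(), now - timedelta(days=3)),
    ]
    return {d.device_id: authorize(d, now) for d in samples}
```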

Share your experiences while addressing these issues and how you overcame some of these challenges.


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations