But along with the greater flexibility and productivity that users gain from these devices comes yet another challenge for compliance officers: tracking and properly securing the mobile applications running on them.
These applications figure to be a varied mix of business and personal. They will range from applications meant for just goofing off to ones responsible for processing sensitive business information. Some will store data locally, while others will do so in the cloud. Many of the business applications will be produced in-house, while others will come from trusted and untrusted third parties.
If you haven’t formulated your thinking on securing mobile applications, don’t fret -- few compliance officers have. But I would advise you to get moving on it. The problem is going to get worse before it gets better. Why? Even the “simple” servers, desktops and systems in between have always proven to be major headaches for IT professionals, and mobile devices are anything but simple.
So, how exactly do you get your arms around the problem of securing mobile applications? There are a couple of approaches you can take. You can standardize on one mobile platform and so deal with a finite and trusted set of mobile apps. What’s tricky about this approach is that you’re going to get pushback, and people are going to use their own personal devices -- regardless of what’s officially supported. That’s an uphill battle that may not be worth fighting.
The other approach is to support multiple platforms and hope for the best. Hope as a strategy may work in politics, but not so much in security and compliance. You’ve got to achieve a reasonable balance that is shaped by a long-term perspective.
This leads me to the 10 steps you need to take to gain and maintain control of mobile applications in your environment:
- Get management on board. Without the support of management, you’ll be yelling at the mountaintops to no avail.
- Determine how mobile computing is being used in your environment and how it can help your business down the road.
- Decide on which mobile devices and applications best align with your business needs and then standardize on specific hardware and software.
- Ask your vendors, especially software vendors, tough questions about an application's security capabilities and any compliance gaps it may cause.
- Find out what sensitive personally identifiable information and other regulated information is stored and processed in your mobile
- Analyze how this information is at risk.
- Take advantage of the controls built into your mobile devices, or invest in a third-party solution to address the risks you uncovered.
- Establish a set of best practices for mobile users and make sure they are enforced.
- Review your mobile environment every quarter or once a year to see what needs to be tweaked or
- Regularly remind users of what there is to lose and how their choices can prevent or facilitate such problems.
This is a proven method for securing information, regardless of the platform. Just keep one thing in mind: It’s not foolproof. Given the pervasiveness of mobile devices and the inherent difficulties in controlling them, it’s only a matter of time before the inevitable happens.
It would be better to say you made the effort to put a good system in place, rather than having to admit you did nothing at all.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.
This was first published in January 2011