Security is always a delicate balance:  You need to provide efficient access, but only to those that are allowed that access.

Because there are a growing number of mobile devices, and more people utilizing them, there is more potential for breach – it’s just a numbers game, really.  Your networks require ever more attention:  In matters of security solutions and updates; watchfulness for any day-to-day breach; and investigation of any suspect activity.  At the same time, access has to be readily available to those authentic users, sustaining their productivity – and they must be be productive within a fully educated posture, based on well-communicated security policies.

First, before a user even authenticates, remember to have the device authenticate.  The network must recognize the device, allow it, and further – have your network survey it for currency in updates, patches and policy.  Now you’re swingin’.

Also, mobile devices use mobile-broadband, the same networks as mobile phones.  Here, it is basically essential to employ a virtual-private-network (VPN) – and also for any access coming through the public internet.  Generally, you want to encrypt any data/communications between devices which transmit through public broadband or internet.

The addition of firewalls is another layer of security.  They can be comprised of software, hardware, or both – and essentially emplace filters and authenticating standards before letting devices and/or data through. 

Remember that any security procedures and policies are only effective so long as the organization enforces them.  The organization must invest in security, in more ways than one.  More than monetary, it is the organization’s acknowledgement that security is paramount, and that people will be held accountable to security standards.  Regularized training and awareness sessions must be adhered to, and all modern and effective security measures must be undertaken in match to the accelerative nature of outside demands and threats.

Get on a schedule of regularized updates in all regards:  Organization, people, process, systems, data, communications, education…  Also, be certain to weave Business and IT leaders’ understandings and sanctions in creating and adhering to mutually defined and understood goals.

NP:  I Can’t Get Started, Cannonball Adderely, jazz24.org

No matter how tight your security policies, no matter how regularized your security training, no matter how careful your workforce – mobile devices are going to get lost.

Smartphones, laptops, tablets, cameras, flash drives, and anything that’s not nailed down is susceptible to being left at the airport, in the back seat of a cab, or on a table somewhere in a food court… as but a few examples.  And that’s just the possibilities involving loss through negligence – oversight, in leaving a locale without all of your possessions firmly in tow.

What of theft?  As difficult as it is to believe, people actually take things that don’t belong to them!  This is something you have to actively guard against – not just by maintaining your eyes on portable devices, particularly when you’re using them in public spaces, but in another important way.

It’s not so much the device itself that poses great risk – it’s merely any device’s potential manifest of harm, in the absence of appropriate controls when in the hands of an unauthorized person.

A device harbors content:  That is, the data any particular device contains.  Unauthorized physical access to the device cannot always be effected, as in the case of loss, so all other up-to-date methods of security must be employed.  The device must be password protected.  You might even consider fingerprint and card readers for total authentication and access.  Further, the data residing on the device should be encrypted.

Risk is also posed through the access that the device represents:  To your network, to your  central data repositories, to your business intelligence, to your client information, to your employee information, to sensitive and confidential data, to proprietary solutions and systems, and on and on and on…

Another security measure to consider, which would protect both data and the device’s potential for directing harm to whatever it logs into, is to enable a remote-erase (wiping) solution.  When a device goes missing, a trigger is pulled at the home office, sending a signal to the device to essentially destruct all data and mechanics of login.

March 12^th:  On this day in 1912, the Girl Guides (Girl Scouts) was founded by Juliette Gordon Low

Small and Medium Business (SMB) can really benefit from mobile readiness.  Beyond the obvious reasons (the idea of “readiness” and a paired security posture hardly needs to be sold), the SMB market can capture and leverage a whole population of assets that essentially have no overhead.  No TCO, no appreciable Time to Value (TtV); they’re here now, in that they’re often owned and maintained by people as personal assets:  Things such as smartphones and laptops.

Of course, often enough these devices are provided by SMB too, as tools of any particular job; but there does exist a ready population that can be exploited – and that must be protected.

Whatever devices (and associated users) desire to access your data, systems, and tools – you must take inventory and qualify access before you greenlight it.  Assess whether a particular user really needs remote access – is it going to be an efficient enhancement to work?  Will it be productive?  Does supervision agree that access is desirable?  Is a strong case being made?

Then the risks can be weighed against the benefits – and there are always risks.  Mobile devices will harbor sensitive data – and that data can easily be lost.  Also, mobile devices transmit updated data back into your central repositories – on your network:  filestores that represent the content feeding your mission critical applications.  Things such as the organization’s sensitive financial information; customer databases and records, sensitive correspondence – you name it.  You must ensure sourced mobile data is healthy, accurate, and whole.

Mobile devices also represent a portal through which malware may enter the organization.  Therefore, an entire regime of recurring user education is necessary, and a standard schedule for review of devices for compliances and updated protections for malware, etc., is absolutely essential.

When devices are lost, it is imperative that users alert IT – lost devices can allow unauthorized access to the network; IT must immediately bar a device’s ability to access upon loss.  And while on that subject, beware devices that have unsecured remote access – that is, no password or stored password, allowing the “greased entry” upon a simple switch-on of the device. 

Let’s keep rolling on this…

NP:  The “In” Crowd – The Ramsey Lewis Trio, jazz24.org.

Once upon a time, all an IT manager had to do was to secure an infrastructure and allied systems and tools that existed inside the “four walls” of the organization.  That is, some measure of a computer room (speaking in a virtual sense; any of these elements could stripe through multiple buildings, offices, allied agencies, etc.), fileserver(s), a wiring closet or two, a computer workstation population, and so on…

A few forward individuals, either by power, station, or adventurousness, dialed-in to the network.  Wow!  I remember jokes in the workplace:  Who the heck wants to bring the office home?

Today, we’re approaching universal connectivity.  There are so many mobile devices, and associated mobile apps – paired with new data-densities, new bandwidth and processing power considerations – that business is everywhere.

The challenge to business and IT leaders alike is not just protection to organization assets and daily production, but the challenge includes spec’ing up to accommodate present and future demands for the mobile workforce.  It also includes more than that…

It goes well beyond:  You must document allowances, as far as which classes of users have mobile access, when, and how.  And you must consider the blended environment of personal vs. business assets.  Keep in mind that folks access your organization’s central computing and data assets from personal computers, laptops, phones, tablets, etc.  The avenues for breach are many, in that you do not have an exclusive measure of control over these devices, and their associated “wellness” in terms of virus protection, malware protections, etc., etc.

Security demands are high.  You must guard against spam, spyware, malware, viruses… denial-of-service attacks, whether directed or random.  In this environment, it is prudent to consider data encryption for mobile devices.  Today, you must safeguard sensitive organization data on mobile devices:  Information is always vulnerable to theft and loss, but never more so when it’s repository is mobile and susceptible to loss itself.

More on this in the coming days…

March 10^th:  On this day in 1933, Nevada becomes the 1^st state to regulate narcotics.