Monday, July 9, 2012

5 Tips - Protect Private Data on #iPad or Android #BYODchat #byot #byod

Consider these interesting tidbits of BYOD Information.... 
Source: Cisco
A particular area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device - not IT. In short, accept that BYOD will, at some level, be used, with or without authorization, and focus on the security issues raised to minimize the risk of loss, theft or disclosure of [confidential information]. (Adapted from Source)
Mobile devices are entering the workforce in large numbers. According to Gartner, it is estimated that nearly 300 million tablets and 2 billion smartphones will be deployed by the year 2015. Additionally, it is expected that almost 75% of these devices are personal devices. While 75% of the devices are personal, over 90% of organizations are expected to support corporate applications on these devices. (Source: Gartner Group Report).
The iPass 2012 Mobile Workforce Report recently found that 64 percent of mobile workers now carry a tablet (the vast majority use an iPad). (Source)

In yesteryear, laptops were often stolen because they were portable and served as data-rich sources for identity thieves. Now, iOS/iPads and Android tablets are the new target for theft. Although a fraction of the cost, tablets are hot items that thieves continue to be on the lookout for...and your school district's confidential information may be on one, especially since you implemented that nifty Bring Your Own Device (BYOD/BYOT) program!

Where does your program fall along the Cisco continuum shown below?

Two other questions come to mind: 

  1. Often, desktop and laptop computer hard drives are drilled, shredded, or erased a la Darik's Boot and Nuke (DBAN)...but what happens with someone's personal device they happened to view content on? What happens to devices (e.g. smartphones) that get replaced? If they stored data on them at some point, how are those devices wiped? Whether it's a smartphone that is acting up or an iOS device that gets taken back to Apple for fixing, how is that data secured?
  2. How can remote wipe be accomplished on personal devices?
  3. Questions from the Gartner Report cited earlier:
    • What are the security implications of connecting mobile devices to the corporate network?
    • Should personal devices be allowed to connect via VPN – where they have unfettered access to the entire corporate network?
    • How to securely connect mobile devices to corporate repositories like SharePoint, file servers and other document repositories?
    • How to manage whether a mobile device should be allowed to store corporate data locally?
    • How to ensure that local copies of data on the device are encrypted?
    • Can users be prevented from emailing the documents?
    • Can users be prevented from opening the documents in other applications?
    • Active Directory compatibility?
    • Is there support for multi-factor authentication that doesn’t require entering a passcode every time the device wakes up from sleep?
    • How does “jail breaking” a mobile device affect the security and access?

Some recommendations and apps that may help:
  1. Use encrypted access (https) to access confidential documents on your mobile device/tablet.
  2. Require a passcode or swipe combination on all mobile devices that hold confidential information.
  3. Modify your BYOD policy to reflect this perspective: "If the employer is saying that you do not have an expectation of privacy with a personal device that you use in conjunction with corporate systems, this lets the employee know the device could be subject to a search or a review." (Source)
  4. Use services (MS ActiveSync is one example) to enforce a passcode on a mobile device and wipe data if needed (e.g. in case of loss or theft).
  5. Use a portal to access confidential data that doesn't involve downloading documents to the device.
  6. Use something like Auto-anchor Mobility, a configuration included in many current network manufacturers' OSes that allows for secure tunneling of wireless devices, useful for BYOD and personal devices.
  7. Protect your passwords with KeePass. Encourage your staff and students using individually assigned devices to take advantage of solutions like KeePass for Android and/or iOS devices (e.g. iPad, iPod Touch, iPhone).

    Here's a list of platforms available:
    KeePassPPC & KeePassSD (for PocketPC & Smart Devices; 1.x & 2.x)
    7Pass (for Windows Phone 7)
    MiniKeePass (for iPhone/iPad)
    iKeePass (for iPhone/iPad) <---This is the one I use on iPad
    MyKeePass (for iPhone/iPad)
    KyPass (for iPhone/iPad)
    KeePassDroid (for Android; at Google Play) <---This is the one I use on Android
    KeePassMobile (for J2ME / mobile phones)
    KeePassJ2ME (for J2ME / mobile phones)
    KeePassBB (for BlackBerry; compat. with KeePass 1.x)
    KeePassBB2 (for BlackBerry; compat. with KeePass 2.x)
    Export to Keyring (for Palm OS)
    KeePassX (for Linux / Mac OS X; compat. with KeePass 1.x)
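
Tip 4 (ActiveSync passcode enforcement and wipe) and the remote-wipe question above, sketched as an added example that is not from the original post. It assumes an Exchange Management Shell or Exchange Online PowerShell session; the policy name, mailbox, device name and help-desk address are hypothetical.

```powershell
# Added example. Hypothetical names: BYOD-Baseline, jdoe@district.example,
# helpdesk@district.example, and the 'iPad' device name used for matching.
$policyName = 'BYOD-Baseline'
$mailbox    = 'jdoe@district.example'

# 1. Define the policy: passcode required, idle lock, device encryption,
#    and a local wipe after repeated wrong passcodes.
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -AllowSimplePassword $false `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# 2. Assign the policy to the staff member's mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Inventory the devices that have synced with that mailbox.
$devices = Get-MobileDevice -Mailbox $mailbox
$devices | Format-Table FriendlyName, DeviceOS, DeviceId, FirstSyncTime

# 4. Device reported lost or replaced: request a wipe.
#    -AccountOnly (Exchange Online and newer on-premises versions) removes only
#    the Exchange data, which suits a personally owned device. Without it the
#    whole device is erased, personal content included, so the BYOD policy
#    should say so up front.
$lost = $devices | Where-Object { $_.FriendlyName -eq 'iPad' }
foreach ($device in $lost) {
    Clear-MobileDevice -Identity $device.Identity -AccountOnly `
        -NotificationEmailAddresses 'helpdesk@district.example'
}

# 5. Verify: the wipe is only complete once the device acknowledges it,
#    which requires the device to come online and sync.
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceFriendlyName, Status, DeviceWipeSentTime, DeviceWipeAckTime
```

A wipe request reaches the device only at its next sync, so a device that stays offline keeps whatever it already stored; that is the gap tip 5 (portal access with no local download) closes.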

To be honest, this list of tips appears quite feeble to me. While a part of it may come from the fact that BYOD makes it tough to secure data, another may be I'm just ignorant. What suggestions do you have?


Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

1 comment:

Anonymous said...

I think this is a very good post, and the moment you buy the gadget, you should work on securing the data you will store in it. Do not ever give your memory cards to anyone or sell them, as data can be retrieved from them even if you have completely deleted it.
