Employee-owned handhelds: Security and network policy considerations


Mike Chapple, CISA, CISSP
04.08.2008


BlackBerrys, iPhones, Treos, iPods and other network-enabled handheld gadgets are now an essential part of our lives. Almost everyone carries at least one electronic gizmo in their pocket, and many of these devices now provide quick and easy access to wireless networks.

Organizations have taken various positions regarding personally owned network devices. Some provide wireless Internet access to employees and visitors as a convenience, while other companies restrict their networks to corporate systems. Many enterprises struggle with the threat of data breaches that may be caused by the storage, processing and transmission of corporate data on personally owned devices.

In this tip, we'll discuss the security implications of managing smartphones, handhelds and other end-user devices within the enterprise. First, it's important to decide whether to allow the use of any non-corporate devices on your network. While answering this question with a simple "no" may seem like an easy way to resolve the issue, the question deserves more thorough consideration. Allowing personal devices that access the Internet may be a move that increases employee morale. Also, hard-line policies have a way of changing quickly -- especially when the boss is the one who shows up with a new wireless toy!

Isolating personally owned devices
The vast majority of personally owned devices will connect to an organization's wireless (rather than wired) network. Enterprises can react by simply adding a different SSID to access points, which will provide an isolated network for personally owned systems. Once this change is implemented, decisions should be made about giving the network completely open access or instead requiring authentication through the use of a "captive portal." Captive portals, often used by hotels and coffee shops, redirect all HTTP requests from unknown clients to a special Web page until users authenticate with valid credentials; upon doing so, they are then granted access to the Internet.

Devices on isolated networks should not have direct access to corporate resources, especially if authentication is not required. If your policy does allow the use of corporate data on personal devices, users on the guest network should be required to connect to your VPN prior to accessing those resources. The goal is to maintain the "untrusted" state of the guest network.
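
The isolation rule above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original tip: it walks a first-match rule list and reports any corporate address space a guest client can reach without going through the VPN gateway. The subnets, the VPN gateway address and the (action, source, destination) rule format are assumptions, and ports are not modelled.

```python
import ipaddress as ip

def subtract(nets, cut):
    """Remove CIDR `cut` from a list of CIDRs (CIDRs are nested or disjoint)."""
    out = []
    for n in nets:
        if cut.supernet_of(n):
            continue                               # n is fully covered by cut
        out.extend(n.address_exclude(cut) if n.supernet_of(cut) else [n])
    return out

def audit_guest_isolation(rules, guest, corporate, vpn_gateway, default="deny"):
    """List ways first-match rules let guest clients reach corporate space directly.
    rules: ordered (action, src_cidr, dst_cidr) tuples; ports are not modelled."""
    guest, vpn = ip.ip_network(guest), ip.ip_network(vpn_gateway)
    # Corporate space still undecided; the VPN gateway is the one permitted target.
    undecided = subtract([ip.ip_network(c) for c in corporate], vpn)
    findings = []
    for idx, (action, src, dst) in enumerate(rules, 1):
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if not src.overlaps(guest):
            continue                               # never matches a guest client
        if action == "allow":
            for n in undecided:
                if n.overlaps(dst):
                    exposed = n if dst.supernet_of(n) else dst
                    findings.append(f"rule {idx}: guest can reach {exposed}")
        if src.supernet_of(guest):                 # decides this traffic for all guests
            undecided = subtract(undecided, dst)
    if default == "allow":
        findings += [f"default: guest can reach {n}" for n in undecided]
    return findings

# Constructed rule sets (addresses are assumptions, not from the article).
GUEST, CORP, VPN = "192.168.50.0/24", ["10.0.0.0/8"], "10.255.0.10/32"
WEAK = [
    ("allow", GUEST, "10.20.0.0/16"),              # "temporary" file-server access
    ("deny",  GUEST, "10.0.0.0/8"),
    ("allow", GUEST, "0.0.0.0/0"),
]
HARDENED = [
    ("allow", GUEST, VPN),                         # VPN gateway only
    ("deny",  GUEST, "10.0.0.0/8"),
    ("allow", GUEST, "0.0.0.0/0"),                 # Internet
]

if __name__ == "__main__":
    print(audit_guest_isolation(WEAK, GUEST, CORP, VPN))
```

The weak rule set fails because the allow for the file-server subnet is matched before the deny that was meant to keep the guest network untrusted.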

Posture checking with NAC
Many organizations are struggling to find the proper place for network access control technologies in their enterprise security architectures. A guest network, however, is a clear-cut case where system posture verification provides powerful benefits. In fact, it's a great place to run a NAC pilot if an organization is considering an enterprise-wide NAC deployment and wants to test out this complex technology on a limited scale. Before allowing any device to connect to a guest network, enterprises can use NAC to verify that the endpoint meets minimum security standards, including -- at the very least -- having properly configured antivirus and host firewall software.

Use of corporate data
When employers allow personally owned devices to handle corporate data, the security concern transcends a company's buildings and reaches into employee homes, possibly even affecting a worker's productivity. In today's society, it's commonplace for employees to work from home, either to regularly telecommute or simply catch up on email during evening and weekend hours. If you have remote workers who use their personal mobile devices, take the time to clearly spell out the corporate policy on appropriate behavior: what type(s) of data may users process on non-corporate systems and in what manner? If you haven't clearly stated your requirements in this area, it's almost certain that there's a "gray market" of unofficial use in your organization.

Decisions regarding the use of employee-owned devices in the enterprise require balancing security requirements with practical concerns. This balance will vary greatly from one organization to another and requires a combination of careful thought and appropriate security controls.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
