As more and more employees use their personal tablets at work, IT managers are struggling to protect sensitive company data. Requiring employees to use secure hardware can play a key role in meeting that challenge. But even among company-owned devices, security issues can persist when employees log onto the office Wi-Fi or open company email on their tablets.
“The castle walls have moved from the corporate network to the hand-held device,” said Michelle Megarry, a marketing account manager at Intel. “Cyber criminals are beginning to prioritize mobile devices due to their popularity as a device of choice for many employees and businesses.”
Conditions of computing
The first line of defense is to talk to employees about the possibility that their devices could get hacked or fall into the wrong hands. Many companies are requiring employees to sign agreements about the practices they need to follow, applications they can or cannot install and security standards the devices must meet.
“Give them an opportunity to opt out,” recommends J.J. Thompson, CEO of Rook Consulting, an IT security consulting firm. “If they don’t connect to the company, then they don’t have to worry about security. If they do, they have to follow company policies.”
But what exactly should these policies include?
Beyond rules about what data employees can download and store on their tablets, IT managers can also insist on specifications for any devices that simply access data.
What to require
Here are some key tenets to include on that list:
- Passwords – The device should not open unless a password is entered. This is a standard feature on most tablets, though the user may need to enable it through a setup menu. Biometric hardware, such as fingerprint readers, can take the place of a password. An even more secure device requires both a typed password and biometric recognition.
- Inactive time out – The device’s screen should go blank after a set period of time and require a password to unlock.
- Tracking ability – Software installed on the device should tell the user and the IT manager the location of the device in case it is lost or stolen.
- Remote access – The company should be able to remotely view the company data stored on the device. Windows 8 devices can be remotely disabled until recovered.
- Remote data wiping – The user and IT manager should have the option to erase data remotely. Some programs, such as MobileIron, can distinguish between personal and company data.
- Encryption – The device should support strong encryption of business data, including public key infrastructure. It should support Secure Sockets Layer (SSL) encryption for communication between the server and the mobile device, as well as certificate-based authentication with a self-signed certificate, a certificate from an existing public key infrastructure, or a third-party commercial certificate. Many of these capabilities can be found in Microsoft’s Exchange ActiveSync and other programs.
- Hardware-based authentication – The device should incorporate private keys, one-time password tokens and public-key infrastructure certificates. These measures eliminate the need for a separate physical token. And if the credentials are secured inside the platform, they ensure that the tablet accessing the VPN is the one assigned to the employee.
- Protection below the operating system – Rootkits, malware and similar attacks can target the hypervisor, BIOS and other firmware. The device’s architecture should resist these attacks. For example, Intel vPro includes a system for checking the launch of each component on the device against a known launch-time configuration and blocks the launch of any unapproved code. Some Dell products also include unique extensions to vPro that allow IT managers to remotely read and write BIOS settings, read the battery’s status and wipe the hard drive.
- Protection against screen scraping – The device should be able to confirm user presence, verify transactions and allow PIN input prior to the release of credentials to eliminate the risk from screen scrapers and key loggers.
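As an added illustration, not code from the article, Dell or Intel: the password, inactive time-out, encryption and remote data wiping tenets above expressed as an Exchange ActiveSync mobile device mailbox policy in the Exchange Management Shell (Exchange 2013 or later). The policy name, mailbox, device type and notification address are assumed placeholders.

```powershell
# Added example: enforce the tablet baseline through Exchange ActiveSync.
# Placeholder names: 'Corp-Tablet-Baseline', 'jdoe@example.com', 'it-security@example.com'.

# 1. Define the policy. Devices that cannot honour every setting are refused.
$baseline = @{
    Name                         = 'Corp-Tablet-Baseline'
    PasswordEnabled              = $true        # device must not open without a password
    AlphanumericPasswordRequired = $true        # reject short numeric PINs
    AllowSimplePassword          = $false
    MinPasswordLength            = 8
    MaxPasswordFailedAttempts    = 10           # device wipes itself after 10 bad entries
    MaxInactivityTimeLock        = '00:05:00'   # blank the screen and lock after 5 idle minutes
    PasswordExpiration           = '90.00:00:00'
    RequireDeviceEncryption      = $true        # business data encrypted at rest
    AllowNonProvisionableDevices = $false       # block devices that cannot apply the policy
}
New-MobileDeviceMailboxPolicy @baseline

# 2. Assign the policy to a mailbox; the tablet receives it at its next sync.
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy 'Corp-Tablet-Baseline'

# 3. Verify which devices synced and whether each one actually applied the policy.
Get-MobileDeviceStatistics -Mailbox 'jdoe@example.com' |
    Select-Object DeviceType, DeviceID, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# 4. Lost or stolen tablet: wipe it remotely. -AccountOnly (Exchange 2016 and
#    Exchange Online) removes only the company mailbox data and leaves personal
#    data alone; omit it to wipe the whole device. The IT manager is notified
#    by email once the device acknowledges the wipe.
$device = Get-MobileDevice -Mailbox 'jdoe@example.com' |
    Where-Object { $_.DeviceType -eq 'iPad' }     # assumed device type
Clear-MobileDevice -Identity $device.Identity -AccountOnly `
    -NotificationEmailAddresses 'it-security@example.com'
```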
Of course, none of these measures will help much unless the employees use them. So communication and some basic training will always be essential as tablets and their owners come and go.