Mobile device technical controls are essential for providing security and management capabilities, regardless of which mobile device management (MDM) solution you are using. However, many organizations go out of their way to protect data on laptops, servers, and networks, but fail to protect the mobile computers that we all carry around in the form of a smartphone and/or tablet. This is often the case with both company-issued devices and instances where personal/BYOD (Bring Your Own Device) devices are employed, with BYOD severely compounding the issue. For every organization that has embraced an official BYOD program, with policies, guidelines, and technical controls in place to protect data, there are many more organizations that have “unofficial” BYOD programs without any data and security safeguards, whether they know it or not.
Regardless of whether your organization is using BYOD or corporate-issued devices, it is essential that, at the very least, basic mobile device technical security controls are employed. Technical security controls can be deployed in the form of mobile device policies using common email systems such as Microsoft Exchange and Google Apps, or using native tools such as BlackBerry Enterprise Server or Apple Configurator.
The basic controls and policies that should be deployed to mobile devices are as follows:
- Device Password/PIN Lock – At least 6 characters
  - Reduces the likelihood of brute-force access to the device
- Device Inactivity Auto-lock – 1-2 minutes
  - Reduces the likelihood of an unauthorized user accessing a recently unlocked device
- Device Password/PIN Expiration – 90 Days
  - Reduces the ability to use a known password/PIN for unauthorized access
- Device wipe after exceeded failed password/PIN attempts – 5 failed attempts
  - Reduces the likelihood that a brute-force access attempt against a mobile device succeeds, especially for lost/stolen devices
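
One way to check exported device policies against the four baseline values listed above, as an added example that is not part of the original article. The setting names and sample policies are hypothetical and constructed for illustration, and the code assumes that a missing value or 0 means the control is not enforced.

```python
# Added example: audit exported device-policy settings against the baseline above.
# Setting names are hypothetical; map them from your own mail/MDM policy export.

# (direction, limit): "min" = value must be at least limit, "max" = at most limit.
BASELINE = {
    "min_passcode_length": ("min", 6),          # at least 6 characters
    "auto_lock_seconds": ("max", 120),          # 1-2 minutes of inactivity
    "passcode_max_age_days": ("max", 90),       # expire after 90 days
    "wipe_after_failed_attempts": ("max", 5),   # wipe after 5 failed attempts
}

def audit_policy(policy):
    """Return a list of baseline deviations for one policy (empty if compliant)."""
    if not policy.get("passcode_required", False):
        # Without an enforced passcode the other four controls have no effect.
        return ["passcode_required: passcode/PIN is not enforced"]
    findings = []
    for key, (direction, limit) in BASELINE.items():
        value = policy.get(key)
        if not value:  # assumption: None or 0 means the control is not configured
            findings.append(f"{key}: not set (baseline: {direction} {limit})")
        elif direction == "min" and value < limit:
            findings.append(f"{key}: {value} is below the minimum of {limit}")
        elif direction == "max" and value > limit:
            findings.append(f"{key}: {value} exceeds the maximum of {limit}")
    return findings

def audit_fleet(policies):
    """Map each non-compliant policy name to its findings."""
    results = {name: audit_policy(p) for name, p in policies.items()}
    return {name: f for name, f in results.items() if f}

# Constructed sample policies, not taken from any real environment.
SAMPLE_POLICIES = {
    "corp-phones": {"passcode_required": True, "min_passcode_length": 6,
                    "auto_lock_seconds": 60, "passcode_max_age_days": 90,
                    "wipe_after_failed_attempts": 5},
    "byod-default": {"passcode_required": True, "min_passcode_length": 4,
                     "auto_lock_seconds": 300, "passcode_max_age_days": 0,
                     "wipe_after_failed_attempts": 10},
    "legacy-tablets": {"passcode_required": False},
}

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_POLICIES).items():
        print(name, *findings, sep="\n  - ")
```
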
Keep in mind that these are only basic security controls. MANY additional device policies are available, even without a full MDM solution such as AirWatch or MobileIron, and comprehensive mobile device security controls should be deployed to all mobile devices in your environment.