Security Basics mailing list archives
[Mobile Security] Help with Un-managed Devices
From: Chris Davis <cdlists () gmail com>
Date: Fri, 23 Sep 2005 01:54:55 -0500
We just finished an audit of our mobile device infrastructure and I'd like to throw a question out to you guys. Think benchmark. We have concerns about un-managed devices such as someone's personal HP Smartphone or latest Palm device. How do you handle this? I would love to know how other companies approach this. We are a large, well-known company (50k+ employees and 200+ locations worldwide). Are there others on the list that struggle with the same issue?

We lobby managed solutions using Goodlink and BlackBerry Enterprise Server to our users. A managed solution has features to remotely lock or wipe the device and forces the user to use a password. Users are given 10 attempts before the device is wiped. We only require 4 characters with moderate filtering for things like 1111 or aaaa. The premise behind this is the mitigating control of 10 attempts till the device wipes itself.

A managed solution has a software client that installs on the mobile device and allows for centralized control. Un-managed devices do not have a client, and come into the company and leave at will.

I was a mobile hardware security engineer a few years ago and worked a lot with software developers. Basically in both cases BES and Goodlink disable ports (using software - yes) till the password is entered. This makes tools like Paraben Cell and PDA Seizure useless. Not perfect - but effective.

At my company we have strong policies, but we're not using technology to stop users from bringing smart mobile devices into work. We're not using tools to stop users from loading software on their desktop that uses the devices. We don't stop users from connecting to the network. Are loose mobile devices an issue? We think so.

So bottom line - How are you guys handling un-managed mobile devices?

Thanks in advance,

Best regards,
Chris