The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
Mobile Device Management: The Missing Piece of the Puzzle

almost never kept within the safety of your protected network. They travel to home networks, coffee shops and hotel rooms, and these are just a few of many threats related to using mobile devices.

Mobile device malware is a booming business and will only continue to grow, as security controls are weak ... where they exist at all. The distribution of applications in the mobile world is very different from traditional computers. Some mobile platforms take steps to protect users from malicious programs, while others offer an open marketplace that creates an opportunity for malicious apps to propagate.

Most of the new mobile device malware targets personal and confidential data. After all, what's really important, the device or the data? The device we can replace easily enough. The trust and loyalty of our clients is not recovered so easily.

Mobile devices provide a number of means to access protected data, such as flaws in password management, encryption and application verification. Mobile device users themselves might be as big a threat as attackers, as most are unaware of the new threat landscape of the mobile world. For example, one of the earliest iPhone vulnerabilities existed on jail-broken devices only. Rooting and jail-breaking mobile devices does give the user more control over what can be done with the device, but it often removes security controls put in place by the manufacturer.

Data Bring Another Layer of Difficulty

If mobile devices can access sensitive and confidential data, a data leak is waiting to happen. A mobile device can be a conduit for information to leave the confines of the firm through apps, such as Dropbox, or simply through email. How do you know if the mobile device falls within the scope of a legal hold or subpoena? Are confidential discussions happening across insecure channels?
The amount of data being stored on each device continues to grow with:

• Email messages and attachments
• Text messages, iMessage, PIN-to-PIN messages and other instant messaging services
• App data (Dropbox, Accellion, Facebook, Google+, Skype, etc.)
• Multimedia files (movies, photos and voice memos)
• Metadata (phone call history, Web browsing history, Skype history, etc.)

Mobile devices are used for both business and personal purposes. We might be able to wipe the data from the device remotely to prevent leakage, but we also wipe out personal photos, albums, movies and contacts. If the device is firm-owned, this might not be an issue. However, devices that are personally owned might not be subject to this policy.

Governance Provides Instructions

It all starts with governance: policies and standards. Mobile device policies are needed as a firm foundation for an MDM strategy. After all, we can't prevent a certain application or mobile platform from being used if we don't have a policy that states what is allowed.

There will be many areas to address in mobile device governance. In my experience, the big thorny ones are personal device use (BYOD), what mobile platforms and carriers are supported and/or allowed for use, and device termination.

A BYOD policy is in demand from employees inside and outside of the legal profession. People want to be able to use their favorite type of iPhone, Android or BlackBerry rather than a firm-issued model. Allowing personal devices presents unique security issues, as well as legal challenges.

The selection of mobile device platforms and carriers is a surprisingly big issue in many organizations. As with BYOD, employees want their preferred platform and carrier. This presents security concerns as each device platform has its own risk profile (threats and vulnerabilities). For example, your policy might state that only devices that implement data encryption are allowed.
This would eliminate a large portion of devices from availability.

Depending on how the firm governs personal device use, the process for decommissioning devices could prove difficult. This policy typically indicates that firm-owned data and applications will be removed upon departure from the firm. That can mean personal data might be removed as well.

While every organization is different and will have different policies, defining your mobile device policies first is key to a successful MDM deployment.

Essential MDM Technical Controls

The most fundamental goals of a mobile device management strategy should cover these four things:

• Asset Management: If devices are the property of your firm, there are very good odds that at least some sort of asset management is being done. MDM solutions offer multiple ways of tracking and categorizing assets. They can automate your inventory maintenance by collecting information from enrolled mobile devices, such as OS version, hardware model and specifications. Monitoring for changes is simplified as well. Additions, changes and deletions are all collected automatically. MDM can link devices with their owners and track their movements, and can also group devices together by practice or department.