Crafting a mobile device strategy that fits your organization's needs while protecting information assets. These slides were prepared by Neil Jones, senior systems engineer at Nexxtep Technology Services. Learn more about Nexxtep on our website at ncare.com.

1. Mobile Device Security
Crafting a mobile device strategy that fits your organization’s
needs while protecting information assets

2. Mobile Device Trends
 Smartphone shipments in 2012 are projected to be at
around 631 million units, up from 468 million in 2011
 Tablet sales in 2012 are expected to nearly double last
year’s tally of 60 million, at 119 million units
 Apple’s iPad platform is expected to account for 60% of
those tablet sales
 PC hegemony over the market as the primary computing
device in business is being challenged

3. Frequently forgotten factoids
about mobile devices
 They’re little computers; processor, memory and
storage, just like the desktop or laptop PC in your office
 A would-be thief is more likely to steal a smartphone or
tablet than a laptop
 If your device is stolen, and lacks both a passcode/PIN
and data encryption, whatever’s on the device might as
well be posted on Facebook
 Without a means to remotely manage a device, you
have NO recourse in protecting/erasing sensitive data,
should the device be lost or stolen

4. Mobile Device Security:
Key Considerations
 Will my company furnish the devices, or will we allow
BYOD (Bring Your Own Device)? What about both?
 Where will sensitive data reside? On the server(s) or on
the device itself?
 How is the information accessed?

5. Company-furnished devices
 Cost for cellular service and repair/replacement of
lost/damaged phones is generally borne by the company
 Makes sense for organizations that publish the mobile
phone number of these devices in the phonebook, on
websites or in marketing materials
 Be as draconian as you’d like in managing these devices
(they’re property of the company). No Facebook,
Twitter, YouTube, etc.; just business. Erase at will if
necessary.

6. BYOD (Bring Your Own Device)
 employees use their personal smartphones/tablets to
access email and applications, which they're already
familiar with (little to no training)
 employees bear the cost of service and
repair/replacement when necessary
 a more measured approach to governing the encryption
of information stored on the device, and the recourse
with which to protect the data should the device
become lost or stolen

7. BYOD cont’d
Example: An employee uses his/her personal device to
access company email, where sensitive information
sometimes crosses. Whereas a company-provided device
could be erased without question, an employee's BYOD
likely has personal contacts, personal email, music, etc. A
mobile device strategy should outline clear boundaries as
to how far a company can go to protect its data. In this
case, a mobile device policy could be designed in such a
way, that only the company email access for that device is
revoked, and the data removed, with no impact to other
apps/services on the device.

8. Company-furnished device versus
BYOD conclusion
 Different levels of device management can be applied
to both classifications of device, whether you want to
completely lock the device down, or you want the user
to freely use the device as he/she wishes, as long as the
device meets security requirements

9. Where the data resides
 Server: This is always preferable to any sensitive
information residing on the device. Risks of data
compromise are mitigated through PIN/password
enforcement, and revocation of access to applications,
services and data can be easily revoked on the server.
More on this later.
 Device: We strongly discourage saving sensitive
information on mobile devices, but if it can't be
avoided, more stringent password/PIN requirements and
encryption, coupled with the ability to erase the device
in the event it's lost or stolen, protects against losses on
this front.

10. How the information is accessed
 Email: Through mobile device management, we can encrypt
data as it's stored on the device, revoke email access when
warranted, and protect access to the device with passcodes
or PINs.
 Desktop applications: Using technologies such as Citrix
XenApp or Microsoft RemoteApp/Remote Desktop, we can
provide secure access to programs and data residing on the
server, without any of that information actually being stored
on the mobile device. This is the preferred method for
accessing your line-of-business apps. The actual processing of
data resides on the server at all times, and you're simply
viewing/interacting with it on your tablet or smartphone.

11. How the information is accessed
cont’d
 Web applications/webclips look and act like apps, but
are really websites that are optimized for viewing on
your mobile device. Similar to the Citrix/Terminal
Services method for accessing apps and data, the data
does not get stored on the mobile device, but instead
just viewed. Transactions still take place on the server.

12. Wrap-up
Though the rapid adoption of mobile devices had initially
provided flexibility and opportunities for businesses, it's
also opened up businesses to old fashioned computer
security risks, just on a newer class of devices. The
methodology for securely incorporating these devices,
whether company-owned or personally owned, is taking
shape and should become a part of your overall IT
strategy, in the same way you'd secure a desktop or laptop
computer.