Securing Your Digital Transformation: Devices
Amy Stokes-Waters
The Cyber Escape Room Co. | Security Education, Awareness & Engagement | Experiential Learning | Corporate Events | Non Exec Director | Full Time Feminist | Oh FFS...
After a brief summer hiatus (seriously, where has the time gone?!), I'm back and it's time to talk about the next step in securing our digital transformation...
We've previously covered identities (here) and data (here) so now let's look at devices. This article is going to focus on laptops and mobiles, although I know there is a major problem with IoT devices about to hit the market (who knew you could hack a fridge?!) but I'll leave that topic for another day... So, let's get stuck in!
What's in Our Estate?
When we do a digital transformation project, we're pushing our data to the cloud. Why? Well apart from increased resilience and reduced operating costs (no more server refresh and patching, wahey!), a lot of the time it's to allow our teams to work when they're not in the office. We give them laptops and there's no point having a portable device if it has to be locked down to a desk to work, right?
So when we're talking devices, the first thing to look at is our device estate, i.e. what devices do our employees have that they'll be accessing corporate data on? Obviously, that will include corporate-owned devices like laptops, and mobile phones provided to employees, even tablets if you're fancy and like to read slides on an iPad. But what about companies who let us bring our own devices?
Bring Your Own Device (BYOD) can be easily overlooked, but it can account for a bigger percentage of our devices than corporate-owned. Personally, I hate having two phones. So, when offered the chance to have a work mobile, I said, "No thanks! I've just bought myself a shiny new iPhone XR." I still want to access my emails on it, message the Man Utd fans on Teams about Rashford's missed penalty (ouch) and update my ever-growing sales pipeline on Salesforce though. Other people might want to use their own iPads, Android devices, Macs, Chromebooks, etc. So how can an organisation facilitate this securely?
Mobile Device Management v Mobile Application Management
Well, one of the first things to invest in is a mobile device management, or MDM, solution. For me as a Microsoft girl, Intune is the way to go (other MDM solutions are out there and will have similar functionality, but it'll be Intune I'm focused on here). An MDM solution lets organisations put controls onto mobile devices that enables users to work securely, keeps data safe and ensures peace of mind for your organisation's infosec team.
When working with an MDM solution, the first thing to look at is whether we're securing our data on a corporate or BYOD device. Intune allows organisations to differentiate between the two and provides options for stricter sets of controls on corporate-owned devices. Once a corporate device is enrolled into Intune, you can create configuration policies to do things like modify settings on the device (e.g. mark the device non-compliant if it's running a legacy OS), push out or block specific applications, and perform a full device wipe, e.g. if a device is lost or stolen.
When it comes to BYOD, the options are more limited. Users don't want their workplace to see all data on their personal mobile, and certainly don't want them to have the ability to remotely wipe the full device. This is where MAM, or mobile application management, comes in. MAM policies can be created to be used on both corporate devices and BYOD, and are used to protect an organisation's data within specific applications. For example, on my personal mobile, I have the Outlook application which contains all of my work emails, contacts, etc. Now I'm not dodgy (not in that way anyway!!) and I have no interest in corporate espionage, but if I did, my organisation has had the foresight to set up policies which block me from being able to copy and paste data from any corporate applications (i.e. the ones I sign into with my work credentials) to any personal applications.
The below screenshots show what happens when I try to copy Shelley's email from my Outlook work inbox (so a corporate app) to the Apple Notes application (a personal app). As an aside, if I was trying to copy from my personal Outlook account, then I wouldn't run into any issues, as that's my personal data and I can copy and paste that where I want to.
That shows one of the ways our corporate data can be protected from malicious actors, but what happens if I leave the organisation? As I mentioned above, people don't want their employers having access to remote wipe their device. I have over 10,000 pictures of my daughter on my phone (yes, I am one of those mothers, and yes, they are backed up to the cloud) so if I leave the business, I don't want our IT team to get rid of all those. That's where the ability to selectively wipe devices comes in. Companies can choose to just wipe corporate data off an employee's BYOD device - protecting their own data and not affecting the employee's personal use of their own device.
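As an added example (not from the article or from Microsoft), here is a small Python model of the MDM/MAM controls described in the last few paragraphs: a MAM app protection policy that lets copied data leave a managed app only for another managed app, a compliance policy with a minimum OS version, and a wipe routine that only ever removes corporate data from a BYOD device. The two policy bodies use property names from the Microsoft Graph managedAppProtection and iosCompliancePolicy resources; the evaluation functions, the 15.0 baseline and the device records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Policy bodies use Microsoft Graph managedAppProtection / iosCompliancePolicy property
# names; the values and the evaluator below are constructed for illustration, not Intune code.
APP_PROTECTION_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "allowedOutboundDataTransferDestinations": "managedApps",         # no "Save as" to personal apps
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",  # copy out only to managed apps
    "allowedInboundDataTransferSources": "allApps",                   # pasting INTO Outlook is fine
}
COMPLIANCE_POLICY = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "osMinimumVersion": "15.0",  # assumed baseline; anything older is marked non-compliant
}

@dataclass
class Device:
    name: str
    corporate_owned: bool
    os_version: str
    managed_apps: set = field(default_factory=set)   # apps signed in with work credentials
    personal_apps: set = field(default_factory=set)

def clipboard_allowed(policy: dict, src_app: str, dst_app: str, device: Device) -> bool:
    """Paste from src_app to dst_app: MAM only restricts data leaving a managed app."""
    if src_app not in device.managed_apps:
        return True                                   # personal data, paste anywhere
    level = policy["allowedOutboundClipboardSharingLevel"]
    if level == "allApps":
        return True
    if level in ("managedApps", "managedAppsWithPasteIn"):
        return dst_app in device.managed_apps         # work -> work OK, work -> Notes blocked
    return False                                      # "blocked"

def os_compliant(policy: dict, device: Device) -> bool:
    """Compare versions numerically so '15.10' counts as newer than '15.9'."""
    minimum = tuple(int(p) for p in policy["osMinimumVersion"].split("."))
    actual = tuple(int(p) for p in device.os_version.split("."))
    return actual >= minimum

def wipe(device: Device, full: bool = False) -> set:
    """Selective wipe removes only managed-app data; a full wipe is corporate-only."""
    if full and not device.corporate_owned:
        raise PermissionError(f"{device.name} is BYOD: only a selective wipe is allowed")
    removed = set(device.managed_apps)
    device.managed_apps.clear()
    if full:
        removed |= device.personal_apps
        device.personal_apps.clear()
    return removed
```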
So that is an extremely high-level intro to basic MDM / MAM capabilities. And a lot of organisations will have this kind of thing implemented already - I've found when working with Microsoft EMS E3 / E5 clients, Intune is usually the first thing that has been implemented by their internal IT team / external IT provider. But we need to look beyond this now and think about the other threats that could affect our mobile devices.
The New Corporate Network
When we think about mobiles, we don't tend to think about network security. But that's one of the main risks to our corporate data. How many times have you sat in Starbucks (other coffee establishments are available) with your mobile device, hooked up to their wi-fi, and then accessed your emails? I bet you a grande skinny chai latte that the answer is "loads".
So Starbucks wi-fi is effectively your new corporate network. And how much do you know about it? Do you know if it has a firewall? Do you know all the people connected to it? Are there any network monitoring tools on there to look for dodgy traffic? Who knows? But we're still trusting these unsecured wi-fi networks with our most precious corporate assets every single time we hook up our phones or tablets and start scrolling through Outlook or Salesforce or ZenDesk or whatever application you've got open.
But what's the answer? Well, apart from not logging on to unsecured wi-fi networks (the clue is in the name, people!), we should be applying additional mobile endpoint security tooling to our mobile devices to provide an extra layer of protection. Man-in-the-middle attacks happen. People intercept wi-fi connections. So why not give yourself a safety blanket? The one I use, and would recommend to others is Lookout. If you've not heard of these guys, then you really should look out for them (sorry, couldn't resist).
Not only does their application provide you with a VPN, meaning you've just connected securely on an unsecured network, it provides you with application protection, system protection, and phishing protection. So if you download a dodgy app from the App Store / Google Play Store (trust me, not every app on there is secure), have an outdated OS on your device, or get sent a dodgy link via text / app notification / email, then you'll be alerted to it and can do something about it. Dark mode is for your apps, not your knowledge.
We'll be doing more of a deep dive into mobile endpoint security on our podcast (release date TBC) and I'll be doing another article on the ins-and-outs in more detail but for now, hopefully that got some brains thinking. Make sure you know what devices are accessing your data, think about a solid MDM / MAM solution, and be aware of the mobile threat landscape. If you want to talk in more detail about securing your devices, then drop me a line on [email protected].
Content Associate @ Beauhurst by Day | Book Blogger by Night
5 years
Great piece, Amy. Explaining complicated topics in a super top-level way is a real skill - one I'm still working hard on trying to perfect!
Interim Programme Manager | ERP & CRM | Business & Digital Transformation | Change Leadership | Agile | IT Strategy | CEng CITP MIIM MIoD MBCS MCIM MCIET #ono
5 years
Good high level easy to read article Amy Stokes-Waters. What about MFA? :-)
Good read Amy. It's nice to see a blog with some personality shining through
Security Executive @BlueVoyant | Microsoft Worldwide Security Partner of the Year
5 years
*Super Like*
I help businesses work securely | Expert in Microsoft 365 and Azure | M365 Online Course Creator | Inside Agent
5 years
Apart from a glaring error about supporting Man United, this is one of the best round-ups I've read about MDM/MAM included in M365. Great summary, good example photo, top notch as always Amy Stokes-Waters. I'll be on the look out for Look Out too!