The enterprise ecosystem for mobile users and devices is complex and must be understood before a complete security approach can be designed.
The ecosystem consists of four major subsystems:
- End user
- Mobile device (hardware, operating system and applications)
- Corporate enterprise (servers, applications and services, and data sources)
- Network path (connects the mobile device to the corporate enterprise, e.g., local Wi-Fi or cellular communications, network carriers, the Internet and routers)
To achieve sufficient security for the entire mobile ecosystem, it is necessary to secure all four of these subsystems. Each subsystem exposes a particular set of vulnerabilities and, thus, each requires a security solution that addresses the subsystem’s needs.
CGI’s mobile device security solutions address each of these four areas in different ways—according to industry best practices, NIST guidelines and other associated regulatory requirements that may apply in specific customer environments—so each solution is tailored to address and/or mitigate the needs of each agency or enterprise environment.
THE IMPORTANCE OF POLICY
CGI recommends that mobile device security begin with the development and socialization of an organization-wide mobile device policy. Decisions made during the development and documentation of this policy will form the foundation of the resultant solution architecture, application development and testing policies, platform and/or device choices, technical implementation tools, processes and procedures, acceptable use policies and more. For example, end user service agreements become particularly important in BYOD environments, as certain measures taken to protect organizational data in the event of a lost device, such as a full device wipe, could, when activated, cause the user to lose personal data and/or pictures stored on the personal device. Organizations should ensure the policy covers topics from all four major areas listed above.