9 ways to secure tablets in the enterprise

Telling employees that their devices could get hacked is the first step


It may sound like common sense, but tablet security policies need to specify that employees protect tablets with passwords. Credit: Watcharakun

As more and more employees use their personal tablets at work, IT managers are struggling to protect sensitive company data. Requiring employees to use secure hardware can play a key role in meeting that challenge. But even among company-owned devices, security issues can persist when employees log onto the office Wi-Fi or open company email on their tablets.

“The castle walls have moved from the corporate network to the hand-held device,” said Michelle Megarry, a marketing account manager at Intel. “Cyber criminals are beginning to prioritize mobile devices due to their popularity as a device of choice for many employees and businesses.”

Conditions of computing

The first line of defense is to talk to employees about the possibility that their devices could get hacked or fall into the wrong hands. Many companies are requiring employees to sign agreements about the practices they need to follow, applications they can or cannot install and security standards the devices must meet.

“Give them an opportunity to opt out,” recommends J.J. Thompson, CEO of Rook Consulting, an IT security consulting firm. “If they don’t connect to the company, then they don’t have to worry about security. If they do, they have to follow company policies.”

But what exactly should these policies include?

Beyond rules about what data employees can download and store on their tablets, IT managers can also insist on specifications for any devices that simply access data.

What to require

Here are some key tenets to include on that list:

  1. Passwords – The device should not open unless a password is entered. This is a standard feature on most tablets, though the user may need to enable it through a setup menu. Biometric hardware, such as fingerprint readers, can take the place of a password. An even more secure device requires both a punch-in password and biometric recognition.
  2. Inactive time out – The device’s screen should go blank after a set period of time and require a password to unlock.
  3. Tracking ability – Software installed on the device should tell the user and the IT manager the location of the device in case it is lost or stolen.
  4. Remote access – The company should be able to remotely view the company data stored on the device. Windows 8 devices can be remotely disabled until recovered.
  5. Remote data wiping – The user and IT manager should have the option to erase data remotely. Some programs, such as MobileIron, can distinguish between personal and company data.
  6. Encryption – The device should support good encryption of business data, including public key infrastructure. It should support Secure Sockets Layer (SSL) encryption for communication between the server and the mobile device, as well as certificate-based authentication with a self-signed certificate, a certificate from an existing public key infrastructure, or a third-party commercial certificate. Many of these capabilities can be found in Microsoft’s Exchange ActiveSync and other programs.
  7. Hardware-based authentication – The device should incorporate private keys, one-time password tokens and public-key infrastructure certificates. These measures eliminate the need for a separate physical token. And if the credentials are secured inside the platform, they ensure that the tablet accessing the VPN is the one assigned to the employee.
  8. Protection below the operating system – Penetrating rootkits, malware and similar attacks can strike the hypervisor, BIOS and other firmware. The device’s architecture should resist these attacks. For example, Intel vPro includes a system for checking the launch of each component on the device against a known launch-time configuration and blocks the launch of any unapproved code. Some Dell products also include unique extensions to vPro that allow IT managers to remotely read and write BIOS settings, read the battery’s status and wipe the hard drive.
  9. Protection against screen scraping – The device should be able to confirm user presence, verify transactions and allow PIN input prior to the release of credentials to eliminate the risk from screen scrapers and key loggers.
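A checklist like this is normally enforced as a posture check before a tablet is allowed to reach company data. The sketch below is an added example, not code from the article or from any product it names: the field names, the 300-second lock limit, and the choice to treat items 1, 2, 5 and 6 as blocking while items 3 and 7 only limit access are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_IDLE_LOCK_SECONDS = 300  # assumed threshold; the article gives no number


@dataclass
class DevicePosture:
    """Posture an MDM agent might report; all field names are hypothetical."""
    device_id: str
    passcode_enabled: bool
    biometric_enabled: bool
    idle_lock_seconds: Optional[int]  # None = screen never locks
    location_tracking: bool
    remote_wipe_enrolled: bool
    storage_encrypted: bool
    hardware_backed_cert: bool


def evaluate(d: DevicePosture):
    """Return (decision, failed_items). Items 1, 2, 5, 6 block access;
    items 3 and 7 only downgrade the device to limited access."""
    blocking, advisory = [], []
    # Item 1: a biometric reader may stand in for the password.
    if not (d.passcode_enabled or d.biometric_enabled):
        blocking.append("1-password")
    # Item 2: a lock that never fires fails the same as one that is too slow.
    if d.idle_lock_seconds is None or d.idle_lock_seconds > MAX_IDLE_LOCK_SECONDS:
        blocking.append("2-inactive-timeout")
    if not d.remote_wipe_enrolled:
        blocking.append("5-remote-wipe")
    if not d.storage_encrypted:
        blocking.append("6-encryption")
    if not d.location_tracking:
        advisory.append("3-tracking")
    if not d.hardware_backed_cert:
        advisory.append("7-hardware-auth")
    decision = "block" if blocking else "limited" if advisory else "allow"
    return decision, blocking + advisory


# Constructed sample fleet, not real inventory data.
FLEET = [
    DevicePosture("tab-001", True, True, 120, True, True, True, True),
    DevicePosture("tab-002", True, False, 600, True, True, False, True),
    DevicePosture("tab-003", False, True, 60, False, True, True, False),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.device_id, *evaluate(dev))
```

Returning the failed item numbers alongside the decision lets the help desk tell an employee exactly which setting to change before access is restored.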

Of course, none of these measures will help much unless the employees use them. So communication and some basic training will always be essential as tablets and their owners come and go.

Laird Harrison
Laird Harrison has written about technology, business and health for Reuters, Time and WebMD. Living in Oakland, California, Harrison is also a novelist.
  • Mark Rockett

    Um…

  • http://bellsouthpwp.net/h/t/htos1/blogs.htm 2jeffwilliams

    The PC is dead. Yeah, I’m gonna need you to come in on Saturday….

  • RudeDudeAintNude

    “Meanwhile, companies should make these tablets so difficult to use by burdening them with overstated security controls that employees will just decide to not use the tablets because all of the functionality of the tablets is stripped by said security controls…..”

  • Rancher

    Do I need all that for just home use? I do have all mine set up with a password and it has to be used again when it times out.

    • Benster

      If your device (and most do) supports encryption of the OS and the SD card used in it, by all means encrypt it. Yes, it’s a pain to enter a password every time it times out, but then again it’s more of a pain cleaning up the damage done from identity theft. A password alone is not good enough; if your device does not support encryption, then use third-party software. TrueCrypt is free, as are many other open source solutions that are available. And don’t stop with your mobile device: home PCs should be treated the same. Any device containing personal data should be protected!

      • Lawman561

        I do the same thing (encrypt and require PW when my Sony Xperia times out). It sometimes is a pain, but I have a mid-level time out, so it’s a small price to pay for some security peace of mind. Good point.

  • tony castelli

    You don’t need any of that stuff unless you don’t want anyone using your tablet: your kid, wife, etc. Oh yeah, you can leave the tablet at home.

  • silentfor56years

    Rename your wireless router to NSA Vehicle 1331. You will scare away the hackers.

  • Grumpy2012

    The Surface Pro (if it ever gets LTE) will be a game changer as it has the ability to run x86 applications.

    Can’t wait to access the corporate database from the beach at Cancun.

  • Phillep Harding

    Basic problem? Hardware is not designed to be secure. Momentary push button? Not secure. Need a throw switch, but the people who make computers, hubs, modems (yes, yes, no more modems, but same/same), and computers? They refuse to use them. Same for cell phones, from what I hear.