The number of tablet owners continues to soar, making it difficult for manufacturers to keep up with demand. New tablet owners are increasingly business users, particularly within industries such as retail, banking, and healthcare. Estimates indicate that 25 percent of tablet sales in 2011 will be made by enterprises, leading some to call 2011 the year of the enterprise tablet. All estimations aside, a tablet’s ability to provide mobility and flexibility is irrefutable, and businesses are noticing. But can tablets be deployed in an enterprise without sacrificing security?
With newer technologies, there’s always risk; however, the natural progression from laptops to tablets (compared to the leap from workstations to laptops in the ’90s) provides risk maturity that can make the move relatively seamless for an enterprise. Still, there are considerations that should be made prior to migrating.
The use of tablets within a business poses several risks specific to the device (largely due to its mobility) that should be communicated to employees to ensure that the appropriate precautions are taken to secure company information. Mobile device security training should be administered to all employees that require the use of mobile devices before they’re allowed to connect these devices to the organization’s internal network. Training should include but not be limited to:
Similar to inactivity timeouts and “ctl+alt+del” in a typical workstation or laptop environment, passcodes and autolock settings should be implemented to protect the tablet from unauthorized access. Inactivity settings, passcode strength, and the required frequency for passcode changes should all be adjusted to meet business or regulatory requirements. This can be done per device or centrally with the use of third-party mobile device management (MDM) software. The latter is recommended, as it provides for greater corporate control.
Using MDM, a configuration profile is installed on each device that manages security settings. This configuration profile should be protected from alteration by the end user by restricting access to the profile with the use of an administrator password. In this manner, only authorized individuals can make changes to the settings. Configuration profiles used in conjunction with MDM allow an administrator to make configuration changes centrally and push the updates out to users without the need of any interaction from the end user.
Tablets do not have built-in logging capabilities; however, applications are available that allow an enterprise to centrally log and monitor the following types of activities:
Logging and monitoring activity is always good security practice; however, depending upon the industry, logging and monitoring may be a requirement!
Many companies currently protect laptops with full disk encryption. The need for encryption on tablets is no different. Tablets should support strong encryption to secure all data on the device. For further protection, tablets should be configured to accept remote and local wipes. The remote wipe feature allows an administrator to remove all data and deactivate devices remotely in the event that they’re lost or stolen. The local wipe function automatically erases all user data on the device after 10 failed passcode attempts.
While encryption and remote wipe features clearly enhance the security of data, they also reinforce the need for regular data backups. Without an enforceable way to require tablet backups, policies and procedures are integral to data availability and protection. Enterprises should communicate to tablet end users the importance of frequent, periodic backups and discourage the creation and/or storage of confidential or critical information on tablets whenever possible.
General guidance for securing mobile devices is available and in most cases can be applied directly to a tablet regardless of platform; however, no federal regulatory or standards agencies have released guidance specifically for the use of tablets. MDM software allows IT administrators to employ many of the same security mechanisms that are recommended or required by federal regulation and guidance for traditional IT systems, but it’s important to note that the risks posed by mobile devices are not one in the same with standard equipment typically deployed by IT departments.
There are many things that need to be taken into consideration when looking at “incorporating” tablets, but remember that the majority of these security implications are going to be addressed for any new technology. The main security risk that tablets pose is mobility and the decentralization of information, but there are ways to implement security. With businesses going mobile, tablets can be powerful tools.