For any enterprise, a thorough security risk assessment will take into consideration the hardware, its intrinsic security features and any vulnerabilities that may have arisen around configuration changes over time. But hardware is just the starting point. Comprehensive mobile security also takes into account software and systems, with a particular emphasis on the operating system. Some would argue that operating system (OS) security, in fact, lies at the very heart of the effort to safeguard mobility.
In an era of increasing profit-motivated attacks on enterprise systems, IT decision-makers need to take a three-pronged approach to OS security. They need to consider the operating system when onboarding new devices. They must integrate the OS into the enterprise mobility management (EMM) system. And they must pursue rigorous ongoing hygiene of the system once devices are distributed, ensuring the latest iteration of the OS is fielded across the enterprise.
Onboarding Your Enterprise Mobile Plan
Any new mobile device will come equipped with a range of safeguards inherent in the operating system and the device. IT leaders must familiarize themselves with these tools and capabilities in order to maximize their effectiveness.
“There are the device security features that are built in, turned on by default,” says Gartner research director Patrick Hevesi. These may vary depending on the OS in hand, but will typically include full disk encryption, a process of encoding all user data, as well as the mandatory use of pass codes to access key functionality. Other measures may include required activation of the lock screen, as well as biometric security protocols; mobile operating systems are increasingly incorporating fingerprint authentication as a security measure. New devices also should be configured to accept the automatic download of OS-level security patches.
By getting to know the OS and device security protocols right out of the box, as a routine part of any security risk assessment, IT leaders position themselves to make the best use of those intrinsic features in the effort to protect devices and lock down critical data, without needing to immediately develop proprietary measures.
Once a device has entered service, it should be integrated into the mobile device management system at the OS level. This means using the mobility management tools as a means to enhance the protections inherent in the operating system.
“How can I put more complexity on the pass codes? How can I ensure the encryption is there, making sure it’s not jailbroken or rooted?” Hevesi asks. At this level, the EMM becomes a tool to apply additional application controls, for example, or to construct containers around corporate data.
The EMM becomes a key security enabler, sending automatic software updates either to individual devices or across the entire enterprise at once. This capacity to manage devices in bulk serves as a kind of force multiplier for enterprise IT leaders with large numbers of devices in their inventories.
Integration of EMM and OS-level protections also enables enterprise IT leaders to wipe a device if it becomes compromised through loss or theft.
Finally, security at the operating system level requires IT leaders to keep devices current. In mobility, this typically means allowing and applying regular security patches promptly as they are published.
Many enterprise managers come up short in this area: Based on data collected in February 2017, just 18 percent of Android devices had January’s patch, and 10 percent had patches released in February, reported security firm Duo. Not surprisingly, two-thirds of those surveyed (64 percent) doubted that their organization could prevent a breach to employees’ mobile devices.
While timely patching is critical, OS-level thinking asks IT leaders to go a step further.
Is the OS in use across your mobile inventory the most recent? Many enterprise users eventually build up a fleet of devices of varying vintages, and yet it’s always the most recent version of the OS that includes the most current security protections and protocols. A current version of the operating system thus is a keystone in the mobile security infrastructure, yet only 27 percent of Android phones are running the latest major version, according to the Duo report.
“Monthly patches for Android devices do protect against known vulnerabilities, but each new major OS version also adds security features to proactively protect users. Both are important pieces that help complete the security puzzle,” notes Duo.
While hardware is a prime consideration in the enterprise security risk assessment, the operating system also merits serious attention. By optimizing the OS security profile up front, integrating OS considerations into the EMM and always running the latest version, enterprise IT leaders can maximize their investment and leverage the security strengths inherent in the operating system.