Recent allegations that an ex-Tesla employee synced the Autopilot source code to his personal iCloud account are yet another reminder of how poor data security remains, even in some of the most technologically advanced organizations. The Tesla case isn't even the first breach of this magnitude involving self-driving technology: in July 2018, an Apple employee was caught using AirDrop to transfer 40GB of confidential data to a personal PC.
While data breaches instigated by external attackers are becoming more commonplace, the Tesla and Apple incidents were inside jobs. They highlight that securing data inside the enterprise, against users who already hold legitimate credentials, is as important as protecting against external threats.
With more organizations becoming aware of intellectual property (IP) theft, advanced data loss prevention (DLP) strategies, considered the foundation of data-centric security, are quickly being put in place to secure this information.
Mobile device management (MDM) solutions give enterprises baseline configurations for the fundamental policies that secure data at rest, in use, and in transit, both proactively and reactively. Let's take a look at the configurations MDM solutions provide to secure data.
Configure basic security policies
Despite passcodes being the first line of defense, weak passcodes such as "password" and "admin" are still widely used. Such passcodes fall to a dictionary or brute-force attack in seconds, making unauthorized data access easy. MDM solutions let enterprises push passcode policies remotely (minimum length, complexity, reuse history, auto-lock timeout, and a wipe after a set number of failed attempts) and ensure every enrolled device complies.
Another policy related to secure data access is the use of a virtual private network (VPN). Enterprises with a mobile workforce require employees to access data anytime, anywhere, and a VPN makes that access secure by building an encrypted tunnel across a public network (such as the internet) so that data in transit cannot be read or altered. Using an MDM solution, enterprises can remotely configure VPNs for whole fleets of devices, for specific apps (per-app VPN), and even for particular domains. Note that a VPN protects data in transit only; it does not limit what an authenticated user does with the data once it reaches the device, which is where the restrictions discussed later come in.
If the enterprise uses Macs extensively, it can also enable FileVault, macOS's full-disk encryption, on those machines. FileVault transparently encrypts everything on the startup disk, can be turned on remotely in bulk, and the MDM solution can escrow the recovery key so IT can still unlock a disk when the user forgets the password. MDM can likewise force storage encryption on mobile devices.
Set up additional restrictions to beef up security
In addition to remotely configuring Exchange and email accounts on devices, MDM solutions can add restrictions such as requiring TLS (the successor to SSL) for all mail traffic. Enterprises can also prevent messages from being moved to other accounts, block the account from being used by non-mail apps, and require S/MIME for message encryption and signing.
Further, MDM solutions let enterprises get granular with restrictions. To prevent unauthorized data sharing, enterprises can restrict the following: AirDrop, USB pairing, Bluetooth, AirPrint, pairing with an Apple Watch, the addition of iCloud accounts, and data backup to iCloud. Finally, data sharing from enterprise-approved (managed) apps to user-installed apps, and vice versa, can also be prevented. Several of these controls, including AirDrop, USB pairing, and account modification, can only be enforced on supervised iOS devices, so a plain BYOD enrollment will not enforce them.
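The passcode policy described under "Configure basic security policies" and the data-sharing restrictions listed above both ship to Apple devices as payloads inside one configuration profile. The following is an added example written for this page (not code from Mobile Device Manager Plus or any other MDM product) that builds such a profile with Python's standard plistlib and audits which sharing channels a profile still leaves open. The payload keys are Apple's documented Passcode and Restrictions payload keys; the `ORG_PREFIX` value and the numeric thresholds are assumptions to replace with your own.

```python
"""Generate a .mobileconfig that enforces a passcode policy and the
data-sharing restrictions from the text, then audit it.

Example code written for this page, not taken from any MDM product. The
payload keys are Apple's Passcode and Restrictions payload keys; ORG_PREFIX
and the chosen thresholds are assumptions.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # assumption: use your organisation's reverse-DNS prefix

# Restrictions payload keys (com.apple.applicationaccess). Apple's default for
# every key is True (allowed), so an omitted key leaves that channel open.
DATA_LEAK_RESTRICTIONS = {
    "allowAirDrop": False,                     # supervised only
    "allowHostPairing": False,                 # USB pairing with computers; supervised only
    "allowBluetoothModification": False,       # supervised only
    "allowAirPrint": False,
    "allowPairedWatch": False,                 # supervised only
    "allowAccountModification": False,         # blocks adding iCloud/other accounts; supervised only
    "allowCloudBackup": False,
    "allowOpenFromManagedToUnmanaged": False,  # managed app -> personal app
    "allowOpenFromUnmanagedToManaged": False,  # personal app -> managed app
}


def _payload(payload_type, display_name, settings):
    """Wrap settings in the envelope every profile payload must carry."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type.split('.')[-1]}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    return payload


def passcode_payload(min_length=8, max_failed_attempts=10, max_inactivity_min=5):
    """Passcode payload (com.apple.mobiledevice.passwordpolicy)."""
    if min_length < 6:
        raise ValueError("a minimum length below 6 is trivially brute-forced")
    return _payload("com.apple.mobiledevice.passwordpolicy", "Passcode policy", {
        "forcePIN": True,
        "allowSimple": False,                      # rejects 1111, 1234 and similar patterns
        "requireAlphanumeric": True,
        "minLength": min_length,
        "minComplexChars": 1,
        "maxFailedAttempts": max_failed_attempts,  # device wipes after this many failures
        "maxInactivity": max_inactivity_min,       # minutes of inactivity before auto-lock
        "maxPINAgeInDays": 90,
        "pinHistory": 5,                           # last 5 passcodes cannot be reused
    })


def restrictions_payload(restrictions=None):
    """Restrictions payload; by default blocks every channel in DATA_LEAK_RESTRICTIONS."""
    if restrictions is None:
        restrictions = DATA_LEAK_RESTRICTIONS
    return _payload("com.apple.applicationaccess", "Data sharing restrictions", dict(restrictions))


def build_profile(payloads, name="Corporate DLP baseline"):
    """Top-level profile envelope that carries the individual payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.dlp-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def open_channels(profile):
    """Audit helper: list the sharing channels the profile still leaves allowed."""
    left_open = set(DATA_LEAK_RESTRICTIONS)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] != "com.apple.applicationaccess":
            continue
        for key in DATA_LEAK_RESTRICTIONS:
            if payload.get(key, True) is False:
                left_open.discard(key)
    return sorted(left_open)


if __name__ == "__main__":
    profile = build_profile([passcode_payload(), restrictions_payload()])
    with open("dlp-baseline.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
    print("channels still open:", open_channels(profile))  # []
```

The audit function treats a missing key as "allowed", which is exactly how the device interprets it; a profile that only sets `allowAirDrop` to false still leaves USB pairing, iCloud backup and managed-to-unmanaged sharing wide open, and `open_channels` reports all of them. Sign the resulting profile before distribution, and remember that the supervised-only keys are ignored on unsupervised devices.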
Secure access to Exchange mailboxes
Email continues to be the primary means of communication in enterprises, and enterprises need to secure the corporate data stored within employees’ mailboxes.
Unfortunately, once employees know their email credentials, they can use them on any device, managed or not. To ensure that only managed devices reach Exchange mailboxes, enterprises can configure a conditional Exchange access policy: the MDM solution keeps the per-mailbox allow and block lists of ActiveSync device IDs on the Exchange side in sync with its own inventory, so a device must be enrolled (and compliant) before it is permitted to sync, and unknown devices are quarantined until their user enrolls.
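The policy described above reduces to a posture decision per ActiveSync device ID that is then pushed to Exchange. The following is an added example written for this page, not Mobile Device Manager Plus code, showing that evaluation and the resulting `Set-CASMailbox` calls. The device records, user names, and the 24-hour check-in threshold are constructed assumptions; `Set-CASMailbox` and its `-ActiveSyncAllowedDeviceIDs` / `-ActiveSyncBlockedDeviceIDs` parameters are Exchange's own.

```python
"""Conditional Exchange access: decide per device whether it may sync a
mailbox, from MDM enrolment status and device posture, and render the
Exchange-side allow/block lists.

Example code written for this page, not an MDM vendor's implementation. The
device records, the user names, and the 24-hour check-in threshold are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CHECKIN_AGE = timedelta(hours=24)  # assumption: a device must report in daily


@dataclass
class DeviceRecord:
    easid: str                        # ActiveSync device ID the device presents to Exchange
    user: str                         # mailbox owner
    enrolled: bool                    # known to the MDM at all?
    last_checkin: Optional[datetime]  # last successful MDM check-in, None if never
    passcode_compliant: bool
    encrypted: bool
    jailbroken: bool


def evaluate_access(device, now):
    """Return (state, reasons); state is 'allow', 'block' or 'quarantine'.

    Unknown devices are quarantined so the user is prompted to enrol; known
    but non-compliant devices are blocked until every listed problem is fixed.
    """
    if not device.enrolled:
        return "quarantine", ["device not enrolled in MDM"]
    reasons = []
    if device.jailbroken:
        reasons.append("jailbroken or rooted")
    if device.last_checkin is None or now - device.last_checkin > MAX_CHECKIN_AGE:
        hours = int(MAX_CHECKIN_AGE.total_seconds() // 3600)
        reasons.append(f"no MDM check-in within {hours} h")
    if not device.passcode_compliant:
        reasons.append("passcode policy not met")
    if not device.encrypted:
        reasons.append("storage not encrypted")
    return ("block", reasons) if reasons else ("allow", [])


def decide_fleet(devices, now):
    """Map each ActiveSync device ID to its access state."""
    return {d.easid: evaluate_access(d, now)[0] for d in devices}


def exchange_commands(devices, now):
    """Render one Set-CASMailbox call per mailbox carrying the allow and block lists.

    Quarantined devices appear in neither list and therefore fall back to the
    organisation default access level, which should be set to Quarantine.
    """
    per_user = {}
    for d in devices:
        state = evaluate_access(d, now)[0]
        lists = per_user.setdefault(d.user, {"allow": [], "block": []})
        if state in lists:
            lists[state].append(d.easid)
    lines = []
    for user, lists in sorted(per_user.items()):
        allowed = ",".join(f'"{i}"' for i in lists["allow"]) or "$null"
        blocked = ",".join(f'"{i}"' for i in lists["block"]) or "$null"
        lines.append(f"Set-CASMailbox -Identity {user} "
                     f"-ActiveSyncAllowedDeviceIDs {allowed} "
                     f"-ActiveSyncBlockedDeviceIDs {blocked}")
    return lines


# Constructed inventory snapshot for a dry run.
NOW = datetime(2019, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DeviceRecord("ApplDNQH1", "alice", True, NOW - timedelta(hours=2), True, True, False),
    DeviceRecord("ApplDNQH2", "alice", True, NOW - timedelta(days=3), True, True, False),   # stale
    DeviceRecord("androidc3", "bob", True, NOW - timedelta(hours=1), False, True, False),   # weak passcode
    DeviceRecord("unknown99", "bob", False, None, False, False, False),                    # never enrolled
    DeviceRecord("ApplDNQH5", "carol", True, NOW - timedelta(hours=1), True, True, True),   # jailbroken
]

if __name__ == "__main__":
    for easid, state in decide_fleet(SAMPLE_DEVICES, NOW).items():
        print(easid, state)
    print("\n".join(exchange_commands(SAMPLE_DEVICES, NOW)))
```

Two design points matter in practice: a device that simply stops checking in is treated as non-compliant rather than grandfathered in, and an unenrolled device is quarantined rather than hard-blocked so the user receives Exchange's quarantine notice with enrollment instructions. The quarantine default itself is an organization-level Exchange setting (`Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine`), not something the per-mailbox lists express.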
Separate corporate and personal data with containerization
Bring your own device (BYOD) policies are here to stay. While managing corporate data on personal devices, however, enterprises need to respect user privacy and manage the corporate data without touching the personal data. Containerization is the answer to this conundrum.
Containerization, as the name suggests, logically separates the corporate data stored on a device into a container. The container is completely under the enterprise's control, while the personal data stays in the hands of the user. That means any corporate data or app configurations pushed by the MDM solution apply only to the container. IT admins can configure a separate passcode for the container and block data transfer into or out of it, providing full isolation for corporate data.
Create virtual perimeters with geo-fencing
Some devices hold confidential data and are expected never to leave the organization's premises. For such devices, geo-fencing lets enterprises draw a virtual geographical perimeter: when a device reports a location beyond that perimeter, it is automatically locked and the IT admin is notified of the non-compliance, and MDM tools can wipe a non-compliant device entirely if need be. Keep in mind that a geo-fence is only as good as the location data the device reports: a device that is powered off, offline, or has location services disabled cannot be evaluated, so stale or missing location reports should raise an alert of their own rather than being treated as compliant.
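The evaluation behind a geo-fence is a distance check with two edge cases the paragraph above raises: GPS noise near the boundary and stale reports. The following is an added example written for this page, not a vendor's geo-fencing engine; the fence coordinates, the location reports and the 30-minute staleness limit are constructed assumptions.

```python
"""Geo-fence evaluation: decide whether a device's reported position lies
outside the virtual perimeter and what the MDM should do about it.

Example code written for this page, not a vendor's geo-fencing engine. The
fence, the location reports, and the 30-minute staleness limit are
constructed assumptions.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000.0
MAX_REPORT_AGE = timedelta(minutes=30)  # assumption: older fixes cannot be trusted


@dataclass
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float


@dataclass
class LocationReport:
    device_id: str
    lat: float
    lon: float
    accuracy_m: float      # horizontal error radius reported with the fix
    reported_at: datetime


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def evaluate_fence(report, fence, now):
    """Return (status, detail); status is 'inside', 'outside' or 'unknown'.

    The fix's accuracy radius is subtracted from the distance, so a device is
    only declared outside when even its nearest plausible position is beyond
    the fence. That avoids locking devices because of GPS noise at the edge.
    """
    if now - report.reported_at > MAX_REPORT_AGE:
        return "unknown", "location report is stale"
    distance = haversine_m(report.lat, report.lon, fence.lat, fence.lon)
    if distance - report.accuracy_m > fence.radius_m:
        return "outside", f"{distance:.0f} m from {fence.name} (radius {fence.radius_m:.0f} m)"
    return "inside", f"{distance:.0f} m from {fence.name}"


def enforcement_actions(report, fence, now):
    """Translate the evaluation into MDM actions: a device lock plus an admin alert.

    A stale report is not compliant; it produces an alert so the admin can
    investigate a device that has gone dark.
    """
    status, detail = evaluate_fence(report, fence, now)
    if status == "outside":
        return [("DeviceLock", report.device_id),
                ("NotifyAdmin", f"{report.device_id}: {detail}")]
    if status == "unknown":
        return [("NotifyAdmin", f"{report.device_id}: {detail}")]
    return []


# Constructed fence and reports for a dry run.
HQ = Geofence("HQ campus", 37.3318, -122.0312, radius_m=500)
NOW = datetime(2019, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    LocationReport("ipad-001", 37.3318, -122.0312, 10, NOW - timedelta(minutes=1)),   # at the centre
    LocationReport("ipad-002", 37.3358, -122.0312, 100, NOW - timedelta(minutes=1)),  # ~445 m north, noisy fix
    LocationReport("ipad-003", 37.3418, -122.0312, 50, NOW - timedelta(minutes=1)),   # ~1.1 km north
    LocationReport("ipad-004", 37.3418, -122.0312, 50, NOW - timedelta(hours=2)),     # same spot, stale
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(report.device_id, evaluate_fence(report, HQ, NOW), enforcement_actions(report, HQ, NOW))
```

In a real deployment the lock would go out as the MDM's lock command and the alert into the admin's notification channel; the point of the example is the decision logic, in particular that a 100 m accuracy fix 445 m from the centre is still "inside" a 500 m fence, while a device that has not reported for two hours is flagged rather than silently assumed safe.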
Gain complete control of apps
Rogue apps are one of the primary channels for unauthorized data access and sharing in enterprises, and controlling them is one of the hardest tasks for an IT administrator. In addition to silently installing and uninstalling apps, MDM solutions can prevent apps that are not enterprise-approved from being installed. Enterprises can also blacklist specific apps, removing existing installations and preventing new ones.
Securely share confidential data
Several third-party services are usually involved when a document is sent to a device: one to share it and another to view it, and the attachment can then be saved to yet another third-party cloud service. MDM solutions let enterprises share documents with managed devices securely: the documents can be downloaded, viewed, and saved only within the MDM agent app, which acts as a sandbox for corporate data.
Implement reactive measures to secure data
Devices containing corporate data get lost or stolen regularly, and when that happens the first priority is to protect the data. MDM solutions provide security commands such as remote lock and remote wipe to prevent unauthorized access: a lock is the right first step while the device may still be recovered, and a wipe is the fallback once it is not. Further, on Intel-based Macs a firmware password set through MDM prevents a stolen machine from being booted from an external startup disk or into Recovery, which would otherwise let a thief bypass the login screen and read an unencrypted disk.
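The lock, wipe, and firmware-password actions above are individual commands in Apple's MDM protocol. The following is an added example written for this page, not Mobile Device Manager Plus code, that builds those commands and applies a staged lost-device policy: lock first, wipe if the device has not been recovered after a set period. The `RequestType` names and keys are Apple's; the escalation window, the contact message, and the phone number are assumptions.

```python
"""Lost-device response: build the Apple MDM commands for a staged
lock -> wipe escalation, and the macOS SetFirmwarePassword command.

Example code written for this page, not a vendor's implementation. The
RequestType names and keys are those of Apple's MDM protocol; the
escalation timing, message text and phone number are assumptions.
"""
import plistlib
import secrets
import string
import uuid
from datetime import datetime, timedelta, timezone

WIPE_AFTER = timedelta(hours=48)  # assumption: wipe if not recovered within two days
CONTACT_PHONE = "+1-555-0100"     # assumption: help desk number shown on the lock screen
LOCK_MESSAGE = "This device is managed by Example Corp. If found, please call the number below."


def _command(request_type, **params):
    """Envelope every MDM command shares: a CommandUUID plus the Command dict."""
    command = {"RequestType": request_type}
    command.update(params)
    return {"CommandUUID": str(uuid.uuid4()).upper(), "Command": command}


def unlock_pin():
    """Six-digit PIN that macOS DeviceLock/EraseDevice require.

    The MDM must store this PIN: it is the only way to unlock the Mac afterwards.
    """
    return "".join(secrets.choice(string.digits) for _ in range(6))


def device_lock(platform, pin=None, message=LOCK_MESSAGE):
    """Lock the screen immediately and show a contact message.

    On macOS the lock happens at firmware level and needs the PIN to release.
    """
    params = {"Message": message, "PhoneNumber": CONTACT_PHONE}
    if platform == "macos":
        params["PIN"] = pin or unlock_pin()
    return _command("DeviceLock", **params)


def erase_device(platform, pin=None):
    """Wipe the device.

    On iOS, PreserveDataPlan keeps the cellular plan so the wiped device stays
    reachable, and DisallowProximitySetup stops a nearby device re-provisioning it.
    """
    params = {}
    if platform == "macos":
        params["PIN"] = pin or unlock_pin()
    else:
        params["PreserveDataPlan"] = True
        params["DisallowProximitySetup"] = True
    return _command("EraseDevice", **params)


def set_firmware_password(new_password, current_password=None):
    """Intel Macs only: block booting from external disks or Recovery without the password."""
    params = {"NewPassword": new_password}
    if current_password is not None:
        params["CurrentPassword"] = current_password  # required when one is already set
    return _command("SetFirmwarePassword", **params)


def lost_device_commands(platform, reported_lost_at, now, pin=None):
    """Commands due at `now`: lock while recovery is still plausible, wipe afterwards."""
    if now - reported_lost_at >= WIPE_AFTER:
        return [erase_device(platform, pin)]
    return [device_lock(platform, pin)]


def to_plist(command):
    """Serialise a command the way it is sent to the device (XML plist)."""
    return plistlib.dumps(command)


NOW = datetime(2019, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp for a dry run

if __name__ == "__main__":
    pin = unlock_pin()
    for cmd in lost_device_commands("macos", NOW, NOW, pin):
        print(to_plist(cmd).decode())
    print(to_plist(set_firmware_password("s3cret-firmware")).decode())
```

The PIN is the detail practitioners get wrong: for macOS both `DeviceLock` and `EraseDevice` take a six-digit PIN that later unlocks the machine, so the MDM has to record it against the device before the command goes out, or the Mac is bricked for the legitimate owner too. The firmware password is worth setting before a device is lost, not after, since a powered-off or offline Mac never receives the command.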
If you’re looking for an MDM solution with extensive DLP capabilities, look no further: Mobile Device Manager Plus is an MDM solution that lets you secure your corporate data across multiple platforms and device types. Start your fully functional, 30-day free trial of Mobile Device Manager Plus today.
** Optrics Inc. is an Authorized ManageEngine partner
The original article can be found here: