Securing Mobile Devices: Solution Guide
Security Connected Reference Architecture, Level 1 2 3 4 5
Security Connected

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments—across all geographies—improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.

According to a 2011 study conducted by Carnegie Mellon and McAfee, the biggest mobile security concern for organizations is sensitive data compromise. About 40 percent of the companies participating in the survey had experienced the loss or theft of mobile devices, and nearly half of those devices contained “business-critical data.”1

Four is the average number of devices used interchangeably between personal and professional use.
[Figure: Laptop, Tablet, Phone, MP3]

Securing the Whole Device

Challenges

There are few recent trends in technology that have had such a dramatic impact on our personal and professional lives as mobility. Mobile devices such as smartphones, tablets, and laptops have changed many aspects of our lives, such as where we can communicate and what types of information we can access. The promise of anything, anywhere, anytime, from any device has become a reality. It’s because of this extensibility that mobile devices have universally become necessities for personal and professional use—from email, calendaring, and social networking, to banking, shopping, and business applications.

In addition to these devices being mobile—which introduces security management issues around access control, compliance, data protection, and so on—today’s mobile devices are much more than their native hardware and software. Most are application-ready and designed to take advantage of Web 2.0 resources. Many of these capabilities are used interchangeably between personal and business use, and the number of available mobile device platforms is exploding. This combination of devices and capabilities results in greater risk to organizations in terms of lost devices, data loss, and unauthorized access.

One of the most significant areas of concern for securing mobile devices is application enablement. Consider a typical mobile device. It will include several built-in applications, such as music, web browsing, video, calendar, email, and contacts. Additionally, there are hundreds of thousands of applications for travel, entertainment, banking, health, shopping, and more. Because organizations are taking advantage of mobile devices by allowing their employees to be more connected, enterprise and line-of-business applications are becoming increasingly popular. These applications are as varied as their consumer counterparts and include everything from CRM and virtualized desktop infrastructure, or VDI, to finance applications and solutions for provisioning and policy management.

According to IDC, in 2012, the worldwide shipments of tablets will exceed 70.8 million units.2

Facebook has more than 500 million users spending more than 750 billion minutes per month on its site. Of the hundred thousand plus applications for the Apple iPhone, Facebook is consistently in the top 10 downloads.3

There are 1,600 tweets per second; 40 percent are from mobile devices.4
Solutions

Securing mobile devices means securing the whole device, including the device itself and the data it contains. For IT organizations to be effective and scalable, they should be able to centrally govern all the disparate devices by setting and enforcing policies. For example, policies should be leveraged that will only allow authorized, managed, secured, and up-to-date devices to connect to the network and define where in the network access is allowed. Further, because of regulatory reporting, IT needs to be able to demonstrate and report on the compliance of all the devices on the network—mobile or otherwise.

Strong authentication should be leveraged that associates a unique identifier with the device and with the user so that policies can be applied based on the user’s privileges irrespective of what device they are using. As such, for this type of authentication to be scalable, it should be associated with existing security policies and user management systems. By embracing this association, it negates the need for supporting user databases for non-mobile solutions, and another one for mobile.

From a user perspective, installing the application that enables this level of security needs to be as easy as installing the latest version of “Angry Birds.” Using the iPhone as an example, a user should be able to visit the Apple App Store, download an application, enter their credentials such as their email address and password, agree to a corporate user agreement policy, and have the application automatically set up secure communication, apply policies, set privileges, and based on those privileges grant access to specific applications. From there the user should be able to use their native collaboration applications such as email, calendar, and contacts, and be automatically configured with directory services, VPN, PKI, WiFi, and the like. Finally, this process should also set up their access to enterprise applications. Based on their user privileges they should also be granted access to specific applications relevant to their business unit. With mature solutions, this should all happen in the background within the IT environment so that the user experience consists of simply installing an application, supplying credentials, and having access to organizational resources via their mobile device.

Additional capabilities that should be considered for enhancing the security on mobile devices include: using online tools to locate lost devices, remotely locking or even wiping a device that has been lost or stolen, and information backup and restoration. Virtualization offers other capabilities. VDI offerings from companies like Citrix, VMware, Microsoft, and others can allow access to network and data resources to be limited only to the VDI client installed on the mobile device. With this type of configuration, limitations regarding what can be accessed, whether copying and pasting of information is allowed, whether screenshots are allowed, and so on, can be enforced. With VDI deployments the security controls are configured within the datacenter, and specialized security solutions, such as protection from malware, that have been optimized for virtual environments can be utilized to ensure that the VDI framework is not only secure, but efficient, and server density—the number of VDI images installed on a single physical server—can be maximized.

For a holistic approach to security and compliance it’s necessary to include mobile device controls. And it’s equally important that the controls integrate with other types of solutions for data, endpoints, network, and cloud. When leveraged collectively, through a centralized management platform, security is effectively optimized.

Best Practices Considerations
• Protect the device; protect the data
• Control what networks the device accesses and what data it interacts with
• Enforce policies and privileges by associating a user with the mobile device and a unique identifier
• Embrace solutions with security and scalability as well as ease of use for end users and IT staff
• Leverage mobile device security solutions synergistically with the existing security infrastructure
• Expand the demonstration of regulatory compliance to include mobile devices
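The access rule the Solutions section describes (only authorized, managed, secured, up-to-date devices connect; privileges follow the user through a unique identifier bound to the device; compliance is reported across the fleet), as an added Python example that is not McAfee's code or part of this guide. The enrollment table, baseline OS versions, business-unit application lists and device records are all constructed.

```python
from dataclasses import dataclass

# Constructed policy values: baseline OS versions and the apps each business unit is entitled to.
MIN_OS = {"ios": (5, 0), "android": (2, 3)}
APPS_BY_UNIT = {"sales": ["crm", "email"], "finance": ["ledger", "email"]}

@dataclass
class Device:
    device_id: str      # unique identifier assigned at enrollment
    user: str           # user presenting the device
    platform: str
    os_version: tuple
    managed: bool       # under central policy management
    encrypted: bool     # data on the device is protected
    reported_lost: bool = False

def evaluate(dev, enrollment, user_unit):
    """Return (network_zone, allowed_apps, reasons). The device must be bound to the
    user, managed, secured and up to date; the apps granted follow the user's unit."""
    reasons = []
    if enrollment.get(dev.device_id) != dev.user:
        reasons.append("identifier not bound to user")
    if not dev.managed:
        reasons.append("unmanaged")
    if not dev.encrypted:
        reasons.append("data unprotected")
    if dev.os_version < MIN_OS.get(dev.platform, (999,)):   # unknown platform fails closed
        reasons.append("out of date")
    if dev.reported_lost:
        reasons.append("reported lost")   # candidate for remote lock or wipe, never access
    if reasons:
        return "quarantine", [], reasons
    return "corporate", APPS_BY_UNIT.get(user_unit.get(dev.user), []), []

def compliance_report(devices, enrollment, user_unit):
    """Fleet-wide view IT can report on: which devices are compliant and why others are not."""
    report = {"compliant": [], "noncompliant": {}}
    for d in devices:
        zone, _, reasons = evaluate(d, enrollment, user_unit)
        if zone == "corporate":
            report["compliant"].append(d.device_id)
        else:
            report["noncompliant"][d.device_id] = reasons
    return report

# Constructed sample fleet and enrollment table (device identifier -> bound user).
ENROLLMENT = {"dev-1": "alice", "dev-2": "bob", "dev-3": "carol"}
UNITS = {"alice": "sales", "bob": "finance", "carol": "sales"}
FLEET = [Device("dev-1", "alice", "ios", (5, 1), True, True),
         Device("dev-2", "bob", "android", (2, 2), True, True),
         Device("dev-3", "carol", "ios", (5, 0), True, True, reported_lost=True),
         Device("dev-9", "alice", "ios", (5, 1), False, False)]
```

The same user (alice) gets corporate access from her enrolled device and none from an unenrolled one, which is the point of binding the identifier to both device and user.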
Value Drivers
The right solutions for enabling your mobile devices should provide for operational value
to your organization by:
• Protecting personal and application data to help decrease legal fees and fines in the event
of a lost or stolen device
• Facilitating remote locking and monitoring to help ensure compliance to corporate policies and identification of devices if “misplaced”
• Decreasing overall compliance monitoring costs because of the ability to demonstrate appropriate
levels of due care and due diligence in tracking and managing devices
• Empowering employees to be more agile in terms of where and how they work and thus improve
productivity and the bottom line
Level III
• Securing and Controlling Laptops
For more information about the Security Connected Reference Architecture, visit:
www.mcafee.com/securityconnected.
Brian Contos, CISSP, is director of global security strategy at McAfee. He is a recognized security expert
with nearly two decades of security engineering and management experience. He is the author of
several books, including Enemy at the Water Cooler and Physical and Logical Security Convergence.
He has worked with government organizations and Forbes Global 2000 companies throughout
North, Central, and South America, Europe, the Middle East, and Asia. He is an invited speaker at
leading industry events like RSA, Interop, SANS, OWASP, and SecTor and is a writer for industry and
business press such as Forbes, New York Times, and The Times of London. Brian is a Ponemon Institute
Distinguished Fellow and graduate of the University of Arizona.
1 http://www.mcafee.com/us/resources/reports/rp-cylab-mobile-security.pdf
2 http://www.appleinsider.com/articles/11/07/10/idc_bumps_2011_tablet_forecast_to_53m_as_apples_ipad_2_dominates.html
3 http://www.facebook.com/facebook
4 http://techliberation.com/2011/05/18/some-metrics-regarding-the-volume-of-online-activity/
The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information
contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance.
McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright ©2011 McAfee, Inc. 32701sg_mobile-devices-L2_1011_wh
2821 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com