May
8

MS Exchange: Mobile Device Security Challenges and Solutions

MS Exchange: Mobile Device Security Challenges and Solutions

May 8
By

Mobile device usage has skyrocketed in the business world. The any time, anywhere availability they offer comes with immediate access to pools of useful information. Unfortunately, this access can be both a gift and a curse when those devices tap into an Exchange server. When you introduce mobile devices into this environment, you also welcome three potential security scenarios:

1. An employee loses their phone, potentially making emails, tasks, contacts, and calendar data available to whoever finds it.

2. An employee shares confidential information from Exchange with unauthorized third parties.

3. A hacker gains access to the device and Exchange data by seizing administrative control.

Unlocking Security Tools in Exchange ActiveSync

Formerly known as AirSync, Exchange ActiveSync (EAS) is a Microsoft technology that allows you to synchronize your Exchange mailbox with a smartphone or tablet. It has become a standard method for syncing messaging servers and mobile devices – non-Microsoft servers and devices included. In addition to syncing data, EAS does mobile device management, which allows it to enforce a variety of security settings and policies.

Let’s take a quick look at some of the mobile device security features in Exchange ActiveSync:

Password protection. There are several features available to help you protect passwords in EAS. You can enforce length and complexity standards, and also activate functionality that helps users recover lost passwords.

Device encryption. EAS offers various encryption features you can use to prevent access to Exchange data on a mobile device. You can encrypt all mailbox data on the device, or encrypt that same data on a removable storage medium such as an SD card.

Remote wipe. EAS allows you to lock or wipe a device clean from a remote location, which might come in handy if a user loses their phone. It’s also possible to program the device’s memory to automatically erase its data after a specific number of failed login attempts.

Attachment control. Attachments have been known to carry viruses, worms, and other malicious payloads. EAS gives you the power to determine whether or not attachments can be downloaded to connected devices.

Automatic disabling. Lastly, EAS helps beef up security by allowing you to disable a number of sensitive components. Wi-Fi, Bluetooth, and infrared are some of the components it would benefit to disable on devices that are believed to have been compromised.

Exchange ActiveSync has come a long way in the security department since Microsoft released it back in 2009. Using it to address these security areas before connecting mobile devices to your mail server is highly recommended. However, while EAS is the standard for syncing and managing connected gadgets, it’s not the Holy Grail as far as security goes. This tool is very effective at what it does, but should be considered a mere piece in a larger program of numerous security practices.

Doubling Up Security with VPN

Companies looking for bulletproof-like protection can get something close by using a VPN to connect mobile devices on top of EAS. The ideal VPN solution will allow you to create an encrypted network that securely carries Exchange traffic without needing to be directly installed on end-user devices. In general, adding a VPN to your Exchange security stack offers the following benefits:

Secure by design. Be it software, hardware, or a combination of both, VPNs are made to provide safe travels to and from the internet. As a result, they generally come equipped with all the features, fixes, and updates needed to provide adequate protection against attacks that threaten connected devices.

Built-in authentication. Even basic VPNs use passwords, digital certificates, smart cards, and other authentication methods to identify users connecting to the network. These features provide an added peace of mind when combined with the authentication mechanisms in Exchange ActiveSync.

Centralized access. A VPN can ensure that mobile devices connect to Exchange and other platforms from a single access point. This centralization not only simplifies device management, it may also reduce the number of insecure devices in the network exposed to the internet.

Being Judicious with Access

Exchange ActiveSync is enabled by default in the latest version of Exchange, and gives all users with a mailbox the ability to sync their mobile device with the Exchange server. However, EAS gives you the final say over which devices have syncing capabilities. This means you can either approve or deny access to any user. You may decide not to allow Android devices due to all their known security concerns. Or perhaps after a few months of monitoring, you determine that the actions of a certain user deems them unworthy of access. Your people and their devices are arguably the biggest threats to security, so don’t hesitate to put this power to use.

Staying Current with Technology 

In most cases, old software is not only outdated in the functionality department, but insecure as well. You can avoid countless security issues by simply making sure you’re always running the most up to date version of the software in question. Even if you’re still running Exchange 2007, make sure you have all the patches and updates that have been released up to this point. The same should be true for mobile devices, their respective operating systems, and applications. Outdated software is vulnerable software, and vulnerable software is like a wide open door for cyber attackers lying in wait.

When it comes to mobile device integration, using Exchange safely largely depends on smarts. Administrators must be smart with things like access control and policy enforcement, while users have to be smart in holding on to their device and keeping sensitive data confidential. It’s beyond the time to give these mobile assets the same security considerations you give to other systems in your infrastructure.

Photo Credit: Yuri Samoilov via Flickr