Wednesday, May 29, 2013

The ANSSI advises companies against accepting BYOD

The use of smartphones in business, whether they are provided by the company or by employees (the BYOD phenomenon), necessarily brings increased risks to security and of data leaks.

Manufacturers and specialist vendors are multiplying solutions to control this trend, with protection tools or tools that keep sealed, separate personal and professional environments on the same terminal (Good Technology, BlackBerry Balance, Samsung Knox, etc.).

But for ANSSI, the National Agency for the Security of Information Systems, these solutions are insufficient. "Current security solutions are ineffective to ensure proper protection of professional data," reads a technical note that the Agency has released.

It therefore took the opportunity to deliver 21 recommendations for IT managers.

BYOD: not a good idea

"When information systems deal with sensitive information, the terminals used to access them must imperatively be dedicated and have been the subject of a security assessment, and ideally be labeled by the ANSSI. This labelling can indeed attest to the robustness of the solution against the main threats, in contrast to those which simply consist of an application development (a "security application") which will bring, at best, partial protection of sensitive data. When the data are classified, marked as restricted or Special France, a specific regulation applies," warns the Agency.

Examples include the use of centralized mobile device management (MDM), the reduction of password lifetimes or of the terminal's lock time, the ban on access to application stores, application-related geolocation functions, encryption of internet storage, etc.

Finally, the ANSSI believes that BYOD is far from being a good idea for businesses. "Because of the previous recommendations, the coexistence of private and business uses on the same terminal must be studied carefully. Compliance with the requirements of this document is wholly incompatible with a BYOD policy within an organization. In most cases, the professional terminal must be dedicated to this purpose (the user can generally use their own terminal for personal use).

If the use of a single smartphone for both contexts cannot be avoided, then depending on the sensitivity of the company data processed on the mobile, solutions should be implemented to effectively partition each environment (personal, professional), while being vigilant about the varying levels of security of the solutions on the market. A qualification by the ANSSI must be a criterion for the choice of such a solution," said the Agency.
