Mobile device usage — smartphones and tablets — is rapidly growing on the Stanford campus and throughout the world. Mobile devices are expected to outsell traditional personal computers this year. As these devices become ubiquitous on campus, their inherent risks become more apparent.
Security features common on desktop and laptop computers are inconsistently applied across mobile device platforms. On a laptop, we rely on anti-virus software to safeguard our system, but few mobile devices have such software. While most personal computers on campus are password-protected, few of us configure our mobile phones with a password or PIN to protect them against unauthorized use. And the potential for unauthorized use increases because mobile devices are easily (and frequently) misplaced. While most of us pay attention to system updates and security patches for our computers, mobile device owners focus more on the latest app or features.
The Mobile Device Security project seeks to set a new policy (or set of policies) for mobile device security. These will be implemented as procedural guidelines with corresponding technical solutions to provide security to users accessing Prohibited, Restricted, or Confidential data at Stanford University. This project seeks to:
- create awareness and change user behavior;
- provide the ability to monitor, audit, and enforce compliance by users of high-risk data;
- create the option to remotely wipe lost or stolen devices; and
- provide a support model for specified devices in the Stanford University environment.
In the first phase of the project, IT Services plans to build a Mobile Device Management (MDM) application for iOS devices. The MDM will grant the device owner remote, web-based access to reset the passcode, lock the device, wipe Stanford data, or wipe all data from the device if it's lost or stolen. The MDM also will monitor the set of applications on the device and notify the owner if there are any apps that may harm the device or divulge personal information. Additionally, the MDM will ensure that data on the phone is encrypted and that a passcode is in use. The MDM application will be available in late summer 2011.
Later phases of the project will explore the availability of commercial MDM products for use at Stanford. (Currently, commercial MDMs are not well suited to Stanford’s needs, but they are likely to improve and evolve over time.) Tools for Android and for BlackBerrys that don’t use a BES service will be considered as well.
At the end of phase one of the project, Stanford University will be able to provide more secure access to Prohibited, Restricted, and Confidential data over mobile devices such as iPhones, BlackBerrys, and iPads. The university will have access to audit information regarding what devices are being used so that risk can be reduced.
Client impact will vary based on the type of data the client wants to access via a mobile device. For most mobile users, annual review and acknowledgement of the mobile device security policy will be the extent of the requirements. This is similar to the requirements for the computer usage policy today. (See Admin Guide, Chapter 6.)
Clients who access Prohibited, Restricted, or Confidential data via an iOS device (iPhone, iPad, or iPod Touch) are required to install the MDM application. This enforces sufficient security to allow access to the information required to do their job. Because this solution requires installation of an application on devices that may or may not be university-owned, there is likely to be a mix of positive and negative reactions. The project team is focusing on educating users on the vulnerabilities and risks unique to the use of their mobile devices and the need for compliance with the new policy governing mobile device use.
| Role | Name |
|---|---|
| University Business Owner | Tina Darmohray |
| Project Sponsor | Kim Seidler |
| Project Manager | Larry Ebert |
| Campus Readiness | Ammy Hill |
Stanford Mobile Steering Committee
A cross-departmental team to provide advice to the project on design approach and impact to the business units.
- Edie Filice Barry, Alumni Association
- Tom Black, University Registrar
- Kevin Blue, Athletics
- Tina Darmohray, Chief Information Security Officer
- TJ Fletcher, Student Services
- Tim Flood, Registrar's Office
- Michael Halaas, Med School CTO
- Larry N. Horton, Govt. / Community Relations
- Lisa Ann Lapin, University Communications
- Lily Lee, RDE
- Tanya Luhrmann, Academic Council, Professor of Anthropology
- Mark K. Mellis, Information Security Office
- Therese Pimentel, RDE
- Linden B. Press, Registrar's Office
- Jeremy Rosenblatt, Alumni Association and Office of Development CTO
- Bob Schwarzwalder, University Librarian's Office
- Stephen Arod Shirreffs, Registrar's Office
- Scott B. Stocker, University Communications
- Ward Thomas, Transportation
- Bruce Vincent, IT Services
- Susan Weinstein, Business Development, Privacy Officer