Technical Field
This disclosure relates generally to information security and, in particular, to a policy-based approach to enable mobile devices to enforce restricted area security.
Background of the Related Art
The recent past has seen an enormous growth in the usage and capabilities of mobile devices, such as smartphones, tablets, and the like. Such devices comprise fast processors, large amounts of memory, gesture-based multi-touch screens, and integrated multi-media and GPS hardware chips. Many such devices use open mobile operating systems, such as Android. The ubiquity, performance and low cost of mobile devices have opened the door for creation of a large variety of mobile applications.
Enterprises are now providing their workforce with mobile devices to enable them to work from anywhere. In addition, enterprise employees also are using their personal mobile devices to connect to enterprise networks to enable them to work from remote locations. Organizations are even allowing employees to use their own mobile devices to run enterprise applications. Under these various scenarios, enterprises need to consider the implications of mobile devices on enterprise security. Security risks presented by such scenarios include the impact to the enterprise of lost or stolen devices, the management of confidential information, and the capability for unauthorized access to the corporate network. The management of security risks in this type of environment is a complex problem.
The above-identified problem is exacerbated for mobile device usage within physical areas accessible by a user but that have other security restrictions associated therewith. Physically-restricted areas are of many types, from business offices, to government installations, and the like. Physically-restricted areas often do not allow mobile devices because such devices pose data loss threats. For example, when agents visit a business process outsourcing office, often they are not even allowed to carry their mobile devices into the work area to prevent any leakage of customer information. At other sensitive installations (e.g., laboratories, military bases, airport custom areas, and the like), employees and visitors alike may need to be prevented from certain actions, such as taking pictures and then sharing them with others, e.g., through social channels accessible via WiFi or other mobile device data collection techniques.
Current methods of restricting mobile devices in restricted areas generally are low-tech and highly-intrusive, for example, typically the agent is required to deposit his or her phone in a locker at an entry gate, and then collect it back when leaving the restricted area. As mobile devices become increasingly powerful, however, this loss of the physical control over the device has growing productivity impact to the employee. Ideally, it would be desirable to allow the user to retain possession of his or her device within the restricted access zone but, at the same time, to allow or deny specific features of the device while within that zone. For instance, from a security standpoint, it may be acceptable to allow the user to receive incoming telephone calls on the phone while at the same inhibiting the device from accessing WiFi or other mobile data access technologies that might otherwise provide a means for external transfer of sensitive data. What particular device features need to be allowed or blocked, and under what circumstances, is highly variable and depends on many factors, such as the user's identity, visit context, and the like.
While restricted areas typically include access control mechanisms, these mechanisms do not leverage mobile device capabilities and associated security technologies. In particular, these prior approaches do not provide for the capability to automate enforcing security policy on a mobile device, particularly in the context of entry and exit into a physical area having an associated restriction.