Hi All,
We have users that visit a lot of external locations and take photos of sensitive data, this is against the policy but makes their lives a million times easier so hard to enforce
Instead I would like to find a solution that ensures the photos are properly encrypted and not uploaded to the cloud and ideally a corporate solution
Does anyone have any recommendations?
@GinGa wrote: Hi All,
We have users that visit a lot of external locations and take photos of sensitive data, this is against the policy but makes their lives a million times easier so hard to enforce
Instead I would like to find a solution that ensures the photos are properly encrypted and not uploaded to the cloud and ideally a corporate solution
Does anyone have any recommendations?
Alexander, as long as an enterprise "saves" money by using BYOD (Bring Your Own Device) policies to have employees use their personally owned mobile phones for work purposes, you are out of luck. If you belly up to the bar and provide enterprise-owned phones to those employees, and implement a full enterprise control system on those devices, you can reduce greatly (but probably not eliminate) these breaches of security policy.
So, how about examining the current policy and modifying it, with meaningful and easy-to-use procedures, to help the employees work "a million times easier." Policies that interfere with a worker's primary duties guarantee work-arounds and subversion.
I addressed this reality a few years ago in Maybe it's the Boss's Fault!
Craig
We ran into a similar issue with Office 365. We were having users showing up with dual concurrent successful logins on both sides of the USA, one East Coast city and one West Coast city. Impossible to be in two places at once. We wondered if their account had been compromised. Upon investigation we discovered that they had installed the O365 app on their personal phone, were accessing their corporate account from it, and were using a VPN obfuscation service (Hide my IP) on their personal phone. Where did this IP obfuscation service reside? On the West Coast. Problem identified. Now we realized we had to fix our BYOD and Appropriate Use policies.
My stance has always been, if the company wants you to access the company's IT stuff on a phone, we will give you a phone (or other mobile device) (or should be providing it). Just because you are able to do something does not always mean it is approved. We had to politely ask people not to access their corporate accounts on their personal devices, to include home computers.
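The concurrent-login pattern described above, as an added example that is not part of the original post: an impossible-travel check run over constructed sign-in records, flagging a user whose consecutive successful logins would require implausible speed (the record format, cities, coordinates and the 900 km/h threshold are assumptions).

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real log data):
# ISO timestamp, user, result, source city, latitude, longitude
SAMPLE_LOGS = [
    "2024-03-04T13:00:00Z,alice,Success,New York,40.7128,-74.0060",
    "2024-03-04T13:10:00Z,alice,Success,Los Angeles,34.0522,-118.2437",
    "2024-03-04T09:00:00Z,bob,Success,Boston,42.3601,-71.0589",
    "2024-03-04T17:30:00Z,bob,Success,New York,40.7128,-74.0060",
    "2024-03-04T12:00:00Z,carol,Failure,Seattle,47.6062,-122.3321",
    "2024-03-04T12:05:00Z,carol,Success,Miami,25.7617,-80.1918",
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_line(line):
    ts, user, result, city, lat, lon = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "result": result, "city": city, "lat": float(lat), "lon": float(lon)}

def find_impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, required_kmh) for each pair of
    consecutive successful sign-ins that would need implausible speed."""
    by_user = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["result"] == "Success":  # failed attempts prove no location
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev["city"], cur["city"], round(speed)))
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGS):
        print("impossible travel:", alert)
```

A VPN or IP-obfuscation exit on the far coast, as in the post, produces exactly this alert, so the check surfaces the BYOD case as well as a genuine compromise and the two still have to be told apart by investigation.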
@GinGa Does your organisation have a corporate security policy which extends to allowing personal mobile phones on site, as long as you apply the corporate Mobile Device Management (MDM)? If not, in our case, you would not be permitted on the corporate network or even the guest internet via WiFi. By default the corporate MDM encrypts all data including photographs on the mobile phone and of course, if you lose it, it will by instruction locate and remove everything from the system entirely, provided it still has power.
In terms of not loading up to the cloud, it really depends on whether the users are using your organisational infrastructure; if so, then a Cloud Access Security Broker (CASB) will do a great job of enforcing the corporate policy and detecting illicit attempts to send the photographs to unauthorised places.
NATO examples are shown below:
https://communications.sectra.com/news-press-releases/news-item/70A469AC6C3BAD76/
https://tutus.se/en/products/secure-smartphone
I think, all employees will have had to sign up to the Corporate Security Policies, and be part of the Mobile Device Management scheme or they would not be permitted to use their own devices unless they then apply the corporate MDM to those devices.
https://smartphones.gadgethacks.com/how-to/5-best-phones-for-privacy-security-0176106/
Otherwise, you will simply not be able to manage the BYOD into the corporate environment. You could of course invoke the Mobile phone blocking technology, adopted in many education establishments and prisons.
An interesting discussion.
Regards
Caute_cautim
Thanks all for your replies
I fully agree that if a policy is too strict, people will stop following it and do their own thing, but I also cannot just change the policy so that everything the users want or need to do is allowed.
In this case I was looking for a technical solution where the users can work efficiently while our data is safeguarded.
I am looking into an MDM solution in combination with a scanner type of app for now.
Remember People, Processes and Technology at all times - everything involves all three.
Regards
Caute_cautim
@Caute_cautim wrote: Remember People, Processes and Technology at all times - everything involves all three.
John,
You are spot-on with reminding of the three components of a system.
I generally use People, Processes, and Tools, because many tools are not what some would think of as Technology: paper records, pencil and notebook, Post-It notes, Hammer, wrench, etc.
Craig
@Caute_cautim writes:
You could of course invoke the Mobile phone blocking technology, adopted in many education establishments and prisons.
Jamming is illegal in many parts of the world.
@denbesten Absolutely correct, but given the majority of education establishments are Government funded or linked directly to Government entities - definitely when it comes to examination time - they do certainly put in place mobile blocking technology, as do places of correction. This may include Bluetooth, wireless WiFi and other such technologies, given the capabilities of modern students to work around the system, and given that IoT devices have unregistered wireless protocols in proprietary devices.
The establishments would most certainly have authority to put such devices in place, and recently I have seen moves to even block Shadow IT via Cloud Access Security Brokers (CASBs), given the extent of the ingenuity of the potential perpetrators, due to data leakage and the bypassing of controls, as we have witnessed via the cloud.
Regards
Caute_cautim