Enterprise Mobile Device Backups
Regular backups of mobile device contents are just as important as backing up the contents of desktop computers. To the user’s regular backups are extremely useful when a device is lost or stolen because the lost device’s contents can be restored to a new device. From a corporate perspective, regular backups provide checkpoints that provide insight into the data and contents of devices.
Several devices available today have a large amount of space on their hard disks, often in tens of gigabytes. For example, 16GB and 32GB configurations are common for most devices. If it’s difficult to back up that volume of data for thousands of devices, it might be useful to back up only the critical data that resides on them.
From a compliance perspective, here are the types of data that should be backed up from mobile devices:
Photos and files (if needed)
This particular policy may also differ for corporate-owned devices, in comparison to personal devices. Depending on your organization’s particular tolerance for risk, you can choose to back up any or all of the data we just listed.
When you devise a device backup policy, be sure to think through the following aspects as well:
Where is all that data stored? You can choose from several cloud-based solutions, which back up all the device data to a central system in the vendor’s cloud. If this isn’t acceptable for your company, insist on a solution that stores all the backed-up data on a server within your corporate network.
Who is authorized to see that data? A typical backup solution for devices must involve the users to invoke a backup operation manually whenever needed, or schedule backups at periodic intervals determined by the IT administrator.
Typically, the user can restore the contents to the device (or a replacement) manually without needing a third party (an IT administrator) to intervene. The user’s backups should be protected by a user-configured passphrase.
In addition, you may also want to give administrators access privileges to that backed-up data. In case users forget their passphrases, it should be possible to reset the passphrase, just like resetting Active Directory passwords.
Depending on where the user’s information is stored, it is important for the software vendor to assign permission to appropriate parties to see that sensitive information. It is important to check whether the vendor’s software can assign granular privileges to various groups of users to see sensitive information that belongs to mobile end users.
It’s important to identify the list of people who are authorized access to all the backed-up data stored either within your corporate network or in the cloud of your vendor’s network.
Are communications encrypted during backups and restorations? You should explore your vendor’s solution to check how the backup is done. The data must be encrypted back and forth from the device to the central backup server. If that communication isn’t encrypted, it’s possible for hackers to snoop in on that traffic and access the data being backed up (or restored).
|Compliance Policy||Personal Devices||Corporate-Owned Devices|
|Regular backups of smartphone contents||Some, maybe not all, of the data that is backed up from
corporate-owned devices. At a minimum, include the following:
contacts, calendar, and call log.
|Contacts Calendar Call log SMS messagesPhotos and files
|Regular backup policies||All policies applicable to corporate-owned devices||Location of backed-up data
Access control to backed-up data Encryption of backed-up data