CSA CCM UEM-12
Remote Locate

Managed mobile endpoints leave the building every day, so the ability to find one that has gone missing is a basic part of endpoint security. The Remote Locate control requires that an organization be able to determine, on demand, the location of its managed mobile devices, so that a lost or stolen device can be recovered, or locked and wiped, before the data on it is exposed. Implemented alongside remote lock and wipe, it shortens the window between a device going missing and the organization acting on it.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. This control is part of the Universal Endpoint Management domain, which focuses on securing and managing various types of endpoints, including mobile devices. For more information on mobile device management, refer to the AWS Mobile Device Management documentation.

Who should care?

  • IT administrators responsible for enrolling, managing and securing mobile devices
  • Security officers who need to protect sensitive data on mobile endpoints and respond to lost-device incidents
  • Compliance managers who must demonstrate adherence to data protection regulations and industry standards

What is the risk?

The primary risks associated with not implementing the Remote Locate control are:

  1. Unauthorized access to sensitive data if a device is lost or stolen
  2. Inability to track and recover missing devices, leading to financial losses
  3. Non-compliance with data protection regulations, resulting in hefty fines

The Remote Locate control helps mitigate these risks by returning the device's last-reported location, which lets the responder decide quickly whether to attempt recovery or to lock and wipe. Note what it does not do: a device that is powered off, offline, or no longer enrolled in the management agent cannot report its position, and the location reported is the last one collected, not a live feed. On its own, Remote Locate does not prevent access to data on the device; it has to be paired with encryption, screen lock and remote wipe.

What's the care factor?

The target audience should prioritize the implementation of the Remote Locate control based on the sensitivity of the data stored on mobile devices and the potential impact of a security breach. For organizations dealing with highly confidential information or operating in heavily regulated industries, the care factor should be high. In contrast, companies with less sensitive data may assign a lower priority to this control.

When is it relevant?

The Remote Locate control is relevant in the following situations:

  • When an organization provides mobile devices to its employees
  • When employees use their personal devices for work purposes (BYOD). Check what the MDM platform actually supports here: personally-owned enrollments (for example an Android work profile) typically do not expose a locate action, because the platform deliberately withholds device-level location from the organization; locate is usually limited to corporate-owned or supervised devices.
  • When the company handles sensitive data that could be accessed from mobile devices

However, this control may not be necessary for organizations that do not allow mobile devices to access corporate data or have implemented strict device management policies that prohibit the storage of sensitive information on mobile endpoints.

What are the trade-offs?

Implementing the Remote Locate control comes with certain costs and considerations:

  • Employee privacy concerns, since the control gives the company the ability to query where a device (and therefore its user) is; this needs a documented usage policy and, in many jurisdictions, works-council or regulatory consultation
  • Increased administrative overhead for IT teams to manage the capability and to handle locate requests under that policy
  • A possible battery and performance cost on the device, but only if the MDM is configured for continuous location reporting; an on-demand locate action, which is how most MDM platforms implement this control, has negligible impact
  • Additional costs associated with mobile device management software and infrastructure

How to make it happen?

  1. Choose a mobile device management (MDM) solution that supports remote location tracking for the device types you manage, such as Microsoft Intune or VMware Workspace ONE, and confirm which enrollment types (corporate-owned, supervised, BYOD) the locate action actually works on.
  2. Configure the MDM solution so that the locate action is available for all managed mobile devices, and restrict who can invoke it through the platform's role-based access control.
  3. Create a policy that defines the circumstances under which Remote Locate will be used (for example, only against a reported loss or theft with a ticket reference), who may invoke it, and how each use is recorded; communicate this policy to employees before enrollment.
  4. Train IT administrators on how to use the Remote Locate feature effectively and responsibly, including the lock and wipe steps that normally follow it.
  5. Regularly test the Remote Locate functionality against a known device to ensure it works as expected, and address any issues (missing agent permissions, un-enrolled devices, expired credentials) promptly.
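As an added example of steps 2 through 5 in one script (not code from the CCM, from Microsoft, or from the original page), the following Python issues an Intune locate action through Microsoft Graph, refuses to run without the ticket reference the usage policy requires, writes an audit entry for each request, and reads the reported coordinates back. The Graph paths (`/deviceManagement/managedDevices/{id}/locateDevice` and the `deviceActionResults` shape) are assumptions about the current API and should be checked against the Graph documentation; the sample responses are constructed so the script runs offline.

```python
"""Intune Remote Locate via Microsoft Graph: policy gate, audit record, result parse.

Added example; endpoint paths and the deviceActionResults layout are assumptions
about the Graph managedDevice resource, and SAMPLE_DEVICE is constructed data.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def locate_action_url(device_id):
    """POST target for the locateDevice action (assumed Graph path)."""
    return f"{GRAPH}/deviceManagement/managedDevices/{device_id}/locateDevice"


def device_url(device_id):
    """GET target for the managed device, which carries deviceActionResults."""
    return f"{GRAPH}/deviceManagement/managedDevices/{device_id}"


def graph_transport(access_token):
    """Real transport: send(method, url, body) -> (http_status, parsed_json_or_None)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {access_token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


def parse_locate_result(device):
    """Return the completed locateDevice result as a dict, or None if there is
    no completed locate action (device offline, action still pending, no fix)."""
    for result in device.get("deviceActionResults", []):
        if result.get("actionName") != "locateDevice":
            continue
        if result.get("actionState") != "done":
            return None
        loc = result.get("deviceLocation") or {}
        if "latitude" not in loc or "longitude" not in loc:
            return None
        return {
            "latitude": float(loc["latitude"]),
            "longitude": float(loc["longitude"]),
            "accuracy_m": loc.get("horizontalAccuracy"),
            "collected_at": loc.get("lastCollectedDateTime"),
        }
    return None


def locate_device(send, device_id, operator, ticket, audit_log):
    """Policy gate + audit + action + read-back. Raises PermissionError when the
    request has no ticket/incident reference, so ad-hoc tracking is impossible
    through this path. Returns the parsed location or None."""
    if not ticket:
        raise PermissionError("Remote Locate requires a ticket or incident reference")
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "operator": operator, "ticket": ticket,
        "device_id": device_id, "action": "locateDevice",
    }
    status, _ = send("POST", locate_action_url(device_id))
    entry["post_status"] = status
    audit_log.append(entry)  # record the request even if it fails
    if status not in (200, 202, 204):
        return None
    _, device = send("GET", device_url(device_id) + "?$select=deviceActionResults")
    result = parse_locate_result(device or {})
    entry["result"] = result
    return result


# Constructed sample device record (not captured from a real tenant).
SAMPLE_DEVICE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "deviceActionResults": [{
        "actionName": "locateDevice", "actionState": "done",
        "deviceLocation": {"latitude": 51.5007, "longitude": -0.1246,
                           "horizontalAccuracy": 12.0,
                           "lastCollectedDateTime": "2024-01-15T09:30:00Z"},
    }],
}


def fake_transport(method, url, body=None):
    """Offline stand-in for graph_transport, answering from SAMPLE_DEVICE."""
    if method == "POST" and url.endswith("/locateDevice"):
        return 204, None
    if method == "GET" and url.startswith(device_url(SAMPLE_DEVICE["id"])):
        return 200, SAMPLE_DEVICE
    return 404, None


if __name__ == "__main__":
    audit = []
    fix = locate_device(fake_transport, SAMPLE_DEVICE["id"], "alice", "INC-1234", audit)
    print(json.dumps({"location": fix, "audit": audit}, indent=2))
```

Swap `fake_transport` for `graph_transport(token)` with a token that carries `DeviceManagementManagedDevices.PrivilegedOperations.All` to run it against a tenant; the audit list is what you would ship to the SIEM so that every locate request is traceable to an operator and an incident, which is the evidence the usage policy in step 3 depends on.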

What are some gotchas?

  • Ensure that the MDM agent has the permissions it needs to read location on the managed devices. On Android the agent needs android.permission.ACCESS_FINE_LOCATION, and because a locate request arrives while the agent is in the background, on Android 10 and later it also needs android.permission.ACCESS_BACKGROUND_LOCATION; if the user has revoked either, the locate action returns nothing. Refer to the Android location permissions documentation for more information.
  • Be aware of any legal or regulatory requirements related to employee privacy and data protection when implementing the Remote Locate control, and of platform restrictions that withhold location on personally-owned enrollments.
  • Consider the impact on device battery life and performance only if you enable continuous location reporting; an on-demand locate action has little cost, and continuous tracking is a separate decision with a much larger privacy footprint.

What are the alternatives?

Remote Locate helps recover a device, but it does nothing to protect the data on it; the following controls address that risk directly and are needed whether or not locate is available:

  • Implementing strong device encryption to protect sensitive data
  • Enforcing strict password policies and device lockout mechanisms
  • Regularly backing up data from mobile devices to minimize the impact of data loss
  • Utilizing remote wipe capabilities to erase corporate data from lost or stolen devices
