ABCs of Mobile Security (Page 2)

• Where do I start when securing mobile devices?
• Who is responsible for device security?
• What security do mobile devices need?
• For the mobile devices I do need, isn’t password protection sufficient?
• So how do I secure the data itself?
• How do I manage passwords and encryption across the devices?
• I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
• Are there other risks I should watch out for?
• What does mobile security cost to implement?

What security do mobile devices need?

Some mobile devices—particularly laptops—have a clear set of risks, since they are portable computers that can store valuable data and include applications that access your network and enterprise resources. A stolen laptop can be a treasure trove of critical data as well as an easy conduit into your enterprise’s systems. But other devices—PDAs, smart phones, iPods and USB “thumb drives,” for example—that seem innocuous can also expose your company’s data or provide outsiders access to your systems if not properly secured.

Some of these security threats are handled at the network level—such as requiring the use of authentication and VPNs for remote access into corporate systems—for PCs, laptops and handhelds alike. Some of these security threats are part of your client management tools, such as password policy enforcement and malware detection. But mobile devices typically need extra protection of the data they store, in the form of encryption, so a lost or stolen device can’t become a treasure trove for data thieves. (And most states require that companies report any loss of unencrypted data involving consumers’ private information, a disclosure that is not only costly to execute but even more expensive in terms of lost trust.) In some cases, mobile devices may need extra protection such as the use of hardware-based authentication tokens so a thief can’t access your enterprise network even if he discovers the user’s password.

For the mobile devices I do need, isn’t password protection sufficient?

Enforced password protection is a great first step, so if the devices are lost or stolen, they can’t easily be used. Be sure that all log-in settings require the user to type in a password—if the laptop or PDA logs itself in to your network, you’ll now have a significant breach potential. Be sure that the password is complex enough (at least eight characters, including a mix of numbers and letters) to resist hacking but not so difficult that users tape them to their devices. Also pay attention to how long a device may be idle before a password is required to use it again, suggests Paul Kocher, chief scientist for cryptography at technology consultant Cryptography Research. A long idle time will let someone walk away with a laptop at an airport or café and still have access to its contents, while a very short time-out period will require users to constantly enter their passwords, making them accessible to shoulder-surfers. A good rule of thumb is that two to five minutes of inactivity should trigger a password request.

If the data is particularly sensitive, you may want to use a second form of authorization—such as a smart card reader, fingerprint reader, SecurID token or challenge/response system—so that a thief needs more than a password to access the device. Note that this second-authentication strategy is more plausible on a laptop than on handheld devices such as PDAs, for which there are typically no such hardware tokens available.

But password protection (even when augmented with a second form of authentication) by itself won’t help secure the locally stored data. If a data thief removes the hard drive from a laptop, the data is easily opened from another computer.