ABCs of Mobile Security (Page 4)

By Galen Gruman

• Where do I start when securing mobile devices?
• Who is responsible for device security?
• What security do mobile devices need?
• For the mobile devices I do need, isn’t password protection sufficient?
• So how do I secure the data itself?
• How do I manage passwords and encryption across the devices?
• I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
• Are there other risks I should watch out for?
• What does mobile security cost to implement?

I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?

The available technology for devices other than laptops is often insufficient to assure security. One reason is that PDAs and smart phones typically don’t have the horsepower or memory to run whole-disk encryption. Another is lack of attention to mechanisms such as enforced password protection in PDAs, smart phones and other handhelds. Even when the devices have the hardware and operating support for enterprise-class security, the large variety of devices and operating systems has made it hard for vendors to cost-justify developing security tools for any specific hardware/operating system combination.

Therefore, many devices simply cannot be secured. In those cases, you should ban them from your network or restrict them to the same information you would make publicly available, such as in a lobby wireless LAN for visitors.

Are there other risks I should watch out for?

A new generation of data storage devices has created new security risks. USB “thumb” drives, iPods, recordable CDs and DVDs, and the iPod (with iTunes’ Enable Disk Mode feature) all make it easy for employees to copy data from a secured device to an unsecured medium that’s easily hidden, lost or stolen. Vendors are only starting to extend protection such as encryption and password protection to these inexpensive media, leaving a big hole in your protection.

Until your software vendors have appropriate tools to cover these risks, you may need to set policies banning their use, and discouraging their use by, for example, configuring your computers not to support USB storage devices and not supporting writable media. An easy step is not to buy computers with writable CD or DVD drives. Blocking the use of USB storage devices is harder, typically requiring adjustments to the Windows XP registry. (The forthcoming Windows Vista Server is expected to let you set such USB usage permissions as policies that can be enforced across all Vista clients.) One sure way to block their use is to pour glue in the USB ports, but that also means your users can’t connect other external USB components such as mice or keyboards.

What does mobile security cost to implement?

Costs vary based on what you’re protecting and on the number of seats being protected, but you can expect to spend between $50 and $100 per device to bring in encryption, password management and other security management features onto laptops—assuming you have a management platform already in place for your PCs. You’ll also pay more for antimalware licenses if you’re not already deploying them on your laptops. For example, the Lincoln Health System Network of hospitals estimates that encryption costs about $60 per laptop, while the Pacific Northwest National Laboratory spends about $75 each. (The lab spends an additional $100 per laptop using hardware-based second-factor authentication tokens.) Maintenance and ongoing licensing costs typically are about 25 percent of the license cost. Services such as the Computrace tracking service that can lock down or wipe the contents of missing laptops cost about $100 per year per laptop.

Costs of managing handhelds vary considerably. While the software typically runs $20 to $50 per device, many handhelds cannot be remotely managed, so you have to account for the hands-on IT installation and update costs, which depend on how you provision such help-desk and support services and how diligently you update your mobile devices. For handheld devices that can be managed with your existing management tools, the costs typically match those for your PCs.