ABCs of Mobile Security
By Galen Gruman

Contents
Where do I start when securing mobile devices?
Who is responsible for device security?
What security do mobile devices need?
For the mobile devices I do need, isn’t password protection sufficient?
So how do I secure the data itself?
How do I manage passwords and encryption across the devices?
I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
Are there other risks I should watch out for?
What does mobile security cost to implement?

Laptops have become so inexpensive that they’re standard equipment at many enterprises. BlackBerrys are all the rage among traveling execs. Cell phones and PDAs are merging into smart phones that allow mobile e-mail, Internet and even corporate network access, as well as the ability in some models to work on spreadsheets. Copying company data onto USB thumb drives and other removable media has never been easier. Critical enterprise information is leaking onto mobile devices whose risk of loss or theft is much higher than it is for PCs at the office.

The risk is not theoretical. According to the Privacy Rights Clearinghouse, 56 potential breaches of clients’ personal information involving laptops and other mobile devices—typically stolen or lost—were disclosed publicly from Jan. 1 to Oct. 24, 2006, involving the personal information of at least 31.68 million people. And that doesn’t count breaches of corporate data not covered by various state breach-disclosure laws.

Fortunately, security methods aren’t theoretical, either. There are concrete steps an enterprise can take to secure the data on its mobile devices.
Where do I start when securing mobile devices?

The best way to secure company data is not to store it on client devices in the first place, advises Eric Maiwald, a senior analyst at the Burton Group research firm. If data resides on servers and within the data center, with access permitted only over the network, there is no local copy to lose if a laptop or PDA is stolen or lost. This strategy also protects PCs in the office; after all, they can be stolen as well. While it can be more convenient for an employee to work from a local copy of data—on a laptop transported home or on a thumb drive—the high availability of broadband access and the maturity of remote-access technologies mean that working over the network from a laptop or smart phone is rarely much less convenient. This approach also provides better security while still letting people work in multiple locations and with multiple devices.

Unfortunately, many companies have issued laptops as the standard PC, a strategy that undercuts security. Only employees who need to work while traveling should be issued laptops; examples include senior executives, salespeople, auditors, field technicians, some marketing staff and telecommuters. The rest can use desktop PCs, or computers at home or at satellite offices.

Enterprises that limit the use of mobile devices and discourage the use of locally stored data will still find exceptions that require local data storage on mobile devices, but these exceptions will be few, and their small numbers will make them easier to manage.
Who is responsible for device security?

Ultimately, the CEO is responsible for the loss of secret information, such as competitive data, trade secrets or customer information. In practice, the buck stops with the CSO or CIO, depending on your organizational chart. Meanwhile, network administrators, client management leads, department heads and individual users share implementation responsibility.

The CSO or CIO should set the policies as to what data may be stored on mobile devices, what level of protection is required for different types of data, and what access to internal systems various mobile devices may have. Often, these policies are part of the overall data management and access management policies that cover desktop users and remote users.

The network administrator and IT chief responsible for client management typically choose the tools to ensure that password, VPN, access control and malware-protection requirements are met. They may also determine which types of mobile devices are authorized for use with company data and services, based on the level of security they can enforce on the various devices.

Business managers and users are responsible for following these policies, and for not trying to work around them by using personal devices with forbidden company data and services—an easy temptation when you already have a PDA, iPod, smart phone or USB drive and see no harm in using it for work purposes.
What security do mobile devices need?

Some mobile devices—particularly laptops—have a clear set of risks, since they are portable computers that can store valuable data and include applications that access your network and enterprise resources. A stolen laptop can be a treasure trove of critical data as well as an easy conduit into your enterprise’s systems. But other devices—PDAs, smart phones, iPods and USB “thumb drives,” for example—that seem innocuous can also expose your company’s data or provide outsiders access to your systems if not properly secured.

Some of these security threats are handled at the network level—such as requiring the use of authentication and VPNs for remote access into corporate systems—for PCs, laptops and handhelds alike. Some are handled by your client management tools, such as password policy enforcement and malware detection. But mobile devices typically need extra protection of the data they store, in the form of encryption, so a lost or stolen device can’t become a treasure trove for data thieves. (And most states require that companies report any loss of unencrypted data involving consumers’ private information, a disclosure that is not only costly to execute but even more expensive in terms of lost trust.) In some cases, mobile devices may need extra protection such as the use of hardware-based authentication tokens so a thief can’t access your enterprise network even if he discovers the user’s password.

For the mobile devices I do need, isn’t password protection sufficient?

Enforced password protection is a great first step, so if the devices are lost or stolen, they can’t easily be used.
Be sure that all log-in settings require the user to type in a password—if the laptop or PDA logs itself in to your network, you have a significant breach potential. Be sure that the password is complex enough (at least eight characters, including a mix of numbers and letters) to resist hacking but not so difficult that users tape it to their devices.

Also pay attention to how long a device may be idle before a password is required to use it again, suggests Paul Kocher, chief scientist for cryptography at technology consultant Cryptography Research. A long idle time will let someone walk away with a laptop at an airport or café and still have access to its contents, while a very short time-out period will require users to constantly enter their passwords, making them accessible to shoulder-surfers. A good rule of thumb is that two to five minutes of inactivity should trigger a password request.

If the data is particularly sensitive, you may want to use a second form of authorization—such as a smart card reader, fingerprint reader, SecurID token or challenge/response system—so that a thief needs more than a password to access the device. Note that this second-authentication strategy is more plausible on a laptop than on handheld devices such as PDAs, for which there are typically no such hardware tokens available.

But password protection (even when augmented with a second form of authentication) by itself won’t help secure the locally stored data. If a data thief removes the hard drive from a laptop, the data is easily opened from another computer.
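The three checks above (no self-logon, a two-to-five-minute idle lock that demands a password, and a minimum password length) can be audited on a Windows laptop from a script. The following PowerShell is an added example, not code from the article or from any vendor it names. It assumes the standard Winlogon and Control Panel\Desktop registry locations and English-language output from the built-in net accounts command (the labels it parses are localized on other locales); the 120–300 second window and eight-character minimum are the article's own rule of thumb, exposed as parameters.

```powershell
# Added example, not from the article: audit a Windows laptop against the
# logon and idle-lock guidance above. Registry locations are the standard
# Winlogon and Control Panel\Desktop keys; parsing 'net accounts' assumes
# English-language Windows output (the labels are localized elsewhere).

function Get-MinimumPasswordLength {
    # 'net accounts' prints the local account policy as text; pull the
    # "Minimum password length" field. 'None' means no minimum is enforced.
    $text = (& net accounts 2>$null) -join "`n"
    $m = [regex]::Match($text, 'Minimum password length\s+(\S+)')
    if (-not $m.Success -or $m.Groups[1].Value -eq 'None') { return 0 }
    return [int]$m.Groups[1].Value
}

function Test-MobileLogonBaseline {
    param(
        [int]$MinIdleSeconds = 120,   # article's rule of thumb: 2 to 5 minutes
        [int]$MaxIdleSeconds = 300,
        [int]$MinPasswordLength = 8
    )
    $findings = @()

    # 1. The device must never log itself in: no auto-logon, no stored password.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                           -ErrorAction SilentlyContinue
    if ($wl.AutoAdminLogon -eq '1') {
        $findings += 'AutoAdminLogon=1: the machine signs in without a password.'
    }
    if ($wl -and $wl.PSObject.Properties['DefaultPassword']) {
        $findings += 'DefaultPassword is stored in clear text under Winlogon.'
    }

    # 2. Idle lock: screen saver on, password required on resume, time-out in range.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = 0
    if ($desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }
    if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
        $findings += 'Idle lock is disabled or does not require a password on resume.'
    } elseif ($timeout -lt $MinIdleSeconds -or $timeout -gt $MaxIdleSeconds) {
        $findings += "Idle lock fires after $timeout s; expected $MinIdleSeconds-$MaxIdleSeconds s."
    }

    # 3. Password length. The letters-and-numbers mix (complexity) is not shown
    #    by 'net accounts'; check it with 'secedit /export' or Group Policy.
    $len = Get-MinimumPasswordLength
    if ($len -lt $MinPasswordLength) {
        $findings += "Minimum password length is $len; baseline requires $MinPasswordLength."
    }
    return $findings
}

$result = @(Test-MobileLogonBaseline)
if ($result.Count -eq 0) {
    'PASS: logon and idle-lock settings meet the baseline.'
} else {
    $result | ForEach-Object { "FAIL: $_" }
}
```

Run it in the context of the user whose laptop is being checked, since the idle-lock values live under HKCU; the Winlogon and account-policy checks are machine-wide. A domain Group Policy that enforces the same values is the scalable route; this script is useful for spot checks and for laptops that spend long periods disconnected from the domain.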
So how do I secure the data itself?

For data that must be stored on a mobile device, use whole-disk encryption secured by a password so that if the devices are lost or stolen, the data on their drives can’t be used. (Do the same for PCs in publicly accessible locations—they can be stolen, too.)

Although the current versions of Windows, Mac OS X and Linux include folder-based encryption, all it takes is a user not storing files in the protected folders for them to become accessible to a data thief. By contrast, whole-disk encryption protects everything on the drive, so you don’t have to worry whether users are putting company data in the right folder or whether they have turned on file-by-file encryption.

And there’s a bonus: Encryption provides you an automatic pass from having to publicly disclose the loss of devices that contain consumer information in the 33 states that require such disclosure (as of this writing).

Keep in mind that while modern laptops can run whole-disk encryption with minimal impact on performance, most handheld devices don’t have the horsepower to effectively run encryption. (The BlackBerry is an exception.) Some phone-based devices let you lock them out or zap their contents if they are lost or stolen, using their cellular connections to transmit a lockdown or kill command. For other devices, a strong password may be your only real protection. Therefore, you may need to limit these devices to storing data you can afford to lose. But that decision can be tricky: Is an executive’s address book or schedule business-critical information that shouldn’t be risked, or is the convenience of mobile access worth the risk of loss or theft?

How do I manage passwords and encryption across the devices?

Usually you can manage laptops using the same network, asset and client management tools that you should already be using to manage and secure your PCs.
The key is to ensure these tools support disconnected users, keeping the last set of protections and policies in place on the device when it is not connected to the network, then updating any policies, malware signatures and required password updates before a mobile user can connect to enterprise systems such as e-mail and file servers.

It’s harder to manage other mobile devices, since their wide variety has made it difficult for security and management vendors to cover all the possible bases. Some management products come with add-ons for select mobile devices, while in other cases you will need to have separate management tools in place. It’s best to see if you can extend your current management suite to cover your mobile devices, perhaps through custom extensions, rather than introduce new management tools that increase training, support and management complexity.

Research in Motion’s BlackBerry offers a complete set of handheld security features: full-disk encryption, e-mail encryption, and remote management features such as the ability for IT to wipe out the contents of a stolen or lost device. Devices using Microsoft’s Windows Mobile operating system have an array of products available to enforce passwords and synchronization control from vendors such as Bluefire Security Technologies, Hewlett-Packard and Symbol Technologies. Note that Windows-based smart phones sometimes can’t run these tools because they don’t have sufficient hardware resources. Newer Palm devices, such as the Tungsten C, support whole-disk encryption and strong passwords, but older models typically have little to no security. Credant Systems, Palm and Trust Digital are among the providers of Palm-oriented device security tools.
I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?

The available technology for devices other than laptops is often insufficient to assure security. One reason is that PDAs and smart phones typically don’t have the horsepower or memory to run whole-disk encryption. Another is lack of attention to mechanisms such as enforced password protection in PDAs, smart phones and other handhelds. Even when the devices have the hardware and operating system support for enterprise-class security, the large variety of devices and operating systems has made it hard for vendors to cost-justify developing security tools for any specific hardware/operating system combination.

Therefore, many devices simply cannot be secured. In those cases, you should ban them from your network or restrict them to the same information you would make publicly available, such as in a lobby wireless LAN for visitors.

Are there other risks I should watch out for?

A new generation of data storage devices has created new security risks. USB “thumb” drives, recordable CDs and DVDs, and the iPod (with iTunes’ Enable Disk Mode feature) all make it easy for employees to copy data from a secured device to an unsecured medium that’s easily hidden, lost or stolen. Vendors are only starting to extend protection such as encryption and password protection to these inexpensive media, leaving a big hole in your protection.

Until your software vendors have appropriate tools to cover these risks, you may need to set policies banning their use, and discourage their use by, for example, configuring your computers not to support USB storage devices and not supporting writable media.
An easy step is not to buy computers with writable CD or DVD drives. Blocking the use of USB storage devices is harder, typically requiring adjustments to the Windows XP registry. (The forthcoming Windows Vista Server is expected to let you set such USB usage permissions as policies that can be enforced across all Vista clients.) One sure way to block their use is to pour glue in the USB ports, but that also means your users can’t connect other external USB components such as mice or keyboards.

What does mobile security cost to implement?

Costs vary based on what you’re protecting and on the number of seats being protected, but you can expect to spend between $50 and $100 per device to bring encryption, password management and other security management features onto laptops—assuming you have a management platform already in place for your PCs. You’ll also pay more for antimalware licenses if you’re not already deploying them on your laptops. For example, the Lincoln Health System Network of hospitals estimates that encryption costs about $60 per laptop, while the Pacific Northwest National Laboratory spends about $75 each. (The lab spends an additional $100 per laptop using hardware-based second-factor authentication tokens.) Maintenance and ongoing licensing costs typically are about 25 percent of the license cost. Services such as the Computrace tracking service that can lock down or wipe the contents of missing laptops cost about $100 per year per laptop.

Costs of managing handhelds vary considerably. While the software typically runs $20 to $50 per device, many handhelds cannot be remotely managed, so you have to account for the hands-on IT installation and update costs, which depend on how you provision such help-desk and support services and how diligently you update your mobile devices. For handheld devices that can be managed with your existing management tools, the costs typically match those for your PCs.
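The registry adjustment mentioned under “Are there other risks I should watch out for?” is left unspecified in the article. The PowerShell below is an added example, not the article’s or any vendor’s code, showing one common form of it: setting the USBSTOR driver’s Start value to 4 so the USB mass-storage driver never loads, plus, for the Vista-era policy the article anticipates, the registry form of the “Removable Storage Access” Group Policy. Assumptions: the USBSTOR service key and its Start semantics (4 = disabled, 3 = manual, the Windows default); the RemovableStorageDevices policy path and the Disk Drives setup-class GUID {53f56307-b6bf-11d0-94f2-00a0c91efb8b}, which you should confirm against the Group Policy editor before rolling out.

```powershell
# Added example, not from the article: block USB mass storage on a Windows
# client and verify the result. Assumed: USBSTOR Start=4 disables the driver
# (XP-era method); the RemovableStorageDevices keys are the registry form of
# the 'Removable Storage Access' Group Policy on Vista and later, and the GUID
# below is the Disk Drives device setup class.

$UsbStorKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$DiskClassPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Blocked', 'Allowed')][string]$State,
        [switch]$UseRemovableStoragePolicy   # also write the Vista+ deny-write policy
    )

    if (-not (Test-Path $UsbStorKey)) {
        # USBSTOR is created the first time a USB drive is plugged in; if it is
        # absent no driver has ever been bound. The policy branch still applies.
        Write-Warning 'USBSTOR service key not found; skipping driver start value.'
    } else {
        # 4 = disabled, 3 = manual start (the default for USBSTOR).
        $start = if ($State -eq 'Blocked') { 4 } else { 3 }
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $start -Type DWord
    }

    if ($UseRemovableStoragePolicy) {
        if ($State -eq 'Blocked') {
            if (-not (Test-Path $DiskClassPolicy)) {
                New-Item -Path $DiskClassPolicy -Force | Out-Null
            }
            # Deny_Write keeps read access for reference material but stops data
            # being copied out; Deny_All would refuse to mount the drive at all.
            Set-ItemProperty -Path $DiskClassPolicy -Name Deny_Write -Value 1 -Type DWord
        } elseif (Test-Path $DiskClassPolicy) {
            Remove-ItemProperty -Path $DiskClassPolicy -Name Deny_Write -ErrorAction SilentlyContinue
        }
    }
}

function Test-UsbStorageBlocked {
    # True when the USBSTOR driver is set not to start. A drive that is already
    # mounted keeps working until it is unplugged or the machine reboots, so
    # treat this as a baseline check rather than proof that nothing is attached.
    $start = (Get-ItemProperty -Path $UsbStorKey -ErrorAction SilentlyContinue).Start
    return ($start -eq 4)
}

# Usage, from an elevated prompt:
# Set-UsbStorageState -State Blocked -UseRemovableStoragePolicy
# Test-UsbStorageBlocked
```

Unlike the glue-in-the-ports approach, this leaves keyboards and mice working because it only affects the mass-storage driver class. It does not cover CD/DVD burners or the iPod’s disk mode over FireWire, so it complements rather than replaces the purchasing and policy measures above, and it should be deployed and re-asserted through your existing client management tooling so a user with local administrator rights cannot simply undo it.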