In view of the proliferation of mobile computing devices, it is surprising how few are appropriately secured against the financial, legal and regulatory risks associated with the potential exposure of sensitive data. Probably fewer than 10 percent of the mobile devices used by major organizations have any serious protection for stored data. This vulnerability persists despite annual CSI/FBI studies that document substantial financial losses associated with theft and exposure of confidential data, as well as stringent federal regulations governing the security of private data collected by a broad range of financial and healthcare organizations. States are also enacting tough new laws, such as California SB1386, that requires companies to notify residents of any actual or potential incident that threatens the “security, confidentiality or integrity” of private data. It is little wonder that security tops the list of concerns IT managers expressed about mobile devices; 91 percent worried about protecting data on mobile devices and 72 percent were worried about the theft of mobile devices.
Reassess riskSince mobile computing is a permanent feature of an enterprise, every organization needs to reassess its risk. One benchmark concept for securing mobile devices is to create “virtual physical security,” which means security equivalent to that of a PC in a locked office. Further, as many devices are now being directly connected to the Internet, end users must also consider the measures necessary to prevent unauthorized electronic access by remote hackers. It is also imperative to understand the enterprise infrastructure necessary to deploy and maintain physical and electronic access controls on large numbers of devices.
To begin, it is useful to think of mobile devices as self-contained networks, needing essentially the same types of security measures as enterprise networks, specifically access control, user authentication, data encryption, a firewall, intrusion prevention and protection from malicious code.
Access Control: The fundamental security problem inherent in mobile devices is the lack of physical access control. Mobile devices are designed for use outside the physical confines of the office or factory. Consequently, PDAs and smart phones are often used precisely where they are most vulnerable – public places, lobbies, taxis, airplanes – where risks include loss, probing or downloading of data by unauthorized persons and, frequently, theft of the device itself. The damage can be personal as well as corporate; many users store information such as credit card, bank account and Social Security numbers, for themselves as well as that of family members, on notebook PCs and PDAs. Consequently, all mobile devices must have a protective mechanism that restricts access to authorized persons only. This in turn requires the ability to authenticate the identity of users.
User Authentication: A system doesn’t have to be able to identify everybody, only those persons (presumably no more than a few) who have access privileges to the data stored on the device. In this context, PINs are generally an acceptable means of authentication because they reside on the device only and are never transmitted. In addition, security systems for notebook PCs often utilize USB tokens or smart cards to prove user identity. Nevertheless, even with proper access control and user authentication in place, sensitive data is at risk because an attacker might chose to simply remove the hard drive or memory card for use in an unprotected device. Consequently a third element, data encryption, is an indispensable element of security.
Data Encryption: With fast processors and large memory, portable computers carry current and critical data that may lead to serious financial loss if compromised. Fortunately, the last line of defense, data encryption, is very hard to defeat by any but the most experienced thief. The objective is to make decryption economically unrewarding instead of theoretically impossible, so even moderately strong systems accomplish much. The most important consideration is to make sure that the encryption process is automatic, transparent to the user, and protects all stored data; systems that require user involvement to encrypt specific files in specific places cannot provide the provable security regime needed by organizations. Of course, encryption is effective only if authorized people control the decryption key, so there is necessarily a tight connection between encryption and user authentication. Together, access control coupled with user authentication and encryption, are the three elements that comprise virtual physical security.
Firewall, intrusion preventionMobile devices are increasingly Internet-connected as salespeople log on from hotel rooms and officers carry PDAs with wireless networking. Of course, Internet activity exposes mobile devices to all the risks faced by an enterprise network, including penetration and theft of important secrets. But the problem doesn’t end there – these same devices generally also contain logon scripts, passwords and user credentials that can be used to compromise the company network itself. In short, a personal firewall is an essential security requirement. As blended security threats proliferate, the addition of an intrusion prevention feature to the firewall will become increasingly attractive.
The proliferation of mobile devices has spawned a new generation of viruses specifically designed to infest PDAs and smart phones. Until now, these have been more of a nuisance than a major threat, mainly causing concerns about propagating viruses or Trojan horses when synching between PDAs and desktop machines. But the increasing dependence on portable devices coupled with frequent connections to the company network makes this a concern that must be addressed with appropriate anti-virus protection.
Between virtual physical security requirements intrusion prevention/ant-virus software, security mobile devices requires a lot of technology for a single device. Thus, security administration becomes a huge issue when thousands of mobile devices are deployed. Policy enforcement, deployment, updates, helpdesk, key recovery and system logging are all vital components of an enterprise system that provides provable security to comply with data privacy regulations and repel litigation.