Decoding Mobile Device Security

Computerworld - In view of the proliferation of mobile devices, it's surprising how few are appropriately secured against the financial, legal and regulatory risks associated with the potential exposure of sensitive data.

Probably fewer than 10% of mobile devices used by major organizations have serious protection for stored data. This vulnerability persists despite the annual Computer Security Institute/FBI studies that document substantial financial losses associated with theft and exposure of confidential data and despite federal regulations governing the security of private data collected by financial and health care organizations.

States are also enacting tough new laws such as California SB 1386, which requires companies to notify residents of any actual or potential incident that threatens the "security, confidentiality or integrity" of private data. It's little wonder that security tops the list of concerns IT managers expressed about mobile devices; 91% worry about protecting the data on mobile devices, and 72% worry about the theft of mobile devices.

Since mobile computing is a permanent feature for business, every organization needs to reassess its risk. One benchmark concept for securing mobile devices is to create "virtual physical access control," which means security equivalent to that of a PC in a locked office.

Furthermore, as many devices are now being directly connected to the Internet, we must also consider the measures necessary to prevent unauthorized electronic access by remote hackers. Finally, organizations need to look at the infrastructure necessary to deploy and maintain physical and electronic access controls on large numbers of devices.

It's useful to think of mobile devices as self-contained networks, needing essentially the same types of security measures as enterprise networks -- access control, user authentication, data encryption, a firewall, intrusion prevention and protection from malicious code. Let's consider each of these security requirements:

• Access control: The fundamental security problem inherent in mobile devices is the lack of physical access control. Mobile devices are designed for use outside the physical confines of the office or factory. Consequently, handheld devices and smart phones are often used precisely where they're most vulnerable -- in public places, lobbies, taxis, airplanes -- where risks include loss; probing or downloading of data by unauthorized persons; and frequently, theft of the device itself. The damage can be personal as well as corporate: Many users store information such as credit card bank account and Social Security numbers and information on family members on notebook PCs and handhelds. Consequently, all mobile devices must have a protective mechanism that restricts access to authorized persons only. This in turn requires the ability to authenticate the identity of users.

  
  

• User authentication: We don't have to be able to identify everybody, only those people (presumably no more than a few) who have access privileges to the data stored on the device. In this context, personal identification numbers are generally an acceptable means of authentication because they reside on the device only and are never transmitted. In addition, security systems for notebook PCs often utilize Universal Serial Bus tokens or smart cards to prove users' identities. Nevertheless, even with proper access control and user authentication in place, sensitive data is at risk because an attacker might choose to simply remove the hard drive or memory card for use in an unprotected device. Consequently a third element -- data encryption -- is an indispensable element of security.

  
  

• Data encryption: The last line of defense, data encryption, is very hard to defeat by any but the most experienced thieves. The objective is to make decryption economically unrewarding instead of theoretically impossible, so even moderately strong systems accomplish much. The most important consideration is to make sure that the encryption process is automatic and transparent to the user and protects all stored data. Systems that require user involvement to encrypt specific files in specific places cannot provide the "provable" security regime needed by organizations. Of course, encryption is effective only if authorized people control the decryption key, so there is necessarily a tight connection between encryption and user authentication. Access control, user authentication and encryption are the three elements that comprise virtual physical-access control.

  
  

• Firewall and intrusion prevention: Mobile devices are increasingly Internet-connected as salespeople log on from hotel rooms and as field workers carry handheld devices with wireless networking. Of course, Internet activity exposes mobile devices to all the risks faced by an enterprise network including penetration and theft of important secrets. With fast processors and large memory, our portable computers carry current and critical data that may lead to financial loss if compromised. But the problem doesn't end there -- these same devices generally also contain log-on scripts, passwords and user credentials that can be used to compromise the company network itself. In short, a "personal" firewall is an essential security requirement. As "blended" security threats proliferate, the addition of an intrusion-prevention feature to the firewall will become increasingly attractive.

  
  

• Antivirus: The proliferation of mobile devices has spawned a new generation of viruses specifically designed to infest handhelds and smart phones. Until now, these have been more of a nuisance than a major threat, mainly causing concerns about propagating viruses or Trojan horses when synching between PDAs and desktop machines. But the increasing dependence on portable devices coupled with frequent connections to the company network must be addressed with appropriate antivirus protection.
  

  
  

• Administration infrastructure: Security administration becomes a huge issue when thousands of mobile devices are deployed. Policy enforcement, deployment, updates, help desk, key recovery and system logging are all vital components of an enterprise system that provides "provable" security to comply with data privacy regulations and to repel litigation.

Getting Started
The steps for protecting data on mobile devices are the same as for network security:

1. Assess the risk to your organization.
   
2. Create policies that manage the risk.
   
3. Implement a solution to enforce the policies.
   
4. Monitor to ensure that the system is working properly.

Obviously, your security solution must provide uniform protection on all the types and makes of portable devices you currently use or plan to acquire. At a minimum, look for systems that protect notebook PCs, as well as Palm and Pocket PC devices. Make sure that the three components of virtual physical access control (access control, user authentication, automatic and transparent encryption of all stored data) are tightly integrated to protect each device individually.

If your devices connect to the Internet, add firewalls and antivirus protection, and at least consider intrusion prevention. Finally, make sure the vendor provides the infrastructure to deploy, manage, support and monitor all these security services from a central console.

About the author: John Muir is a vice president of corporate development at Pointsec Mobile Technologies in Walnut Creek, Calif.