Data security becomes an even bigger concern when users go mobile. Here are some ways to keep your mobile data safe.
- By Joern Wettern
As you find your users storing enterprise data in more and more places, including
cell phones and Pocket PCs, you need to come up with ways to secure this data.
Fortunately, there are several strategies and technologies you can use to help
keep your mobile data from falling into the wrong hands.
BlackBerry devices, Windows Mobile-based smartphones and Pocket PCs and other
mobile computing devices give your users constant access to e-mail and other
data. This is a productivity boost and convenience for them and a management
and security nightmare for you.
Even if you try to keep your users tethered to their PCs for simplicity's and
security's sake, you'll invariably have enterprising co-workers who can't live
without access to their work. They'll use their own mobile devices to get at
their data. They may end up storing confidential e-mail and other sensitive
documents on a number of devices of which you may or may not be aware.
Know What You've Got
Before you can develop and execute a plan for securing this data, you need an
accurate and up-to-date inventory of all devices that have even occasional access
to your network. Letting your users decide where and how they store corporate
data is really not a good idea, so after the inventory process, follow up by
taking steps to prevent any unmanaged devices from connecting to your network
or mail servers.
Offering a carrot is almost always more effective than threatening with a stick,
so you should consider helping to transition users who have created their own
data access solutions over to a centrally managed platform. Once you know what
devices are being used, how they're being used and have a plan for controlling
those devices, only then can you effectively secure the data on those devices.
When It's Gone, It's Gone
Most of the security risk associated with mobile devices arises when a device
is lost or stolen. Sure, replacing a smartphone or Pocket PC can be expensive,
but the cost of the hardware is nothing compared to the potential cost of the
disclosure of data on the device or having to replace that data. Highly publicized
cases of data theft, like the massive theft of customer data from retailer TJX,
can severely erode customer confidence and lead to loss of business.
Even if a lost smartphone, for example, didn't have any confidential documents
or corporate secrets, there might be other sensitive data stored on the device.
Any saved e-mail messages frequently contain contact information or other bits
of data that neither the sender nor the recipient would want to become public
There's always the possibility that a lost device will be returned by an honest
finder. You could even tape a notice on any mobile device offering a reward
for its safe return, but relying on this alone for data security is foolish.
Once a device is lost or stolen, someone with malicious intent will most likely
try to access any data. Your primary focus should be on the value of the data
and not on the value of the device. Once a device is gone, you should operate
on the assumption that someone will attempt to access the data. It's a good
idea to have policies and utilities that wipe a mobile device clean after a
certain number of unauthorized access attempts.
Passwords and Encryption
It should go without saying that you should protect any mobile device with a
password. Depending on the implementation, a password can either prevent access
to the device and its data altogether or at least prevent someone from getting
to the data before you have a chance to take other actions.
As with any other password protection you have to balance password strength
and usability. This can be challenging with some mobile devices. Typing a long
complex password on a telephone keypad may simply not be possible. Also, not
all password protection is created equal. Unless there's an effective lockout
mechanism that kicks in after a number of unsuccessful password entries or the
password is combined with encryption, this type of protection will only slow
down a determined attacker.
Encryption is the most effective method for making data useless in the event
of unauthorized access. If you're using a centrally managed BlackBerry, you
already have the ability to encrypt e-mail and contact information. Unfortunately,
Windows Mobile does not yet have this feature built in.
There are third-party solutions available for this, however, like the offerings
from Bluefire Mobile Security. No matter what encryption technology or tool
you use, make sure that it automatically encrypts all data on the device, including
files stored on memory cards.
Reach Out and Wipe It
If you can't sufficiently encrypt data on your mobile devices, you should have
processes in place to have all data wiped clean from a lost or stolen device.
Even if you do have an encryption strategy, a data-wiping option is an excellent
additional layer of protection against data theft or misuse.
While it's unlikely that you'll be able to connect over the Internet to do
this, you can take advantage of the fact that many of these devices automatically
connect to your mail server to synchronize data. Recent versions of Exchange
Server let you send a command to the device that instructs it to delete any
data instead of downloading the latest changes.
At the next synchronization interval, the device will receive this command
and erase the data before someone has a chance to read it. Even better, with
Exchange 2007 you can let your users perform this action themselves using Outlook
Web Access (see Figure 1). This self-service option can help ensure speedy data
erasure, even without IT intervention.
[Click on image for larger view.]
|Figure 1. Outlook
Web Access lets you directly manage your mobile devices.
The Windows Mobile method of erasing data from the device does have some limitations,
though. First, it does not erase all data. While Outlook data is deleted, some
files copied to the device -- including files on storage cards -- may remain
intact. Also, the data is only erased if the device initiates synchronization.
Viruses Are Mobile, Too
It's difficult to find a personal computer in a corporate environment that doesn't
have some sort of anti-virus software installed. However, many administrators
forget that Pocket PCs and smartphones can also contract and spread viruses.
Viruses written for these platforms are still relatively rare, but that's no
excuse to ignore the threat. When allowing any of these devices to connect to
your network, make sure that they're running anti-virus software. Many vendors
of anti-virus software offer versions developed specifically for mobile platforms.
Keep It Manageable
The biggest challenge in keeping your mobile devices secure is managing the
various security settings. This becomes more difficult when you have to manage
multiple platforms, such as Windows Mobile, Symbian and BlackBerry. There are
vendors that promise to help you enforce policies across all of them using a
single administration tool, but in reality, central management of more than
one platform ends up being tedious. This alone is a compelling reason to standardize
on a single mobile platform.
If your platform is Windows Mobile, keep your eyes open for news about Microsoft's
System Center Mobile Device Manager (MDM) 2008, which is currently in beta.
MDM promises to ease the burdens of central management, security enforcement
and access to corporate data. It's currently in the early beta stage, with an
expected release in the second quarter of 2008. To take full advantage of it,
you'll need devices running the next version of Windows Mobile. It's too early
to say whether MDM will deliver on its promises, but if you need to manage devices
running Windows Mobile you should definitely take a look.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.