Security Advisor

Going Mobile

Data security becomes an even bigger concern when users go mobile. Here are some ways to keep your mobile data safe.

As you find your users storing enterprise data in more and more places, including cell phones and Pocket PCs, you need to come up with ways to secure this data. Fortunately, there are several strategies and technologies you can use to help keep your mobile data from falling into the wrong hands.

BlackBerry devices, Windows Mobile-based smartphones and Pocket PCs, and other mobile computing devices give your users constant access to e-mail and other data. This is a productivity boost and a convenience for them, and a management and security nightmare for you.

Even if you try to keep your users tethered to their PCs for simplicity's and security's sake, you'll invariably have enterprising co-workers who can't live without access to their work. They'll use their own mobile devices to get at their data. They may end up storing confidential e-mail and other sensitive documents on a number of devices of which you may or may not be aware.

Know What You've Got
Before you can develop and execute a plan for securing this data, you need an accurate and up-to-date inventory of all devices that have even occasional access to your network. Letting your users decide where and how they store corporate data is really not a good idea, so after the inventory process, follow up by taking steps to prevent any unmanaged devices from connecting to your network or mail servers.

Offering a carrot is almost always more effective than threatening with a stick, so you should consider helping users who have created their own data access solutions transition to a centrally managed platform. Only once you know which devices are in use, how they're being used and how you will control them can you effectively secure the data on them.

When It's Gone, It's Gone
Most of the security risk associated with mobile devices arises when a device is lost or stolen. Sure, replacing a smartphone or Pocket PC can be expensive, but the cost of the hardware is nothing compared to the potential cost of the disclosure of data on the device or having to replace that data. Highly publicized cases of data theft, like the massive theft of customer data from retailer TJX, can severely erode customer confidence and lead to loss of business.

Even if a lost smartphone, for example, didn't have any confidential documents or corporate secrets, there might be other sensitive data stored on the device. Any saved e-mail messages frequently contain contact information or other bits of data that neither the sender nor the recipient would want to become public knowledge.

There's always the possibility that a lost device will be returned by an honest finder. You could even tape a notice on any mobile device offering a reward for its safe return, but relying on this alone for data security is foolish.

Once a device is lost or stolen, you should operate on the assumption that someone with malicious intent will attempt to access the data on it. Your primary focus should be on the value of the data, not on the value of the device. It's a good idea to have policies and utilities that wipe a mobile device clean after a certain number of unauthorized access attempts.

Passwords and Encryption
It should go without saying that you should protect any mobile device with a password. Depending on the implementation, a password can either prevent access to the device and its data altogether or at least prevent someone from getting to the data before you have a chance to take other actions.

As with any other password protection, you have to balance password strength and usability. This can be challenging with some mobile devices: typing a long, complex password on a telephone keypad may simply not be possible. Also, not all password protection is created equal. Unless there's an effective lockout mechanism that kicks in after a number of unsuccessful password entries, or the password is combined with encryption, this type of protection will only slow down a determined attacker.

Encryption is the most effective method for making data useless in the event of unauthorized access. If you're using a centrally managed BlackBerry, you already have the ability to encrypt e-mail and contact information. Unfortunately, Windows Mobile does not yet have this feature built in.

There are third-party solutions available for this, however, like the offerings from Bluefire Mobile Security. No matter what encryption technology or tool you use, make sure that it automatically encrypts all data on the device, including files stored on memory cards.

Reach Out and Wipe It
If you can't sufficiently encrypt data on your mobile devices, you should have processes in place to have all data wiped clean from a lost or stolen device. Even if you do have an encryption strategy, a data-wiping option is an excellent additional layer of protection against data theft or misuse.

While it's unlikely that you'll be able to connect over the Internet to do this, you can take advantage of the fact that many of these devices automatically connect to your mail server to synchronize data. Recent versions of Exchange Server let you send a command to the device that instructs it to delete any data instead of downloading the latest changes.

At the next synchronization interval, the device will receive this command and erase the data before someone has a chance to read it. Even better, with Exchange 2007 you can let your users perform this action themselves using Outlook Web Access (see Figure 1). This self-service option can help ensure speedy data erasure, even without IT intervention.

Figure 1. Outlook Web Access lets you directly manage your mobile devices.

The Windows Mobile method of erasing data from the device does have some limitations, though. First, it does not erase all data. While Outlook data is deleted, some files copied to the device -- including files on storage cards -- may remain intact. Also, the data is only erased if the device initiates synchronization.
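As an added example (not from the column), here are the Exchange 2007 Management Shell commands that implement the two controls discussed above: an ActiveSync mailbox policy that enforces a device password and wipes the device after repeated failed attempts, and the server-initiated wipe of a lost device together with a check of whether the device has actually acknowledged it. The policy name, mailbox and device ID are placeholders; the cmdlets and parameters are the Exchange 2007 ActiveSync ones.

```powershell
# Added example, not from the article. Placeholders: "Mobile-Standard", "jdoe",
# and "PLACEHOLDER-DEVICE-ID" stand in for your own policy, mailbox and device.

# 1. Password policy with lockout-and-wipe. A numeric PIN is used because long
#    alphanumeric passwords are impractical on phone keypads; the failed-attempt
#    wipe is what makes the short PIN acceptable. Devices that cannot enforce
#    the policy are refused rather than silently exempted.
New-ActiveSyncMailboxPolicy -Name "Mobile-Standard" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# Apply the policy to a mailbox. For the inventory step, pipe Get-Mailbox into
# this instead of naming one user.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Mobile-Standard"

# 2. Remote wipe of a lost device. First list the user's ActiveSync partnerships
#    so the right device (the lost one, not a replacement) is selected.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceFriendlyName, DeviceType, DeviceID, LastSuccessSync -AutoSize

$device = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "PLACEHOLDER-DEVICE-ID" }

# Queues the wipe on the server; the device executes it at its next sync.
Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false

# 3. Verify. DeviceWipeRequestTime is set when you issue the command,
#    DeviceWipeSentTime when the device connected and received it, and
#    DeviceWipeAckTime only once the device reports the wipe complete.
#    Until the acknowledgement arrives, assume the data is still on the device.
$status = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "PLACEHOLDER-DEVICE-ID" }

if ($status.DeviceWipeAckTime) {
    "Wipe acknowledged by device at $($status.DeviceWipeAckTime)"
} elseif ($status.DeviceWipeSentTime) {
    "Wipe delivered at $($status.DeviceWipeSentTime); awaiting acknowledgement"
} else {
    "Wipe requested at $($status.DeviceWipeRequestTime); device has not synced yet"
}
```

Because the wipe runs only when the device initiates synchronization, the acknowledgement check is the step that tells you whether the data is actually gone; a missing DeviceWipeAckTime after a lost device's last sync time means you should still treat the data as exposed.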

Viruses Are Mobile, Too
It's difficult to find a personal computer in a corporate environment that doesn't have some sort of anti-virus software installed. However, many administrators forget that Pocket PCs and smartphones can also contract and spread viruses.

Viruses written for these platforms are still relatively rare, but that's no excuse to ignore the threat. When allowing any of these devices to connect to your network, make sure that they're running anti-virus software. Many vendors of anti-virus software offer versions developed specifically for mobile platforms.

Keep It Manageable
The biggest challenge in keeping your mobile devices secure is managing the various security settings. This becomes more difficult when you have to manage multiple platforms, such as Windows Mobile, Symbian and BlackBerry. There are vendors that promise to help you enforce policies across all of them using a single administration tool, but in reality, central management of more than one platform ends up being tedious. This alone is a compelling reason to standardize on a single mobile platform.

If your platform is Windows Mobile, keep your eyes open for news about Microsoft's System Center Mobile Device Manager (MDM) 2008. MDM promises to ease the burdens of central management, security enforcement and access to corporate data. It's currently in the early beta stage, with an expected release in the second quarter of 2008. To take full advantage of it, you'll need devices running the next version of Windows Mobile. It's too early to say whether MDM will deliver on its promises, but if you need to manage devices running Windows Mobile, you should definitely take a look.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
