CIO Midmarket Tips:
Mobile security: An oxymoron?


Johanna Ambrosio
10.16.2003


The notion of having a completely secure environment while providing remote or mobile access to corporate data is almost laughable, security experts say. But some measure of mobile security can be accomplished, if there's a will and a purse with which to do it.

With mobile devices, especially laptops, the most important factor for determining the level of security is the nature of the data on it. How compromised would the company be if the data were lost or stolen? Not all data is equal on this score. One person may store sensitive customer information on his mobile device -- while another may use his phone for nothing but contact data that could be replicated from public sources.

"It's often pretty clear when and why you need to care" about mobile security, says Pete Lindstrom, research director at Spire Security, an independent consultancy in Malvern, Pa. "And then you need to evaluate these risks within the scope of all the risks in the enterprise."

When you do, though, keep in mind that mobile devices are insecure on many levels. The first is physical theft -- someone making off with a corporate laptop. The second is the security of the information on that laptop's hard drive, and the third is the security of information being transmitted between the laptop and the corporate network. The fourth level is the security of the corporate network itself because, as Lindstrom points out, "even if the data on the mobile device is secure, the device itself can still give you access to bigger and better things."

Products and services exist to help at each of these levels, even for physical security of the mobile device. Within the last couple of years, products have become available to help track down a stolen laptop; they work much like LoJack works for a car. There are differences in features and functions, but most function like this: After a system is stolen, when it's plugged into a network connection again it sends an e-mail to the vendor's server with its network location. The vendor then works with local network staff or Internet service providers and police to help track down the laptop.

Product names in this niche include ComputracePlus from Absolute Software Corp., in Vancouver, British Columbia, and PC Tracker from British firm PAL Solutions Ltd.

For the second level, experts say that data encryption and protection, with the use of strong passwords, will work wonders to help safeguard the contents of a laptop's hard drive. (A strong password is one that includes both numbers and letters and which is not easily guessed.) There are dozens of vendors that play here, but major encryption names include RSA Security Inc., based in Bedford, Mass., and VeriSign Inc., based in Mountain View, Calif.

At the third level -- security for sending and receiving information on remote devices -- encryption is key, too. Another way to help secure mobile data is to send and receive it via a virtual private network (VPN) from the corporate side, and to protect it via Secure Sockets Layer (SSL), or some other means. Authentication software, on the server side, is necessary to make sure the person using the laptop is indeed the person that's supposed to be using it.

Of particular concern are wireless LANs, which are well known for security breaches, says Richard Dean, an analyst at International Data Corp. in Framingham, Mass. Most of the problems, though, are due to wireless LANs that are poorly configured or implemented, he says. "People often do it themselves, and they don't always recognize or understand the issues related to wireless," particularly the 802.11 protocol, he says. "So much of wireless security is related to the proper authentication and identification procedures."

One answer to this may be to trust your mobile information to a national carrier, like Verizon, AT&T or Cingular -- providers that make their living at this. "Mobile communications operators understand the nature of the network, and there's a commitment to security from the beginning," Dean says. "You haven't yet heard about a wireless mobile network where there's been a security breach."

Another key area, especially these days, is virus protection. Most of the traditional antivirus vendors sell their software for mobile devices, including PDAs, the Pocket PC, and even mobile phones. There are versions of Symantec AntiVirus and Network Associates' McAfee antivirus software that run on many of these platforms. A smaller player here, with an impressive client list that includes Sprint, Shell, the BASF chemicals concern and others, is F-Secure Inc., which has U.S. headquarters in San Jose, Calif.

Buying and installing antivirus software are just the first steps, however. The most important thing, and the piece that's the most difficult, is ensuring that the mobile devices keep their antivirus definitions updated on a regular basis -- at least weekly. "It's a major issue to keep those devices updated," says Phebe Waterfield, an analyst at the Yankee Group in Boston. This is where the policy piece of security comes into play -- road warriors and other types of mobile users need to be reminded regularly (by IT folk at the mother ship) to plug into the Internet and, before they do anything else, to update their virus definitions.

Like many aspects of security, protecting one's mobile assets "comes down to how paranoid you are and what it costs," Lindstrom says. "Everything about security is a slippery slope."


All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy