By Tanya Candia TechNewsWorld Part of the ECT News Network
03/02/05 5:00 AM PT
Mobile security. It's an idea whose time has finally come, judging by the amount of interest at the recent RSA security conference in San Francisco. The show floor was abuzz with talk about securing both mobile devices and the increasingly mobile enterprise.
But if you asked ten people to define mobile security, you received ten different answers: integrity checks when connecting to the corporate network, password protection for devices, data encryption on devices, firewalls, VPNs, anti-virus and anti-spyware.
Everyone has a different view of the issues and solutions. Even defining mobile devices can be problematic: the category includes laptops, PDAs, smartphones, "convergent devices" and more.
Losing Hardware
Today, we rely more and more on smaller, portable computing devices to stretch the workday and manage the myriad demands on our time. Technological advances have brought these devices to a point where they can mimic, access or sometimes even replace the corporate infrastructure. And, the smaller the devices get, the more likely they are to be lost or stolen.
Studies point out just how big this problem has become. London taxicab drivers reported in 2001 that some 2,900 laptops and 1,300 PDAs had been left in cabs over the previous six months. Fast forward to late 2004 and the figures are staggering: 71 percent more laptops and 350 percent more PDAs were left behind, according to an annual study. Keep in mind that these numbers reflect just one city and devices left only in cabs; they do not include the total number of devices stolen, misplaced or lost in other locations.
Is this a problem? Do people really keep important data on mobile devices? According to security guru Bill Malik of Malik Consulting, laptops and notebooks today may very well contain some of the most sensitive data in the enterprise.
How many of us work on laptops on long flights, poring over new product ideas, marketing campaigns and sales approaches drafted on the road, in hotels, airport lounges and the train? "This is truly sensitive data," commented Malik, "and it's unlikely to be backed up on corporate servers immediately, if ever."
What's the Risk?
For the mobile enterprise, there are really three things that need to be protected: data on the device, the device itself and the corporate network (along with its data and users).
Data on laptops and notebooks can be stolen through a variety of means: theft of the device, siphoning of the data onto a USB thumb drive or CD, viewing shared drives through a wireless connection, or even interception of traffic through wireless or personal area network (e.g. Bluetooth) communication.
Further, since it could be used as a conduit to the corporate network or a source of attack, the device itself needs to be protected. A user in a wireless hotspot with a VPN into the corporate network may inadvertently be creating a secure tunnel into the managed network, and highly sensitive data could be in jeopardy. We need to prevent the device from being hijacked and used for a denial of service attack, spam attack or even a direct hit on the corporate network. This is why we employ personal firewalls on the laptops.
Knowing What's Valuable
Now let's take a look at PDAs, smartphones and so-called convergent devices. What's to protect? Just an address book? A calendar? It appears at first blush that the most important thing to protect is the device itself -- if lost or stolen, surely no one cares about the data! But here's a wake-up call: That PDA or phone is a lot more, and it's going to be necessary to protect it as well as you (should) protect your laptops and mobile computers, desktops, and network in general.
These devices are getting smarter, and more powerful, than most people ever anticipated. Not only can you use them to store your address book and calendar, you can surf the Web, read e-mail, and access your corporate databases, your CRM system, your corporate travel and expense system.
You can buy a 1 GB memory card for under a hundred dollars and slip it into your smart phone. That same card can easily slot into your laptop or desktop system. How are you going to ensure that your employees don't use that card to store the customer base, your new product design or company financials?
What To Protect - And How
Take a look around your organization, and prioritize your efforts. Clearly, laptops need to be protected. Build your corporate policies with a clear understanding of the threats posed by wireless access, mobility and small, powerful storage devices. Ensure that anti-virus and anti-spyware software is running on the devices all the time, and is kept up to date.
Make sure your users can't turn off or disable these protections. Mandate use of a VPN when accessing the corporate network. Implement wireless access policies and make sure your users only connect to known, safe access points. Above all, try to balance productivity and security, by taking security decisions out of the hands of the end-users wherever possible.
But don't ignore other mobile devices. If you don't yet have a corporate security policy to govern them, begin to formulate one that addresses key issues such as who owns the devices, and who will manage them if they are not corporately-owned. Policies should govern the extent to which they may contain or access sensitive corporate information.
Ensure that adequate protections, such as access control, authentication and encryption, are in place to protect critical data if the device is lost or stolen. And again try to balance productivity with security, by ensuring that the end-user does not need to make complex security decisions.
"It's never too early to start assessing risk and preparing for the future," says Malik. "There may well come a time when corporate data is everywhere but inside the managed network."
Mobility. It's no longer a simple term.
Tanya Candia is a consultant and expert on information technology (most notably data management and security), business management and marketing issues. As President/Founder of Candia Communications, she consults with companies and currently serves as Vice President of Marketing for Senforce Technologies Inc. Candia can be reached at info@candiacomm.com.