What are the best security practices for securing sensitive data on PDAs?
As with laptops, the first thing to consider with PDAs is physical security. Make sure to store them safely in your briefcase and keep track of them at all times. PDAs get left in cabs, hotel rooms and offices more often than laptops. Since they're a lot smaller, and rarely come in carrying cases, they're a lot easier to forget somewhere.
A lost PDA is an invitation to a thief, and if it holds confidential company information or sensitive customer data, it's even more valuable to a malicious user.
Also, like laptops, PDAs should be used out of sight of "shoulder surfers" and wandering eyes in places like airport lounges, hotel lobbies or coffee shops. PDA cases shouldn't have company logos, identifying marks or personal information to further entice potential thieves. If possible, the device should have as little company data or information as possible, which makes them less valuable if lost or stolen.
One PDA, the BlackBerry, has additional security features that can be turned on via the BlackBerry Enterprise Server. The system administrator can send signals to the device to change passwords or even lock out the device if it's stolen. BlackBerry also offers integration with RSA's one-time password tokens (OTPs) and smart cards for two-factor authentication.
Palm devices have a number of products available for providing secure logins and locking the device in case of theft. There are also specially designed cables and locks available for physically securing the device. All of these products are third-party add-ons to the Palm.
Here are some other tips for PDA security:
Make sure to have a written policy that outlines acceptable use of devices. This should include that they only be used for business -- not personal -- purposes and only be loaded with approved software.
All company-owned devices and their serial numbers should be registered in a centralized location.
Never leave a device unattended when hooked up to a computer, and all hookups should be through known and established network connections.
The device should always be password protected and data should be encrypted whenever possible.
Devices should be centrally managed and have the ability to be locked out by system administrators.
Antivirus software, specially developed for PDAs, should be installed on all devices. The first PDA virus appeared in 2000 and the potential still exists for PDAs to be a backdoor for malware into a corporate network.
Allow the PDA to have access to only a restricted portion of the network, or only allow it to use VPN connections to enter the network.
PDA security is still evolving; in some ways it resembles laptop security with encryption and lock-out capabilities. If PDAs become more of an attack vector, strategies for securing them will have to change.
For more information:
In this SearchSecurity.com tip, Lisa Phifer outlines the essential aspects of an information security policy for PDAs and mobile devices.
Visit SearchSecurity.com's Messaging Security School to read about the essential polices and practices for securing mobile devices.
This was first published in June 2007