Diverse mobile devices changing security paradigm


This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."


Controlling data flow on multiple mobile devices is one of the biggest challenges facing Rob Marti. As the information security officer at Integris Health, an Oklahoma nonprofit health organization, Marti must secure roughly 400 BlackBerries and 300 Microsoft PDAs used to support approved clinical and administrative processes.

"There are very few people here not impacted by electronic-protected health care information (EPHI). Because of how fluidly that information flows through our organization, it's next to impossible for us to create different classes of users," says Marti. "Any mobile device that accesses email has the possibility of containing EPHI. In that respect, a PDA is no different than a laptop or a desktop."

Integris secures data on BlackBerry devices with native BlackBerry OS authentication and encryption and protects Microsoft PDAs with Credant Mobile Guardian, a centrally managed enterprise encryption platform that installs an agent on each device. While the organization cannot realistically stop physicians from using personal smartphones, it can limit user privileges on all workstations and control ActiveSync and BlackBerry Enterprise Server (BES) access to prevent Integris data from being synchronized onto user-owned devices.

But doctors are eager to use iPhones for email. "They say, 'Oh, it's just email,' but I have to secure for the possibility that EPHI will live there," says Marti.

"We're getting five to seven requests a day for the iPhone, but I can't centrally manage, inventory or encrypt it today," he says. "By the time that I can, those doctors will have already replaced it with another latest and greatest. I'm in a loop where I can't respond until a device is a generation old."

Given that many new handhelds are not capable of protecting EPHI from day one, Marti believes that users must become more aware of information assets and their value. "People need to accept that protecting the information on mobile devices is part of patient care," he says. "More than anything, it comes down to creating a keen awareness of how powerful these devices can be: When you have a laptop in the palm of your hand, that presents a risk to your organization."

Analyst Gold finds that user education makes security policies far more effective. "Work with users to explain why certain things aren't allowed and they're more apt to accept limitations. It's not hard, but most IT staff doesn't think about [education as strategy]," he says. "Let users know why you don't consider that device up-to-snuff and the compromise you can offer. Most people are willing to move forward with what you offer, but if you just say no, they're going to try to get around you."

Managed Diversity
Separating mobile devices into categories can help enforce security policy.

There are many good reasons to understand where and how data is used, including compliance with privacy regulations and security audits. However, data flow can also be instrumental for mobile device classification. Gartner analyst Ken Dulaney recommends a "managed diversity" strategy that deals with mobile device proliferation by separating them into three distinct classes (listed below) that strike a balance between levels of support, access and risk exposure.

"Managed diversity attempts to replace the single standard approach of many organizations with a framework of choices," says Dulaney. "The key to this strategy is level two--permitting only limited access for some individually purchased [tolerated] devices."

For example, many users can be satisfied with a combination of email, thin client Web access and telephony--applications supported on nearly any unmanaged smartphone. In fact, this frequently occurs without explicit IT approval or oversight. Some employers could benefit by acknowledging this usage and wrapping some type of "tolerated device" security policy around it. After all, employees cannot comply with unwritten rules, nor can IT audit or enforce them.


This was first published in November 2008
