Are all those handheld devices your users keep dragging into the office the Next Big Security Threat? Or are they just smaller, less-capable versions of notebook computers that you can afford to pretty much ignore?
Gartner Inc.'s Vice President of Mobile Computing Ken Dulaney argues that Palms, BlackBerry mobile e-mail devices and Web-enabled mobile phones are opening dangerous back doors into your corporate networks -- and now is the time to start combating the threat. SearchSecurity columnist Robert L. Scheier asked Dulaney to outline the threat of personal digital assistants (PDAs) and Gartner's recommended response.
Q: Who buys and controls these devices -- the company or the users?
A: We don't believe any employer has control over these devices. They're too cheap; they're too accessible. If they [the employer] think they've been able to control it, they just don't know what's going on. People see them in the store or get them as Christmas gifts.
Q: Why is this a security threat?
A: When the firewall industry appeared, it was an attempt to put a line of delineation between the enterprise and what it needs to control, and unknown parties who wanted access to that data. Today we have a hole -- just as significant if not bigger -- at the back of the company, with all these PDAs, which are a combination of business and personal devices.
Q: How do these devices get to corporate data?
A: If you buy a Palm Pilot today, you get, with the device, enough software to be able to link to Lotus Notes, or Outlook Express . . . within a day. These are synched through the [user's] desktop PC. It's often a dual-step process: You sync to your PC from your server, and/or at least have an online connection, and then sync to your PDA. Once a user puts software from the [PDA] box on their PC, they basically create an open hole into the enterprise.
Q: Why is this a big threat, if the user is only sending data to their PDA, which is already on their notebook or desktop?
A: Notebook computers, because of their price, have traditionally been bought by the enterprise and would therefore be considered part of the network domain. PDAs are generally owned by consumers and used in business. The real issue here is one of discipline. Because the notebook is owned by the company, they can demand [the enforcement of] security standards. But once it's personally owned, they lose those rights.
Q: Still, the user could just as easily copy the data to their notebook and walk out of the building with it.
A: The company would know that has occurred. The information is on a machine (the notebook), which is controlled by management utilities. But [on a PDA] the software that permits the information to flow out has been put there . . . by the individual. There's no management control.
Q: Just like there's no management control over what I download to a floppy?
A: Sure. These are also challenges that need to be met. But the PDA . . . can so quickly upload its information to the Internet and make it public. If you carry around a floppy, it's not the same thing as being able to connect yourself to a lot of other PDAs via infrared links. It's the electronic definition of a sexually transmitted disease. The key thing we're talking about is the separation of church and state -- what's personal and what's enterprise -- is now fuzzier. The definition of ownership -- that's the big issue -- and the degree of exposure.
Q: How can an IT manager begin to control this?
A: The next step above this is for IT . . . to install software behind the firewall, which sits in front of Exchange or Notes, and provides [users] a tool to synchronize to the server repository. By standardizing on synchronization products at the server and the desktop and controlling that software, which obviously controls the flow of content, companies are able to rebuild that line of delineation.
Q: But there aren't any tools that do all you need -- support both wired and wireless synchronization, and provide very granular security across any handheld devices and wireless protocol.
A: That's the dilemma. Synchrologic Inc. and Puma Technology Inc. do a good job of providing you server and desktop-based synchronization of your personal information manager (PIM) data. Wireless Knowledge (through its Workstyle Server) does a great job of server-based delivery of e-mail over wireless. What I'd like to have is a product at the server and the desktop that works over wired or wireless connections, moves PIM data and e-mail, and any kind of content, and completely logs all the information flowing into and out of the enterprise.
Q: And until products like that ship, what can a security manager do?
A: To do nothing today would allow the users to get control of that area . . . and when you take [their synchronization software] away they go nuts. And oftentimes, these are the executives who the IT people work for. Given this industry is immature, I would say, first and foremost, IT has to [deploy one of the existing synchronization tools] to get control of the basic synchronization process. Put something in to serve as a placeholder, then start to investigate the products, and wait for the market to mature.

About the author
Robert L. Scheier is a contributing columnist for SearchSecurity. He can be reached at firstname.lastname@example.org.