Problem solve Get help with specific problems with your technologies, process and projects.

Mobile security: An oxymoron?

Having access to corporate information from anywhere, at any time, puts the notion of a tightly secured infrastructure at risk.

The notion of having a completely secure environment while providing remote or mobile access to corporate data is almost laughable, security experts say. But some measure of mobile security can be accomplished, if there's a will and a purse with which to do it.

With mobile devices, especially laptops, the most important factor for determining the level of security is the nature of the data on it. How compromised would the company be if the data were lost or stolen? Not all data is equal on this score. One person may store sensitive customer information on his mobile device -- while another may use his phone for nothing but contact data that could be replicated from public sources.

"It's often pretty clear when and why you need to care" about mobile security, says Pete Lindstrom, research director at Spire Security, an independent consultancy in Malvern, Pa. "And then you need to evaluate these risks within the scope of all the risks in the enterprise."

When you do, though, keep in mind that mobile devices are insecure on many levels. The first is physical theft -- someone making off with a corporate laptop. The second is the security of the information on that laptop's hard drive, and the third is the security of information being transmitted between the laptop and the corporate network. The fourth level is the security of the corporate network itself because, as Lindstrom points out, "even if the data on the mobile device is secure, the device itself can still give you access to bigger and better things."

Products and services exist to help at each of these levels, even for physical security of the mobile device. Within the last couple of years, products have become available to help track down a stolen laptop; they work much like LoJack works for a car. There are differences in features and functions, but most function like this: After a system is stolen, when it's plugged into a network connection again it sends an e-mail to the vendor's server with its network location. The vendor then works with local network staff or Internet service providers and police to help track down the laptop.

Product names in this niche include ComputracePlus from Absolute Software Corp., in Vancouver, British Columbia, and PC Tracker from British firm PAL Solutions Ltd.

For the second level, experts say that data encryption and protection, with the use of strong passwords, will work wonders to help safeguard the contents of a laptop's hard drive. (A strong password is one that includes both numbers and letters and which is not easily guessed.) There are dozens of vendors that play here, but major encryption names include RSA Security Inc., based in Bedford, Mass., and VeriSign Inc., based in Mountain View, Calif.

At the third level -- security for sending and receiving information on remote devices -- encryption is key, too. Another way to help secure mobile data is to send and receive it via a virtual private network (VPN) from the corporate side, and to protect it via Secure Sockets Layer (SSL), or some other means. Authentication software, on the server side, is necessary to make sure the person using the laptop is indeed the person that's supposed to be using it.

Of particular concern are wireless LANs, which are well known for security breaches, says Richard Dean, an analyst at International Data Corp. in Framingham, Mass. Most of the problems, though, are due to wireless LANs that are poorly configured or implemented, he says. "People often do it themselves, and they don't always recognize or understand the issues related to wireless," particularly the 802.11 protocol, he says. "So much of wireless security is related to the proper authentication and identification procedures."

One answer to this may be to trust your mobile information to a national carrier, like Verizon, AT&T or Cingular -- providers that make their living at this. "Mobile communications operators understand the nature of the network, and there's a commitment to security from the beginning," Dean says. "You haven't yet heard about a wireless mobile network where there's been a security breach."

Another key area, especially these days, is virus protection. Most of the traditional antivirus vendors sell their software for mobile devices, including PDAs, the Pocket PC, and even mobile phones. There are versions of Symantec AntiVirus and Network Associates' McAfee antivirus software that run on many of these platforms. A smaller player here, with an impressive client list that includes Sprint, Shell, the BASF chemicals concern and others, is F-Secure Inc., which has U.S. headquarters in San Jose, Calif.

Buying and installing antivirus software are just the first steps, however. The most important thing, and the piece that's the most difficult, is ensuring that the mobile devices keep their antivirus definitions updated on a regular basis -- at least weekly. "It's a major issue to keep those devices updated," says Phebe Waterfield, an analyst at the Yankee Group in Boston. This is where the policy piece of security comes into play -- road warriers and other types of mobile users need to be reminded regularly (by IT folk at the mother ship) to plug into the Internet and, before they do anything else, to update their virus definitions.

Like many aspects of security, protecting one's mobile assets "comes down to how paranoid you are and what it costs," Lindstrom says. "Everything about security is a slippery slope."

This was last published in October 2003

Dig Deeper on Secure remote access

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.