December 22, 2008, 2:20 PM — They're highly portable, inexpensive, very popular -- and a potential security nightmare. Running against the trend of mobile computers featuring progressively larger processors, memory, storage, screens and price tags, ultraportable laptops promise to streamline and simplify their users' lives. Easy to carry , capable of running only a handful of modest applications and affordably priced, ultraportables have emerged over the past year or so to become one of the hottest mobile computing trends .
Pioneered by Taiwanese PC maker Asustek Computer Inc. with its Eee PC and now also available from vendors such as Dell , Hewlett-Packard and Fujitsu, ultraportables are designed to appeal to users who need portable systems with more power and functionality than a smart phone but don't want to lug a conventional laptop through offices, hotels and airports.
"It's a technology with great appeal to many people," observes Gabriel Vitus, IT director at the Certified General Accountants' Association of Canada, a trade organization in Vancouver, British Columbia.
That small package comes with built-in compromises, however. Ultraportables typically feature a processor that lags at least a generation or two behind the CPUs included in traditional laptops, a few gigabytes of solid-state memory and storage, a squeezed-down display and a cramped keyboard. But another characteristic of the new portable pipsqueaks is striking fear into the hearts of a growing number of IT managers: security weaknesses that are directly attributable to the machines' diminished technology.
"This is a threat that IT managers are just beginning to recognize," says Brian Wolfe, a security analyst at Lazarus Technologies Inc., an IT consulting service in Itasca, Ill.
Minimized hardware resources force ultraportables -- and their users -- to cope with weakened system software. Most models ship with a stripped-down Linux operating system or, in some cases, Microsoft Corp.'s previous-generation operating system, Windows XP. Newer and more capable operating systems, which also tend to have the latest internal security safeguards, demand processing and storage power that ultraportables typically lack, Wolfe notes.
Ultraportables' reduced resources also limit their ability to run add-on security software, such as data encryption and anti-malware tools. With processing power, internal memory and storage space all at a premium, it can be difficult -- sometimes impossible -- to squeeze security software onto an ultraportable. "As a result, the machines are often sent out into the world with little or no protection," Wolfe says.
Vendors' use of dated software can also make ultraportables more susceptible to various malware. Earlier this year, for example, Brazilian security firm Rise Security released an alert that showed that old, unpatched Samba code found on the Eee PC allowed the machine to be subverted ("rooted") right out of the box. Such vulnerabilities allow hackers to remotely gain complete control over the systems.
Other key security features are often absent on ultraportables. "Many, if not most, [ultraportables] are sold without Trusted Platform Modules because they are targeted at the consumer market," says Rob Enderle , an analyst at Enderle Group in San Jose. "This means they either don't have encryption solutions or the solutions aren't that robust."
Enderle also notes that most ultraportables aren't designed to be managed centrally and therefore can't have their solid-state drives remotely wiped clean of data in the event of loss or theft.
The number of ultraportables acquired by enterprises remains small, at least compared with conventional laptops, notes Wolfe. Still, many IT managers are discovering that some employees are starting to take their machines into the office and along on business trips. This trend is raising security concerns, he says.
Ultraportables' built-in Wi-Fi and USB connectivity makes moving data from enterprise systems onto the machines relatively simple, says Christopher Ciabarra, founder and president of Los Angeles-based security software firm Network Intercept LLC.
Ultraportables' wireless capabilities also make it easy for them to disgorge stored data to unauthorized parties. Ciabarra believes that Wi-Fi vulnerabilities are a potentially big problem. "Everywhere an ultraportable goes, it can be logging into networks and exposing its data," he says. "The user often isn't even aware this is happening."
To protect against this kind of exposure, he recommends that IT secure Wi-Fi networks and enforce password access to the devices.
Christine Leja, CIO at Southwestern Illinois College in Belleville, Ill., says her school's students are always experimenting with new gadgets, including ultraportables, forcing her to keep a step ahead of potential threats. "Every year brings something new, it seems," she says.
Students don't have access to enterprise data, so the biggest perils Leja faces are from Wi-Fi intruders and malware, which ultraportable users can inadvertently introduce into the university's system. "We protect against this by operating a secure, closed network that students and employees have to log into," she says.
The network is also compartmentalized into virtual LANs that serve various classroom, business and general-purpose applications, helping to limit any breaches. Furthermore, employees transmitting sensitive data are required to use cellular 3G networks, which Leja says are more secure than Wi-Fi connections. "We think that's a smart move when dealing with all types of mobile devices," she says.
Ultraportables' toylike appearance and size may cause some users, at least on a subliminal level, to let down their guard when it comes to security. "In some ways, the machines don't look like a 'real' computer, so it may lead to people being less protective of them," Ciabarra says.
Moreover, a smaller laptop may be easier to misplace than a full-scale laptop. "Look at the number of people who leave their cell phones in taxis and airport lounges," Vitus says. "An ultraportable isn't all that much larger."
The systems' compact size may also appeal to thieves, Enderle says. "This class of product is particularly easy to steal because it is very easy to conceal," he says. "It is also very desirable, which suggests it will be easy to sell as well."
Building a Strategy
Although ultraportables pose a variety of unique security challenges, the risks can be contained and managed by extending and expanding existing laptop security practices. On the wireless front, conventional Wi-Fi security protocols and access controls should be adequate to deal with threats to enterprise data from ultraportables and other emerging wireless-enabled devices, Vitus says. "It doesn't matter what device they're using; they can't get into our network unless we want them to," he says.
When ultraportables are used off-premises as an extension of a company's technology, however, the challenge grows more serious. If storage encryption can't be used, an alternate data-protection technique should be adopted. Enderle says that critical data should never be stored inside an ultraportable. Instead, any data should be accessed from a secure remote repository to avoid the possibility of infecting enterprise systems.
Another option for protecting sensitive documents, Enderle says, is to use a secure flash drive, such as IronKey, that is itself protected and stays with the employee. That way, if the laptop is stolen, the sensitive data doesn't go with it -- the data always remains on the secured flash drive.
But the best protection of all, Enderle notes, is prevention. "Most [enterprise] data should not be on a device in this class anyway," he says.
Employee education in acceptable-usage practices is a must, regardless of the IT security systems used, Enderle says.
Leja agrees. "You have to count on continual security awareness," she says. "Make sure that [students or employees are] being conscientious, and then use the few tools that do exist to help."
The worst approach any IT manager can take is to ignore the threat ultraportables pose. "Even if you haven't yet encountered any of these machines," Wolfe says, "you probably eventually will."