September 26, 2008, 10:35 AM — If you've ever let a stranger borrow your corporate smartphone, you may have just given him a gift of your company's data. The reason: he might have palmed a small USB device called the CSI Stick, and surreptitiously plugged it into your phone. The device can drain every bit of data from a cell phone in seconds, says Patrick Salmon, a mobility architect for Enterprise Mobile, a technology services company that specializes in Windows Mobile deployments.
Increasingly, companies want to give mobile or field-based employees direct, instant access to critical corporate applications previously accessible only from a desktop. To do so, existing security, authentication and management infrastructures have to be extended and adapted so that mobile devices, along with their data and wireless connectivity (cellular or Wi-Fi), are managed as surely and fully as desktop PCs.
But that's not the case in many mobile deployments today, according to consultants who, like Salmon, specialize in working with enterprise customers. "What we see is an ill-defined policy regarding devices," says Dan Croft, president and CEO of Mission Critical Wireless, a technology services company that specializes in mobile deployments.
Often personal handhelds are granted wireless access, something that would never be allowed with a personal computer, creating security vulnerabilities, manageability challenges and tech support burdens, Croft says. Companies don't plan beforehand for how to handle lost, stolen or broken devices, or the data on them. "IT needs to get control of wireless [mobility] within their company," he says.
Taking control falls into four broad areas, says Jack Gold, principal of J. Gold Associates, a mobile consulting company: securing and managing every device; managing every connection; protecting every piece of data; and educating every user.
Securing and managing every device
Mobile devices, whether bought by the company or by the individuals, are accessing company networks and company data. Device security and management are closely intertwined, because you have to be able to monitor the devices in order to enforce policies.
In most cases, practitioners recommend standardizing on two or three mobile device models, minimizing the support, security and management challenges. "Other smartphones [brought in by users] might not be capable of supporting your specific security and administration policies," Enterprise Mobile's Salmon says.
Using mobile device passwords or PINs is advised. "If your enterprise doesn't enforce a password policy on those devices, you might as well stop with all your [other] security measures," Croft says. Salmon favors PINs, coupled with a limit on the number of access attempts. After that number, the next attempt triggers an automatic lock or wipe of the handheld.
Enforcing effective passwords is one of the essentials at Florida Hospital, in Orlando, where wireless notebooks are widely used by staff and nurses, along with BlackBerry devices for e-mail. The hospital also is exploring what's involved in granting access to clinical systems from physicians' smartphones.
The hospital enforces regularly changed passwords (a function of its enterprisewide identity management infrastructure), up-to-date antivirus software and some ability to remotely wipe data from mobile clients, says Todd Franz, associate CTO. "We see the need to protect the data on these mobile devices just as much as we do on a desktop PC," he says.
On selected notebooks, the hospital also uses the CompuTrace service from Absolute Software, a kind of "LoJack for laptops." A stolen computer can be traced and tracked down. Franz won't say how often hospital laptops have been stolen, but the recovery rate for laptops protected in this way is 100%. According to some accounts, 10% to 15% of all mobile devices go missing.
Consider using comprehensive device management applications such as Sybase's Afaria, Credant's Mobile Guardian, Nokia's Intellisync, Microsoft's System Center Mobile Device Manager, and others from the likes of Check Point and Trust Digital, to name just a few. These policy-driven suites blend monitoring and enforcement capabilities focused on mobile clients, and typically work with back-end authentication and other servers.
It's also important to have the ability to wipe, lock or kill any mobile device that's stolen, lost or unaccounted for on a moment's notice, including its SD card if it has one. A network manager should be able to issue a command that locks a device until the right password is used, wipes or deletes some or all of the corporate data on it, or shuts it down entirely, Croft says.
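The PIN-with-attempt-limit policy Salmon describes and the remote lock, wipe and kill commands Croft calls for, as an added Python example that is not from the article or from any product it names; the `HandheldPolicy` class, its command names and the sample storage contents are assumptions constructed for illustration:

```python
import hashlib
import hmac
import secrets
from enum import Enum

class State(Enum):
    LOCKED = "locked"        # cleared only by the right PIN, whether locked locally or by IT
    UNLOCKED = "unlocked"
    DISABLED = "disabled"    # remote kill: the handheld accepts no PIN and no further use

class HandheldPolicy:
    """Hypothetical MDM agent: PIN with attempt limit, automatic wipe, remote lock/wipe/kill."""
    def __init__(self, pin: str, max_attempts: int = 10):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash(pin)       # only a salted PBKDF2 hash of the PIN is stored
        self.max_attempts = max_attempts
        self.failed = 0                       # would be persisted so a reboot cannot reset it
        self.state = State.LOCKED
        # Constructed stand-in for the handheld's volumes; a real agent clears key stores and files.
        self.storage = {"internal": ["inbox", "contacts"], "sd_card": ["documents"]}
    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def attempt_pin(self, pin: str) -> State:
        """Correct PIN unlocks; the first wrong attempt past the limit wipes the device."""
        if self.state is State.DISABLED:
            return self.state
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failed = 0
            self.state = State.UNLOCKED
        else:
            self.failed += 1
            self.state = State.LOCKED
            if self.failed > self.max_attempts:
                self._wipe()
        return self.state

    def remote_command(self, command: str) -> State:
        """Commands IT pushes to a device that is lost, stolen or unaccounted for."""
        if command == "lock":
            self.state = State.LOCKED          # usable again only with the right PIN
        elif command == "wipe":
            self._wipe()                       # corporate data gone, handset still PIN-locked
        elif command == "kill":
            self._wipe()
            self.state = State.DISABLED        # shut down entirely
        return self.state
    def _wipe(self) -> None:
        for volume in self.storage:            # internal memory and the SD card alike
            self.storage[volume] = []
        self.state = State.LOCKED
```

The attempt counter follows the article's reading of the limit: the allowed number of failures passes without consequence, and the wrong attempt after that triggers the wipe.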
Managing every connection
"These connections are a pretty significant exposure if they're not done right," Gold says. "Don't leave it up to the end users."
These practitioners favor enforcing VPN connections with IPSec for mobile deployments. "SSL, which uses TCP port 443, is the path of least resistance," Enterprise Mobile's Salmon says. "I consider this the weaker of the two options." That's chiefly because while the target server has a certificate and is trusted, the SSL client is not. IPSec requires that ports be specifically opened, but both ends of the connection have certificates, he says.
A related issue is allowing mobile devices to connect only if they pass muster. Is the antivirus software up-to-date? Is the VPN active? Is the Wi-Fi connection from a public hotspot?
Protecting every piece of data
Selective data encryption should be an essential item in any mobile deployment.
With a managed mobile device, you can distribute and enforce encryption policies for specific data. "Document folders, your e-mail in-box, user data, contacts, certificates, and so on are the kinds of things that should be encrypted," consultant Gold says. Also consider encrypted or encryptable removable storage devices, such as high-capacity SD cards, he says.
"Unless you're in a 'James Bond environment,' most encryption levels will give you far more security than sending an unencrypted e-mail over the Internet, which happens all the time," Croft says.
Educating every user
"Few companies educate end users on the proper procedures and policies to safeguard [mobile] corporate assets," Gold says. "Get the users on your side."
"The greatest vulnerability is human," Enterprise Mobile's Salmon says. "If a stranger asked to borrow your laptop for five minutes to check his stock portfolio, you'd say 'No!' because you've been educated about the risks. There's no way you're going to let a stranger use your laptop. The same thinking has to apply to your mobile phone."
To school its nurses in mobile technology, Florida Hospital relies on trainers who also have been, or are, nurses. "They speak the same language as the users," Associate CTO Franz says. "We try to keep IT people out of the way of this training, because they do not speak the same language."
Franz makes a key point about nurses and mobile technology that's relevant to all such deployments. "People don't go to nursing school to become a clerk-typist," he says. "They go because they want to help people. Technology can assist them in doing that."
Acceptable use policies should be short and to the point; otherwise they won't get read. Training should cover all the elements (explaining the device, applications and intended usage), says Alphons Evers, global solutions manager with the mobility practice of Getronics, a global IT services company.
Educating users means being willing to be educated yourself. Franz says Florida Hospital discovered that one major problem facing nurses with wireless laptops was finding enough convenient surface space with electrical power so they could be recharged, and finding a lockable locker or drawer to store the laptops when not in use. That was one aspect of mobility that hadn't been anticipated.