PDA and wireless security hot topic at RSA
Companies offering products to secure content stored on wireless devices were out in force at this year's RSA Conference in San Francisco, underscoring the increased urgency with which companies are addressing the security threats posed by mobile workers.
Security technology for mobile devices ran the gamut from hardware appliances that lock down wireless networks to secure PINs (personal identification numbers) and VPN (virtual private network) software targeted at cellular phones and handheld PDAs (personal digital assistants).
These are among the products on display at the conference, which runs through Thursday at the Moscone Center:
-- Pointsec Mobile Technologies Inc. announced Pointsec for Pocket PC 2.0, a software application that encrypts data stored on Microsoft Corp.'s Pocket PC 2002 PDA.
Pointsec for Pocket PC 2.0 can encrypt data stored on the PDA device, including files used by Microsoft's Outlook or Pocket Word applications. The software can also protect PDA data stored on removable media such as microdrives, MultiMediaCards (MMCs), and Secure Digital cards, according to Pointsec, which is part of Protect Data AB of Stockholm.
-- Aventail Corp. of Seattle displayed a new version of its OnDemand VPN agent for the Pocket PC platform. Customers using Aventail's Anywhere Secure Access Policy (ASAP) platform will be able to use the company's SSL (secure sockets layer) VPN technology to authenticate and encrypt communications sent from applications running on a Pocket PC, including Microsoft's Pocket Outlook e-mail software, Aventail said.
-- Renesas Technology America Inc. offered a different option for securing data on mobile devices. The San Jose, California, company's PIN Secure MultiMediaCard is a standard seven-pin MMC outfitted with PKI (Public Key Infrastructure) encryption and DRM (digital rights management) as well as a tamper-resistant module for data storage.
The SecureMMC card can be used to secure file-level data on PDAs and cellular phones that accept MMC cards. Files are stored on the PDA in encrypted form. License keys and a PIN to access those keys are stored in the SecureMMC card's tamper-resistant module, Renesas said.
-- On the WLAN (wireless LAN) front, Funk Software Inc. demonstrated its Odyssey Server v1.1 and Steel-Belted Radius v4.0 servers. The latest versions of those products from Cambridge, Massachusetts-based Funk now include WLAN security management and integration features.
Odyssey v1.1 is intended for smaller offices or autonomous wireless networks within larger organizations. The latest version of the product adds the ability to authenticate WLAN users against a non-Windows authentication database, such as one based on SQL/LDAP (Lightweight Directory Access Protocol), or a token authentication system such as RSA Security Inc.'s ACE Server.
The Odyssey v1.1 server costs US $2,500, a price that includes Odyssey Server and 25 Odyssey Client licenses.
Steel-Belted Radius v4.0 is for enterprises that use non-Windows authentication schemes or that need user management and support for remote access. Version 4.0 adds support for two protocols that enable the product to authenticate wireless LAN users against existing authentication databases and communicate within wireless networks that have deployed a PKI.
Steel-Belted Radius for enterprises costs $4,000. The Steel-Belted Radius/Global Enterprise Edition, for organizations with larger and more complex networks, costs $10,000.
-- Taking an appliance approach to WLAN security, Fortress Technologies Inc. displayed its AirFortress hardware products for securing wireless networks. The Oldsmar, Florida, company makes two security gateways for wireless networks: the AF1100, for remote offices, and the enterprise-class AF6500.
When coupled with a software client, both products can secure communications between a company's wired LAN and mobile devices such as PDAs and laptops connected to wireless access points.
The AirFortress gateways act as a bridge, decrypting and passing on wireless communications from devices connected to the wireless LAN to resources on the wired LAN. Both devices support wireless LANs using the 802.11 and 802.16 standards and are FIPS (Federal Information Processing Standards) certified, Fortress said.
Interest in wireless security products is being driven by increased attention to domestic security within government, as well as a host of regulatory changes that affect companies in financial services and health care, where use of such devices is common, said Ken Evans, vice president of marketing at Fortress.
The federal government accounts for a good deal of Fortress's customers, he said.
In the private sector, the federal Health Information Portability and Accountability Act (HIPAA) of 1996 and the Sarbanes-Oxley Act of 2002, which affects corporate governance and financial disclosure, are forcing companies to look for ways to better encrypt and protect the data that is stored on and passed from PDAs and wireless devices, Evans said.
"You can't stop wireless even if you think you can," said Pete Lindstrom, research director at Spire Security LLC in Malvern, Pennsylvania.
For example, inexpensive hardware and demand within organizations have made the spread of WLANs within the corporate environment similar to the adoption of file server technology on networks in the 1980s, Lindstrom said.
Rogue wireless access points that provide attackers points of entry to corporate LANs behind the firewall are a chief concern among IT administrators, Lindstrom said.
In time, the increased use of portable devices and WLAN technology will make such devices just another part of a company's IT security profile, rather than a special case, Lindstrom said.
"Wireless is going to go away as a specific concern and become integrated into the computing environment," Lindstrom said.
Despite the relative newness of mobile and wireless technology within the corporate sphere, IT administrators should apply the same techniques that help secure wired devices to portable and wireless technology, including encryption to protect data and threat monitoring to spot attacks, Lindstrom said.