Wireless devices have evolved from personal organizers and schedulers into powerful computing tools worthy of enterprise-class applications.
For corporations, realizing the potential return-on-investment of mobile technology is easy. The challenge is managing the impact of mobility on the security of their corporate information. Yet, whether authorized or not, employees are increasingly using PDAs and smartphones for both personal and business needs and the potential vulnerabilities these devices present to the corporate enterprise can no longer be ignored.
In the mobile enterprise, corporate data is carried on multiple devices, over various communication protocols including 802.11, IP, CDMA and GPRS, through LANs, WANs and Hot Spots, to destinations unknown. To protect this information, security professionals must have a keen understanding of the threats and vulnerabilities of a mobile environment and a solid security strategy for protecting handheld devices that connect to the enterprise.
Implementing a proactive mobile security strategy can not only protect a corporation from potential security problems, but it will also provide an impetus for broader planning of mobile device use, thereby maximizing resources. By centrally monitoring what these devices can access, store and process, an organization can safely and effectively manage its mobile workforce.
Step 1: Recognize Mobile Threats and Vulnerabilities
In order to reap the benefits of mobile technology, an organization must fully recognize both its capabilities and vulnerabilities. This is the first step in the development of an effective mobile security policy. Once this is accomplished, the critical balance between maximum use and maximum protection can be achieved.
Today's mobile devices - regardless of the model or platform - share several common vulnerabilities. Handhelds are shipped from the factory with open operating systems, multiple communication ports (i.e., infrared, Bluetooth, 802.11 and GPRS) and virtually no peer-to-peer security. Installation of a device onto a desktop or laptop is fast and easy. Within minutes, a user can create an uncontrolled computing platform that can access an organization's proprietary information, opening a backdoor to the enterprise that unauthorized users can exploit. Additionally, since the device connects directly to the corporate network, it can be just as easily compromised as any server or workstation that connects to the Internet. What's more, because mobile devices are small and portable, they are easy to lose, which could potentially put sensitive corporate data into the wrong hands.
Mobile devices can also threaten the corporate infrastructure by serving as a transport for malicious code. For example, an employee attending a tradeshow swaps virtual business cards (vCard) with a client using the infrared ports on their handheld devices. The employee accepts a vCard that includes a Microsoft Excel document as part of the exchange. Upon returning to the office, the employee drops his/her device into the cradle to sync the contact information and document. Unknown to the employee, the file contains the Blaster worm. Unfortunately, since this synchronization has occurred behind the corporate firewall and anti-virus scanner, there is no way to stop the virus from polluting the enterprise.
Step 2: Identify Supported Technologies and Sensitive Corporate Information
The next step to implementing an effective wireless security strategy is to fully assess how an organization will approach mobile device use. Representatives from management and the user population should be consulted, as incorporating their feedback will allow for a stronger understanding of how the devices will be used and ultimately, a more effective security policy. Additionally, agreement should be reached on the level of risk the organization can tolerate. With those goals in mind, the questions outlined below provide a good starting point for the discussion and each should be addressed before the policy is written:
- Which members of the organization will use the devices?
- What mobile devices will be used?
- What wireless network technology will be employed?
- Will the company provide technical support for the devices?
- Will the company allow users to purchase their own devices and use them to access corporate resources?
- Will the devices be used in a public Internet place, such as on a carrier network or a public access point (i.e., "Hot Spot")?
- Which corporate resources will users be allowed to access via handhelds?
- What information is critical and needs to be protected?
- What security technologies should be used to protect critical information?
For most organizations, the last two questions are the most challenging to answer. One common mistake is to assume that if corporate applications do not run on the devices, sensitive information is not at risk. Yet, a critical assessment of business and information assets available on devices reveals that most organizations deal with confidential information everyday. For instance, e-mails synchronized to handhelds frequently contain private information such as customer contact names, contract amounts, salary and benefit details and company rumors. It is critical that the assessment of corporate information that must be protected reflect the actual, everyday use of the devices or the security strategy will not be effective.
Depending on an organization's appetite for risk and mobile usage goals, a number of technologies are designed to address mobile vulnerabilities and threats. For instance, if users will be able to access the Internet from public places such as a Hot Spot, a device-level firewall should be used to protect the handheld. If users are able to access both the Internet and corporate resources remotely, then a firewall and virtual private network (VPN) are needed. By using a mobile usage strategy as the basis for choosing various combinations of security solutions, organizations can ensure that corporate information remains safe in the wireless environment. Figure 1 is a simple decision matrix that can help an organization determine how a device will be used, and what type of protection should be implemented.
Step 3: Use Best Practices and Corporate Goals to Develop a Policy
After coming to an understanding of both the security vulnerabilities presented by wireless devices and an organization's mobility needs and restrictions, a comprehensive mobile security policy can be developed.
While each organization's mobile use guidelines will be uniquely customized to its particular needs, best practices dictate that the following key points should be addressed to optimize a policy's effectiveness:
- Corporate-owned technologies: This should include mobile device hardware, networking equipment (access points) and wireless applications.
- Privately owned hardware: Supporting mobile devices in the corporate environment will require policies that outline how to handle privately owned hardware versus corporate-owned hardware.
- Internet access: Using mobile devices to access the Internet and connect to the corporate infrastructure are key areas of concern. This includes allowing users to connect to the corporate infrastructure from a public access point (i.e., a hotel's Hot Spot) or connect from within the corporate infrastructure to the rest of the world. Since this is a remote connection, the same standard that would apply to any other type of user connecting remotely should apply to mobile devices.
- Information storage: This should include an analysis of what information is confidential and what data can and cannot be stored on a mobile device.
- Device safeguards: Mobile devices are vulnerable to outside attacks, theft, damage or loss. Accordingly, an organization should implement the same type of security strategy that it would for any other type of computing platform on the network: strong passwords, protection from outside attacks, and security for file attributes and directory-level settings and encryption. A good information security process is implemented in layers, affording the maximum level of protection while still supporting the needs of the mobile work force.
It is clear that mobile technology is simply not going to go away. Mobility has arrived and security professionals can no longer ignore its impact on their corporate infrastructures. But, mobility does not need to be feared or limited by security concerns. Organizations can ensure the safety of their information in the wireless world by developing and enforcing a comprehensive mobile security policy. And with today's rapid adoption of mobile devices, the sooner a corporation addresses this issue, the safer it will be.
Tom Goodman is vice president of operations for Bluefire Security Technologies, a provider of mobile and wireless security software that protects handheld devices and data (www.bluefiresecurity.com).