Not all traditional security concepts known from workstations today apply equally to mobile devices. Besides technological topics, some organizational issues also need to be addressed when preparing for security concepts in the mobile working world.
Anytime, Anywhere on Any Device
Marketing tells us that a new era of mobility has just begun. Millions of so-called PDAs have been sold over the past few years. Together with other mobility technologies like notebooks, mobile phones, wireless LAN, Bluetooth, etc., they definitely increase the possibilities for locations and situations where we can access computing power and digital information.
PDAs started to become successful by being privately owned and controlled devices used by managers and early adopters to manage their personal information. Applications like calendar, address book, notes, calculator, were already built in. Others, like restaurant guides, dictionaries, MP3 players, etc., followed and made the devices more successful.
PDAs can now have storage capacities of several hundred megabytes, and may offer full-fledged network access to the Internet or a local company LAN. This causes some IT managers a headache. Current IT security concepts often address only 'traditional' systems like servers, workstations and the network. Furthermore, controlling privately owned computational devices may be a difficult organizational and political issue - but one that still needs to be addressed.
Why Protect my Calendar?
Even if a PDA is (currently) only used for personal information management, and independent of whether it is privately owned or not, it requires proper protection similar to its 'big' brothers, workstations and notebooks.
A PDA is so small that it can (and should) always be carried around with its owner. Yet this makes it also more susceptible to loss and theft. Besides the loss of the hardware, imagine the damage caused if the calendar and meeting notes of a higher rank manager (say, containing information about a planned merger with another company) fell into the wrong hands. The damage could range from just being embarrassing to substantial financial damage, e.g. if the information is made public too soon. Also legal constraints may apply to certain classes of data stored in electronic form. This therefore adds a reason to implement proper PDA security.
Security Threats on Mobile Devices
The threats you need to deal with are quite similar to those of 'traditional' computing systems, although the means of addressing them may differ for PDAs and similar devices.
Security issues include:
- The rightful user of the device should be authenticated: e.g. by asking for a password. But to really prevent an attacker from getting to the data once he has the device in his possession, it is necessary to have the stored data also encrypted. Otherwise any attacker could circumvent the authentication by physically breaking the device and reading out the storage directly with some special hardware equipment.
- Malicious code needs to be prevented at best from being executed but at least from causing damage. This is achieved similarly to the 'big' computer world, by using anti-virus and personal firewall software.
- Data needs not only to be secured on the device itself but also while being transferred to other computers via email or other network connections. Here special applications come in handy.
- Management of security policies and software is an issue that needs special attention in the PDA environment. In every respect one should pay attention to the fact that a security product or concept provides the most benefit if it covers both PDA and 'traditional' computing devices. Only this ensures interoperability of transferred encrypted data and leaves no leaks in the security chain of the whole company network.
In general the built-in security functionality of PDAs is very poor. Although they offer some sort of password authentication to the operating system, and usually an SSL function for the Internet browser, they are far away from having implemented at the least a basic security model like Windows NT or UNIX. No file system access control or application restrictions are implemented as a default on PDAs. Getting hold of such a PDA containing, maybe, network access credentials of a user to the company network, would give an attacker an easy way of retrieving confidential company information.
A Colorful World
When talking about mobile computing devices such as PDAs, the world is currently very heterogeneous. Several operating systems based on various hardware platforms make it hard for an IT administrator (or software vendor) to find (or create) proper software that addresses all existing systems. The two most popular systems today are Palm OS and Windows CE (PocketPC). Due to the similar programming model of Windows CE to the common Windows platforms and the often higher computational power of Pocket PCs, this system might become more widely adopted in corporate environments. However, all PDAs have some common special properties that need to be considered:
PDAs typically only boot when a so-called 'soft reset' is performed. Normally they are only in standby mode, resuming at power-on immediately in the same state and place where they were when they were turned off. What is typically a big advantage requires some special treatment when trying to authenticate the rightful user.
Contrary to a workstation, where the user authenticates maybe only twice a day (in the morning and after lunch), a PDA is very frequently turned on and off by the user, maybe 30 times a day. For the workstation the use of a hardware token like a smartcard together with a user PIN may be acceptable to increase trust in the user authentication; this would in practical terms be very clumsy on a PDA. First, you need special additional hardware like a smartcard reader to access the token. Although this is technically available, it increases the size, weight and cost of the PDA. Furthermore, if done frequently, it would be too clumsy for the user always to get the token and authenticate before being able to enter possibly just a new note in the calendar. Other means of authentication need to be found which are a good compromise between security and convenience.
Since complex passwords are clumsy to enter on PDAs, vendors have looked for new ways of handling authentication of users. Besides alternatives where you have to tap on a sequence of symbols or areas of a picture to authenticate, there is a biometric method, which is ideal for this class of devices. The touch screen display of a PDA can act as a signature pad where the user enters a handwritten password. A potential attacker would now not only have to find out the password but also need to replicate the user's way (form and speed) of writing it. This implements a fast and convenient way of authenticating a user.
Don't Focus on the PDA Only
When looking for security solutions for PDAs in a corporate environment, make sure that the solution covers both PDAs and normal workstations, since data should typically be exchanged between these platforms in a secure way. This is true for file encryption systems as well as email and VPN systems and the related key/user management. Since PDAs have no hard disk and are currently not a manageable object in the Windows 2000 active directory, some traditional software distribution and management systems (like e.g. disk imaging) are no longer applicable. Look for general management solutions that also (but not only) cover PDAs and for products that integrate there instead of providing their own management server just for this product.
PDAs are definitely a significant step towards the 'anytime, anywhere' vision which will bring us a whole class of new, innovative applications in the future, but only proper security in the background will ensure that the new possibilities can really be enjoyed.
Richard Aufreiter focuses on mobile device security and biometrics with Utimaco Safeware AG (www.utimaco.com). He will be exploring the subject further at ISSE 2002, between 2nd and 4th October at Disneyland Paris (www.isse.org).