Ask the Expert How to: Secure your Mobile Devices

Small, powerful and connected to essential enterprise information, mobile devices have been embraced by professionals and are fast becoming a standard enterprise productivity tool. It is precisely this small size and enterprise connectivity, however, that make the mobile device a potential risk to the enterprise. While they may contain vital data similar to a desktop or laptop, mobile devices are far more vulnerable to loss, theft or malicious use.

If a device with confidential data is lost or stolen, the corporation is at risk from the loss or misuse of information stored on the device or its removable storage card. Often, basic security mechanisms such as a password requirement on power-up or data encryption are not utilized. As a result, the corporate data on lost or stolen devices, such as the 250,000 mobile devices that are left in US airports every year, is potentially exposed to unauthorized viewing.

If a mobile professional misplaces a device in an airport, critically important data could be at risk, such as user IDs and passwords to corporate applications and servers. According to a security survey commissioned by RSA, 22 percent of users keep a list of passwords on their devices.

As a result, enterprises are quickly responding to mobile security risks. Analyst firm IDC states that mobile device security software spending will grow from US$70 million in 2003 to an estimated US$993 million in 2008, a 70 percent year-on-year growth rate. During that same period, IDC expects an increase in both the number and sophistication of attacks targeted at mobile devices. With gigabytes of data stored on mobile devices and ActiveSync/HotSync, Wi-Fi, IrDA and Bluetooth communication capabilities, enterprise-wide mobile security policies and compliance are fundamental for data protection. The following are highly recommended handheld security standards and capabilities.

User authentication
The central establishment and enforcement of password policies on handhelds provides the greatest authentication security to the enterprise. When controlling password policies from a centralized console with wireless capability, administrators can quickly and easily control policies for a broad array of users, without ever having to handle the end-user’s device.

Ideally, policies could establish and enforce a variety of password parameters, including minimum length and alphabetical/numeric characters. Additionally, policies should:

• Require a new password after a designated length of time.
• Require a password distinct from passwords recently chosen by the user.
• Require password entry after a designated amount of idle time or device shut-off.
• Establish a maximum limit of failed password attempts before the handheld clears all application data or requires unlock only by an IT administrator.

On the administrative side, a password reset policy needs to be implemented so that an administrator can easily and wirelessly reset the device for users who have lost their passwords.

Armed with an automated inventory of all mobile professionals and their authorized devices, IT and security administrators can provide instantaneous response to security breaches or threats. Such a response could include:

• Changing the security policy files.
• Locking the device.
• Data erase of selective files, applications and databases.
• Data erase of the entire device.

Backup and recovery planning should include backing up confidential data stored on mobile devices to an enterprise server, since regulatory agencies require documents and correspondence to be provided upon request in the event of an investigation.

Data can be stored both in the device’s Random Access Memory (RAM) and in external storage cards, such as Secure Digital/Multimedia Cards (SD/MMC), CF cards and PC storage cards. Since these storage cards can save gigabytes of data, most security groups want the ability to secure them with data encryption. Ideally, encryption algorithms should be Federal Information Processing Standard (FIPS) certified.

In order to limit security risks, IT administrators want the ability to control a wide variety of mobile device features. For example, to prevent hackers from penetrating a mobile device using a man-in-the-middle attack, an organization may want to disable Wi-Fi capability. Typically, IT administrators would want control over the following device capability categories:

• Data transfer: HotSync, ActiveSync, IrDA or Bluetooth. Alternatively, when the device is locked, data synchronization mechanisms such as HotSync and IrDA could be disabled automatically.
• Data storage: SD cards.
• Multimedia: cameras, microphones and speakers.