Mobile computing is important. The proliferation of notebook computers has changed the way we work, and that change has been accelerated by mobile-connected PDAs. They are great business tools, but are they opening a gap in your security?
Wireless mobile computing found popularity in real-time data collection, often customer-facing (sales order taking, delivery confirmation, logistics tracking), and at the senior executive level, with mobile email as the driver. We are now seeing more applications, often through a Web interface, being made available to mobile devices; CRM is one example.
So back to my original question – are these devices creating a hole in your security? I must declare my hand here – I am a big fan of mobility. Making information and functionality available at the point where it is of most benefit is a good thing. So, this isn’t about slowing mobility; it’s about making mobile computing as secure as possible (within the risk parameters of the organisation), and working to review and improve that security on a very regular basis.
To state the obvious, these devices are computers even though they sit in your hand. They run operating systems and applications, so they should be secured like other computers. In addition, they are using wireless connectivity, which itself requires more security focus.
For example, devices retrieving email are virtually connected (through the outbound connection) to the internal network and will remain in an always-on, always-connected state. Other remote access devices do not connect this way, and it could create a vulnerability: a rogue user who connects wirelessly to the PDA could use the PDA’s connections to enter the corporate LAN.
The good news is that there are some innovative tools available to help; they just need to be deployed and managed.
This is a quick checklist to get started:
• Anti-Virus – would you have a notebook without AV? Do you have AV on your mobile computing fleet?
• Firewall – is the device protected from wireless attack?
• Lost or Stolen – what can you do to protect the data if the device is lost or stolen? What process do you have in place?
• Encryption – is the data encrypted in transmission? Is it encrypted on the device?
• Authentication – is the data/access important enough to be protected by two-factor authentication?
• Device change – what process do you have in place to securely remove data when the device is returned, or passed on to another user?