How To Secure Your Enterprise Mobile Devices
By Pat Brans
To send orders to the far reaches of the empire, Roman generals used variations of a cryptographic system known as the Caesar cipher. Each letter of the alphabet would be shifted by a fixed number of places, so that for example, an “A” would become a “C,” a “B” would become a “D,” and so on. This is not exactly a secure system by modern standards. Most third graders regularly crack this kind of code to uncover secrets passed around in class. Yet in its time, the Caesar cipher was safe enough for many Roman officers to trust it with their lives.
Today’s road warriors require much more sophistication. Hackers are a good bit smarter than they were in the times of the Roman empire. Nowadays we have to secure computers and networks. For the mobile enterprise this means ensuring one or more of the following:
- Legitimate use: that only those people we want using the system can use it. Virtual private network (VPN) software provides authentication. Access control methods ensure each user can get only the data he or she is allowed to see.
- Confidentiality: that we have control over who is able to read information. This is most often achieved through encryption over the air as part of a VPN, through encryption on the device, or through device wipe.
- Service availability: that nobody can bring the system down or otherwise hamper the level of service. This usually amounts to protection against viruses.
A general principle of securing computers and networks says you should aim to provide just the right amount of protection for your needs. If you go overboard, you’ll end up frustrating your users and they’ll probably find a workaround, thereby leaving systems vulnerable. For example, if you give users passwords that are difficult to remember, they’ll wind up writing them down, and that might be somewhere conspicuous.
Against this backdrop, let’s see what today’s mobile enterprise needs to consider when evaluating security solutions:
In a desktop environment, each time data is needed, information is exchanged between the server and the terminal. In a mobile environment, this constant back and forth between the device and enterprise servers would slow things down so much it would bring the application to its knees.
To overcome this problem, data-intensive mobile applications require data to be downloaded to the device in advance. This means information has to be partitioned beforehand, so that during synchronization, only subsets viewable by the user are put on his or her device. For example, you wouldn’t want home healthcare workers to have access to information on patients not in their care.
Partitioning is usually application-specific. It requires an understanding of the information and a lot of careful planning to get it right. You have to give the user what he or she needs without compromising sensitive data.
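Partitioning at sync time, illustrated with constructed sample data (this is an added example, not code from the article or from any product): each user receives only the patients assigned to them, unknown roles receive nothing, and columns that are never needed in the field (here a hypothetical `ssn` field) never leave the server.

```python
from dataclasses import dataclass, field

# Constructed sample schema for the home-healthcare scenario in the text.
@dataclass(frozen=True)
class Patient:
    patient_id: str
    name: str
    caregiver_id: str   # the worker assigned to this patient
    ssn: str            # sensitive identifier the field worker never needs
    care_plan: str

@dataclass
class SyncUser:
    user_id: str
    role: str                                   # "caregiver" or "supervisor"
    assigned: frozenset = field(default_factory=frozenset)  # caregivers a supervisor oversees

# Only these columns are ever copied onto a handheld.
FIELD_VIEW = ("patient_id", "name", "care_plan")

def partition_for_user(records, user):
    """Return the subset of records this user may sync, sensitive columns stripped.

    Deny by default: a role the policy does not know about syncs nothing,
    so a misconfigured account cannot pull the whole patient list.
    """
    if user.role == "caregiver":
        allowed = [p for p in records if p.caregiver_id == user.user_id]
    elif user.role == "supervisor":
        allowed = [p for p in records if p.caregiver_id in user.assigned]
    else:
        allowed = []
    return [{k: getattr(p, k) for k in FIELD_VIEW} for p in allowed]

# Constructed sample records (not real patient data).
SAMPLE = [
    Patient("P1", "A. Lopez", "nurse-17", "000-00-0001", "daily wound care"),
    Patient("P2", "B. Chen", "nurse-22", "000-00-0002", "physio twice weekly"),
    Patient("P3", "C. Okafor", "nurse-17", "000-00-0003", "insulin monitoring"),
]

if __name__ == "__main__":
    # nurse-17 gets P1 and P3 only, and no SSN column.
    print(partition_for_user(SAMPLE, SyncUser("nurse-17", "caregiver")))
```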
In a mobile environment, a VPN works as follows: the user identifies and authenticates himself or herself to the device through normal login to the handheld. The user must then sign in to the VPN. Identification and authentication methods vary from system to system, but in most cases a two-factor approach is used. This means two elements must prove you are who you claim to be—for example, the two factors might be possession of a physical token (a card) and knowledge of a secret (a password).
While the connection is active, underlying software encrypts data transmitted over the air. Furthermore, as you move around switching cell towers, network providers, and even network protocols (for example, between 3G and Wi-Fi), you maintain a secure connection.
Just as for fixed-line VPNs, the mobile VPN stays connected for several hours, so the user doesn’t have to keep signing on.
Make sure you get a solution that works on all operating systems you use. Many VPN solutions send “keep alive” messages to maintain the secure connection during periods of inactivity. This extra processing might cause a noticeable drain on the battery, and the extra data traffic might increase your telecom bill.
Look for a VPN solution that is transparent to applications and to users. The user will certainly know it’s there, because he or she has to participate in sign-in procedures, and the device will probably run more slowly. But avoid solutions that bother your users with a lot of extra procedures.
2. MOBILE DEVICES
One of the biggest threats to the mobile enterprise is that small devices tend to get lost or stolen. Software solutions provide a mechanism to delete all—or some subset—of the data from the device when the handset is lost or stolen. The most vigilant companies might set up device wipe to occur after three failed password attempts. Others might prefer to wait for a verbal indication from the user after which they initiate a remote device wipe.
It’s best to set up automatic backup procedures, so that you can get the user up and running again on a new handset. This is especially important for cases where you accidentally wipe a device that actually was not lost or stolen—and that device belongs to somebody higher up in the organization.
Viruses might be transmitted to a handset through e-mail, Web downloads, SMS messages, MMS messages, or Bluetooth exchanges. The companies that make virus protection software for desktops also provide extensions for mobile devices. Other packages are written specifically for mobile handsets.
Virus protection is operating-system dependent. Each OS has a different set of vulnerabilities. If you have a lot of different device types in your mobile enterprise, you’ll probably have to use more than one anti-virus package.
Encryption of data
We’ve come a long way since Romans put the empire on the line with third-grade cryptography. Depending on your needs, you can encrypt different subsets of data on your handhelds. For example, you might protect all e-mail, an entire database, or just certain files.
Software-based cryptography will have a noticeable effect on the performance of your mobile device.
Pat Brans is a mobile technology and productivity consultant and author of the book Master The Moment: Fifty CEOs Teach You the Secrets of Time Management.