High-profile security breaches may indicate that network executives are using trial and error to sort out the best ways to secure the brave new world of mobile computing.
In May, headlines blared that personal data on 26 million U.S. military personnel and veterans was at risk after a laptop was stolen from the home of a Department of Veteran Affairs employee.
Last month, the Federal Trade Commission contacted 110 people to tell them that two laptops containing their personal data were stolen from a locked vehicle. The group included defendants in current and past FTC cases.
These and a growing number of similar events show that secure mobile computing is a complex business. The physical devices themselves have to be protected, along with the data stored on them, the users and the network connections, especially wireless.
But network professionals walk a tight rope here. If security measures are unnecessarily strict, they're not cost effective for the enterprise. More importantly, users faced with needlessly complex or burdensome measures may ignore or bypass them.
A recent report by InfoTech, a unit of Telecom Intelligence Group, Parsippany, N.J., identified a variety of wireless security challenges:
Mobile client devices can be lost or stolen and then hacked;
Wireless networking creates an “open door” to the corporate net, and wireless data can be intercepted;
All of the elements — device, data, user, network — have to be secured to avoid a weak link;
Doing so adds costs and complexity, and may require changes to applications;
Tackling the complexity of securing mobile users is a work in progress, based on interviews with several network professionals.
Resurgens Orthopaedics, a leading U.S. orthopedic practice based in Atlanta, has more than 300 doctors and clinical staff using either Toshiba tablets or HP iPaq PDAs to gain access to a fully electronic patient medical records over a Cisco wireless LAN.
Initially, in mid-2005, the practice relied on a Cisco security protocol that included the Lightweight Extensible Authentication Protocol (LEAP) for user authentication. But LEAP proved cumbersome to IT staff and users. Physicians had to remember at least two logon combinations, and support staff constantly had to reset access points or user devices, says Vinnie Greaves, Resurgens’ CTO.
Resurgens chose Mobility XE, a mobile VPN from NetMotion Wireless, to create an encrypted tunnel between clients and the Mobility XE server over the WLAN. Because the software employs standard Microsoft Windows logon credentials, users have to remember only their standard Windows username and password combination. A management console gives net administrators graphical and statistical views of server and user status and settings.
Trial and error for mobile security is common practice. “Most organization start with a point solution to correct a specific, or perceived, problem . . . and only then discover [they] hadn’t adequately addressed security and management,’“ says Jack Gold, president of J. Gold Associates, a Northborough, Mass., consulting firm.
Instead, Gold says, the enterprise should be thinking early about a comprehensive security strategy for any mobile computing project.
Another healthcare provider, Integris Health in Oklahoma City, has about 2,000 mobile users in 10 hospitals and some clinics, which are blanketed with a Cisco WLAN. Randy Maib, a senior IT consultant, says the hospital group systematically tackled two main areas. The first was the WLAN itself, secured with several Cisco products that he declined to name. Second, was controlling the various brands of laptops, tablets, PDAs and BlackBerries.
To do this, Integris deployed Credant Mobile Guardian, from Credant Technologies, with software running on handhelds and PCs, working with a server program. Administrators can monitor all client devices on the net, and their activities, and enforce a range of security policies. The newest release can detect unauthorized applications running on the client or block attempts to install such software.
About all that data
How enterprises deal with data on mobile devices varies greatly.
At Resurgens, the clients are access tools only: All patient data remains secured on servers.
Some data and documents are allowed on laptops at the Philadelphia Stock Exchange, which spells out security including warnings about storing documents on the PCs. The Exchange uses two-factor authentication for laptop users. “So that any cached passwords or IDs become useless [if the laptop is lost or stolen],” says Gene Peters, director of information services.
Some organizations require that all or nearly all data be encrypted, at least on laptops.
“What we found was we had sensitive data left in temporary files or inadvertently saved to the hard drive somewhere,” says a desktop support technician with a Midwest health insurer who spoke on the condition of anonymity. “That’s what led us to think we had to go with a total hard-disk encryption solution.”
The insurer chose encryption software from Pointsec, which uses 256-bit keys based on the Advanced Encryption Standard. Tests showed that laptop users saw a 4% to 5% drop in application speed. “The hit was negligible for the user,” the technician said.
Encryption no cure-all
But encryption is not a substitute for comprehensive security.
“Some applications have their own encryption,” says Maib of Integris. “If you dual-encrypt [data], you can have problems.” The latest Credant release will let Integris users encrypt specific types of files, such as spreadsheets.
“Use encryption appropriately,” says Al Decker, executive director for security and privacy at EDS in Plano, Texas. “You need to classify your data and treat it differently based on the various classes.”
Decker points to an emerging technique called secure vaulting for handhelds: This is a reserved space on permanent or removable storage media that’s associated with all downloaded data for that specific device. “If you go through the normal process of signing off, this vault cleanses itself: a byte-by-byte delete of any data that’s been downloaded,” he says.
Portable mass storage devices, such as USB thumb drives and even Apple iPods, are coming under scrutiny as these become adjuncts to ever-more-powerful and capable handhelds. Naugatuck Savings Bank, a 12-bank chain based in Naugatuck, Conn., uses Centennial Software’s DeviceWall client/server software, running on desktop and notebook PCs to let administrators control USB devices and CD-ROM drives. Policies can be set to entirely block or selectively permit data transfers to and from these media based on a username or a group identity, says Roy Balkus, the bank’s CIO.
DeviceWall can also control the use of a device’s wireless interfaces. A similar product is Safend Protector, from Tel Aviv-based Safend.
“Wireless seems easier than it is,” says Vinnie Greaves or Resurgen. “If you look [closely] into wireless, it’s the scariest thing in the world.”
Learn more about this topic
Gold Associates whitepaper on "Compliance in the Mobile Enterprise" (request form)