Securing Handhelds: Familiar Problems, New Challenges

Ever since the first PCs with 5-1/4 inch floppy drives made their way into corporations, IT and security managers have been dealing with the possible corruption and theft of company data.

And the security worry level has only increased in the past year with the introduction of a slew of varied handheld computers and devices such as the iPod, servers on a data stick, Blackberries, Web-access cell phones, and wireless PDAs and pocket PCs. Not only do all these new devices boast large storage capacities, they also can sustain high data transfer rates thanks to USB, Firewire, Bluetooth, or WiFi connectivity.

That means the risk ante has been upped quite a bit since an unscrupulous employee can easily take something like a corporation’s entire customer database or a complete archive of corporate e-mails out the door in his or her pocket.

But loss of data is just one issue to worry about. What happens to the data on handhelds is also important in today’s regulated corporate world.

“As soon as [someone] moves data onto an iPod, cell phone, or PDA, the company has lost control of the records,” says Dennis Szerszen, vice president of marketing and development at SecureWave.Even if malice is not a focus, employees copying data to handhelds might unintentionally violate a government or industry-specific (e.g., HIPAA in the healthcare industry) data safeguarding regulation. This could open the company up to fines or liability if confidential information is involved.

And thanks to the applications (e.g., e-mail, Web browsing, instant messaging) that make handhelds so useful, these devices are increasingly susceptible to malicious software such as viruses, Trojans, worms, key loggers, and exploits.

“You have several very distinct threats,” says Rich Bentley, market segment manager, client and mobile, at Altiris Inc. “Data going outside the firewall is vulnerable to loss. And if these devices are not well managed, you have the threat of viruses coming into the corporation.”

Even if a handheld device does not connect directly to a company network, most do connect to a desktop computer. So a virus in an e-mail attachment on a Blackberry or a worm from an instant messaging session on a PDA could easily be passed along to a company network once a device is synched.

Dealing With The Threat
To deal with all or some of these security issues, organizations are taking a brute force approach to try control handheld devices access to data. For instance, over the last few years, trade publications reported that some government agencies and companies had started gluing shut the USB ports on desktop computers to prevent users from copying data. In many situations, this is, at best, a stop-gap measure as it prevents the legitimate use of a USB port.Why would a company resort to this drastic measure? The reason is that securing handheld devices is a very complicated task.

First, there is the variety and newness of the devices. A company that wants to protect these systems with traditional security tools such as anti-virus software or data encryption might find that there are no solutions for a particular device.

Second, and more important than the first, is the fact that most handhelds are out of the control of IT. Many people simply buy their own handheld device and use it for personal and business reasons.

A “Best Practices” paper published last year by the market research and consultancy company Forrester Research Inc. confirmed this fact, finding that users often bring their own devices into a company without IT oversight. Specifically, in the paper, titled “Managing and Securing Mobile Devices,” Forrester reported only about 9 percent of the 112 North American companies it surveyed were using client management tools to track or manage PDAs. Just as frightening is that 68 percent of the companies had no plans to do so.

Anecdotally, since that study was conducted, IT departments appear to be paying more attention to securing handheld devices, and it helps that the security software vendor community is jumping on the bandwagon.To that end, many of the traditional desktop security companies are targeting the handheld security market. For example, this summer, McAfee, which offers a mobile client version of its VirusScan, acquired the WiFi security company Wireless Security Corp. and partnered with the mobile phone security company Bitfone Corp.

Systems management vendors are adding security management in general, and mobile device security management, in particular, to their portfolios.

“When managing handhelds, [companies] need to know what’s on their networks,” says Altiris’ Bentley. “And they want to use the same tools that they have been using to manage their desktops and laptops.”

In Altiris’ case, the company offers an add-on client suite that helps inventory and discover handheld devices. The software also allows patches and security software to be remotely delivered and installed to help safeguard handheld devices.

As vendors add more tools, the real issue becomes the definition, articulation, and enforcement of policies about handheld device usage.A good place to start is to consider the methods companies have used to reign in instant messaging use over the last few years. Similar to today’s situation, where employees are bringing in their own handhelds, IM hit the enterprise mostly unauthorized with many users simply downloading a free AOL or MSN IM clients onto their company computers. As companies became aware of the IM security vulnerabilities and liability issues (e.g., lack of archiving of messages) associated with the use of such unmanaged software, many organizations adopted usage policies and put secure IM systems into place.

Enforcement Is The Key
Yet having a bevy of tools in place to manage and secure handheld devices is only as effective as getting user cooperation. Like many IT-related issues, securing handhelds requires a combination of technology, policies, and user education.

The poster child for this is the case of a former Morgan Stanley executive who sold an old Blackberry on eBay. Published reports noted that Morgan Stanley had a policy that all mobile devices had to be returned to the company for “cleansing” when an employee left the company. In this case, no one followed up. The result was that the eBay buyer found that the device had a great deal of company information and hundreds of confidential email messages.

So while tools that make handhelds safer to use are essential, companies need to set policies and make sure the policies are enforced. One good, vendor-neutral source of information about securing handheld devices is a report put together by the National Institute of Standards and Technology (NIST).

The report, titled “Wireless Network Security: 802.11, Bluetooth, and Handheld Devices,” was published in November 2002, but its wireless handheld device security checklist (starting on page 100) contains numerous best practices and points to consider that are applicable to all devices on the market today.For instance, the report suggests a combination of security technologies be used including anti-virus software on the device itself, strong authentication to ensure only appropriate users can access corporate resource and the data on the device, and virtual private networks to safeguard data sent wirelessly to and from a handheld.

And it recommends that common sense policies be put into place. For example, one suggestion is to turn off access and communication ports in inactive periods such as weekends or nights. And NIST recommends that the data stored on handhelds be encrypted so even if the device ends up in someone else’s hands, that person will not have access to the data.