Managing to be secure in a mobile environment

Pat Brans, Sybase iAnywhere

Photo of Pat Brans It's all over the news these days: an employee's laptop goes missing and sensitive information is compromised. This isn’t necessarily limited to information on that employee's company - in many cases it involves confidential information entrusted to the company by clients. Pat Brans, manager for Strategic Alliances at Sybase iAnywhere, discusses the problems of mobile computing and offers a few solutions.

The damage resulting from a lost or stolen computer comes in many forms. Consider these:

  • Exposure of sensitive information: Criminals might get information such as credit card numbers, phone numbers and addresses. Competitors might get information on your company and products that gives them a competitive advantage.
  • Disruption of business: At a minimum, the employee cannot be up and running until they get a new laptop with the data and applications in the same state as the old laptop. In many cases it is also necessary to spend a lot of time tracking down just what information was compromised and taking measures to control the damage.
  • Violation of applicable regulations: In many countries steep fines are imposed on companies that reveal information private to their clients or partners.
  • Loss of goodwill in the market: When a company exposes information confidential to its clients, customer confidence is undermined.

Making the news

Anybody who has kept up with the business press recently will have heard that the following two companies made the news this year: Ernst & Young and Fidelity Investments. In each case the loss or theft of laptops resulted in a lot of embarrassment - not to mention all the monetary cost of damage control.

In the Ernst & Young case, several laptops were lost or stolen.These laptops contained social security numbers, tax identifiers and other personal information on the employees of Ernst & Young's clients, including IBM, BP, Nokia, Cisco Systems and Sun Microsystems.

The Fidelity Investments case involved the theft of a single laptop containing information on the retirement plans and compensation of almost 200,000 HP employees. Fidelity Investment had to control the damage by advising those exposed on how to protect themselves, and offering them a free credit-monitoring service.

These problems are not limited to laptops - PDAs and smartphones are also exposed, with contact lists and email being stored on these small computers. Frequently there is other sensitive data on these devices, such as patient records (in the case where a doctor or nurse is using the devices) or price lists (when a salesperson is the user of the device).

Still another risk to be concerned with is that mobile computers are also exposed to viruses. We are all pretty familiar with the viruses threatening laptops, but it is also important to keep in mind the growing number of viruses targeting PDAs and smartphones.

Assessing your company's vulnerability

Life in the IT department was much simpler when all corporate computing was carried out within the walls of the company. In such a situation breaches could only occur when somebody physically made their way into the building and then gained access to hardware. Because technology has evolved so nicely, a lot of mobile workers now move about with much of the same information that used to sit securely within the company's premises.

The risks associated with mobile computing exist in most industries. In financial services, employees may have client data on their laptops. This data might include account numbers, account balances, tax information, credit ratings and even credit card information.

In the health care industry, mobile computers are likely to contain patient records, including medical history, current illnesses and medication. In government, workers' laptops might have information on companies that do not conform to regulations. Police officers might have mobile computers containing criminal records, suspect information and personal information on victims.

Crossing industry boundaries, think of any field salesperson who has customer lists, pricing information, product roadmaps, purchase history of clients and even the current funnel. Competitors would certainly like to get a hold of that funnel. Field service workers would have customer contact information and confidential product information.

This list goes on and on. The important point is that in almost all industries as soon as you equip your workforce with computers and applications that they carry with them outside of company walls, watch out.

Keeping your company out of the news

Fortunately there are a variety of countermeasures to apply against these risks. Proactive companies avoid both embarrassment and the monetary costs of damage control by applying countermeasures including these:

  • authentication: making sure the right person is using the device;
  • encryption: making sure only the right people can use the information;
  • virus protection: preventing against intrusion by pernicious software;
  • device lockdown and device wipe: shutting the computer down - or removing all data - when there is reason to believe it is in the wrong hands.

Authentication

Perhaps the first thing you want to do to minimize risk is to make sure the right person is using the computer. This is accomplished through procedures to identify and authenticate the user. In most cases this amounts to the use of a login name and a password, although more and more we are seeing the use of biometrics to both identify and authenticate the user.

The best time to identify and authenticate is just after the computer is powered on, before the operating system boots. This pre-boot authentication has two big advantages. First, password check cannot be switched off, as is done frequently by PDA and smartphone users. Second, the entire disk - including the operating system - can be kept encrypted and only made available if the user is authenticated.

As is the case for computers operating on company grounds, password rules should be enforced on mobile computers. Passwords should conform to a certain format. For example they must be of a certain minimum length and they must include at least one digit, one letter or both.

A mechanism should be in place to require users to change passwords every so often. Users should not be allowed to reuse previous passwords. And users should be locked out after a configurable number of failed password attempts.

When connecting to the corporate network the device can be authenticated using digital certificates. In this way only authorized machines can connect and access company data and applications.

Encryption

Remember that once somebody makes off with a mobile device they have unlimited physical access to the device, and a lot of time to work on decrypting the data. This means special care must be taken to protect that data. Not only must it be encrypted on the hard drive but also on flash memory devices. Strong encryption should be employed. Today this means using a 128-bit key.

Why are 128 bits necessary? That's because the key length determines the number of possible key values - for example, a 32-bit key allows for 232 (just over 4 billion) possible values. The fewer possible values, the easier it is to crack by simply trying each one. Most individual users have enough computing power to crack a 32-bit key in under a week. A large corporation could get it in a matter of minutes.

With a 128-bit key there are 2128 (or around 4 billion raised to the power of 4) possible values. Cracking such a key would require tens of thousands of years using thousands of the best of today's computers working in parallel under the best conditions. I think I am safe in saying the average user does not have access to such computing power - and they certainly do not have tens of thousands of years to wait.

An additional measure to protect information is a two-factor approach, whereby the device and the password have to both be present in order to decrypt. In other words data can only be decrypted on the device on which it was encrypted - and that can only occur after the user enters the correct password.

Virus protection

Virus protection software is available for all mobile device types including laptops, tablets, PDAs and smartphones. In order to protect your workers from the most recent viruses you need to put in place a mechanism for updating the antivirus databases on each device.

Keeping in mind that the weakest link in any security system is the user, this mechanism should require little or no user intervention. Virus scans should occur on a regular basis without requiring the user to initiate the scan.

Device lockout, lockdown, and wipe

In the event a mobile computer is lost or stolen there needs to be a way of rendering it unusable and/or removing all information. This can be accomplished by configuring the maximum number of failed password attempts and an action to take once that maximum is reached.

The action might be to lock the device so it can no longer be used. Or it might be something more drastic, such as deleting all data on the device. In the event the user does not connect to the company network for some pre-configured period, you might lock the device out, so it can no longer connect.

Managing to be secure

The correct set of countermeasures exists, but they only work when one takes care of the weakest link in any security system - the human being. Making users responsible for securing their own data often leads to that data going unprotected. Most users just want to go about doing their work without the hassle of conforming to complicated computer security procedures. From the user's perspective, security has to remain in the background or, better still, be invisible.

In a mobile environment security is best implemented in conjunction with a device management platform. A typical platform for device management uses an administrative console to manage the hundreds or thousands of mobile computers in the field. Functions include things such as application update, file update, automatic backup, restore, automatic device configuration and patch management.

Integrating security features with such a platform you can do things like push antivirus updates to all devices, enforce security policies, lock a device out of the network (in case the wrong password is used a pre-configured number of times) or wipe all the data off the device. Add to that features such as strong encryption on the device (and over the air) and pre-boot authentication and you can keep your company out of the news.

In cases where the device is lost or stolen, the employee can be brought back to the desirable level of productivity relatively quickly because a new device can be assigned and provisioned with the most recently backed up data from the old device.

Conclusion

Mobile computing entails new security risks. This is true for most companies no matter what industry they are in. Company data can be compromised relatively easily, and much worse, so can information private to clients.

There are several kinds of tools that can be applied to counter the various dangers. These include authentication, encryption, virus protection and device lockdown and wipe. However no tool can keep your company safe if your security system relies on user intervention. Therefore, to reduce the impact of the weakest link (i.e. the user), consider using a platform that integrates device management and security.

It is best to act sooner rather than later. After all, who wants to be the next company in the news?

Pat Brans is manager for Strategic Alliances at Sybase iAnywhere, a provider of integrated security and device management platforms. For further information please contact him on email: Pat.Brans@Sybase.com