Mobile security requires an action plan

Security is one of the biggest management challenges that agencies face with mobile wireless devices. Chief among managers’ worries is the risks associated with employees using their own smart phones and personal digital assistants for official work.“If you don’t own the device, you can’t secure it,” said Michael King, a research director at Gartner.By provisioning devices for employees rather than allowing them to connect to agency networks using personal gear, managers can ensure that the right security software is running on each device and that hardware is up-to-date with software patches and other upgrades, said Ira Winkler, author of “Zen and the Art of Information Security,” a book that examines digital security threats.  Organizations that provision wireless devices also have better control of sensitive information if an employee leaves the agency, said Doug Landoll, general manager of En Pointe Technologies, a systems integrator. “If it’s my PDA, and I leave the organization, how do you know that I’ve deleted the data?” Retaining the phone number is also important. “When someone has been representing your agency, that number is a kind of advertising,” Landoll said.He recommends that agencies include representatives from organizations outside the information technology department when writing wireless management policies. “There are questions for the legal department, and having the device returned when someone is terminated is a [human resources] issue,” Landoll said. “When you’re writing policies, you need to integrate all those various departments.”Security policies should clearly spell out who receives reports of lost or stolen devices. Policies should also include procedures for decommissioning a missing unit to prevent someone from downloading or sending sensitive information, Landoll said.The Commerce Department uses a combination of strong passwords and encryption to keep unauthorized users from accessing data and wireless services.“If someone gets access to my [e-mail account], he can send messages as though they came from me,” said John McManus, Commerce’s deputy chief information officer and chief technology officer. “Things like phishing become easy to do when you’ve got access to a legitimate user’s account.” Commerce uses the standard security tools for the Research in Motion BlackBerry to protect devices and scramble data when its traveling through the wireless network, McManus said.The BlackBerry platform gets high marks from technology analysts for its security capabilities. Its closed-loop architecture connects agency e-mail servers to a BlackBerry Enterprise Server, which communicates via a secure channel to a network operations center and to BlackBerry devices. “It’s one of the few wireless end-to-end systems that the [Defense Department] has said is okay,” King said. “But because it’s a closed loop, it’s hard to expand that functionality beyond just e-mail. What you gain in security and manageability you sacrifice in flexibility and extensibility.” Platforms based on the Microsoft, Palm or Symbian mobile operating systems are easier to customize, King said, but they require more upfront work and third-party security tools, such as Sybase’s Afaria mobile security suite and encryption software from Bluefire Security Technologies, Certicom and VeriSign. “I’m not suggesting that you can’t secure mobile devices on those platforms. I’m just saying security is not as built-in as on the BlackBerry side,” he said.To ensure that mobile wireless devices are secure, agencies also must take steps to securely configure the devices. Commerce technicians disable any default features on mobile devices that employees don’t require to do their jobs. That includes a sync feature that allows devices using Bluetooth technology to discover other compatible wireless hardware in the area. “The default configuration would allow someone to come into the room with a Bluetooth device that says, ‘Tell me all the other Bluetooth devices in here.’ And your device would actually say, ‘Hi, I’m here, and here’s my status,’” McManus said. “You can also turn off things like file transfer, because you don’t usually expect people to be doing a file transfer from their BlackBerry to another BlackBerry. If I’m a consumer, I may not care if anybody can use the Bluetooth capabilities. But if I’m a senior executive in the federal government, [that’s] a whole new threat.”Agencies also need to control the amount and type of data their employees download onto their wireless hardware. “They are going to put more data that you would never think of on the devices,” Winkler said, “which means there’s going to be more data than you ever thought possible at risk.”