We begin our smartphone security Rolling Review with a look at Trend Micro Mobile Security 5.0, a software suite that offers user-to-device authentication, antivirus (malware) protection, firewalling, spam protection for SMS messages, and intrusion detection. The Advanced package, which we tested, adds smartphone encryption to the list of controls for protecting local data and files.

Our tests showed TMMS can do a lot to help secure smartphones, but there are some caveats. Since the smartphones handle malware detection and leverage the TrendOffice antivirus engine, you need to buy into Trend Micro's antivirus system. This may steer away customers of other antivirus products. Also, as with any suite of this type, those who decide on TMMS should look closely at the list of supported phones before implementing.

MANAGEMENT VIEW
TMMS's tabbed management console gave us strong control of our secured devices. The Summary tab summarized the devices being managed, key alerts, and device update status.

The Update tab let us schedule updates of the code repository on the server. Virus definition files, scan engine versions, mobile client updates, and installer packages are all checked against the latest information available from Trend Micro. Sending updates to our managed smartphones was a snap.

The Administration tab includes settings to assist with both SMS and manual phone provisioning, as well as license management. One of the neater features is the remote assist for password resets. When a user selects the "Remote Unlock" option on the phone, he or she is presented with a challenge code that lets the help desk unlock the appropriate response code.

The Client Management tab simplifies creation, sorting, and management of smartphone policies, which can then be enforced on participating devices. We created Mobile Security domains (a.k.a. device/policy groupings) that contained distinct policy information. This let us control different phones in different ways depending on the group in which they're placed.

TMMS puts security controls into General, Encryption, and Firewall settings. General settings manage antivirus issues (quarantining versus deleting malware), how updates are handled, log settings, and whether users are allowed to modify their security settings. The granularity provided here is decent without having too many options to cause confusion.

Encryption settings allow configuration of very complex authentication passwords--up to 18 characters requiring lowercase, upper- case, special characters, and numbers. We also could set password expiration, inactivity lockouts, user password change requests, and even wipe devices after a selectable number of invalid login attempts. Administrators can clear all data from the device and memory card or set the device back to its default setting. Firewall customization options range from the general high, medium, and low levels that affect data flows all the way down to customizing a list of approved or denied protocol exceptions.

MINOR GRIPES
Our minor gripes had to do with the sometimes-kludgy UI and documentation that, while voluminous at times, never quite seemed to fully answer our questions.

A bigger annoyance is the password interface. When a character is typed into the password field, it shows up only as an asterisk, so a user has no idea what character was actually entered. Asterisk-only password cloaking isn't unique to TMMS, but it's frustrating for users trying to comply with a strong password policy.

These issues aren't deal-breakers, and organizations looking for comprehensive smartphone security should kick TMMS's tires.

Price varies depending on volume, discounts, and other considerations. A ballpark estimate for a 200-unit deployment would be around $45 per device for the Advanced suite or $25 per device for the Standard TMMS 5.0 package, with software maintenance costing extra.

Richard Dreger and Grant Moerschel are co-founders of WaveGard, a vendor-neutral security consulting firm. Contact them at [email protected].

Smartphone Security Rolling Review

The Invitation

This Rolling Review covers security controls spanning Apple's iPhone 3G, Microsoft Windows Mobile phones, RIM BlackBerry, and Symbian OS devices. We'll show how to build a set of security controls to protect and maintain a smartphone infrastructure by focusing on the major vulnerabilities facing IT and available software to help mitigate these risks. We'll look at access controls, such as passwords and biometrics; secure containers for password management; encrypted "at rest" data storage; network security controls; antivirus/anti-malware; and policy enforcement.

To help baseline pricing, the review will make a few assumptions: The cost of the smartphone isn't included. Infrastructure and voice and data plans are in place. For applications that run only on the phone, 200 licenses will be used. For apps that require back-end server support, only the licensing/software cost will be included. The cost of the hardware, operating system, and other operations will be excluded.

The Vendors

We're looking forward to reviewing smartphone security products from companies such as Check Point, Kaspersky, McAfee, PGP, Symantec, and Trend Micro, with more entrants to be named in the future.

Up Next

Credant Mobile Guardian suite

The Test Bed

We'll test applications and security controls in a range of settings, including an isolated enterprise-class testing environment and within the context of existing company operations, with a focus on usability.

The Premise

InformationWeek's Rolling Reviews present a comprehensive look at a hot technology category. This installment focuses on securing smartphones. For consideration, contact the authors.

FIND MORE ROLLING REVIEWS, PAST AND PRESENT:
informationweek.com/rollingreviews