Securing Handhelds: Familiar Problems, New Challenges - InformationWeek


The proliferation of mobile and handheld devices today requires IT to take charge of securing data and network access, and putting policies and processes in place to thwart malicious activity and unintended user malice.

Ever since the first PCs with 5-1/4 inch floppy drives made their way into corporations, IT and security managers have been dealing with the possible corruption and theft of company data.

And the security worry level has only increased in the past year with the introduction of a slew of varied handheld computers and devices such as the iPod, servers on a data stick, Blackberries, Web-access cell phones, and wireless PDAs and pocket PCs. Not only do all these new devices boast large storage capacities, they also can sustain high data transfer rates thanks to USB, Firewire, Bluetooth, or WiFi connectivity.

That means the risk ante has been upped quite a bit since an unscrupulous employee can easily take something like a corporation’s entire customer database or a complete archive of corporate e-mails out the door in his or her pocket.

But loss of data is just one issue to worry about. What happens to the data on handhelds is also important in today’s regulated corporate world.

“As soon as [someone] moves data onto an iPod, cell phone, or PDA, the company has lost control of the records,” says Dennis Szerszen, vice president of marketing and development at SecureWave.

Even if malice is not a focus, employees copying data to handhelds might unintentionally violate a government or industry-specific (e.g., HIPAA in the healthcare industry) data safeguarding regulation. This could open the company up to fines or liability if confidential information is involved.

And thanks to the applications (e.g., e-mail, Web browsing, instant messaging) that make handhelds so useful, these devices are increasingly susceptible to malicious software such as viruses, Trojans, worms, key loggers, and exploits.

“You have several very distinct threats,” says Rich Bentley, market segment manager, client and mobile, at Altiris Inc. “Data going outside the firewall is vulnerable to loss. And if these devices are not well managed, you have the threat of viruses coming into the corporation.”

Even if a handheld device does not connect directly to a company network, most do connect to a desktop computer. So a virus in an e-mail attachment on a Blackberry or a worm from an instant messaging session on a PDA could easily be passed along to a company network once a device is synched.

Dealing With The Threat
To deal with all or some of these security issues, organizations are taking a brute force approach to try to control handheld devices' access to data. For instance, over the last few years, trade publications reported that some government agencies and companies had started gluing shut the USB ports on desktop computers to prevent users from copying data. In many situations, this is, at best, a stop-gap measure as it prevents the legitimate use of a USB port.

Why would a company resort to this drastic measure? The reason is that securing handheld devices is a very complicated task.

First, there is the variety and newness of the devices. A company that wants to protect these systems with traditional security tools such as anti-virus software or data encryption might find that there are no solutions for a particular device.

Second, and more important than the first, is the fact that most handhelds are out of the control of IT. Many people simply buy their own handheld device and use it for personal and business reasons.

A “Best Practices” paper published last year by the market research and consultancy company Forrester Research Inc. confirmed this fact, finding that users often bring their own devices into a company without IT oversight. Specifically, in the paper, titled “Managing and Securing Mobile Devices,” Forrester reported only about 9 percent of the 112 North American companies it surveyed were using client management tools to track or manage PDAs. Just as frightening is that 68 percent of the companies had no plans to do so.

Anecdotally, since that study was conducted, IT departments appear to be paying more attention to securing handheld devices, and it helps that the security software vendor community is jumping on the bandwagon.

To that end, many of the traditional desktop security companies are targeting the handheld security market. For example, this summer, McAfee, which offers a mobile client version of its VirusScan, acquired the WiFi security company Wireless Security Corp. and partnered with the mobile phone security company Bitfone Corp.

Systems management vendors are adding security management in general, and mobile device security management, in particular, to their portfolios.

“When managing handhelds, [companies] need to know what’s on their networks,” says Altiris’ Bentley. “And they want to use the same tools that they have been using to manage their desktops and laptops.”

In Altiris’ case, the company offers an add-on client suite that helps inventory and discover handheld devices. The software also allows patches and security software to be remotely delivered and installed to help safeguard handheld devices.

As vendors add more tools, the real issue becomes the definition, articulation, and enforcement of policies about handheld device usage.

A good place to start is to consider the methods companies have used to rein in instant messaging use over the last few years. Similar to today’s situation, where employees are bringing in their own handhelds, IM hit the enterprise mostly unauthorized, with many users simply downloading free AOL or MSN IM clients onto their company computers. As companies became aware of the IM security vulnerabilities and liability issues (e.g., lack of archiving of messages) associated with the use of such unmanaged software, many organizations adopted usage policies and put secure IM systems into place.
