REDMOND, Wash., Sept. 6, 2002 — As the flexibility and mobility of technology increase, so do concerns around an age-old issue: security. The desk-bound PC is giving way to laptops and an assortment of mobile devices and gadgets that would have been confined to the realm of the fantastic just a few years ago. The problem? As with cellular telephones, what if complete strangers can
“listen in”
as mobile devices carrying often-sensitive corporate data are communicating across wireless networks?
Doug Dedo , enterprise audience marketing manager with Microsofts Mobile Devices Division, recently spoke with PressPass about the concerns of enterprise customers about security and mobile computing.
PressPass: Security seems to be an issue of growing significance, especially as computing becomes increasingly mobile. What is Microsofts strategy for providing secure mobile products and solutions to its customers?
Dedo: Were fully committed to offering technology that offers the most secure environment possible for mobile computing. At the same time, I think its important to point out that the security issue is not just about technology. Its also a process. We encourage companies to have policies in place that are clearly articulated to employees. There should be company standards, and in lots of cases that can be communicated through technology but it can also be shared by simply communicating whats expected. Security is something that goes beyond the device. Lots of times organizations dont look at this until theyve been burned or read something horrible in the press. With the Pocket PC, Microsoft is providing a secure platform and encouraging organizations to be proactive around security.
PressPass: In terms of security, how does Microsofts Pocket PC compare to other personal digital assistants (PDAs) on the market?
Dedo: The Pocket PC is considered to have the most secure capabilities of any mobile device on the market today with the exception of the laptop. Weve designed security features into our technology from day one, which is one of the primary reasons were in a leadership position in enterprises today. There are also several reports out linking Microsofts success in the enterprise to our security features.
PressPass: Can you give us an idea of the range of solutions currently available for Pocket PC?
Dedo: Pocket PC users have an increasingly broad range of solutions available, and a lot of the core elements are actually provided out of the box. A couple of examples are power-on passwords and authentication technologies for connecting to the Internet and corporate networks including virtual private networking for a secure connection to corporate networks via the Internet. Also, data encryption interfaces with crypto application programming interface (API) and encrypted data with SQL Server for mobile devices. These are some of the things you can get from Microsoft.
Third parties bring additional protection. Digital signature technology takes the signature as signed on the screen and converts it into unique biometric footprint that, once registered, identifies users when they sign in. Someone I know tried to help a user enter the network as someone else by copying the users signature. It didnt happen. Secure ID cards, or smart cards, have special functionality with a code, an additional card that can be used for authentication and fingerprint authentications.
PressPass: How is the amount of information required to enter a network determined? Is it different for different industries?
Dedo: The parlance in the security industry is that users are identified and screened by something they know, something they have or something they are. Sometimes a user only needs to provide one piece of information, but sometimes they need two or three. In the medical industry, for example, healthcare information is highly sensitive, so theres a higher standard. Authenticating yourself with technology that can identify the user by things like fingerprints and signatures is definitely moving to the forefront, and is currently available through third-party solutions.
PressPass: With the integration of wireless capabilities, how does a company secure data sent to and from the Pocket PC over wireless networks?
Dedo: I cannot over-emphasize the importance of encrypted data. Its also important to use the appropriate mechanisms for encrypting data, and to fully utilize technology such as virtual private networks and digitally signing files, so its easy to tell where theyre from. With wireless networks, some of the older technology is now easily broken, something thats well-documented on the Web. There are new options for authenticating data, such as the 802.1x standard, and its something we really encourage companies to take a look at.
PressPass: What are some of the main things that enterprises need to look out for when it comes to locking down access to devices?
Dedo: There are four main things enterprises should take into consideration. First, public key infrastructure, or PKI, which provides a digital signature on a file or a piece of software that indicates where it came from, which can dramatically cut down on viruses by limiting whats accepted. Then there is virus-scanning software from companies such as F-Secure, McAfee, SOFTWIN and Computer Associates. We encourage having data encrypted on the device, using both the devices memory and external storage cards offered by F-Secure, Pointsec, and Trust Digital. Finally, we encourage our enterprise customers to maintain a personal firewall for users. They prevent snooping or accessing whats taking place on the device when the user is connecting to the Internet.
PressPass: What are the top considerations on the minds of enterprise customers when evaluating the deployment of handheld computers?
Dedo: Basically, enterprise customers want to protect the information that runs the company while keeping management costs as low as possible. Also, they want to make sure that the devices are easy to use and dont require an inordinate amount of training. They want to find good security options to protect one of their key assets, which is their data. They want to prevent unauthorized access to their network and business systems. Theyre looking for good systems management solutions to manage mobile devices.
PressPass: What are some steps that companies can take to ensure the security of data on the Pocket PC?
Dedo: We encourage our enterprise customers to require their employees to enter passwords for access rather than having their passwords maintained on the device. It shouldnt be easy to connect to the Internet and then get into corporate data masquerading as the employee. We recommend providing anti-virus protection at the device level. We encourage people to look at devices that can be upgraded and those that have flashable read-only memory (ROM) which is an important component in the ability to upgrade on the fly. This allows for putting the security system where previously you could have only put the operating system. Like I said before, we encourage encryption of data and devices, which means users cant see anything thats stored on it without breaking through a password.
Finally, I encourage companies to consider granting access on a need-to-know basis and then just put the data thats relevant to the employee on the device. A sales representative and a vice president, for example, are going to draw on very different sets of data. And there are lots of technology tools available to partition out information on the basis of relevance. We have posted extensive information in a Pocket PC Security white paper .
