REDMOND, Wash., Jan. 18, 2005 — PDAs, smartphones, laptops, tablet PCs — more and more, mobile devices are a part of the IT mixture for companies of all sizes as they look for ways to keep mobile professionals connected to their information while on the go. Yet many companies do not have policies or technologies in place to effectively address the specific needs, uses and risks posed by mobile technology.
As the use of mobile devices and technologies expands, and as more companies allow business-critical information to be transmitted by and stored on them, will these powerful mini-computers become the next target for hackers and viruses? What steps can companies and their mobile work forces take today to incorporate devices into their organization and ensure they are an integral part of its ability to compete?
These questions and more were addressed and dissected at this month’s Microsoft Security360 roundtable discussion, hosted via webcast by Microsoft’s Mike Nash, corporate vice president of the Security Technology Unit, and Amy Roberts, director of product management for the Security Technology Unit.
As with every month’s Security360, Nash and Roberts come together with industry experts to examine real-world security concerns and educate viewers about strategies and technologies that can help protect an organization’s security infrastructure. Every Security360 webcast features a checklist of recommendations and resources, a roundtable discussion with Roberts, in-studio interviews by Nash, as well as a live question-and-answer session with Nash and guests.
Guests for January’s show included Scott Shell, development lead for Microsoft’s Mobile Devices Product Group; David Shier, Microsoft MVP and wireless tech editor for Pocket PC-Smartphone Magazine; David Friedlander, a senior analyst with Forrester Research; Tommy Morris, director of mobile computing for the United States Army Medical Research and Material Command, Telemedicine and Advanced Technology Research Center; Tomas Vetrovsky, GPM of Global Client Hardware for Microsoft Corp.; Mike Grady, Messaging Services Portfolio Manager for Hewlett-Packard Co.; and John Bowden, CIO of Lifetime Products.
Challenge One: Keeping Up with a Company’s Mobile Devices
According to the panelists, one of the key challenges facing businesses today is that policy doesn’t always align with reality when it comes to mobile devices. This could be due to the rapidly evolving nature of the technology, which companies may not fully understand, or even the fact that smartphones and PDAs can enter the company’s technology mix unbeknownst to IT staffers.
“If the device came in as a Christmas present, for example, and the person is using it to synchronize their e-mail or their contacts, the organization may not even be aware of that,” Friedlander said. “They don’t tend to go out and talk to the users to find out what they’re actually doing.”
The goal, according to the panelists, is to ensure that the organization’s policies around mobile devices, and the ways that employees actually use the devices, tightly align with the overall policies that govern the business as a whole.
“Policy mandates alone are not enough to keep the total cost of ownership down on these devices,” said Bowden. “IT needs to listen to the business, and that means that the business direction and IT strategy are aligned, and that when you’re deploying and securing mobile devices, the company is really looking at the cost benefit analysis and making sure that the benefits of securing and deploying those devices are worth it.”
Mobile devices can catch organizations by surprise in other ways too, according to Morris. Another element to the mobile device picture that creates vulnerability for companies is the fact that the technology has evolved to the point where it is much more capable, and IT departments may have some catching up to do.
“It used to be looked at that PDAs were just address books, so companies really didn’t take notice of how they were being used,” he said. “But now with Windows Mobile-based devices we’re actually developing thin clients where they’re using this as part of the business. In our case it’s taking care of soldiers’ health care. For us, it’s extremely important to not only capture that information but to make sure it is secure – not only on the device but also in transit.”
Getting Ahead of the Mobile Curve
So what are some ways that companies can get ahead of the curve? According to experts at this month’s Security360, it may start with the IT department conducting an audit of what users are actually doing with their devices, and then finding ways to integrate mobile security policy into the larger IT security picture.
“We can’t think of desktops as one silo and then PDAs and phones as another,” Friedlander said. “They have to be managed in context, ideally with one technology. But if that’s not possible, then with one consistent policy around how people deal with that. And of course that has to take into account what users are actually doing with the devices.”
All of the panelists agree that a big part of the solution lies in education, whether that’s a wireless carrier informing a customer of the security measures they can enable, or a company simply reaching out and informing users of security policies and technologies, and making those steps easily accessible and understandable.
“It starts with the three pillars: technology, policy and awareness,” said Grady. “There’s an awareness component in the user base that’s essential.”
The Human Factor
Even with a well-educated user base, however, mistakes are going to happen. According to Morris, the IT department should also take steps to cover the inevitable case of human error.
“We were proactive in looking at security applications, embedding them in devices, training the people on the importance of doing this, but also putting in place policies so if they decide they don’t want to use the security, it still exists,” he said. “So if a person loses the device, or if someone logs in inappropriately more than a certain number of times, it will erase the information that’s local.”
And according to Vetrovsky, whose group manages the global client hardware standards for Microsoft, user behavior is an important factor even after a mistake has been made.
“If you lose your mobile device you should treat it the same way as if you lost your credit card,” he said. “Inform the mobile operator, inform the corporate security department, and make sure all of the services are disabled. So again it’s up to creating the right centralized policies, and educating users about what are the right things to do when mobile devices get lost.”
Technology to Secure the Mobile Perimeter
In terms of technology, there are many things that organizations can look at to secure their mobile network perimeters. Vetrovsky went on to discuss Microsoft Mobile 5.0 and the related Messaging and Security Feature Pack (MSFP), which includes several helpful features such as the “remote wipe” capability that allows administrators to erase a portable device’s contents over the airwaves.
“There is also a policy that allows the administrator to set a number of passwords locally on the device, so every time the device is switched on or left for more than a certain period of time, it requires a password,” Vetrovsky said.
HP’s Grady also pointed out the helpful ability of MSFP to keep older devices in the loop as new security policies are implemented.
“From a deployment perspective, one of the features that I like with MSFP is the ability to accommodate legacy devices,” he said. “So as we begin to roll this into our large enterprises, we don’t have to do a quantum leap in the mobile infrastructure. We can phase it in over time.”
Along with the security technologies currently available from Microsoft, there are others on the market that may help an organization secure its mobile work force, as long as IT departments are methodical in their implementation. Grady discussed the approach he employs in his work consulting for clients.
“A lot of industry research first, and then some experimentation, and it’s also important to experiment on the collateral effects. A lot of the things we put in place around security have impacts on the Exchange system or the firewall or other gateway components in the infrastructure,” he said. “You don’t want to put in a tool that’s going to become a bottleneck and choke your throughput. So we do a lot of up front testing, evaluating and experimenting, and then move forward with the solution of choice.”
Whatever steps an organization may take to cover the technology, policy and awareness pillars of mobile security, all agreed that it’s important to start thinking about it now, because while attacks have been limited thus far, more devices and more critical information on those devices means that the mobile user is becoming a more interesting target for hackers and others who would seek to misuse the airwaves.
“We need to be proactive and think about what’s coming down the pipe as we deploy mobile devices and develop policies,” Friedlander said. “But a lot of firms I’ve met with are just starting to think about this.”
To find out more about what Microsoft is doing to ensure the security of its mobile platform, log onto http://www.microsoft.com/windowsmobile/default.mspx
Next Up for Security360
Security pros and IT staffers can tune in to February’s special edition of the Security360 roundtable for a front row seat at Bill Gates’ keynote address at RSA 2006. Gates will discuss his vision for security as Microsoft works to shape a truly interconnected world.
Be sure to log on Feb. 14 at 9:00 a.m. Pacific time at http://www.microsoft.com/security360.