Your day might start out something like this: You drive to the airport, passing through several tollbooths equipped with video cameras and an E-ZPass billing system. When you get to the airport, you show your ID at the check-in counter and hand your bags over to the attendant. You then shuffle-through a security checkpoint with x-ray machines and metal detectors before boarding your plane.
When you finally arrive at Chicago's Midway airport, you retrieve your bags and catch a cab into town. But once you get to your hotel, you realize that you left your PDA in the cab—and it has your to-do list for the week and all key account information. (You shouldn't be too embarrassed, though. Security software specialist Pointsec Mobile Technologies says that 85,000 cell phones and 21,000 handheld computers were left in Chicago taxis during a six-month period last year.)
After settling in your room, you head out through the lobby for your first appointment. That's when the hotel's video surveillance network begins assembling a detailed profile of you via a system of facial-recognition algorithms.
And all of this before lunch.
IS ALL OF THIS NECESSARY?
Most people seem willing to accept any technology designed to protect them from terrorism.But the industry falls short of protecting what's become a growing reliance on mobile devices.
Market research by Frost & Sullivan suggests that corporate IT departments realize the problem, noting that "security is the biggest roadblock to adopting wireless technologies." But adding consumers into the mix seriously complicates the issue. A survey by Pointsec reveals that more than one-third of mobile products aren't protected by a password or any type of lock.
So who's stealing data from your non-secure smartphones and PDAs? The problem ranges from neighbors " piggybacking" onto an unsecured Internet wireless network to much more sophisticated and malicious security threats (Fig. 1).
A recent FBI/Computer Security Institute study revealed that insiders—company employees—commit 70% of the computer intrusions and system hacks that damage businesses, lifting data from a company's database using a handheld device like a BlackBerry. Employees easily can drag-and-drop information from a company's network onto a handheld device. However, employees also can inadvertently introduce viruses from a device to just about any unencrypted home PC, according to SecureWave, an international provider of endpoint security software.
Part of the problem in protecting valuable information stored on a company's database is controlling the influx of USB devices on home-based PCs and networks. Market analysts estimate that nearly 15 million home wireless networks exist in the U.S., and they expect this number to more than triple by 2010.
The Feds have their own problems. A new study by the Center for Democracy & Technology (CDT), "Digital Search & Seizure: Updating Privacy Protections to Keep Pace with Technology," reveals that technology is making government surveillance easier, not harder. The study also says that stronger protectionsare needed in order for people to retain their privacy.
"The government complains that new technology makes its job more difficult, but the fact is that digital technology has vastly augmented the government's powers, even without legal changes like those in the U.S. Patriot Act," says Jim Dempsey, CDT policy director and the principal author of the report (see "It's The Law... Maybe" at Drill Deeper 12377 at www.electronicdesign.com). Dempsey says Internet technology's capacity to collect and store data increases every day, as does the volume of personal information people willingly surrender to take advantage of new services.
The CDT report suggests that two popular technologies—Web-based email and location awareness— inadvertently give the government unprecedented access to personal data. But few laws on the books to protect personal business data that's sent from corporations to the wireless handhelds of executives and other employees.
There's a patchwork of proposed legislation, yet little is being done at the legislative level to control or manage these technologies. In fact, Dempsey says the gap between the law and technology widens every day. "What makes even more troubling," he says, "is most users of these new technologies don't realize they are putting their privacy in jeopardy."
Employers aren't much help, even as they attempt to enhance their security. SafeNet, a global information security firm, found in a survey that more organizations require longer or more complicated passwords and a higher frequency of password changes. Also, nearly half (47%) of the survey's total respondents have between five and 10 passwords to access business applications. Thus, the likelihood of employees writing down or forgetting a password because of its length, complexity, or frequent changes increases sharply. SafeNet also found that about a third of the employees it surveyed share their passwords.
SHARPEN THOSE BUSINESS TOOLS
"People need to put data into their portable devices," says Bill Anderson, SafeNet's vice president of marketing, who holds a PhD in cryptography. "A lot of sales reps are expensing their cell phones because if they're going to use it as a sales tool, they want to be reimbursed for it. As soon as that cell phone gets expensed, that puts it into the realm of enterprise control."
Anderson says this has created a major opportunity for mobile asset management specialists, some of whom are just emerging as major players in the mobile security market.
"There are a number of asset management solutions that will police what software is installed on mobile devices," he says. "But this is still a very nascent industry. We just don't see those tools being deployed broadly yet, partly because there are so many \[wireless\] platforms that it's hard for an IT department to make a buying decision."
To better manage this variety of platforms and wireless operators, several organizations took on the task of defining security-management standards for a wide variety of devices through the Open Mobile Alliance (OMA), an organization that promotes mobile data services and interoperability.
Nokia introduced an early version of an OMA-compatible smart phone for corporate use with its 9300 Communicator, which is based on the Symbian operating system (Fig. 2). It features Wi-Fi, a virtual private network (VPN) client, anti-virus software developed by Symantec, and encryption software from Pointsec. More recent versions include Nokia's e-series smartphones as well as Windows Mobile 5.0-based devices.
Sony Ericsson also recently extended its 2003 license with Certicom Corp. for the company's Security Builder IPSec, which builds a VPN client into Sony Ericsson's Symbian-based P990i smartphone. And like the Blackberry, the relatively new Palm Treo lets users shield business and personal data by installing a password through its Settings menu.
Companies are investing more to protect their data, too. Many now standardize on a single brand and model, controlling what data is stored on the devices. They also install software that monitors these mobile devices and are increasingly likely to require some level of remote security management.
Marc Camm, vice president and general manager for smart-phone solutions at CA Inc. (formerly Computer Associates),says, "IT managers have to secure and control these devices, and they're asking us to help manage the process."
More than ever before, IT departments "lock and wipe" data from lost or stolen smart phones and PDAs. This usually requires installing file-encryption agents within these devices. CA demonstrated its version of smartphone security management in November and expects to begin beta testing the technology later this year.
If you lose your cell phone, you can call your carrier, which is able to render it useless through your phone's unique electronic identity code. Unfortunately, that doesn't work with smartphones, because the data would continue to reside in the phone. Some custom encryption agents are already in use, but Camm says IT managers are looking for more standardized products they can control from their existing system.
New security solutions for smart mobile devices and enterprise data are emerging. Some of these systems can shut down a mobile device. The really good ones are even able to reset the device—that is, they can uninstall intrusive software.
One example is Good Technology's Good Mobile Defense. Designed to protect third-party applications, device data, and other features, it covers mobile platforms such as Windows, Palm OS, and Symbian. The system works on several standard cell phones, enabling enterprises to lock down handhelds. It also can disable datatransfer ports like Bluetooth, Wi-Fi, or HotSync. And, a "data erase" feature automatically erases all data after several failed password and authentication attempts, performing a "remote wipe" of all handheld applications.
Claude Fossati, worldwide voice telecom manager for Thomson Inc., endorses the Good Technology package: "The fact that I can manage security policies centrally and push updates over-the-air makes the system complete."
Another recent introduction is Credant Technologies' upgrade (Version 5.1) of its flagship product, the Credant Mobile Guardian Enterprise Edition. The new edition extends security management across enterprise-hosted systems, with encryption of removable media and an enhanced audit and reporting system. It also lets employees encrypt files for secure transfer via e-mail.
"Our customers tell us that just protecting mobile devices is no longer enough. They need to ensure that their data is protected regardless of who has the data or where it resides," says Bob Heard, Credant Technologies' CEO and founder.
Several new products introduced by Mobile Armor gives IT management control over what devices are connected to the network. These products also determine whether these devices comply with corporate specifications, as well as when they entered the enterprise—all integrated with a central policy server and controlled by a single console.
Networking manufacturer Trendnet now offers an Internet security suite developed by McAfee as part of its 802.11g wireless product line. The suite is designed to help protect broadband users from IP theft and other types of online attacks.
DON'T FORGET PRINTERS
Though not quite as big an issue as mobile devices, printers are turning into a security headache in business applications. That's why SafeNet's Anderson says his company now invests more heavily in developing solutions for encrypting these devices.
"The new networked printers have scanning engines in them and they handle most documents digitally," he says. "If someone could get a Trojan \[a program that pretends to be one thing, but is usually something else—something malicious\] into your printer, it's like posting documents on your windows for everyone to read."
Anderson feels that printers should be considered in the same category as trusted computers. "A CEO might walk up to one and, using it as a photocopier, run off copies of the details of an impending merger," he says. "He's probably using the copier to produce documents to hand or to send to someone because it's too hot to e-mail, only now there's a perfect digital image of it written on a copier."
HP and others now recognize the printer as a computer that—for privacy reasons and control of enterprise assets—must be locked down with antivirus software, VPNs, and policy controls. "I think that about 18 months from now, all printers will have some type of \[embedded\] security, or they're not going to sell," Anderson adds.
"You can't have privacy without data security, but it's also true in reverse," says Fossati. "If you don't protect your data, it doesn't matter how it got from one point to another."
How serious are IT departments taking mobile security? The proof is in the spending. Market research firm IDC expects the mobile security software sector to grow 70% annually to nearly $1 billion in 2008.
Security specialists also believe IC manufacturers must play a bigger role in securing mobile devices if they plan to successfully sell chips to handset manufacturers. From SafeNet's perspective, IC manufacturers need to embed advanced security functions, such as crypto, secure mode, and International Mobile Equipment Identifiers (used to identify a particular mobile device). They also must provide high-performance processors that enable security-specific, next-generation applications to meet the requirements of handset manufacturers and carriers.
NEED MORE INFORMATION?
American Civil Liberties Union