[ISN] Keeping sensitive info secure is a major concern with PDAs

InfoSec News isn at c4i.org
Thu Dec 9 03:14:36 EST 2004


http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=57610

By Lynn Greiner 
12/8/2004 

The most secure company probably has a gaping hole in its corporate
pocket, which allows crucial data to slip out.

Yes, the network is protected by a firewall, intrusion detection
system and virus scanner. The PCs on that network are locked down. The
wireless network is encrypted and secured.  Data is properly backed
up. All is mellow.

Then the senior vice-president tucks his personal digital assistant
(PDA) into his jacket pocket and heads out to the fitness club, where
that jacket will be left unattended while he works out. Or the
marketing manager grabs his cell phone and runs to a meeting, where he
will leave the phone on the conference room table while he visits the
washroom.

What's protecting the data in those devices?

In a study conducted earlier this year by the Graziadio School of
Business and Management at Pepperdine University in Los Angeles, 81
per cent of respondents said they carry "somewhat valuable" or
"extremely valuable" information on their PDAs. Sixty per cent of
executive-level respondents said their business would be "somewhat" or
"extremely" affected if the data on company-issued PDAs were lost. And
24 per cent have experienced loss or theft of at least one PDA.


Devices become life repositories

Despite this, half of the respondents did not have any security on
their PDAs, beyond (perhaps) a power-on password.

That blood-curdling scream you just heard is your security officer,
who until now thought he had a handle on vulnerabilities.

With any personal device, be it company-issued or employee owned,
management is a major headache. It's as much a social problem as a
technological one. Users treat their PDAs and cell phones as life
repositories, storing business and non-business data cheek by jowl,
and consider attempts to manage the devices as affronts to their
privacy.

Yet as long as there's a scrap of business data on the device (a phone
number, a password, even a meeting reminder), the "private" device is
very much the company's concern.

Managing it, however, is easier said than done.

It's easy to back up data on a PDA if it synchs to a company computer
- just back up the files on the computer. The trick is in protecting
it while it's out and about in the handheld. That mainly entails
preventing the user from turning off any security on the unit.

That's not all there is to management of mobile devices, however.  
There's asset management: controlling who has which device, operating
system and so forth. There's configuration management: making sure
that all applications are installed that should be, in their correct
versions. There's encryption. If the machine has communications
capabilities (802.11b, for example, or if it's a smart phone), there's
network and virtual private network (VPN) configuration and security
to worry about.

Fortunately, there are both standalone products and modules for
enterprise management suites that can handle the job. They can even
program the handheld to erase all of its data after a predefined
number of bad login attempts; a thief may get a free PDA, but company
information will be protected.

Unfortunately, these products can cost several hundred dollars per
protected unit (for small license counts).

Despite this heavy hit on the corporate wallet, IDC says that the
market for mobile management products is expected to achieve a
compound annual growth rate of 44.9 per cent through 2008, when it
will be a whopping $US911.4 million.


Tell the boss what's at risk

Before you manage mobile devices, though, you have to find them. And
if users have local administrator privileges on their PCs (generally a
bad thing, by the way), it may be easier said than done. In that case,
when users acquire their new mobile toys, they can just quietly
install the synchronization software and merrily start pulling
corporate financial spreadsheets onto their devices without anyone's
knowledge. The first IT will hear about it is when the handheld
hiccups and its owner comes for help, or a PC acts up and the
responding tech notices the new software.

Then, of course, the user will howl when told that he or she shouldn't
be loading company information onto a personal device. It, after all,
increases their productivity. And they're probably right, but
convincing them that it also increases risk to the company is usually
a losing battle.

You might have better luck persuading them to enable power-on
passwords, insisting they use encryption software for business
information (for which the company will pay), and insisting that the
device be locked when idle. You also need to make sure that the edict
comes from the top. Chances are, the boss is one of the culprits.  
Convince him or her of the ri$k to the company, and guilt will do the
rest.
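As an added illustration (not code from the article or from any of the management products it mentions), the Python below sketches the controls the piece keeps returning to: a power-on password, encryption of business data at rest, an idle lock, and a wipe after a set number of bad unlock attempts. It assumes the standard library only, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES; the iteration count, the ten-attempt limit, the record name and the spreadsheet bytes are all assumed or constructed. The design point it adds is that the wipe should be a crypto-erase: only a wrapped copy of the data key ever touches storage, and the wipe destroys it, because deleting files from flash does not reliably remove them. The failure counter must live in tamper-resistant storage on a real device, or a thief resets it by pulling the battery.

```python
"""Device vault: power-on password, encryption at rest, idle lock, wipe-on-failure.
Added example, stdlib only; the wipe is a crypto-erase of the wrapped data key."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to the handheld's CPU
MAX_FAILED_ATTEMPTS = 10      # assumed policy: wipe on the tenth bad password


class DeviceWiped(Exception):
    """The vault has destroyed its keys; nothing is recoverable."""


class DeviceLocked(Exception):
    """Business data was accessed while the device is locked."""


def _subkey(key: bytes, label: bytes) -> bytes:
    # Independent encryption and MAC keys derived from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib has no AES).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; ValueError on failure."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class DeviceVault:
    def __init__(self, password: str, max_failed_attempts: int = MAX_FAILED_ATTEMPTS):
        self.salt = os.urandom(16)
        self.max_failed_attempts = max_failed_attempts
        self.failed_attempts = 0      # real hardware: tamper-resistant counter
        self.wiped = False
        self._dek = None              # data key lives in RAM only while unlocked
        self.records = {}             # name -> blob sealed under the data key
        # Only the wrapped data key is ever "written to flash".
        self.wrapped_dek = seal(self._kek(password), secrets.token_bytes(32))

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERATIONS)

    def unlock(self, password: str) -> bool:
        """Power-on password check; counts failures and wipes at the limit."""
        if self.wiped:
            raise DeviceWiped()
        try:
            self._dek = unseal(self._kek(password), self.wrapped_dek)
        except ValueError:
            self.failed_attempts += 1
            if self.failed_attempts >= self.max_failed_attempts:
                self.wipe()
            return False
        self.failed_attempts = 0
        return True

    def lock(self) -> None:
        """Idle lock: drop the data key; records stay sealed in storage."""
        self._dek = None

    def wipe(self) -> None:
        """Crypto-erase: destroying the wrapped key makes every record unreadable."""
        self.wrapped_dek = None
        self.records.clear()
        self._dek = None
        self.wiped = True

    def store(self, name: str, data: bytes) -> None:
        if self._dek is None:
            raise DeviceLocked()
        self.records[name] = seal(self._dek, data)

    def read(self, name: str) -> bytes:
        if self._dek is None:
            raise DeviceLocked()
        return unseal(self._dek, self.records[name])


def demo_lockout(password: str = "correct horse battery", wrong: str = "1234") -> dict:
    """Store a record, idle-lock, survive one bad attempt, then hit the wipe limit."""
    vault = DeviceVault(password)
    vault.unlock(password)
    vault.store("q3-forecast.xlsx", b"CONSTRUCTED sample spreadsheet bytes")
    vault.lock()
    first_bad = vault.unlock(wrong)              # one failure, counter now 1
    vault.unlock(password)                        # success resets the counter
    recovered = vault.read("q3-forecast.xlsx")
    vault.lock()
    attempts_until_wipe = 0
    while not vault.wiped:
        vault.unlock(wrong)
        attempts_until_wipe += 1
    return {"first_bad": first_bad, "recovered": recovered,
            "attempts_until_wipe": attempts_until_wipe, "wiped": vault.wiped}
```

Note that the thief never gets to attack the PBKDF2-wrapped key offline in this model only if the handheld's storage is what they image; if they can dump the wrapped key, the password's strength is all that stands between them and the data, which is why the article's insistence on a real power-on password matters more than the wipe counter.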
