[ISN] Security remains mobility's weakest link

From: InfoSec News (alerts@private)
Date: Tue Aug 21 2007 - 23:10:44 PDT


http://www.infoworld.com/article/07/08/21/34FEmobilesecurity_1.html

By Matt Hines
August 21, 2007

From top-level execs to workers in the field, enterprise end-users are 
growing increasingly dependent on anywhere, anytime access to essential 
corporate data and apps. As such, the call for an effective, 
business-critical mobile initiative is fast becoming the norm for 
organizations of all sizes.

But with greater exposure to information technology assets comes greater 
information security risks. And just as enterprises replace conventional 
mobile phones with newer handhelds that offer datacentric tools and 
access to sensitive information, IT departments are increasingly being 
forced to retool their data defense requirements to account for 
smartphone and PDA use.

"Organizations are thinking about the BlackBerry or smartphone as an 
extension of the computing network, and as a terminal that's carrying a 
lot of sensitive enterprise data," says Scott Totzke, vice president of 
the global security group at Research in Motion, maker of the BlackBerry 
handheld device. "We're hearing more than ever from customers looking at 
protecting data on the device. They want tools to kill information or 
lock it down when a handheld is lost, they want to encrypt sensitive 
data in transit and at rest, and there are growing concerns around 
compliance."

Although Totzke denies that security concerns are slowing down 
enterprise uptake of RIM's BlackBerry devices, he admits the issue has 
made his company's sales process "more complex," as customers are going 
to greater lengths to ensure that data on handhelds is adequately 
protected before they buy.

One such customer, FOWGroup, supplies IT services to the U.S. Department 
of Defense, among other federal agencies.

In working with the Pentagon's IT leaders on mobile device adoption, 
including an ongoing project to replace 1,200 existing handhelds with 
new BlackBerries, executives at the consultancy say that security 
concerns have become a primary focus.

In May 2006, the highly publicized theft of a Department of Veterans 
Affairs laptop containing millions of servicemen's records led to a 
series of heated debates on Capitol Hill. Since then the emphasis on 
making information security a central part of the hardware procurement 
process has shifted to the fore, including for handhelds, says Will 
Alberts, chief executive of FOWGroup.

"No one wants to end up on the front page of the newspaper, and everyone 
recognizes that the additional capability of storing more data on the 
device opens new risks," says Alberts, who is also a member of the 
National Security Agency's Joint Wireless Working Group.

"Senior leaders can't get enough of these types of devices," Alberts 
adds. "And sometimes their concerns around security are less than you 
hear from IT, but there's no question that the information-protection 
issue has become a central consideration for everyone."


Encrypted mobility

In addition to the security features that RIM offers, including remote 
data-wiping tools and integration with two-factor authentication 
systems, Alberts says that government organizations are interested in 
utilizing encryption capabilities offered by the device maker and other 
third-party vendors to defend mobile data more aggressively.
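The three protections named above (encryption of data at rest, a lock when the handheld is idle or lost, and a remote wipe) fit together more tightly than the article lets on: if every file is encrypted under a random device key, and that key is itself stored only in a form wrapped under the user's PIN, then "wipe" reduces to destroying the wrapped key. The ciphertext can stay on flash and is still unrecoverable, which is why crypto-erase finishes in milliseconds rather than waiting for a full storage overwrite. The following model is an added illustration written for this page, not code from RIM, Nokia or any vendor mentioned here; the Handheld class, its method names and the PIN "4321" are invented for the example. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with an HMAC tag; a real device would use AES-GCM or a platform keystore, not this construction.

```python
"""Crypto-erase demo: data at rest becomes unreadable once the key is gone.

Added example for this page (not vendor code). A toy handheld keeps every
file under a random data encryption key (DEK). The DEK is wrapped under a
PIN-derived key so the device can lock and unlock, and a remote wipe just
destroys the wrapped DEK: the ciphertext stays on "flash" but no key can
ever open it again. The cipher is HMAC-SHA256 in counter mode with an
encrypt-then-MAC tag, chosen only because it needs nothing outside the
standard library; use AES-GCM from a vetted library on a real device.
"""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise ValueError on any mismatch."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key or tampered data)")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class Handheld:
    """Minimal model of an encrypted device: store, lock, unlock, remote wipe."""

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._dek = secrets.token_bytes(32)            # data encryption key, in RAM
        self._wrapped_dek = encrypt(self._kek(pin), self._dek)  # DEK at rest
        self._flash = {}                               # name -> ciphertext blob

    def _kek(self, pin: str) -> bytes:
        # Key-encryption key from the PIN; slow KDF to blunt offline guessing.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def store(self, name: str, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("device locked or wiped")
        self._flash[name] = encrypt(self._dek, data)

    def read(self, name: str) -> bytes:
        if self._dek is None:
            raise PermissionError("device locked or wiped")
        return decrypt(self._dek, self._flash[name])

    def lock(self) -> None:
        # Drop the plaintext DEK; only the correct PIN can unwrap it again.
        self._dek = None

    def unlock(self, pin: str) -> None:
        if self._wrapped_dek is None:
            raise PermissionError("device wiped: no key left to unwrap")
        try:
            self._dek = decrypt(self._kek(pin), self._wrapped_dek)
        except ValueError:
            raise PermissionError("wrong PIN") from None

    def remote_wipe(self) -> None:
        # Crypto-erase: destroy both copies of the key, leave the flash alone.
        self._wrapped_dek = None
        self._dek = None

    def ciphertext_still_present(self, name: str) -> bool:
        return name in self._flash


if __name__ == "__main__":
    dev = Handheld("4321")                       # constructed sample PIN
    dev.store("contacts", b"alice:+1-555-0100")  # constructed sample data
    dev.lock()
    dev.unlock("4321")
    print(dev.read("contacts"))
    dev.remote_wipe()
    print("ciphertext still on flash:", dev.ciphertext_still_present("contacts"))
```

Two properties are worth checking when evaluating a real product against this model: a wrong PIN must fail at the key-unwrap step (here the tag check), so the device never has to compare PINs in the clear, and a wipe must remove every copy of the wrapped key, including any escrow or backup the management server holds, or the erase is not an erase.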

And it's not just the Feds who have mobile security and encryption in 
mind. Private organizations in the health care, financial services, and 
manufacturing sectors also confront significant mobile information 
security issues, particularly those affected by data-handling 
regulations such as Sarbanes-Oxley and HIPAA. As these organizations 
distribute handhelds to senior executives and work through initial pilot 
programs, they gain a better understanding of related security 
implications.

"Mobility is bringing more functionality into enterprises as the devices 
expand, and there are great productivity gains, but on the flip side the 
costs of downtime and impact of potential data loss have increased 
significantly," says Kara Hayes, senior product marketing manager for 
the security and mobility connectivity group at Nokia. "As people look 
at ways to roll out these devices to a larger community base, they want 
to be able to manage security centrally and gauge the impact with their 
existing security operations."

Hayes says security concerns most commonly voiced by enterprise 
customers include issues related to lost devices, use of unsanctioned 
handhelds or mobile applications, and the potential for hackers to 
hijack the machines' wireless data transfer systems.

The technological solution that appears to be generating the most 
interest among enterprises of late, Hayes says, is encryption, with 
companies increasingly seeking ways to tailor the security feature to 
different sets of users.

"With encryption, companies are figuring out that they need to know who 
the users really are and what type of functions they are going to use; 
they understand that they need to have different types of policies and 
deploy different levels of encryption to the necessary users, and not 
necessarily everyone," Hayes says.

"If an individual is a hard-core user of e-mail, messaging, or mobile 
[CRM] tools, they are at higher risk and need this type of protection," 
Hayes says. "Having different policies in place makes it easier to 
manage deployment across an entire mobile user base."


Secure by integration

One of the issues Nokia stresses with smartphone customers is the need 
for organizations to synchronize mobile device security with back-end 
network protection to ensure that administrators can isolate potential 
weak points in their overall infrastructure.

And consultants agree that a comprehensive security strategy is vital 
for preventing headaches down the line.

If mobile device security is handled without direct consideration of its 
impact on other IT operations, issues of interoperability and 
compromises in protection will be inevitable, says Mark Lobel, principal 
for advisory services at PricewaterhouseCoopers.

"The problem and the opportunity with these more powerful mobile devices 
is that the data is now everywhere users want to carry it, and people 
sometimes bring the technology onboard in consideration of the benefits 
without considering all the risks," Lobel says.

"The mature IT organizations that bring network security people to the 
table during the decision-making process are the ones who are doing the 
best job," Lobel says. "And people need to have these conversations 
about the risks and solutions in business terms so that everyone 
involved understands; it's hard to tell the CEO no when he wants 
something, so it's important to explain things in a way that everyone 
grasps."


The mobile security ecosystem

Where there is cause for concern, there are market opportunities, and 
security software makers are moving quickly to cash in on the demand for 
more sophisticated mobile security.

One company, F-Secure, is distributing its security applications through 
wireless carriers in an effort to stake a claim in the mobile device 
space. The Finland-based security vendor has signed deals with a range 
of leading European mobile operators, including Vodafone, T-Mobile, and 
Orange, to make its security tools -- which include anti-virus 
applications, firewalls, and encryption technologies -- available under 
the carriers' SLAs. F-Secure is looking to extend this practice in the 
United States in the near future.

According to F-Secure officials, bundling security into wireless 
contracts and allowing operators to offer additional device defense 
services will prevent enterprises from having to deal directly with a 
wide array of vendors, thereby securing mobile initiatives in a more 
cost-effective manner. Moreover, with security part of the package, 
end-users will also be more likely to use their smartphones in more 
interesting ways, says Curtis Cresta, general manager of F-Secure North 
America.

"The critical mass of smart device users is changing perceptions of 
adoption; much as with laptops, there has been a natural evolution with 
security, and a growing number of enterprises are now coming to us for 
advice," Cresta says. "For instance, there has previously been a bit of 
resistance to pushing business applications out to handhelds, and 
applications companies have even come to us looking for help selling 
their products, but the market appears to be coming around, and having 
better security available from the carriers is a significant part of 
that."

Wireless operators themselves are looking to benefit from the greater 
emphasis on mobile security, as some are already marketing what they 
describe as mobile lifecycle management services, which promise to offer 
end-to-end security capabilities.

Sprint Nextel, for example, offers Sprint Mobility Management. Available 
for roughly $8 per user, the portfolio includes compliance, data 
protection, and anti-virus services for handhelds, along with other 
nonsecurity capabilities.

Sprint executives contend that wireless operators, which have existing 
relationships with device makers, operating system providers, 
applications developers, and the like, are best positioned to pull 
together a comprehensive set of security features and to free user 
organizations from trying to manage them all on their own.

"Security concerns have slowed down adoption of smartphones in the past, 
especially with high-sensitivity organizations operating under 
regulations and compliance concerns," says Stephanie Burnham, product 
marketing manager at Sprint. "We're trying to recognize these concerns 
and help organizations get over the obstacles that prevented them from 
using all the mobile business applications they might otherwise adopt."


Learning from laptops

In addition to researching device capabilities, carrier services, and 
aftermarket technologies to help protect mobile devices, analysts advise 
enterprises to look at advanced handhelds in the same way they have come 
to view laptops and other technologies from a security perspective.

Sam Bhavnani, an analyst at Current Analysis, contends that 
organizations should take the best practices they have developed for 
laptops and port them directly into their smartphone adoption plans.

"This all goes back to the migration from desktops to laptops. There are 
a lot of common sense implications, and people need to be sensible about 
creating realistic policies that both protect the data on the device and 
allow users to tap into the potential of the smartphones," Bhavnani 
says. "Some people are still scared to go there. They know that adopting 
these devices will open another can of worms, but creating smart 
policies ahead of time and building on their laptop experience will be 
the best ways to foster strong mobile security."

In other words, your best bet for a mobile security framework may 
already be in place.


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Tue Aug 21 2007 - 23:18:28 PDT