Security remains mobility's weakest link

Enterprises face a new wave of information security implications as greater numbers of workers tap smartphones and PC-like handhelds

From top-level execs to workers in the field, enterprise end-users are growing increasingly dependent on anywhere, anytime access to essential corporate data and apps. As such, the call for an effective, business-critical mobile initiative is fast becoming the norm for organizations of all sizes.


But with greater exposure of information technology assets comes greater information security risk. And just as enterprises replace conventional mobile phones with newer handhelds that offer data-centric tools and access to sensitive information, IT departments are increasingly being forced to retool their data defense requirements to account for smartphone and PDA use.

"Organizations are thinking about the BlackBerry or smartphone as an extension of the computing network, and as a terminal that's carrying a lot of sensitive enterprise data," says Scott Totzke, vice president of the global security group at Research in Motion, maker of the BlackBerry handheld device. "We're hearing more than ever from customers looking at protecting data on the device. They want tools to kill information or lock it down when a handheld is lost, they want to encrypt sensitive data in transit and at rest, and there are growing concerns around compliance."

Although Totzke denies that security concerns are slowing down enterprise uptake of RIM's BlackBerry devices, he admits the issue has made his company's sales process "more complex," as customers are going to greater lengths to ensure that data on handhelds is adequately protected before they buy.

One such customer, FOWGroup, supplies IT services to the U.S. Department of Defense, among other federal agencies.

In working with the Pentagon's IT leaders on mobile device adoption, including an ongoing project to replace 1,200 existing handhelds with new BlackBerries, executives at the consultancy say that security concerns have become a primary focus.

In May 2006, the highly publicized theft of a Department of Veterans Affairs laptop containing millions of veterans' and service members' records led to a series of heated debates on Capitol Hill. Since then, the emphasis on making information security a central part of the hardware procurement process has come to the fore, including for handhelds, says Will Alberts, chief executive of FOWGroup.

"No one wants to end up on the front page of the newspaper, and everyone recognizes that the additional capability of storing more data on the device opens new risks," says Alberts, who is also a member of the National Security Agency's Joint Wireless Working Group.

"Senior leaders can't get enough of these types of devices," Alberts adds. "And sometimes their concerns around security are less than you hear from IT, but there's no question that the information-protection issue has become a central consideration for everyone."

Encrypted mobility

In addition to the security features that RIM offers, including remote data-wiping tools and integration with two-factor authentication systems, Alberts says that government organizations are interested in utilizing encryption capabilities offered by the device maker and other third-party vendors to defend mobile data more aggressively.

And it's not just the Feds who have mobile security and encryption in mind. Private organizations in the health care, financial services, and manufacturing sectors also confront significant mobile information security issues, particularly those affected by data-handling regulations such as Sarbanes-Oxley and HIPAA. As these organizations distribute handhelds to senior executives and work through initial pilot programs, they gain a better understanding of related security implications.

"Mobility is bringing more functionality into enterprises as the devices expand, and there are great productivity gains, but on the flip side the costs of downtime and impact of potential data loss have increased significantly," says Kara Hayes, senior product marketing manager for the security and mobility connectivity group at Nokia. "As people look at ways to roll out these devices to a larger community base, they want to be able to manage security centrally and gauge the impact with their existing security operations."

Hayes says the security concerns most commonly voiced by enterprise customers include lost devices, use of unsanctioned handhelds or mobile applications, and the potential for attackers to intercept or hijack the devices' wireless data connections.

The technological solution that appears to be generating the most interest among enterprises of late, Hayes says, is encryption, with companies increasingly seeking ways to tailor the security feature to different sets of users.

"With encryption, companies are figuring out that they need to know who the users really are and what type of functions they are going to use; they understand that they need to have different types of policies and deploy different levels of encryption to the necessary users, and not necessarily everyone," Hayes says.

"If an individual is a hard-core user of e-mail, messaging, or mobile [CRM] tools, they are at higher risk and need this type of protection," Hayes says. "Having different policies in place makes it easier to manage deployment across an entire mobile user base."

Secure by integration

One of the issues Nokia stresses with smartphone customers is the need for organizations to synchronize mobile device security with back-end network protection to ensure that administrators can isolate potential weak points in their overall infrastructure.

And consultants agree that a comprehensive security strategy is vital for preventing headaches down the line.

If mobile device security is handled without direct consideration of its impact on other IT operations, issues of interoperability and compromises in protection will be inevitable, says Mark Lobel, principal for advisory services at PricewaterhouseCoopers.

"The problem and the opportunity with these more powerful mobile devices is that the data is now everywhere users want to carry it, and people sometimes bring the technology onboard in consideration of the benefits without considering all the risks," Lobel says.

"The mature IT organizations that bring network security people to the table during the decision-making process are the ones who are doing the best job," Lobel says. "And people need to have these conversations about the risks and solutions in business terms so that everyone involved understands; it's hard to tell the CEO no when he wants something, so it's important to explain things in a way that everyone grasps."

The mobile security ecosystem

Where there is cause for concern, there are market opportunities, and security software makers are moving quickly to cash in on the demand for more sophisticated mobile security.

One company, F-Secure, is distributing its security applications through wireless carriers in an effort to stake a claim in the mobile device space. The Finland-based security vendor has signed deals with a range of leading European mobile operators, including Vodafone, T-Mobile, and Orange, to make its security tools -- which include anti-virus applications, firewalls, and encryption technologies -- available as part of the carriers' service agreements. F-Secure is looking to extend this practice to the United States in the near future.

According to F-Secure officials, bundling security into wireless contracts and allowing operators to offer additional device defense services will prevent enterprises from having to deal directly with a wide array of vendors, thereby securing mobile initiatives in a more cost-effective manner. Moreover, with security part of the package, end-users will also be more likely to use their smartphones in more interesting ways, says Curtis Cresta, general manager of F-Secure North America.

"The critical mass of smart device users is changing perceptions of adoption; much as with laptops, there has been a natural evolution with security, and a growing number of enterprises are now coming to us for advice," Cresta says. "For instance, there has previously been a bit of resistance to pushing business applications out to handhelds, and applications companies have even come to us looking for help selling their products, but the market appears to be coming around, and having better security available from the carriers is a significant part of that."

Wireless operators themselves are looking to benefit from the greater emphasis on mobile security, as some are already marketing what they describe as mobile lifecycle management services, which promise to offer end-to-end security capabilities.

Sprint Nextel, for example, offers Sprint Mobility Management. Available for roughly $8 per user, the portfolio includes compliance, data protection, and anti-virus services for handhelds, along with other nonsecurity capabilities.

Sprint executives contend that wireless operators, which have existing relationships with device makers, operating system providers, applications developers, and the like, are best positioned to pull together a comprehensive set of security features and to free user organizations from trying to manage them all on their own.

"Security concerns have slowed down adoption of smartphones in the past, especially with high-sensitivity organizations operating under regulations and compliance concerns," says Stephanie Burnham, product marketing manager at Sprint. "We're trying to recognize these concerns and help organizations get over the obstacles that prevented them from using all the mobile business applications they might otherwise adopt."

Learning from laptops

In addition to researching device capabilities, carrier services, and aftermarket technologies to help protect mobile devices, analysts advise enterprises to look at advanced handhelds in the same way they have come to view laptops and other technologies from a security perspective.

Sam Bhavnani, an analyst at Current Analysis, contends that organizations should take the best practices they have developed for laptops and port them directly into their smartphone adoption plans.

"This all goes back to the migration from desktops to laptops. There are a lot of common sense implications, and people need to be sensible about creating realistic policies that both protect the data on the device and allow users to tap into the potential of the smartphones," Bhavnani says. "Some people are still scared to go there. They know that adopting these devices will open another can of worms, but creating smart policies ahead of time and building on their laptop experience will be the best ways to foster strong mobile security."

In other words, your best bet for a mobile security framework may already be in place.