Beware the cool-factor danger zone

Connecting slick devices to the corporate network calls for strict security policies

Ever have one of these conversations?

Me: OK, Mr. CEO Gadgetfreak, we're done configuring your system. It's the best technology at the best price for the business goals you said were most important to you. You're saving big bucks from both ends of the equation. Yay.

CEO Gadgetfreak (looking petulant): Yeah, but …

Me (looking puzzled): But what?

CEO Gadgetfreak (in a rush of excitement): Everything's so … normal. My golfing buddy, Jerry Clueless, told me that his IT guy gave him a PC that has two flat-screen monitors and says "hello" to him every morning, then downloads Alyssa Milano's private e-mails and connects to a secret Webcam in the ladies room despite strict legal and HR policies against sexual harassment and invasion of privacy.

Me (stunned, massaging the bridge of my nose with two fingers while squeezing my eyes tightly shut, hoping I'll wake up -- with blood running out of my ears)

It doesn't matter how good a job you do for some folks' bottom line: You'll eventually run into Mr. CEO Gadgetfreak. He's thrilled with your IT management success on a subliminal level, but what he really wants is as much sleek, silver, blinking stuff on his desk as possible. Until recently this was just a minor pain in the posterior I'd delegate to the technician who bothered me most that week, after I had milked the CEO for as much wacky gadget money as he was willing to spend -- along with my 80 percent annoyance markup, of course.

Unfortunately, the time has come when this once minor speed bump has turned into a big red stop sign. The problem is those smartphones I was gurgling about in my previous column. They're sure cool, and every week sees the debut of an even cooler one, which Jerry Clueless will get and Mr. Gadgetfreak will thus immediately desire. These smartphones have cameras, Web browsers, MP3 players, little SD cards you can stuff with important data, and all kinds of attachment gizmos that guarantee you avoid female companionship in almost every social setting.

You can give Mr. Gadgetfreak as many multihead, HDTV-capable displays as his desk will hold, but cool cell phones have become security targets -- right as Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, Basel II, and other laws with fun names are starting to become aware of them. The last thing you need is a boss or a client dragging your name into a failed compliance audit ("But our IT guy said it was OK …").

If mobile devices are a part of the business environment, then you need a PDA, smartphone, and even cell phone security policy. Not only because Mr. Gadgetfreak will store his most personal contact and schedule list on a mobile device, but also because he'll probably download any number of sensitive corporate memos or other correspondence. Not to mention a good chunk of his e-mail inbox. And don't forget that many of these devices now support 802.11x, so he'll want true client connectivity back to the corporate network, even though in reality the thing won't come out of his briefcase while he's out of the office. That's another potential clear text authentication violation unless you're careful.

PDA security is mobile security. When Microsoft and Cisco finally get their VPN quarantine/NAP (network access protection)/NAC (network admission control) technology straightened out, this will be a cinch. In the meantime, you need to cover a few key issues, including asset management, perimeter security, authentication, data encryption, support, and software updates. On the upside, this is all pretty standard stuff that you simply apply to a new platform. On the downside, except for a few key players, there aren't many all-in-one PDA security and management platforms yet available.

One of the better such platforms I've found is Pointsec, which has a product version for every mobile OS, including Symbian. Another good one is SureWave Mobile Defense from JPMobile. Both concentrate more on security than asset or network management, but they're broadly featured and constantly updated. Another good platform is Bluefire, a PDA-capable wireless authentication, firewall, and roaming platform similar to NetMotion Wireless.

Failing these, Microsoft has a few security downloads for the Windows Mobile OS, but the company will direct you to the Handango software store for more in-depth purchases. Handspring has most of its stuff on its own site. You can find most anything you need at these sites, but very little of it is name-brand. There are loads of data-encryption apps for safe data storage and a few authenticators and anti-virus products. Some lowlife even stole my remote PDA-killer idea. (If you lose your PDA, you send an SMS message to it and all your data is wiped. I'll partner with anyone who wants to beat these guys to market.) Bottom line: You need to test any purchases hard before deployment.

No matter which software toolkit you choose, you still need to rein in Mr. Gadgetfreak. He needs to choose a single smartphone or PDA platform. IT needs to track it and enforce a strict policy on what he can and can't do with the device. Network authentication must be strong, preferably WPA (Wi-Fi Protected Access) -- although I don't think that exists for PDAs yet, unless you go with an external Wi-Fi card. Furthermore, the password policy must be hard-line as well. After all, this window into the corporate network is the device most likely to wind up in a stranger's hands.

If he complains too much, just get him the USB fish tank with the e-fish that die whenever he powers down the system. There are lots of moving colors, and that should keep him quiet and drooling long enough for you to get out of the building.

Copyright © 2005 IDG Communications, Inc.