Managing mobile security
With the use of mobile devices by corporates on the rise,
IT departments have their hands full combating data loss and security breaches.
Megha Banduni reports
battle between technology and security seems to be never-ending. When mobile
computing devices such as PDAs, laptops, handhelds and smartphones were introduced,
few would have thought about the related security concerns if they were lost
"At Patni, for ensuring data protection, we try not to store critical
Senior Manager, IT, IMD
Patni Computer Systems
According to a recent Mobile Usage Survey, it was discovered
that almost 30 percent of users store their PINs, passwords and other critical
information on their handheld devices without enabling the basic security features
present on the system.
With an increasing number of people storing company data on mobile devices such
as smartphones, PDAs, laptops and USB drives, and with Bluetooth-enabled devices
entering the mainstream, IT departments are confronted with security issues.
Information such as customer contacts, e-mail details, passwords
and bank account details, as well as that related to private matters, is getting
stored in devices without much consideration to security.
As a result, a lost PDA or smartphone with no protection makes easy pickings
for thieves, hackers or competitors with regard to corporate information. This
could have an impact on customer confidence and damage a companys reputation.
Off to a good start with encryption
Since mobile devices have become a necessity among all top-rung executives,
the demand for security within an organisation is growing rapidly. Hence, the
first step that most CIOs practice and recommend is encryption of data. Other
solutions could be creating awareness, conducting training, and using passwords.
The key security issues faced by users of mobile devices are misuse of data
if stolen, the ease with which data can leak out, and unauthorised access. Encrypting
data, factor authentication and blocking data transfer to pen drives are some
of the measures that CIOs can consider to ensure security on their mobile devices.
According to Ajay Soni, Senior Manager, IT, IMD, Patni Computer Systems, the
three main issues in using mobile devices are data security, theft and virus
infection. There are various ways through which one can take precautions
such as encryption of data, dual factor log-on, and so on.
But in spite of encryption, the chances of losing information
are high. In many organisations, mobile devices are issued to the users only
on a need-to-use basis. Still, it is a matter of concern. Information
from the mobile device is transmitted through a wireless network, therefore
the risk of unauthorised access is high. I agree that encryption is not widely-used,
and even if used it is prone to hacking. Another side-effect of encryption is
that it degrades the performance of mobile devices. There is a need to have
a standard encryption, comments G Radhakrishna Pillai, Head of IT at Ranbaxy.
At Patni, for ensuring data protection, we try not
to store critical information on mobile devices. However, since this is not
always possible, the next step is encryption of all the data stored in the device,
explains Soni. He says that all critical data is kept on the servers, and that
no downloads are allowed. They use dual-factor authentication which prevents
access to any PDA/laptop by a stranger. Also, every mobile device has a lock,
so if the device gets lost its data cannot be accessed.
"We encrypt all the data on mobile devices, and
training and internal awareness programmes on encryption "
" Information from the mobile device is
transmitted through the wireless network, hence the risk of unauthorised
access is high"
Awareness programmes to the rescue
In a recent survey conducted by research firm IDC on the top security issues
faced by organisations, information leakage ranked second. One of the prime
reasons for this was use of mobile devices such as laptops and handhelds.
The first step towards security in a mobile environment starts with the framing
of policies, followed by an awareness programme for users.
Today, the security threat perceived by CIOs is the main obstacle to wireless
devices. Pillai believes that authentication, privacy and authorisation are
the critical issues in mobile devices, and that the technology needed to address
them is still emerging.
We encrypt all the data on mobile devices, and periodically conduct training
and internal awareness programmes on encryption, says Zoeb Adenwala, Chief
of IT at Pidilite.
Suggests Pillai: One way to minimise the risk would be to use mobile devices
purely based on the requirements of the business, and not just for the sake
of adopting new technology. Key enablers for any security initiative for mobile
devices are the users themselves, so creating awareness among them and training
them in this regard are two tasks for the CIO.
Awareness among users certainly tops the chart. Advises R K Iyer, Director,
Technology, eFunds, Every technology has some or the other security issue
associated to it. The best and most important step for a CIO/CEO to take is
to create awareness so that the user is fully aware of the type of data he is
carrying in his device, the threats associated with this, and so on. Once the
user is aware, the next step is the configuration of devices and having a centralised
control. Last but not the least, encrypting the data is important to ensure
Awareness seems to be the best way to avoid security issues. States Soni, We
create security awareness through posters, mailers and e-learning sessions.
- Create a mobile device security policy
specifically for handheld devices.
- Start an awareness programme to make the
new policy known within the organisation.
- All security settings should be maintained
and controlled centrally.
- Deploy Enforceable Mandatory Access Control
on all devices as the first line of defence.
- Purchase PDAs for employees; never allow
users to connect their personal devices to the company network.
- Standardise on a few brands of devices,
and support only a few mobile operating systems.
- Use Password/PIN standards.
- Consider automatic and user-transparent
encryption of all data on mobile devices and removable media.
- Track and label devices; treat mobile
devices like desktops and laptops, labelling them and keeping records.
- Treat wireless like the Internet. Use
a VPN on top of WEP to connect to the internal network.
Security threats are growing on
account of the practice of storing confidential or business critical information
detachable storage cards
Sascha Beyer, the Vice-president, Asia Pacific & Africa,
of Pointsec Mobile Technologies, feels that with loss of data trust is the first
casualty. If an organisation fails to protect information, it would lead
to loss of customer confidence, affecting business growth. Data protection through
data encryption, particularly for a mobile device, is an important element of
Security analysts feel that other than protecting handheld devices through power-on
passwords, organisations can look at options such as biometric authentication
and token-based or smart card-based authentication.
The security threat is also growing due to the practice of storing information
in detachable storage cards such as MMC (MultiMedia Card) and SD (Secure Digital)
Another important aspect is protecting information (that is being transferred)
from sniffing and spoofing. The transmission of data from handheld devices to
the corporate network, either using the corporate Wi-Fi network or a third-party
network, should be encrypted using strong algorithms. For example, the transfer
of mail in most smartphones is encrypted at the application layer between clients
installed on the mobile devices and the server. Therefore, the end-to-end
security in these cases does not include encryption of e-mail beyond the server.
The transfer of e-mail beyond the mail server becomes critical especially if
the corporate mail server is hosted on the telecom service providers network.
In this case, encryption at the network layer (such as IPSec) should be implemented.
Securing data remains a critical issue for CIOs. Data protection through encryption,
particularly for mobile devices, is an important element of business success.
Organisations need to provide solutions that can protect the data on the disk.
This will ensure that in case a device is stolen or lost, the loss is purely
of the cost of the device and not of the confidential information stored, which
could be worth much to the organisation.
Many companies have learnt from their experiences and are in the process of
securing critical data by taking the necessary steps. Yet there is a long way
for them to go.