More and more of an organisation's data is seeping outside the network on laptop computers, PDAs, mobile phones and peripheral storage devices. Brett Winterford looks at how to minimise the exposure to risk.
If "a PC on every desktop" was the premise that defined computing in the 90s, then surely "a computer in every pocket" is today's successor.
We are today, undoubtedly, living in a mobile world.
Australia also boasts the world's highest rate of mobile phones per capita - and increasingly, these devices come loaded with considerable data processing capabilities.
Last year, analyst group IDC estimates that Australians purchased over 1.2 million notebook computers - while DCITA (the Department of Communications, IT and the Arts) tells us that some 30% of Australian workers 'telework' - stretching the boundaries of the enterprise to homes and coffee shops all over the country.
Risky business
These statistics represent a major mobilisation of data. Alongside the productivity gains this shift provides are significant increases in risk. More than ever, IT departments are struggling to maintain control over where the organisation's data resides and travels.
The risks are threefold - company data can fall into the wrong hands via lost and stolen devices, via holes left in wireless networks when mobile workers access the corporate network remotely, or via the loss or distribution of small peripheral storage devices.
Loss or theft of data comes at a significant cost - both financially and in terms of the organisation's reputation.
In the United States in particular, where state breach-notification laws require organisations to disclose breaches of customer data, government departments and corporations are routinely 'named and shamed' over data loss.
The Privacy Rights Clearinghouse (see www.privacyrights.org), for example, maintains a comprehensive database of security breaches reported in America over the last 18 months. The organisation claims that some 90 million confidential records have been compromised since February 2005 - records that include the financial and social security details of millions of Americans.
Breaches are not taken lightly by privacy advocates, the media or the public. The US Department of Veterans Affairs (VA), for example, made headlines in recent months over two separate incidents involving stolen computers containing masses of client records. In one, the VA's data processing contractor Unisys offered a US$50,000 reward for information leading to the return of a stolen computer. Just two months earlier, a separate VA laptop stolen from a staff member's home contained the confidential details of some 25 million Americans - the largest information security breach in the US government's history.
Risk factors
In the early days of mobile computing, risk concerns centred on vulnerabilities in wireless networks. Early wireless networks, protected by a scheme called WEP (Wired Equivalent Privacy), were too often left open by default or too easily cracked by attackers.
Common sense and education seem to be prevailing in this area. A newer wireless security protocol, WPA (Wi-Fi Protected Access), has succeeded where WEP failed. Corporate IT departments also seem to have their perimeter defence sorted out - including strong, secure VPNs (virtual private networks) for nomadic users.
Hacking is still a big issue, but according to AusCERT's 2006 Cybercrime survey, far fewer incidents are being reported. The Privacy Rights Clearinghouse data also shows hacks trending downwards - offset, unfortunately, by an increase in the physical theft of laptop computers.
"The biggest risk is not coming from hackers," said Robin Simpson, research director for mobile and wireless at research group Gartner, "but from the employee physically losing the device and more importantly the data on it."
Out of the 389 companies and government departments surveyed by AusCERT, 58% had experienced laptop theft, 9% had experienced theft of handheld computers and 29% had experienced theft of other computing devices such as portable drives. This compares with only 7% that had been hacked from outside the organisation.
Gartner has worked with one local council in Sydney, for example, that allows in its IT planning for each staff member to lose or have a laptop stolen once a year.
"Generally the physical asset, the device, is covered by insurance," said Andrew Walls, principal security consultant for Cybertrust. "It is what the device contained that is of most value."
Indeed many thieves do not even bother stealing the laptop as a whole and merely steal its hard drive. "Grabbing the hard drive is not fundamentally different to stealing the whole laptop, it's just a hell of a lot easier to get away," Walls notes.
And it's not just the laptops and their hard drives, but also smaller mobile devices that IT departments need to keep track of. Smart phones at the most basic level contain personal and business contacts that carry privacy obligations, and may carry corporate information in push emails and other business documents.
"The smart phone is today more powerful than a desktop computer was 10 years ago," Simpson said. "It needs to be treated as an IT asset in terms of security and support. Certainly the smarter they are, the bigger risk they represent."
Policies and how to police them
The dispersion of data into the mobile world has created a very urgent need in IT departments to create policies around use of mobile devices and peripherals, and to educate their users (ie, employees) about the risks involved.
Legally, an organisation requires a data control policy, said Walls, so that employees have a clear business practice to follow.
Employees at large corporations or government departments already tend to have policies around employee use of internet and email - and it's not unreasonable to have another concerning the use of mobile devices, of removable media and treatment of company data.
"They should be aware that you have the capability to investigate any breach of that policy," said Howard Waterson, regional manager for security vendor Centennial Software. "These should be things that they must adhere to in their contract of employment."
The weakest point in any technological system tends to be human behaviour, Simpson said. He is consistently surprised by how much data users cart around on their notebooks, particularly when wireless networks keep getting so much faster, making it easy to store their data on company servers instead.
"There are pack rats out there who never remove anything from their drives," Walls said. "They might have old client records there that haven't been touched in years. In keeping them, they expose themselves and the organisation they represent to far greater risk."
The sledgehammer approach
It's the enforcing of a policy, rather than mere encouragement, that tends to deliver the best results in terms of risk mitigation, said Richard Halliday, technical director for IT consultancy, Orstead.
For those with serious security concerns, administrators can take what Halliday calls "the sledgehammer approach".
"You develop a strong standard operating environment (SOE) for every computer whether they are workstations, or laptops, or mobile devices," he said. "You lock down all of these machines - disabling USB ports and limiting rights. It might prove unpopular for staff, but it's effective in cutting down your risk."
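The lockdown Halliday describes is, on a Windows SOE, mostly a matter of registry policy. The script below is an added example, not code from the article or from Orstead; it assumes a Windows build run with administrator rights and uses two documented registry locations: the USBSTOR service key (Start = 4 stops the mass-storage driver loading) and the DeviceInstall Restrictions policy key (DenyRemovableDevices = 1 is what the "Prevent installation of removable devices" Group Policy sets). The function and variable names are the example's own.

```powershell
# Added example: apply and verify a USB mass-storage lockdown on a Windows SOE.
# Assumptions: Windows, elevated PowerShell session, keys below are present on
# the build. Nothing here is the article's or Orstead's own tooling.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbStorageState {
    # USBSTOR Start: 3 = load on demand (Windows default, drives mount normally),
    #                4 = disabled (driver never loads, USB drives do not mount).
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start

    # DenyRemovableDevices: 1 = refuse to install any device whose bus reports
    # it as removable. Covers devices that are not plain USB mass storage.
    $deny = 0
    if (Test-Path $PolicyKey) {
        $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($null -ne $p.DenyRemovableDevices) { $deny = [int]$p.DenyRemovableDevices }
    }

    [pscustomobject]@{
        UsbStorStart         = $start
        DenyRemovableDevices = $deny
        Locked               = ($start -eq 4 -and $deny -eq 1)
    }
}

function Set-UsbStorageLockdown {
    param([switch]$Undo)

    if ($Undo) {
        # Restore the Windows default and drop the policy value.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
        if (Test-Path $PolicyKey) {
            Remove-ItemProperty -Path $PolicyKey -Name DenyRemovableDevices -ErrorAction SilentlyContinue
        }
        return
    }

    # 1. Stop the mass-storage driver loading. A drive already mounted stays
    #    mounted until it is unplugged; new insertions are refused.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    # 2. Block installation of new removable devices through device-install
    #    policy, so the lockdown is not limited to the USBSTOR class.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name DenyRemovableDevices -Value 1 -Type DWord
}

# Usage from an SOE build task or startup script: apply, then verify.
Set-UsbStorageLockdown
$state = Get-UsbStorageState
if (-not $state.Locked) {
    throw "USB lockdown not in effect: $($state | Out-String)"
}
$state
```

Two practical caveats go with it. Both values live under HKLM, so the "limiting rights" half of the quote matters as much as the keys: a user in the local Administrators group can reverse them in seconds. And in a domain the same settings are better pushed by Group Policy than by a script, so the control is re-applied at every refresh rather than set once at build time.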
Of course, there are some considerable downsides to this approach. For a start, mobile devices are issued to employees to make them more productive. Simpson said it is most often the employees themselves, and not IT departments, that discover ways that technology can make them more effective.
"Employees will come up with ideas that have productivity gains, but only if they get to play with the featureset of the device," he said.
Users also tend to circumvent any barriers that prevent them from achieving their goals. Simpson has had first-hand experience of this when advising large Australian organisations on their mobile device policies.
The mobile phone, he said, has become an Australian's "conduit to the outside world" - a symbol of a person's status. "Any attempt to force people to use a different device is likely to be met with outright hostility or at least an attempt to get around the rules," he said.
Increasingly, however, the data capabilities of these devices are proving to be a risk to the organisation. The variety of platforms available also makes it difficult for IT departments to cover all their security bases.
Gartner recommends a three-tier support policy. IT departments are encouraged to offer a 'cafeteria' selection of approved devices, chosen according to the employee's job role, for which they would provide 24/7 support and actively develop applications and server-based synchronisation via Outlook or Domino.
The middle ground
Ideally, Halliday said, you need a policy that strikes a middle ground between encouragement and enforcement.
The general consensus is that decisions on a mobile device policy should first be driven by senior management, before considering the detailed technological implications with IT and seeking buy-in from employees.
"If you leave decisions purely to the technical department, things can be missed," Halliday said. "IT can't always be aware of what's going on in all areas of the business."
The policy should also be a living document. Once drafted, it should still consider the needs and take in the feedback of users. "You have to ask users, if we were to disable your USB ports, how would that affect your job? The policy will most probably need to be modified on the basis of that feedback," said Mark Geddes, ANZ director of Sybase mobility solutions.
Where applicable, automate
Physical security devices, such as cable locks, lockable device cases and lockable PC docks, tend to be effective against theft. But they don't always help administrators sleep well at night, since their effectiveness is still entirely dependent on whether the employee actually uses them.
Mark Pullen, country manager for RSA Security, argues that if the breakdown in any system is the human, administrators should remove the human element from any data that is high risk.
"You need to put the technical controls in that make it impossible for the user to do anything otherwise," Pullen said. "You can't leave it up to chance. That's not control. That's hope."
Ideally, the end user should not even know the control is in place, Pullen said. The good news is: the tools that go about enforcing these policies in an automated manner are becoming both more effective and cheaper.
Richard Moss, head of British Telecom's security practice in the Asia-Pacific, said: "Everything we do in IT presents a threat to an organisation. The right policy is about understanding your risk appetite - how much risk you are prepared to accept to maintain your productivity."
Tips for securing the mobile workforce