Mobile security: the balancing act

Losing sensitive data is a major fear for businesses, particularly those with remote workers. William Knight looks at how businesses are marrying greater security with usability and productivity

Fear is a word that is rarely used in IT. It suggests uncontrolled emotions, and activities far from the rational risk-analysis processes that most enterprises aspire to conduct. Nevertheless, fear can be useful, as it can force you to focus on a problem.

It is with a certain level of fear that many companies face the demands of legislation regarding handling data and the prospect of losing sensitive data.

At law firm Turcan Connell, it is Peter Quinn's biggest fear that confidential data pertaining to its clients will get into the hands of the press or will be used against the business. As with most businesses handling sensitive data, the firm's reputation is key to its success.

As head of IT infrastructure, Quinn is responsible for IT security. The law firm holds clients' private information on all of the 70 Orange SPV pocket PCs the lawyers use when working remotely, and ensuring that sensitive data held on the devices remains secure in the event of theft, loss or compromise presents Quinn with a major challenge.

Quinn says that allowing lawyers to work remotely with devices containing this sensitive information is problematic. "We are dealing with a number of clients through various confidential issues, legal work and asset management. Even personal contact information is a difficult area to control," he says.

Quinn realises that loss of reputation is only one adverse effect of losing sensitive data. There is a growing worldwide collection of laws, standards and protocols that dictate how information can be processed, transferred and stored.

From the well-known Sarbanes-Oxley regulating US-listed companies, to the UK's Data Protection Act and the less understood Cold War Wassenaar arrangement potentially forbidding encrypted data exports to Hong Kong, companies storing sensitive data face a crowded legal landscape.

Many regulations require not only adherence, but provable compliance, says Andy Kellett, senior analyst at analyst firm Butler Group. "You have to control the people who have access to your sensitive information. If you fail to do so properly, compliance will be what kicks in and gets you into trouble," he says.

It is relatively straightforward to comply to controls when certain data is held behind the enterprise fortress walls, but securing against mobile devices and remote working presents a more difficult challenge.

Memory sticks, e-mail attachments, instant messages and web portals can siphon data away from central servers before you know who is logged on. For this reason, organisations limit functionality of mobile devices to a finite set of well-understood features, with quantifiable risk profiles.

Johnnie Walker is the IT user support manager at financial services organisation Cofunds. Before rolling out Blackberry handheld devices, the company conducted a 12-week comprehensive pilot study.

"We have a security team that runs a risk audit first, and we have to meet their risks with controls. We had to ensure we were properly secure, that nobody could infiltrate the Blackberry, get onto the device, take any data from it, intercept it over the airways, penetrate our firewalls, or get to the server itself," says Walker.

The pilot study helped Walker to strike a balance between maximum flexibility and minimum risk when using the devices. Walker says the process helped him decide the user functionality that could be added or removed based upon risk analysis and evidence.

"No data is kept on the Blackberry, it is all on the back-end, on Exchange. You have got all your encryption using Advanced Encryption Standard and Triple-Data Encryption Standard on the device so that nothing can be intercepted wirelessly. E-mails are stored encrypted, but there are no files stored. If you send an attachment it can be retrieved from the server but, once closed, it is not stored locally, you have to retrieve it again," he says.

Choosing devices that cannot store data, but can only view it - a thin client - is an effective way to secure data, says Jeremy Green, principal analyst for enterprise mobility at analyst firm Ovum.

"There is an important school of thought that says you should not have anything on the device. All the important information stays on the server and you just have a browser-based application that lets you view it," he says.

Limiting the user's activities relieves many security issues. So while devices are becoming increasingly powerful, security teams are busy hobbling available features. Device manufacturers cater for this with custom controls and downloaded policies that determine how the device behaves.

Walker has limited Cofund's Blackberries via a downloadable policy. "We do not allow access onto the network and you cannot access the network drive. It was a risk under the risk assessment, so the option was removed completely."

With a centrally-set secure password reset every 30 days and a limit of five log-on-attempts, Walker is happy the security of Cofund's devices is well within the limits set by the risk assessment.

But many companies want the power of handheld devices to keep staff productive while working remotely. Limiting device functionality can limit advantages.

Lawyers at Turcan Connell need access to sensitive files while travelling, at home and while disconnected from the company's servers. There is no choice but to keep files on the handheld device, says Quinn. Lawyers manage e-mails, personal contacts, client data and a calendar. Client-related documents may also be kept on the device.

"The ability to remotely wipe the device is crucial," says Quinn. If the device is lost or stolen, a command can be issued to delete the data. To help, Turcan Connell sourced software from mobile device software supplier Synchronica. The software allows Quinn to lock the device and wipe the data, along with another more ostentatious feature.

"There is a nice facility to 'lock and scream'. When you switch the device on it screams at you. A loud scream. If you remove the battery it will stop, but as soon as you put the battery back in, it will start screaming again.

"We had to do it on one occasion. We had one of our lawyer's bags stolen from his car and it contained the device. When a device is reported missing, we have a policy to immediately change that user's account password," Quinn says.

"So even if the thief bypassed the security, the device would not be able to synchronise back to the main Exchange server. We changed the password and used Synchronica to wipe the device."

The "scream" feature relies on central control for activation, however, a feature that is possibly more secure is what Green calls the "dead man's handle". This idea is inspired by the railway safety device that ensures a train stops if the driver falls asleep or suffers a heart attack.

For mobile devices, if you do not enter your password periodically, or if it cannot call home, it switches off, perhaps deleting sensitive data.

"If the device is no longer connected to the network then after a while it is going to shut itself off. Of course, that is rather user unfriendly. Some of the things you want to do for the sake of security contradict usability, and some of them contradict other things that you want to do," says Green.

The difficulty for users adapting security features is something both Quinn and Walker have had to address through user training, seminars and enforcement.

Walker is certain his users would love free-roaming access to the internet and access to all their network drives, but he says it is simply not possible. "If we gave that sort of access we would not have a tight control over security. It is necessary to protect the integrity of the company. This is company equipment, after all. This is the way we do things," says Walker.

Such constrictive policies can annoy users, and password management can be a particular area of conflict.

"Putting on and using the security on your laptop is just one more barrier to being able to work effectively. It is all very well for IT people to put security barriers on devices, but if you are trying to do work and each time you have to put in hordes of passwords you will get round it as best you can," says Green.

He admits to changing his own Blackberry's automatic password time out from two minutes - as set by his IT department - to two hours. "I have made it less secure, but I have made it less secure because I want to work, not because I am cruel or because I want to make things less secure. I just want to do my job," he says.

Most enterprises still rely heavily on passwords as a security measure. Newer identity and access management systems, which may include multifactor authentication such as biometrics and smart cards, are seen as overbearing.

"One of the realistic arguments against fully-functioning identity and access management systems is that they are too complicated and too expensive to police and monitor and control. There is too much going on," says Kellett.

"Those organisations who have done better out of using this type of system have been the ones who have stepped back in the very beginning and said, 'what are the key things that we are trying to achieve here?' If you try and achieve everything in a big project, dragging everybody in at the same time and linking in all the access codes, you end up restricting the organisation itself."

Quinn tries to balance security and usability. He accepts that the background fear of data compromise will always be with him, but he is confident in his "robust security arrangements". He is now considering new applications for further business advantages.

"We want to establish as many core systems on the mobiles as we can. It is critical when you have a high volume of your workforce that is actively mobile that they have access to the information that they need to do their job," he says.

Fear of mobility should not constrict the users unduly or prevent the enterprise advancing. As Quinn says, "The more you can give the users, the greater the enhancement to the business."

Business data protection: the expert view >>

New attacks demand new defences >>

Set strict policies for mobile workers, says SurfControl >>

Network access control learning guide >;>;

Turcan Connell >>

Cofunds >>

Synchronica >>

Comment on this article: [email protected]

Read more on Mobile networking