Managing the New Network Edge

In the old days, the term “edge of the network” typically referred to a firewall located on an enterprise’s premises. Today, handheld devices and laptops are the new network edge, and these items walk out the door and are easily (and often) lost or stolen.

This creates a new set of security problems for enterprises, problems that Mike McClaskey, CIO of Perot Systems, painfully understands. That’s because his company’s business depends on mobile access. It has 14,000 users carrying laptops and other mobile devices like BlackBerrys. And on each of those devices is sensitive e-mail and other data.

“We have a fair number of devices that go missing in a year,” acknowledged McClaskey.

Data Sensitive

The problem isn’t so much the expense of replacing the devices but, rather, the sensitive nature of information stored on them, noted Bob Elfanbaum, author of Incorporating Handhelds Into the Enterprise and CEO of Asynchrony Solutions, which sells mobile device management and security software.

Elfanbaum said this is not just a problem for IT managers who implement security policies.

“I talk with a lot of CIOs and they’re the ones who are saying that (mobile devices are) strategically important, that they use them to put data in the hands of people in the field who touch customers,” he said. “If you put devices out there, there’s risk. CIOs are seeing the benefits of mobile devices, but they also have to clearly recognize the security risks.”

Problems and Solutions

There are many anecdotes about the potentially disastrous lack of security applied to mobile devices. One of the most widely repeated stories is how a high-level executive of a large financial services firm sold his BlackBerry on eBay and discovered, long after the sale, that the device contained all manner of sensitive data.

However, hard data quantifying the risk is also starting to emerge. A recent Forrester study found that fewer than 10% of all large enterprises centrally manage and secure mobile devices. Similarly, a survey by a European security firm found that two-thirds of all users don’t encrypt confidential data kept on mobile devices and that a third don’t use password protection.

Yet, the survey found that 13% of the respondents have lost a mobile device.

Fortunately, a number of solutions are readily available, according to Elfanbaum, McClaskey and Steven Branigan, a consultant for technology vendor Stroz Friedberg.

“This problem is just beginning to reach a level of consciousness in the enterprise,” Branigan said. “One of the most attractive solutions is centralized management.”

Software is available from a variety of vendors, such as Computer Associates and JP Mobile, that helps IT personnel centrally manage devices and the security policies used to lock them down.

“The biggest problem is developing policies that people will follow,” Branigan said. “To do that, people have to understand how they use their PDAs and what they are storing on them. There are a lot of best practices that have evolved over the years for security that can be applied.”

For instance, Elfanbaum cited password selection policies that have long been used in companies. In addition to centralized management, McClaskey and Branigan said they use security that is built into the devices.

McClaskey said Perot Systems only supports laptops, BlackBerry devices from Research In Motion and palmOne Treo smart phones. By limiting the devices available to end users, Perot simplifies management, McClaskey said. Plus, both supported PDAs have powerful built-in security capabilities. For instance, the devices can be set to require users to log in again if there is inactivity for more than a certain amount of time.

“That creates a usability issue, but it’s worth it,” McClaskey said.

In addition, if repeated log-in attempts fail, indicating a stranger is trying to gain access, all the data is automatically wiped off the device. If necessary, that data can be restored remotely via wireless connections, a capability the supported devices provide.

Also, once the devices are confirmed to be missing, data can be deleted remotely, even if the device is turned off, McClaskey said. Other options include encrypting data on laptops and smaller mobile devices, a capability that is typically built into the devices themselves.

With so many key personnel using mobile devices to increase profits and productivity today, the network edge is no longer the security barrier it once was. This is okay so long as technology executives lead the effort to make sure the devices and the data remain secure.