By Matt Hines
August 21, 2007
From top-level execs to workers in the field, enterprise end-users are
growing increasingly dependent on anywhere, anytime access to essential
corporate data and apps. As such, the call for an effective,
business-critical mobile initiative is fast becoming the norm for
organizations of all sizes.
But with greater exposure to information technology assets come greater
information security risks. And just as enterprises replace conventional
mobile phones with newer handhelds that offer datacentric tools and
access to sensitive information, IT departments are increasingly being
forced to retool their data defense requirements to account for
smartphone and PDA use.
"Organizations are thinking about the BlackBerry or smartphone as an
extension of the computing network, and as a terminal that's carrying a
lot of sensitive enterprise data," says Scott Totzke, vice president of
the global security group at Research in Motion, maker of the BlackBerry
handheld device. "We're hearing more than ever from customers looking at
protecting data on the device. They want tools to kill information or
lock it down when a handheld is lost, they want to encrypt sensitive
data in transit and at rest, and there are growing concerns around
Although Totzke denies that security concerns are slowing down
enterprise uptake of RIM's BlackBerry devices, he admits the issue has
made his company's sales process "more complex," as customers are going
to greater lengths to ensure that data on handhelds is adequately
protected before they buy.
One such customer, FOWGroup, supplies IT services to the U.S. Department
of Defense, among other federal agencies.
In working with the Pentagon's IT leaders on mobile device adoption,
including an ongoing project to replace 1,200 existing handhelds with
new BlackBerries, executives at the consultancy say that security
concerns have become a primary focus.
In May 2006, the highly publicized theft of a Department of Veterans
Affairs laptop containing millions of servicemen's records led to a
series of heated debates on Capitol Hill. Since then the emphasis on
making information security a central part of the hardware procurement
process has shifted to the fore, including for handhelds, says Will
Alberts, chief executive of FOWGroup.
"No one wants to end up on the front page of the newspaper, and everyone
recognizes that the additional capability of storing more data on the
device opens new risks," says Alberts, who is also a member of the
National Security Administration's Joint Wireless Working Group.
"Senior leaders can't get enough of these types of devices," Alberts
adds. "And sometimes their concerns around security are less than you
hear from IT, but there's no question that the information-protection
issue has become a central consideration for everyone."
In addition to the security features that RIM offers, including remote
data-wiping tools and integration with two-factor authentication
systems, Alberts says that government organizations are interested in
utilizing encryption capabilities offered by the device maker and other
third-party vendors to defend mobile data more aggressively.
And it's not just the Feds who have mobile security and encryption in
mind. Private organizations in the health care, financial services, and
manufacturing sectors also confront significant mobile information
security issues, particularly those affected by data-handling
regulations such as Sarbanes-Oxley and HIPAA. As these organizations
distribute handhelds to senior executives and work through initial pilot
programs, they gain a better understanding of related security
"Mobility is bringing more functionality into enterprises as the devices
expand, and there are great productivity gains, but on the flip side the
costs of downtime and impact of potential data loss have increased
significantly," says Kara Hayes, senior product marketing manager for
the security and mobility connectivity group at Nokia. "As people look
at ways to roll out these devices to a larger community base, they want
to be able to manage security centrally and gauge the impact with their
existing security operations."
Hayes says security concerns most commonly voiced by enterprise
customers include issues related to lost devices, use of unsanctioned
handhelds or mobile applications, and the potential for hackers to
hijack the machines' wireless data transfer systems.
The technological solution that appears to be generating the most
interest among enterprises of late, Hayes says, is encryption, with
companies increasingly seeking ways to tailor the security feature to
different sets of users.
"With encryption, companies are figuring out that they need to know who
the users really are and what type of functions they are going to use;
they understand that they need to have different types of policies and
deploy different levels of encryption to the necessary users, and not
necessarily everyone," Hayes says.
"If an individual is a hard-core user of e-mail, messaging, or mobile
[CRM] tools, they are at higher risk and need this type of protection,"
Hayes says. "Having different policies in place makes it easier to
manage deployment across an entire mobile user base."
Secure by integration
One of the issues Nokia stresses with smartphone customers is the need
for organizations to synchronize mobile device security with back-end
network protection to ensure that administrators can isolate potential
weak points in their overall infrastructure.
And consultants agree that a comprehensive security strategy is vital
for preventing headaches down the line.
If mobile device security is handled without direct consideration of its
impact on other IT operations, issues of interoperability and
compromises in protection will be inevitable, says Mark Lobel, principal
for advisory services at PricewaterhouseCoopers.
"The problem and the opportunity with these more powerful mobile devices
is that the data is now everywhere users want to carry it, and people
sometimes bring the technology onboard in consideration of the benefits
without considering all the risks," Lobel says.
"The mature IT organizations that bring network security people to the
table during the decision-making process are the ones who are doing the
best job," Lobel says. "And people need to have these conversations
about the risks and solutions in business terms so that everyone
involved understands; it's hard to tell the CEO no when he wants
something, so it's important to explain things in a way that everyone
The mobile security ecosystem
Where there is cause for concern, there are market opportunities, and
security software makers are moving quickly to cash in on the demand for
more sophisticated mobile security.
One company, F-Secure, is sourcing its security applications through
wireless carriers in an effort to stake a claim in the mobile device
space. The Finland-based security vendor has signed deals with a range
of leading European mobile operators, including Vodafone, T-Mobile, and
Orange, to make its security tools -- which include anti-virus
applications, firewalls, and encryption technologies -- available under
the carriers' SLAs. F-Secure is looking to extend this practice in the
United States in the near future.
According to F-Secure officials, bundling security into wireless
contracts and allowing operators to offer additional device defense
services will prevent enterprises from having to deal directly with a
wide array of vendors, thereby securing mobile initiatives in a more
cost-effective manner. Moreover, with security part of the package,
end-users will also be more likely to use their smartphones in more
interesting ways, says Curtis Cresta, general manager of F-Secure North
"The critical mass of smart device users is changing perceptions of
adoption; much as with laptops, there has been a natural evolution with
security, and a growing number of enterprises are now coming to us for
advice," Cresta says. "For instance, there has previously been a bit of
resistance to pushing business applications out to handhelds, and
applications companies have even come to us looking for help selling
their products, but the market appears to be coming around, and having
better security available from the carriers is a significant part of
Wireless operators themselves are looking to benefit from the greater
emphasis on mobile security, as some are already marketing what they
describe as mobile lifecycle management services, which promise to offer
end-to-end security capabilities.
Sprint Nextel, for example, offers Sprint Mobility Management. Available
for roughly $8 per user, the portfolio includes compliance, data
protection, and anti-virus services for handhelds, along with other
Sprint executives contend that wireless operators, which have existing
relationships with device makers, operating system providers,
applications developers, and the like, are best positioned to pull
together a comprehensive set of security features and to free user
organizations from trying to manage them all on their own.
"Security concerns have slowed down adoption of smartphones in the past,
especially with high-sensitivity organizations operating under
regulations and compliance concerns," says Stephanie Burnham, product
marketing manager at Sprint. "We're trying to recognize these concerns
and help organizations get over the obstacles that prevented them from
using all the mobile business applications they might otherwise adopt."
Learning from laptops
In addition to researching device capabilities, carrier services, and
aftermarket technologies to help protect mobile devices, analysts advise
enterprises to look at advanced handhelds in the same way they have come
to view laptops and other technologies from a security perspective.
Sam Bhavnani, an analyst at Current Analysis, contends that
organizations should take the best practices they have developed for
laptops and port them directly into their smartphone adoption plans.
"This all goes back to the migration from desktops to laptops. There are
a lot of common sense implications, and people need to be sensible about
creating realistic policies that both protect the data on the device and
allow users to tap into the potential of the smartphones," Bhavnani
says. "Some people are still scared to go there. They know that adopting
these devices will open another can of worms, but creating smart
policies ahead of time and building on their laptop experience will be
the best ways to foster strong mobile security."
In other words, your best bet for a mobile security framework may
already be in place.