Feeds

Being mobile in a secure and managed fashion

More heated debate

  • alert
  • submit to reddit

The essential guide to IT transformation

Well, we're back! Thanks to those who registered and responded to last week's debate and workshop on mobile email. You can see a round up of this here, but meanwhile, we want to pick up on the question of mobile security and the need for device management.

The big question here is how you're creating mobile policies and practices to deal with this area, or are extending existing practices into the mobile world. Here are some thoughts and more specific questions to get you going:

Information leakage: This is a growing issue for businesses with the increasing availability and decreasing cost of high density flash memory. Flash is present in USB memory sticks, smart phones, PDAs, and of course mobile email devices. Data on mobile storage can be easily compromised through loss or theft. Since Mobile email devices have been popular with senior management, the potential lost data is necessarily likely to be very sensitive. Do you have policies in place to deal with this? If so, are they just for mobile email or across the board for mobile storage? Either way, what are the challenges and do you have any tips or advice on how to overcome them?

Lost/stolen devices: Recent media stories tell us that the lost property offices of Britain's airports are filling up with unclaimed laptops. It would seem that many users are happy to declare items lost or stolen rather than deal with the hassle of trying to find them again. Is this true? Does the attitude of users translate to a security risk? And how do you deal with lost and/or stolen devices from a security and systems administration perspective?

Malware: As the use of mobile data reaches critical mass and the market converges around a few consistent operating systems, the "attack surface" goes up and there's a higher risk of attracting the attention of malware authors. Will this create the need for similar counter-measures to the ones we are used to with the desktop environment? Indeed, have you or your users already experienced attack by mobile malware? If you think the threat is real, how do you manage (or plan to manage) the protection of remote devices? Or are the risks in this area all just hype?

Snooping: Operators tell us the connection between the device and cellular base station can be assumed to be secure from snooping. Any reason to doubt this? And what about public Wi-Fi and Bluetooth? Again, is snooping of wireless a minor or theoretical concern that has been hyped out of proportion, or something high on the list of potential vulnerabilities? If the latter, what can be done to manage the risk?

Data Encryption: If the data files on a device are not stored in an encrypted form, defeating the password (if there is one) opens up the device, as does physically targeting the flash memory. By encrypting the data you are giving yourself a reasonable chance of protecting it, but how is this working in practice? Is it available from your device supplier, do you use a third party solution, or is this all just too much hassle to be practical?

Authentication: Of course, all of the data encryption and secure connectivity in the world counts for zilch if a third party can simply pick up a lost or stolen device and start using it because there is no authentication mechanism in action to stop them. In your experience, how many devices connecting to your network are secured with even a simple password? Is there a place for advanced authentication like two factor, biometrics, tokens, etc? Users like the convenience of mobile devices, but how do you implement effective authentication without undermining this convenience factor? Fingerprint readers?

Device management: Many of the above topics clearly suggest a need for effective mobile device management. The genie is already out of the bottle with mobile email. Whether you regard it as an essential business tool or a vanity item, it would appear to be here to stay. How are systems administrators dealing with this and the evolution of requirements to access non-email applications? Is it a case of damage limitation, or proactive policy management? And are policies actually enforceable, e.g. are you suffering from users with the necessary political clout introducing devices that cannot be easily managed or supported?

Unified vs separate approaches: Some would argue that the needs of mobile security and device management are special so should be dealt with through separate tools, policies and procedures. Others make the case for extending existing IT security and administration policies and infrastructures to embrace the mobile piece to achieve as much consistency as possible to keep risks and overheads to a minimum. Where do you stand on this? The unified approach obviously has its attractions, but are traditional systems admin tools able to cope? If specialist tools are required, what is your experience of getting everything working together such as password management, application access control, single sign-on, etc?

These are just a few of the considerations in this space, and we are sure you can think of more. Once again, we'd therefore like to get your comments, so we invite you to chip in your thoughts below and add to the debate.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Déjà vu: Virgin Media jacks up broadband prices
Screw copper phone lines, we're UNIQUE, bleats telco
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
New Sprint CEO says he will lower axe on staff – but prices come first
'Very disruptive' new rates to be revealed next week
US TV stations bowl sueball directly at FCC's spectrum mega-sale
Broadcasters upset about coverage and cost as they shift up and down the dials
What's the nature of your emergency, Vodafone?
Oh, you've dialled the wrong number for ad fibs, rules ASA
EE network whacked by 'PDP authentication failure' blunder
Carrier is 'aware' of cockup, working on a fix NOW
ROAD TRIP! An FCC road trip – Leahy demands net neutrality debate across US
You crashed watchdog's site, now time to crash its ears
Google's so smart it's discovered SHARKS HAVE TEETH
Congratulations, world media, for rediscovering submarine cable armour
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?