Balancing ease of use with security
Balancing ease of use with security is difficult. Networks expert Steve Cassidy – who specialises in keeping lawyers connected and protected - says: “All the networks I've seen that think it's big and clever to extend a VPN to a smartphone, end up with very low customer satisfaction levels, because the people doing the implementation turn out to have other, overlapping stupidities that kill off the VPN altogether.”
It’s essential that your handsets have the same level of password security as laptops with passwords needing to be refreshed, auto-lock and power-on passwords, memory encryption for removable memory, limits on application installation, and automatic email forwarding. You additionally want control over data deletion.
It should be easy to wipe a lost phone remotely or wipe itself if the password is entered incorrectly too many times. You’ll also want simple data restoration, not only for when the phone is found or replaced but so that it isn’t too much of a nuisance when one of your staffers gets drunk with his mates and they think it would be a bit of fun to enter the wrong password ten times while he’s at the bar.
The migration of web security with SSL to the handset has helped a little - there was a time when the mobile world saw WTLS as the future and the translation between mobile and web standards meant all data was held in plain text on machines at the mobile network operator.
Microsoft initially made its link to the enterprise a major USP (unique selling point). RIM took this crown with lower bandwidth requirements, significantly better security and superior mail handling. Security so good that it’s caused governments concern. All data is held on BlackBerry’s servers so you need to trust someone but many spooks and law enforcement agencies do.
Apple isn’t in the same league, particularly in regard to signalling efficiency, which has led to some concern behind closed doors in the operator community. Still that doesn’t stop gadget fans wanting them. As Shaun Collins of CCS Insight has been quoted as saying: “Operators never planned for the day when teenage girls wanted BlackBerries and CEOs wanted iPhones”.
For the particularly data paranoid there are some end to end device software solutions. While cracking the GSM encryption and mobile viruses are more the stuff of headlines than of real life if you are really paranoid you can go for heavy duty solutions. For voice encryption there is Cellcrypt.
This is a smartphone VoIP solution. Voice data is securely encrypted. Since there has never been any hint that 3G security has been compromised you’d probably be most worried about legal intercept to go for this expensive solution.
A solution that is more in line with most IT requirements is CryptoExpress which ensures than no information is kept outside of your network in a non-encoded form.
But there might be an opposite benefit of using a unique, personal device, Steve Cassidy again: “I actually think there is an opposite trend that may well develop, where people need to rely on physical authentication, a bit like posh banks and those credit-card sized RSA key generators. Smartphones that surface their IMEI (or an analogous identifier) could well end up *enhancing* security”.
There is however a difference between being secure to all intents and purposes and knowing that you are absolutely secure. Many professions need to know and it’s those that will pioneer security for the rest of us.