Smarter security for smartphones
Getting that balance with ease of use
Mobile phones are emotive devices. They have your kids as the wallpaper, texts saying who loves you and both your work and personal lives in one.
Even if it’s a company device there is an emotional bond between the user and the device that is unlike any other. Very few people feel precious about their laptop. Mobile phones are also a status symbol, male jewellery.
It’s why an 80kg sales manager decides that his 100g phone is “too heavy”. Staff want to choose their own device. Often to the extent of buying it.
This makes managing their pocket computer a challenge for IT departments. While you can, usually, dictate that your workplace is a Windows environment it’s much harder to do the same with the raging religious wars of BlackBerry, iPhone, Symbian and Windows 7.
Just as you get some exec wanting a Mac as their laptop and upsetting your plans for VPNs, managed builds and security, on the basis that they paid for it, so you must support it, you’ll get the same with handsets.
As the vagaries of phone fashion change you can soon be running to keep still. If you are spread between Europe and the US you are likely to have users who want Nokia and Palm devices because that’s what they’ve always used.
The biggest problem is security.
Inside the building, outside the firewall
One threat that is rarely worried about with mobile phones is the hole they provide to carefully built firewall policies. While you may have crafted a security policy which prevents users from getting to sites and exporting data over the corporate network there is nothing to stop them from sitting at their desk, disconnected from your network, with a tethered phone, using webmail to send whatever they like to whoever they like.
You have a device which contains confidential information, is highly portable and often in the position where it might get left in a taxi. Worse it has VPN access to a network you’ve worked hard to keep secure, and runs through networks where you have no control over the security.
Balancing ease of use with security
Balancing ease of use with security is difficult. Networks expert Steve Cassidy – who specialises in keeping lawyers connected and protected - says: “All the networks I've seen that think it's big and clever to extend a VPN to a smartphone, end up with very low customer satisfaction levels, because the people doing the implementation turn out to have other, overlapping stupidities that kill off the VPN altogether.”
It’s essential that your handsets have the same level of password security as laptops with passwords needing to be refreshed, auto-lock and power-on passwords, memory encryption for removable memory, limits on application installation, and automatic email forwarding. You additionally want control over data deletion.
It should be easy to wipe a lost phone remotely or wipe itself if the password is entered incorrectly too many times. You’ll also want simple data restoration, not only for when the phone is found or replaced but so that it isn’t too much of a nuisance when one of your staffers gets drunk with his mates and they think it would be a bit of fun to enter the wrong password ten times while he’s at the bar.
The migration of web security with SSL to the handset has helped a little - there was a time when the mobile world saw WTLS as the future and the translation between mobile and web standards meant all data was held in plain text on machines at the mobile network operator.
Microsoft initially made its link to the enterprise a major USP (unique selling point). RIM took this crown with lower bandwidth requirements, significantly better security and superior mail handling. Security so good that it’s caused governments concern. All data is held on BlackBerry’s servers so you need to trust someone but many spooks and law enforcement agencies do.
Apple isn’t in the same league, particularly in regard to signalling efficiency, which has led to some concern behind closed doors in the operator community. Still that doesn’t stop gadget fans wanting them. As Shaun Collins of CCS Insight has been quoted as saying: “Operators never planned for the day when teenage girls wanted BlackBerries and CEOs wanted iPhones”.
For the particularly data paranoid there are some end to end device software solutions. While cracking the GSM encryption and mobile viruses are more the stuff of headlines than of real life if you are really paranoid you can go for heavy duty solutions. For voice encryption there is Cellcrypt.
This is a smartphone VoIP solution. Voice data is securely encrypted. Since there has never been any hint that 3G security has been compromised you’d probably be most worried about legal intercept to go for this expensive solution.
A solution that is more in line with most IT requirements is CryptoExpress which ensures than no information is kept outside of your network in a non-encoded form.
But there might be an opposite benefit of using a unique, personal device, Steve Cassidy again: “I actually think there is an opposite trend that may well develop, where people need to rely on physical authentication, a bit like posh banks and those credit-card sized RSA key generators. Smartphones that surface their IMEI (or an analogous identifier) could well end up *enhancing* security”.
There is however a difference between being secure to all intents and purposes and knowing that you are absolutely secure. Many professions need to know and it’s those that will pioneer security for the rest of us.