http://www.fcw.com/article102990-06-18-07-Print
By Alan Joch
June 18, 2007
Security is one of the biggest management challenges that agencies face
with mobile wireless devices. Chief among managers’ worries are the risks
associated with employees using their own smart phones and personal
digital assistants for official work.
“If you don’t own the device, you can’t secure it,” said Michael King, a
research director at Gartner.
By provisioning devices for employees rather than allowing them to
connect to agency networks using personal gear, managers can ensure that
the right security software is running on each device and that hardware
is up-to-date with software patches and other upgrades, said Ira
Winkler, author of “Zen and the Art of Information Security,” a book
that examines digital security threats.
Organizations that provision wireless devices also have better control
of sensitive information if an employee leaves the agency, said Doug
Landoll, general manager of En Pointe Technologies, a systems
integrator. “If it’s my PDA, and I leave the organization, how do you
know that I’ve deleted the data?”
Retaining the phone number is also important. “When someone has been
representing your agency, that number is a kind of advertising,” Landoll
said.
He recommends that agencies include representatives from organizations
outside the information technology department when writing wireless
management policies.
“There are questions for the legal department, and having the device
returned when someone is terminated is a [human resources] issue,”
Landoll said. “When you’re writing policies, you need to integrate all
those various departments.”
Security policies should clearly spell out who receives reports of lost
or stolen devices. Policies should also include procedures for
decommissioning a missing unit to prevent someone from downloading or
sending sensitive information, Landoll said.
The Commerce Department uses a combination of strong passwords and
encryption to keep unauthorized users from accessing data and wireless
services.
“If someone gets access to my [e-mail account], he can send messages as
though they came from me,” said John McManus, Commerce’s deputy chief
information officer and chief technology officer. “Things like phishing
become easy to do when you’ve got access to a legitimate user’s
account.”
Commerce uses the standard security tools for the Research in Motion
BlackBerry to protect devices and scramble data when it’s traveling
through the wireless network, McManus said.
Platform security
The BlackBerry platform gets high marks from technology analysts for its
security capabilities. Its closed-loop architecture connects agency
e-mail servers to a BlackBerry Enterprise Server, which communicates via
a secure channel to a network operations center and to BlackBerry
devices.
“It’s one of the few wireless end-to-end systems that the [Defense
Department] has said is okay,” King said. “But because it’s a closed
loop, it’s hard to expand that functionality beyond just e-mail. What
you gain in security and manageability you sacrifice in flexibility and
extensibility.”
Platforms based on the Microsoft, Palm or Symbian mobile operating
systems are easier to customize, King said, but they require more
upfront work and third-party security tools, such as Sybase’s Afaria
mobile security suite and encryption software from Bluefire Security
Technologies, Certicom and VeriSign.
“I’m not suggesting that you can’t secure mobile devices on those
platforms. I’m just saying security is not as built-in as on the
BlackBerry side,” he said.
Standard configurations
To ensure that mobile wireless devices are secure, agencies also must
take steps to securely configure the devices. Commerce technicians
disable any default features on mobile devices that employees don’t
require to do their jobs. That includes a sync feature that allows
devices using Bluetooth technology to discover other compatible wireless
hardware in the area.
“The default configuration would allow someone to come into the room
with a Bluetooth device that says, ‘Tell me all the other Bluetooth
devices in here.’ And your device would actually say, ‘Hi, I’m here, and
here’s my status,’” McManus said. “You can also turn off things like
file transfer, because you don’t usually expect people to be doing a
file transfer from their BlackBerry to another BlackBerry. If I’m a
consumer, I may not care if anybody can use the Bluetooth capabilities.
But if I’m a senior executive in the federal government, [that’s] a
whole new threat.”
Agencies also need to control the amount and type of data their
employees download onto their wireless hardware. “They are going to put
more data that you would never think of on the devices,” Winkler said,
“which means there’s going to be more data than you ever thought
possible at risk.”
-=-
Joch is a business and technology writer based in New England. He can be
reached at ajoch (at) worldpath.com.
Received on Tue Jun 19 00:06:04 2007