Taking the sting out of mobile data theft

Businesses must look hard at how they secure data on mobile devices, writes Jason Compton.

Written by Jason Compton

Losing your laptop is like losing your wallet - only worse. It's not just the inconvenience; replacing it is also expensive and time consuming.

But while you can quickly cancel your credit cards, the sting of a misplaced or stolen PDA goes much deeper. Sensitive data could be compromised and valuable work lost.

From laptops to smartphones, mobile computers are targets because of the ease with which information can be transferred and exchanged.

"The things that make them attractive, such as flexibility, are the things that introduce additional security risks," explained Andy Baines, principal consultant for Fujitsu Services.

In short, data will become mobile because it is easy and convenient. It is the job of IT to cap the flow of data that should not be contained, and to keep a vigilant eye on data which is exchanged.

Start dealing with the problem by assuming that any or all mobile IT devices in your firm can and will go missing.

Devising a plan based on this will allow you to reduce the damage created by the loss, and minimise the recovery time to get users up and running with new equipment.

"I've had two PDAs stolen in my personal life, and it never affected me," said Mike Lee, security specialist at BT Global Services.

"I took the view that I expected it to be stolen, and expected that data to be available to others. So the data I kept on there was public domain."

Not all organisations will be willing to go so far as to restrict mobile data usage to that contained in open records.

But no mobile security plan will be universally enforceable unless it stems from a strong assertion that, while data protection is every employee's concern, the ultimate responsibility rests with the firm.

"In the environment we work in, the data on the device belongs to the firm, and it needs to define and set the security policy for the device," said Jackie Groves, UK managing director at Utimaco Software.

Assume the worst, prepare for the best

Forethought and planning can draw most of the sting of mobile device damage or theft. Most of the theory is obvious, but follow-through remains an important responsibility.

Password policies remain the cornerstone of good data security. Virtually any portable device can be protected with a power-on password.

It's possible to train users to craft complex passwords that aren't susceptible to guesswork or dictionary attacks.

Make mobile only that data which needs to be mobile. "The easiest way to secure mobile devices is to make sure that data isn't on them," explained Rob Enderle, principal analyst at Enderle Group. "The more that's on the server, the more safe you'll be."

This is increasingly possible, although still by no means absolute, in a market with rapidly evolving multi-modal wireless communication. Backups are the key not only to restoring productivity, but to assessing damage.

"One of the biggest problems with PDAs is knowing that the data's been stolen," said Lee.

Regular mobile backups can make re-imaging a replacement notebook much less of a chore in the event of loss or catastrophic drive failure.

For PDAs, which typically have high-speed USB links to PCs and a small amount of memory to back up, there is little excuse not to spend the time. Backup images can be analysed to determine what data is at risk in the hands of a thief.

Data controls will not solve the entire problem. While data synchronisation can be monitored, conditionally restricted or even shut down entirely, if a user insists that a particular piece of information be incorporated in his PDA, he can manually enter it via stylus or keypad.

Working with employees to ensure that their mobile data needs are met, understood and properly backed up will pay greater security dividends than frightening them into wasting time transporting forbidden fruit, which will be much harder to recover in the event of device loss or damage.

As with so many other business problems, the question comes down to people, communication and a willingness to co-operate.

It's important to understand not only the data contained on a mobile device, but what access that mobile data may be able to unlock in the hands of another.

Browser-cached passwords and a VPN client can turn a stolen laptop into a skeleton key to your organisation. IT must be ready to cancel authorisations for users associated with missing devices at short notice. And get serious about enforcing the proper use of mobile devices.

"The worst thing you can do is give a laptop or PDA to an executive and let him configure it, because he's going to give it to his son to play with at night," said Lee.

All this does is open up the device to all manner of security threats.

Protecting PDAs

"The latest recommendation for PDAs is multi-level security: integrated biometrics, PIN, folder encryption and wireless encryption," explained Lee.

"Some of that is overkill for checking your mail but, if you have some company-specific data on these, you would want to use that kind of security."

Perhaps the biggest challenge for keeping individual data files safe on a modern PDA is deciding where to put them.

Most support removable storage. Taking the data physically away from the device and putting it in a secure location is one way to keep the PDA from compromising security.

An interim approach is to ensure that any data that can be easily removed to another location stays obscured at all times.

"You can force-encrypt all data on a [Pocket PC] storage card, so you can't download the company data to a memory card and hand it to a friend when you leave the company," said Groves.

Third-party tools for PalmOS also allow the use of the encryption component of the SecureDigital format, which can protect against data loss if the stamp-sized flash memory cards are stolen.

But constant encryption is a processor and power drain on the resources of a PDA and may prove unworkable for indiscriminate use.

Integrated biometrics, such as fingerprint scanners, are still a tentative experiment, rather than a full-blown trend, but if reliable they could solve many worries.

But any unlocked door can be exploited, and PDAs with elaborate security schemes must have short, vigilant power-off/lockout idle times, lest a PDA be stolen after being carelessly set aside in open access mode by the user.

It's possible to block deployment of Palm or PocketPC sync tools, lock a device to only sync with one designated home base, or exercise some control over the data that goes through the sync conduits.

But users can and will always find a way to store the data they need to carry in the form they want to carry it.

Ironically, the firms most at risk of major, difficult-to-trace PDA data loss are those which don't have a PDA deployment policy.

"The problem with a lot of businesses is that people like me who don't have a corporate-supplied PDA go out and buy one, sync it to the local PC on the desk, and end up with a lot of data on there," said Lee.

Even if PDAs are not approved or supported, IT authorities need to know and control the way data is transferred.

The PDA backup problem is becoming easier to solve through central management. Software outfits such as CA and Tivoli offer enterprise-managed backup solutions for PDAs, which can take a great deal of the uncertainty out of the recovery process.

"The backup is the key to all of this. If you don't have a backup, you're relying on the employee's memory," warned Rebecca Taylor, senior product manager at Palm Solutions Group.

Most digital devices are stolen and resold for their hardware value, rather than for the software or data.

While this is by no means a guarantee of protection, given the relatively high barriers to entry to hacking a solid-state RAM chip inside a PDA, even a basic power-on password may be enough to frustrate thieves into yanking the batteries and restoring the device to a clean, factory reset state.

Smartphones and E-Mailers: Unique Challenges

Mobile phones keep getting smarter. But in general, the smaller the device, the more closed the system and the more difficult it is to install customisable security tools.

This means that, as they become more sophisticated, phones are in real danger of outstripping security and backup solutions. And smartphones often have an uncluttered view into crucial information.

"In most cases, what you're likely to put on the phone is passwords, and store those in a browser cache, and now someone has access to your site," said Enderle.

Smartphones typically have at least a user-manageable synchronisation and backup procedure, but it may be more difficult to control at an enterprise level.

Intuwave is looking for carrier partners to pilot its m-SafetyNet solution, which allows Symbian phones to initiate their own incremental backups via GPRS to a central server, and initiate recovery through a quick call to customer support.

Although the recent GSM network hack has attracted a lot of attention, savvy users never thought of wireless voice and data transmission as anything but an open system.

"It used to just be that someone with a radio could pick wireless calls up, so the reality is that people need to stop believing that they're secure," said Enderle.

Portable wireless email devices such as the Blackberry offer invaluable access to information. Help protect that investment by ensuring that emails pulled down by those devices are not lost from the server, in case they need to be retrieved after the loss of the emailer.

The Blackberry's inability to store large documents or data files could be seen as a security feature, although it is possible to create damning, publicly embarrassing, or not-fit-for-public-consumption emails in just a couple of kilobytes.

Enderle is not convinced of the security of Blackberry-style devices, given that they are fairly closed systems built for convenience and ease of use, rather than rigid authentication controls.

Corporate IT should have an action plan ready to execute with the network provider to stop service to the account when a RIM-type portable email device is lost, and to immediately terminate all email forwarding to the device.

That should help limit any data loss and resulting damage to just the information available on the device at the time of loss.

Yes, it seems a pessimistic view, but treating mobile devices as potential public access terminals and building a security procedure that defends against that outcome is the surest way to protect the device, and control any resulting damage. Of course, it is possible to get carried away.

"All of these things have to stand by a risk assessment: what is the value of the data stored on this device, and what are the implications of the loss?" said Baines.

It's far too easy to give the answer that all corporate data is equally sacrosanct and build a counterproductive fortress that negates the purpose of mobile devices.

A missing £300 device can account for £30,000 in lost trade secrets, or be a pesky insurance claim and a short replacement and re-imaging synchronisation away from being a closed matter.

Build a sensible mobile security policy that protects information while still meeting user demands, and minimise the sting.

Wireless hotspots offer little protection

The only thing worse than knowing that data has been stolen is not knowing. The rapid expansion of wireless hotspots adds an extra layer of complication to mobile security strategies, since hotspot networks tend to be unencrypted, leaving them wide open to eavesdropping.

Lee outlined the restrictions placed on BT managers who wish to make a hotspot connection.

First, they must use the OpenZone network, and only if the laptop has been pre-approved and equipped with a VPN client, a hardware dongle, and a special security certificate.

The dongle must be unlocked by pass-phrase before the wireless radio will activate and, if the code is given incorrectly three times, the dongle goes to lockout mode and must be reset in the office.

Finally, the connection is limited to the BT Exchange server, and browser destinations are limited.

"Customers probably wouldn't go for that," said Lee. Not everyone needs to go that far, but devices that can and will go wireless should be treated as though they may be part of a public local area network at any time.

For maximum protection, firewalls and strictly controlled drive sharing are a must on hotspot-ready notebooks, as are VPN clients and encrypted browser proxies.

How to secure your notebooks

Laptops are the best suited of mobile devices for deploying and enforcing a corporate data protection strategy. But because of their value, they are frequently targeted.

The surest way to keep data safe on a laptop is whole-disk encryption, backed by password access.

Even if the disk is removed from the laptop and the computing portion sold on, the data would be useless to all but a dedicated hacker with large-scale resources. Such security measures can be implemented and enforced with little intervention.

"If you're using hard disk encryption, it's transparent to the user, so there is no worry about users remembering to encrypt the data," explained Groves.

The trouble, according to Enderle, is that, even on modern PCs and notebooks, whole-disk encryption can slow performance, which can make it an unpopular choice with IT and field users.

The good news is that laptops can easily be equipped with personal firewalls and VPN capability. Many biometric solutions are available for portables, but very few are built into the case itself, resulting in a clumsy 'security dongle' scheme.

Be prepared to write off any missing hardware as a permanent loss. "There are tracking products, but the chances are you're not going to get it back," said Enderle.

He recommends that staff be encouraged to view the devices in terms of the value they represent. "Treat it like it's cash and always keep it in sight."

FURTHER READING:

Microsoft's house documents on Pocket PC security can be found here.

Credant Technologies
Providers of Mobile Guardian, an enterprise-grade PDA security solution.
www.credant.com

Secure Digital Card Association
www.sdcard.org
