Mobile Devices Pose Security Hazards
Mobile devices pose significant and increasing security hazards. Organizations must learn to treat these devices as full-fledged clients, and create and apply the same sorts of security policies that they've devised for desktop and laptop computers. Randall Nichols, CTO of Infosec Technologies and George Washington University, says that organizations tend to adopt PDAs informally, and that lack of formality can have disastrous consequences.
To minimize the security threats from loss or theft of the device, organizations must mandate the use of power-on passwords, and put remote-destruct policies (which erase data on the device remotely) in place. He advocates random audits to check for compliance, and severe penalties for breaching the security policies. Nichols stressed that organizations cannot rely on users to provide their own security. Even common operations, such as synchronization and simple file transfer, have the potential to circumvent current network security and disrupt operations, bypassing network-level virus checkers, for example, or allowing employees to leave the premises with devices containing sensitive information.
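The controls described above (mandatory power-on passwords, remote-wipe enrollment, storage protection for enterprise data, and random compliance audits) can be turned into a mechanical check rather than left to users. The following is an added example, not code from the article or from Infosec Technologies: it evaluates a constructed device inventory against an assumed policy and draws a random audit sample. The record fields, thresholds, and inventory values are all assumptions made for illustration, not any particular device-management product's schema.

```python
"""Mobile device policy compliance audit (added example, not from the article).

Checks each inventory record against the controls the article recommends and
supports random spot-check audits. All field names, thresholds and sample
records below are constructed assumptions for illustration.
"""
import random
from dataclasses import dataclass

# Policy thresholds (assumed values, not from the article).
MIN_PIN_LENGTH = 6            # power-on password must be at least this long
MAX_LOCK_TIMEOUT_MINUTES = 5  # device must auto-lock within this many minutes
MAX_DAYS_SINCE_CHECKIN = 14   # a device that never checks in cannot be wiped remotely


@dataclass
class Device:
    """One inventory record as an assumed device-management export would report it."""
    device_id: str
    owner: str
    power_on_password: bool
    pin_length: int
    lock_timeout_minutes: int
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    days_since_checkin: int
    holds_enterprise_data: bool


def evaluate(device):
    """Return the list of policy violations for one device (empty when compliant)."""
    violations = []
    if not device.power_on_password:
        violations.append("no power-on password")
    elif device.pin_length < MIN_PIN_LENGTH:
        violations.append(f"PIN shorter than {MIN_PIN_LENGTH}")
    if device.lock_timeout_minutes > MAX_LOCK_TIMEOUT_MINUTES:
        violations.append(f"auto-lock timeout over {MAX_LOCK_TIMEOUT_MINUTES} min")
    # Unencrypted storage only matters when the device actually carries enterprise data.
    if device.holds_enterprise_data and not device.storage_encrypted:
        violations.append("enterprise data on unencrypted storage")
    if not device.remote_wipe_enrolled:
        violations.append("not enrolled for remote wipe")
    if device.days_since_checkin > MAX_DAYS_SINCE_CHECKIN:
        violations.append("stale check-in: remote wipe may not reach the device")
    return violations


def compliance_rate(devices):
    """Fraction of devices with no violations, as a float between 0 and 1."""
    if not devices:
        return 1.0
    compliant = sum(1 for d in devices if not evaluate(d))
    return compliant / len(devices)


def audit(devices, sample_size, seed=None):
    """Randomly sample devices for a spot check; map device_id -> violations.

    A seed makes the sample reproducible so an audit can be re-run and defended.
    """
    rng = random.Random(seed)
    sample = rng.sample(devices, min(sample_size, len(devices)))
    return {d.device_id: evaluate(d) for d in sample}


# Constructed sample inventory (not real devices or owners).
INVENTORY = [
    Device("pda-001", "alice", True, 8, 2, True, True, 3, True),      # compliant
    Device("pda-002", "bob", False, 0, 30, False, True, 1, True),     # no password, no encryption
    Device("pda-003", "carol", True, 4, 5, True, False, 40, True),    # short PIN, unreachable
    Device("pda-004", "dave", True, 6, 5, False, True, 2, False),     # no enterprise data: ok
]


if __name__ == "__main__":
    for device in INVENTORY:
        problems = evaluate(device)
        status = "OK " if not problems else "FAIL"
        print(f"{status} {device.device_id} ({device.owner}): {'; '.join(problems) or 'compliant'}")
    print(f"fleet compliance: {compliance_rate(INVENTORY):.0%}")
    print("spot check:", audit(INVENTORY, sample_size=2, seed=7))
```

The check treats a device that has not checked in recently as a violation even when its other settings are correct, because a remote-destruct policy is only as good as the device's reachability; the audit sample is seeded so that the same sample can be reproduced when a penalty is contested.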
If such policies seem overly draconian, there is supporting data that should scare you. Gartner Vice President and research director John Girard writes that "Through 2005, 90 percent of mobile devices that contain enterprise data will have insufficient power-on protection and storage encryption to withstand casual-to-moderate hacker attacks." Further, "at least 5 percent of enterprises in every major industry segment will expose sensitive information to a competitor through mobile, wireless, and user-owned devices."
To rein in the gargantuan task of managing enterprise requirements on a vast sea of devices, Gartner recommends that IT departments adopt a three-tiered "Cafeteria Plan" that gives organizations a semblance of control over device support while still giving users some choice over what devices they can use. (See the sidebar "Making a Cafeteria Plan.")
We Know Where You Are
If the network coverage, device and platform proliferation and versioning problems, disparate user profiles and needs, and security hazards aren't enough, some of the more advanced capabilities of wireless devices offer unique opportunities—and hazards. An increasing number of devices offer built-in digital cameras, voice recorders, and GPS capabilities. Organizations can use these features to improve services and efficiency, for example by providing directions to delivery personnel or letting a dispatching center know exactly which mobile unit is closest to the scene of an emergency. Video and audio capabilities also show promise, letting experts talk beginners through procedures, or letting field workers send or receive detailed pictures that may help them solve problems, or show specific situations to remote experts.
Unfortunately, such capabilities can easily backfire, because they also give people using the devices the ability to capture images or record conversations more easily than ever before—possibly in locations and situations where the organization might not want them to take pictures or capture audio. Employees may, either intentionally or accidentally, send images or capture audio that cause problems for the organization. Employees and unions may object to the privacy intrusion inherent in GPS tracking. Even worse, there are no legal precedents for some types of problems.
For example, suppose a consumer using a GPS application gets the wrong directions and misses an important appointment, or worse, gets injured while following those incorrect directions. The legal ramifications of such possibilities are not yet clear, nor are the social or workplace controls in place to limit the use of knowledge about a person's location at any given time. In fact, wireless application use introduces a gamut of new social and legal concerns, largely separate from the technical challenges, and IT will need to work ad hoc with other business units to predict these risks and find solutions.
The uncertainties involved in wireless development should change the way you approach your design and implementation.
- Choose projects that truly need wireless capabilities and that will have an immediate bottom-line impact on the organization.
- Plan for security as part of the application—don't rely on built-in security standards such as WEP to protect your data.
- Bring users into the process early, create a pilot project, and listen to users' needs and reactions.
- Plan for frequent change—wireless applications built in 2003 will be volatile, due to upcoming changes in networking, devices, and users' expectations.
- Capitalize on the lessons learned from agile programming—break large applications into small modules, use small focused teams, use unit tests to ensure that all code changes meet requirements.
- Give developers access to users, and give both users and developers the training they need to build and use the applications. Make sure every wireless project has a management sponsor, someone who will champion the application even through early-stage implementation and rollout problems.
- Control the devices—and test on all supported devices throughout the implementation/change cycle.
It is easy—and understandable—to feel daunted at the prospect of enabling a wireless enterprise. There is much to do, and nearly every step is couched in an ugly cloud of risk and uncertainty. But there is another way to see it as well—as an exciting and nascent opportunity to do what developers were born to do: tread unspoiled ground in information technology, blazing a path for new possibilities in computing.