Mobile PC lock down
- By John McCormick
- Aug 30, 2005
Mobile PC security is divided into three critical parts. First, always, is physical access to the device, whether this means fastening down your notebook PC in a hotel, using a secure carrying case in a vehicle or preventing access to the operating system via a biometric or password-based utility.
Next in the hierarchy of parts is access to the actual data on the mobile device; this usually means encryption or even software that can automatically wipe the hard drive in the case of unauthorized access attempts.
The third piece is related to the rapidly expanding use of wireless networks, including public access networks that, although extremely tempting to use because of their convenience, can provide easy access to mobile data.
But in a very real sense, all mobile-security worries boil down to just one overriding concern: loss of control over users and data once they leave the office.
Mobile-security requirements are far more difficult to meet than those for a workstation or network. Mobile equipment is vulnerable to all the same threats networked workstations are, plus it has additional weak spots unique to handheld hardware.
For example, there are viruses and Trojans that target personal digital assistants and cell phones, just as there are for PCs. But on top of that, there are the security vulnerabilities of wireless connectivity as well as the problem of loss or theft.
As weak as some network security is, once you take a data storage or processing device of any sort outside the relative safety of the network umbrella, you are treading on thin ice.
Vulnerable security schemes
User policies regarding access controls, as well as what data can be stored on a mobile device, must be codified and strictly enforced.
No matter how good a password, biometric or encryption scheme is, you must strictly forbid users from putting certain information on a PDA, notebook or cell phone.
That's because all such security schemes have a finite probability of being broken by a clever hacker or rendered vulnerable by an undetected flaw in the security tools.
Certainly, confidential agency contacts, log-in information and agency credit card numbers must be forbidden, as well as such simple data as phone numbers and e-mail addresses of supervisors or colleagues.
Of course, this is exactly the sort of information many of us would like to store on a mobile device.
The hardware, software and other tools, such as a security case, included in this guide can help a lot, but they should be part of an overall security strategy. As a matter of policy, it's better to be safe than sorry.
A good mobile-security policy must include rules for:
- Keeping vital data off the device
- Securing or disabling any wireless connectivity features
- Installing and maintaining data encryption tools
- Enforcing mandatory encryption of all data at all times
- Installing and maintaining anti-malware tools
- Assigning physical responsibility for the device to one person
- Maintaining good records of who has possession of the device.
A policy also must have rules for:
- Maintaining current, secure records of what software and data are on each device
- Using strong authentication and access controls, including passwords and biometric tools
- Attaching alarms or tracking devices where practical
- Performing secure, periodic data backups, even while on the road
- Imposing restrictions on personal use of a device.
Critical to any mobile-device security policy is your ability to enforce the policy. But in addition to that, you have to instill a security-conscious culture.
For example, some users may view their mobile devices as personal property, putting their own data and even games on them. They may also feel a certain amount of freedom from centralized management as they walk out the door with a mobile device.
Drawing the line
You must emphasize to users that mobile devices are even more difficult to secure than their desktop computers and that they will be held responsible for losses of data or devices. Moreover, data will have to be considered compromised if they lose physical control over a device even for a few minutes.
Of course, users may already have lost wireless control even if they retain physical control, but that is why you need good electronic protection.
Cloning software is the ideal method to ensure that devices conform to a consistent standard as they are handed out to users. It can also provide users a way of quickly restoring data and software onto their devices, even when in the field.
Knowing that all data can be easily recovered will make it much more likely that a user will simply reset hardware when there is any possibility of data compromise.
John McCormick is a freelance writer and computer consultant. E-mail him at firstname.lastname@example.org.