As third-party developers and vendors of handheld devices beef up encryption and password management technologies, Palm OS, Pocket PC and other handhelds are becoming more secure.
But, experts say, IT managers should not rely on the availability of improved software alone to secure handheld devices. To be sure, users should be required to install anti-virus software and keep it up-to-date, authenticate with user names and distinct passwords, and use encryption software to safeguard confidential data. But, because many handheld devices still make their way into the enterprise through the back door, IT managers also need to go out of their way to communicate to users that the same policies used to secure PCs should be applied to handheld devices.
“Various technologies are very much safeguarding mechanisms so that damage can be kept to a minimum,” said Bill Jaeger, an analyst at Meta Security Group Inc., in Charlotte, NC. “But because the hand-to-hand proliferation of handheld devices is so great, you really have to back up the technologies with policies to protect your organization and to keep people honest.”
One thing is clear: The trickle of handheld devices into the enterprise has grown to a flood. Last year, the global handheld PC market grew to roughly 12 million units worldwide, according to Gartner Inc., in Stamford, Conn.
Unfortunately for handheld users—and for their organizations—most handheld operating systems such as Palm OS still lack built-in encryption and strong password management features, said David Pollino, managing security architect at security consultancy @Stake Inc., in San Francisco. While Palm OS and Windows CE devices come with security software installed by their manufacturers, analysts say they are often insufficient for enterprise users.
“Security that comes on these handheld devices is the equivalent of having a lock on the screen door to your house,” Meta's Jaeger said. “Any information found on a handheld could be considered mission-critical if it supports business functions and should be protected as such.” (See eWEEK Labs analysis of security improvements on tap for future mobile operating systems.)
Experts agree that even if the devices supported strong security technologies, many users would likely ignore them. That's because, in most organizations, handheld devices are purchased and deployed not by enterprise IT organizations but by individuals who often see passwords and other security steps simply as productivity inhibitors.
As a result, @Stake's Pollino and others say, IT managers need to work harder to encourage individual PDA (personal digital assistant) users to adhere to some basic security best practices. Users should be discouraged from storing sensitive enterprise information on their PDAs in the first place, said Pollino, since these devices are so frequently lost and difficult to secure via passwords. Indeed, Gartner estimates that as many as 250,000 mobile phones and handheld computers will be lost at airports this year.
Second, said Pollino, individuals should make use of the default password capabilities built into PDAs, even though most are not robust. When PDAs are stolen, thieves are most often after the hardware itself, not the possibly sensitive data they store. So even a password that's easy to crack or bypass will discourage some thieves.
Jaeger also recommended that organizations make encryption software available on a company intranet, regardless of whether the handhelds are officially supported. This way, precautions can still be taken to safeguard handhelds that are brought into an organization without authorization.
And, said Jaeger, when PDAs are used to communicate wirelessly with the corporate network, it's essential to use a combination of technologies such as IP Security clients, digital certificates and VPNs (virtual private networks) to protect the traffic.
That's exactly what IT officials at Medepass Inc., in San Francisco, are doing. There, IT managers are looking into providing physicians with digital certificates so confidential patient data and information can be transmitted via handheld devices such as PalmPilots, Windows CE devices and tablet PCs, said Girard Pessis, chief technology officer at Medepass.
Medepass, which was formed by the California Medical Association to verify the online identities of health care professionals and to serve as its certificate authority, would use Certicom Corp.'s MobileTrust services to issue wireless digital certificates if and when the project is approved. The company will be able to leverage its registration authority, which runs on Certicom's TrustPoint PKI Portal software.
Experts say organizations should build upon the access management technologies and policies they have in place. This means extending VPNs and PKIs (public-key infrastructures) to handle the authentication of handheld users. While few high-profile handheld-borne viruses or other security events have grabbed top management attention to date, tying handheld security mechanisms to a company's security strategy will ensure that an enterprise will be able to respond to threats when they do arise.
“Overall, the people most worried about viruses on PDAs are the anti-virus companies,” Meta's Jaeger said. “Still, enterprises need to remember that mobile platforms are designed with portability in mind. They're not built to fend off malicious attacks.”