With the introduction of Palm’s newest Treo, Nokia’s partnership with Google for instant messaging on the handheld and BlackBerry’s move into China, it’s clear that powerful devices abound, offering sophisticated capabilities both inside and outside the office.
Enterprises must balance the promise of such products with the security implications they bring.
When intellectual property expert and attorney Mark Halligan wants to show business leaders how easy it is for their employees to secretly walk out the door with important data, he simply shows them his watch and asks them to tell him what time it is.
While the uninformed may simply gaze at the timepiece’s face and mutter some reading of its hours and minutes, those with a truly sharp eye catch on fast, because the seemingly innocuous wristwatch bears a USB connector that allows the device to download and store roughly 1GB of electronic information.
The expert’s Dick Tracy-like gizmo might still be rare at this point, but the demonstration serves as a sobering reminder for even those firms already keeping a watchful eye on their employees’ behavior.
Smart phones, digital music players and USB drives might help your workers feel happy and even be more productive, said the trade secret protection expert, but at the end of the day such consumer devices may pose a greater security risk than he feels most companies should be willing to stomach.
“It costs more in the short run for companies to issue their own equipment, but in the long run it’s probably the best approach,” said Halligan, a principal in the Chicago-based law firm Welsh & Katz.
“With outside consumer devices, you need to build strict policies that police and limit the use of each individual technology, each device, or else someone will bring them into your operation and simply walk away with your data.”
Industry watchers agree that enterprises are navigating largely uncharted seas as they attempt to strike a balance between allowing their workers to use new mobile hardware, while safeguarding their own interests.
Solutions to the issue range from the crude—squirting hot glue into PCs’ USB ports to keep keychain fobs and iPods off the network—to the advanced—blending IT systems with physical security tools to actively monitor people’s behavior.
One of the biggest issues in dealing with the explosion of consumer devices coming into the enterprise is companies’ growing dependence on employees’ experiences outside of the workplace in familiarizing themselves with emerging technologies.
For instance, experts have long maintained that the adoption of smart phones, powerful handhelds with PC-like features and sizeable onboard memory, will be driven by people’s use of the devices outside work.
Telling workers to leave their smart phones at home is counterproductive, said Steve Baker, analyst with NPD Group, Port Washington, N.Y. Banning them will extend the timeframe for moving this next generation of mobile devices into the corporate environment, he said.
If IT administrators had banned Palm’s original PDAs out of security fears in the mid-1990s, we may not have the company’s latest Treo smart phones today, he said.
“These types of technologies tend to move through the consumer market into the hands of business users who demand the ability to use them in their business life because the devices are very helpful,” Baker said.
“There’s no way for enterprises to stop these kind of things; users are bringing them in because they see a business rationale. Enterprises must find ways to allow people to use consumer devices securely, as banning them will only lead to people staging rebellions from within.”
As a result of the increasing seriousness of the problem, technology vendors are cooking up a wide range of tools aimed at helping companies at least control the manner in which consumer devices can be used within their walls or on their networks.
Among the companies attempting to address the issue directly is Microsoft, which is promising tools that give IT administrators expanded device-control capabilities in its next-generation Vista operating system.
Enhancements to the software’s Group Policy settings, which allow administrators to enforce configuration settings for individuals, groups and specific machines, claim the power to block access to removable devices such as CD-ROMs, DVD drives and USB tokens.
“We talked to many enterprise customers, and they told us that they wanted an easier way to manage and protect corporate information assets,” said David Zipkin, a product manager at the Redmond, Wash.-based software giant.
“One of the more common scenarios where intellectual property assets were compromised was by employees plugging in external storage devices into the corporate network and copying files.”
Another potential answer to the security problems posed by consumer technologies is the use of applications such as Centennial Software’s DeviceWall, which creates a virtual “white list” of approved devices assigned to specified groups and individual users and can be configured to automatically block any device not explicitly permitted by a firm’s policies.
While Microsoft’s efforts in Vista address device-controls, Centennial officials said, DeviceWall goes one step further by directly protecting a company’s databases at the same time.
By tying someone’s device usage privileges directly to their user names and passwords, company officials say, there is little room left for people to secretly bypass programs meant to direct group policies, a feat they say isn’t hard for experienced users to pull off.
One company using DeviceWall is Motor Information Systems, a specialty automotive publishing company owned by Hearst Publishing, and based in Troy, Mich.
Network Administrator Jeff Schmitt said his company has been using the application for six months to protect its wealth of editorial content, the lifeblood of Motor’s business.
“We have some people who need to use USB ports to print information or download photos, but at the same time you appreciate the risk of having someone plug in their iPod and walk off with a gigabyte of data,” said Schmitt.
“This way we can allow people to have unique privileges based on their jobs, and even keep an eye on who is trying to attach something else to the network and warn them if there’s a potential problem.”
In fact, before announcing that the company had launched the new software, Motor’s IT department was able to turn on DeviceWall and find out which employees were already breaking policies and warn them about future transgressions, he said, which has eliminated most risky behavior altogether.
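The approach described above, a default-deny “white list” tied to users and groups and run quietly at first to see who is already out of policy, can be sketched as follows. This is an added illustration, not DeviceWall’s code or configuration and not part of the original article; every user name, group, device class and serial number in it is constructed.

```python
from dataclasses import dataclass

# Constructed policy: device classes permitted per group, plus per-user grants.
GROUP_ALLOW = {
    "editorial": {"printer", "camera"},
    "it-admin": {"printer", "camera", "mass-storage"},
}
USER_ALLOW = {"jdoe": {"mass-storage"}}  # hypothetical one-off exception
USER_GROUPS = {
    "jdoe": ["editorial"],
    "asmith": ["editorial"],
    "root1": ["it-admin"],
}


@dataclass(frozen=True)
class Event:
    user: str
    device_class: str
    serial: str


# Constructed device-attach events, as an endpoint agent might report them.
SAMPLE = [
    Event("asmith", "printer", "PRN-0007"),
    Event("asmith", "mass-storage", "IPOD-0001"),
    Event("jdoe", "mass-storage", "USB-0100"),
    Event("temp7", "camera", "CAM-0042"),  # user with no group membership
    Event("root1", "mass-storage", "USB-0200"),
]


def allowed_classes(user):
    """Union of the user's own grants and the grants of every group they are in."""
    classes = set(USER_ALLOW.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        classes |= GROUP_ALLOW.get(group, set())
    return classes


def decide(event, enforce):
    """Default deny: anything not explicitly permitted is blocked, or only
    recorded as a violation while the policy runs in audit mode."""
    if event.device_class in allowed_classes(event.user):
        return "allow"
    return "block" if enforce else "audit-violation"


def review(events, enforce=False):
    """Group non-allowed attachments by user so they can be warned or blocked."""
    violations = {}
    for e in events:
        verdict = decide(e, enforce)
        if verdict != "allow":
            violations.setdefault(e.user, []).append((e.device_class, e.serial, verdict))
    return violations
```

Calling `review(SAMPLE)` lists the out-of-policy attachments without blocking anything; `review(SAMPLE, enforce=True)` returns the same users with a `block` verdict.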
At the cutting edge of the device-monitoring field are some technologies that look to blend traditional facilities security tools like building cameras with IT operations.
Since blocking a USB port does nothing to stop users from taking pictures of important documents with a camera phone, or even just making copies of sensitive paperwork to carry out, companies must consider becoming more like the Big Brother government of George Orwell’s classic “1984,” some experts said.
One company marketing such tools is 3VR Security, which in April introduced the fourth iteration of its IVMS (Intelligent Video Management Systems), which promises to convert raw video from security cameras into a searchable database.
The system promises to detect misuse and warn administrators if it appears that someone is stealing data, or attempting to log into computers or a data center where they do not have access privileges.
“From both an IT and traditional security standpoint, there’s a massive market for surveillance and video technologies and information management is the biggest problem customers have,” said Steven Russell, co-founder of 3VR.
“In addition to giving companies the ability to say for sure who exactly was sitting at a certain computer when it accessed or downloaded some proprietary data, there is the ancillary benefit of having people know that they are being watched; it may sound obtrusive, but companies in the health care and financial services industries in particular have to consider that they can be held liable if they don’t know where this information went.”
Security experts recommend that the simplest way to limit the security implications of consumer devices in the enterprise is to establish clear user policies governing the use of such technologies, to the point where there is little question as to the exact details.
Steve Hunt, analyst for 4A International, Chicago, a research firm studying the convergence of IT and traditional corporate security measures, believes that companies will ultimately be forced to convince workers that they are being constantly monitored in order to discourage people from believing they can get away with stealing information.
“Companies need to create the same sort of atmosphere as the health clubs, where if you pull out a camera phone in the locker room, not only does management have a problem, but so will the person sitting next to you,” said Hunt.
“It may seem sort of Draconian at first, but with all the devices that are finding their way into the office, it may someday be the only choice companies have.”