Mobile working Toolkit

Focus on these four areas when securing mobile devices

Tim Landgrave Tech Republic

Published: 06 Aug 2003 10:25 BST

Once mobile devices leave the well-protected, four walls of the company's building, what keeps outsiders from stealing the information stored on the devices? This is especially critical given the recent surge in the use of PDAs for applications like patient data collection or sales force automation. The devices now have customer, inventory, and pricing information that the business has to secure for itself as well as patient or client information that the business may have a legal or fiduciary responsibility to keep secure.

If the devices only stored the data locally and only synchronised locally, the problem would be manageable and containable. But now that the devices have cellular modems, analog modems, 802.11 LAN cards, and Bluetooth LAN controllers built-in, the users expect to be able to synchronise remotely using the mobile network, their home network, or an 802.11 connection in their local library or coffee shop. And in many cases, the business application requires that they be able to accomplish this synchronisation during the day rather than waiting for a nightly upload or requiring the outbound employee to come back to a home base to synchronise data.

Four areas of security
I've worked with customers to come up with the four major areas that they consider essential in device security. These include:

Synchronisation security: There must be a method of securing the data channel that carries any data between the mobile device and whatever device manages the data connection.
Device security: Once put on the device, the data must be secured in such a way that the casual unauthorised user cannot easily retrieve data and passwords.
OS security: The device must have an operating system or an add-on product that can prevent malicious code from corrupting the operating system, applications, or data on the device.
Authentication and authorisation security: Whenever the client device connects to the corporate network, the user and the device should be authorised to make any changes to the corporate network.

I'll give you an idea of where you can start when considering these security issues in your application and system architecture design.

Synchronisation security
A synchronisation security strategy allows the mobile client to send and receive data through a secured connection that cannot be spoofed or traced. At a minimum, most mobile clients should support some kind of SSL connection over HTTP so that you can send and receive the data between the mobile client and a secure Web site. For more advanced data synchronisation and replication scenarios, you should look for solutions based on VPN tunnels, using either PPTP or IPSec. Using a tunnelling solution separates the synchronisation logic from the application logic and lets you use industry-standard firewalls, routers, and server solutions to build and maintain your secure connections.

Device security
A robust device security system should include three elements. First, you should be able to secure the device itself to prevent it from booting up or coming out of a low power mode without the user being authenticated locally as a valid user. This could be as simple as requiring a password to start the device or as complex as a biometric fingerprint reader like those that come standard on high-end HP iPaqs.

Second, any security credentials stored on the device should be encrypted rather than clear text. These credentials include not only user IDs and passwords but sensitive host system information like machine names and IP addresses. Finally, whenever possible, the application data on the device should be encrypted so that it cannot easily be read and interpreted by another user. You may choose not to encrypt the data for performance reasons or because the data isn't considered valuable enough to protect. You should remember that although it may be convenient to use whatever database facilities the device provides (contacts, electronic mail, calendars) to hold information for your application, these facilities are not normally encrypted