Focus on these four areas when securing mobile devices

Tim Landgrave

Published: 06 Aug 2003 10:25 BST

Once mobile devices leave the well-protected four walls of the company's building, what keeps outsiders from stealing the information stored on the devices? This is especially critical given the recent surge in the use of PDAs for applications like patient data collection or sales force automation. The devices now hold customer, inventory, and pricing information that the business has to secure for itself, as well as patient or client information that the business may have a legal or fiduciary responsibility to keep secure.

If the devices only stored the data locally and only synchronised locally, the problem would be manageable and containable. But now that the devices have cellular modems, analog modems, 802.11 LAN cards, and Bluetooth LAN controllers built in, users expect to be able to synchronise remotely using the mobile network, their home network, or an 802.11 connection in their local library or coffee shop. And in many cases, the business application requires that they be able to accomplish this synchronisation during the day rather than waiting for a nightly upload or requiring the outbound employee to come back to a home base to synchronise data.

Four areas of security
I've worked with customers to come up with the four major areas that they consider essential in device security. These include:

  • Synchronisation security: There must be a method of securing the data channel that carries any data between the mobile device and whatever device manages the data connection.
  • Device security: Once put on the device, the data must be secured in such a way that the casual unauthorised user cannot easily retrieve data and passwords.
  • OS security: The device must have an operating system or an add-on product that can prevent malicious code from corrupting the operating system, applications, or data on the device.
  • Authentication and authorisation security: Whenever the client device connects to the corporate network, the user and the device should be authorised to make any changes to the corporate network.

I'll give you an idea of where you can start when considering these security issues in your application and system architecture design.

Synchronisation security
A synchronisation security strategy allows the mobile client to send and receive data through a secured connection that cannot be spoofed or traced. At a minimum, most mobile clients should support HTTP over some kind of SSL connection (HTTPS) so that you can send and receive the data between the mobile client and a secure Web site. For more advanced data synchronisation and replication scenarios, you should look for solutions based on VPN tunnels, using either PPTP or IPSec. Using a tunnelling solution separates the synchronisation logic from the application logic and lets you use industry-standard firewalls, routers, and server solutions to build and maintain your secure connections.

Device security
A robust device security system should include three elements. First, you should be able to secure the device itself to prevent it from booting up or coming out of a low power mode without the user being authenticated locally as a valid user. This could be as simple as requiring a password to start the device or as complex as a biometric fingerprint reader like those that come standard on high-end HP iPaqs.

Second, any security credentials stored on the device should be encrypted rather than kept in clear text. These credentials include not only user IDs and passwords but also sensitive host system information like machine names and IP addresses. Finally, whenever possible, the application data on the device should be encrypted so that it cannot easily be read and interpreted by another user. You may choose not to encrypt the data for performance reasons or because the data isn't considered valuable enough to protect. You should remember that although it may be convenient to use whatever database facilities the device provides (contacts, electronic mail, calendars) to hold information for your application, these facilities are not normally encrypted
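The first two elements above can be tied together by sealing the stored credentials under a key derived from the passphrase the user types to unlock the device. The following is an added example, not code from the original article; it assumes a Node.js runtime, and the record fields, the label and all sample values are constructed for illustration.

```javascript
// Added example: sync credentials at rest, sealed under the device unlock passphrase.
const nodeCrypto = require('crypto');

const SCRYPT = { N: 16384, r: 8, p: 1 };        // assumed work factor; tune per device
const AAD = Buffer.from('sync-credentials-v1'); // hypothetical record label

// Derive a 256-bit key from the passphrase used for local authentication.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Encrypt the whole record: user ID, password and host details alike.
function sealCredentials(passphrase, record) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(AAD);
  const body = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  // Stored layout: salt(16) | iv(12) | tag(16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the record, or throws if the passphrase is wrong or the blob was altered.
function openCredentials(passphrase, blob) {
  if (blob.length < 44) throw new Error('credential blob too short');
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(AAD);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample values, not taken from the article.
const sample = {
  user: 'fieldrep01',
  password: 'example-only',
  host: 'sync.example.internal',
  ip: '192.0.2.10',
};
const blob = sealCredentials('device unlock phrase', sample);
console.log('stored bytes:', blob.length);
console.log('host name readable in storage:', blob.includes(Buffer.from(sample.host)));
console.log('reopened host:', openCredentials('device unlock phrase', blob).host);
```

Because the key exists only while the user's passphrase is in hand, someone who copies the stored blob off a lost device gets neither the password nor the machine name and IP address without also guessing the passphrase.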
