Increasingly, companies want to give mobile or field-based employees direct, instant access to critical corporate applications previously accessible only from a desktop. To do so, existing security, authentication and management infrastructures have to be extended and adapted so that mobile devices, along with their data and wireless connectivity, are managed as surely and fully as desktop PCs.
But that's not the case in many mobile deployments today, according to consultants who specialise in working with enterprise customers. "What we see is an ill-defined policy regarding devices," says Dan Croft, president and CEO of Mission Critical Wireless, a technology services company that specialises in mobile deployments.
Often personal handhelds are granted wireless access, something that would never be allowed with a personal computer, creating security vulnerabilities, manageability challenges and tech support burdens, Croft says.
Taking control falls into four broad areas, says Jack Gold, principal of J Gold Associates, a mobile consulting company: securing and managing every device; managing every connection; protecting every piece of data; and educating every user.
Securing and managing every device
Mobile devices, whether bought by the company or by the individuals, are accessing company networks and company data. Device security and management are closely intertwined, because you have to be able to monitor the devices in order to enforce policies.
In most cases, practitioners recommend standardising on two or three mobile device models, minimising the support, security and management challenges. "Other smartphones [brought in by users] might not be capable of supporting your specific security and administration policies," says Patrick Salmon, a mobility architect for Enterprise Mobile, a technology services company that specialises in Windows Mobile deployments. Using mobile device passwords or PINs is advised.
"If your enterprise doesn't enforce a password policy on those devices, you might as well stop with all your [other] security measures," Croft says. Salmon favours PINs, coupled with a limit on the number of access attempts. After that number, the next attempt triggers an automatic lock or wipe of the handheld.
Enforcing effective passwords is one of the essentials at Florida Hospital, in Orlando, where wireless notebooks are widely used by staff and nurses, along with BlackBerry devices for email. The hospital is also exploring what's involved in granting access to clinical systems from physicians' smartphones.
The hospital enforces regularly changed passwords (a function of its enterprisewide identity management infrastructure), up-to-date antivirus software and some ability to remotely wipe data from mobile clients, says Todd Franz, associate CTO.
"We see the need to protect the data on these mobile devices just as much as we do on a desktop PC," he says.
On selected notebooks, the hospital also uses the CompuTrace service from Absolute Software. With it, a stolen computer can be traced and tracked down. Franz won't say how often hospital laptops have been stolen, but the recovery rate for laptops protected in this way is 100%. According to some accounts, 10% to 15% of all mobile devices go missing.
Consider using comprehensive device management applications such as Sybase's Afaria, Credant's Mobile Guardian, Nokia's Intellisync, Microsoft's System Center Mobile Device Manager, and others from the likes of Check Point and Trust Digital, to name just a few. These policy-driven suites blend monitoring and enforcement capabilities focused on mobile clients, and typically work with back-end authentication and other servers.
Managing every connection
"These connections are a pretty significant exposure if they're not done right," Gold says. "Don't leave it up to the end users."
These practitioners favour enforcing VPN connections with IPSec for mobile deployments.
"SSL, which uses TCP port 443, is the path of least resistance," Salmon says. "I consider this the weaker of the two options." That's chiefly because while the target server has a certificate and is trusted, the SSL client is not. IPSec requires that ports have to be specifically opened, but both ends of the connection have certificates, he says.
A related issue is allowing mobile devices to connect only if they pass muster. Is the antivirus software up-to-date? Is the VPN active? Is the wi-fi connection from a public hotspot?
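As an added illustration (not code from the article or from any product it names), the Python sketch below turns two of the controls described above into one policy decision: the PIN attempt limit that triggers a lock or wipe, and the connection-time posture questions (antivirus current? VPN active? connecting from a public hotspot?). The thresholds, the posture schema and the rule that only non-corporate networks require a VPN are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple
# Policy thresholds are constructed for this example; the article names no specific numbers.
MAX_FAILED_UNLOCKS = 10             # Salmon's "limit on the number of access attempts"
MIN_PIN_LENGTH = 6
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
NETWORKS_REQUIRING_VPN = {"cellular", "public_hotspot"}   # assumption: corporate Wi-Fi is exempt

@dataclass
class DevicePosture:
    """Attributes a device-management agent would report (hypothetical schema)."""
    enrolled: bool              # registered with the management server
    pin_enforced: bool
    pin_length: int
    failed_unlocks: int         # consecutive failed PIN entries
    av_signatures: datetime     # timestamp of the installed antivirus signatures
    vpn_active: bool
    network: str                # "corporate_wifi", "cellular" or "public_hotspot"

def evaluate(p: DevicePosture, now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'deny' or 'lock_or_wipe'."""
    # Attempt limit exceeded: treat as a lost or attacked handheld and act before anything else.
    if p.failed_unlocks > MAX_FAILED_UNLOCKS:
        return "lock_or_wipe", ["unlock attempt limit exceeded"]
    reasons = []
    if not p.enrolled:
        reasons.append("device not enrolled in management")
    if not p.pin_enforced or p.pin_length < MIN_PIN_LENGTH:
        reasons.append("PIN policy not met")
    if now - p.av_signatures > MAX_AV_SIGNATURE_AGE:
        reasons.append("antivirus signatures out of date")
    if p.network in NETWORKS_REQUIRING_VPN and not p.vpn_active:
        reasons.append(f"no VPN on {p.network}")
    return ("deny" if reasons else "allow"), reasons

# Constructed sample devices, evaluated at a fixed reference time.
NOW = datetime(2008, 6, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = {
    "compliant": DevicePosture(True, True, 6, 1, NOW - timedelta(hours=12), True, "public_hotspot"),
    "personal_handheld": DevicePosture(False, False, 0, 0, NOW - timedelta(days=30), False, "corporate_wifi"),
    "lost_phone": DevicePosture(True, True, 6, 11, NOW - timedelta(hours=12), True, "cellular"),
}

def check(name: str) -> Tuple[str, List[str]]:
    return evaluate(SAMPLE_DEVICES[name], NOW)
if __name__ == "__main__":
    for name in SAMPLE_DEVICES:
        print(name, *check(name))
```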
Protecting every piece of data
Selective data encryption should be an essential item in any mobile deployment. With a managed mobile device, you can distribute and enforce encryption policies for specific data.
"Document folders, your email in-box, user data, contacts, certificates, and so on are the kinds of things that should be encrypted," consultant Gold says. Also consider encrypted or encryptable removable storage devices, such as high-capacity SD cards, he says.
Educating every user
"Few companies educate end users on the proper procedures and policies to safeguard [mobile] corporate assets," Gold says. "Get the users on your side."
"The greatest vulnerability is human," Salmon says. "If a stranger asked to borrow your laptop for five minutes to check his stock portfolio, you'd say 'No!' because you've been educated about the risks. There's no way you're going to let a stranger use your laptop. The same thinking has to apply to your mobile phone."
To school its nurses in mobile technology, Florida Hospital relies on trainers who also have been, or are, nurses. "They speak the same language as the users," Franz says. "We try to keep IT people out of the way of this training, because they do not speak the same language."
Franz makes a key point about nurses and mobile technology that's relevant to all such deployments. "People don't go to nursing school to become a clerk-typist," he says. "They go because they want to help people. Technology can assist them in doing that."