"Information leakage", as it is sometimes termed, is a growing issue for corporations with the increasing availability and decreasing cost of high density flash memory. Flash is present in nearly every consumer gadget, but of particular concern to network administrators are personal productivity tools like USB memory sticks, smart phones, PDAs, and of course mobile email devices.
Mobile email represents yet another security headache for administrators. It is a fait accompli because of its popularity with senior management, and its encrypted attachments cross the firewall, making inspection difficult or impossible. Once the data is on the mobile device it can be easily compromised through loss or theft. Since mobile email devices have been adopted top-down in organizations, the lost data is likely to be very sensitive, raising major questions of compliance and protection of intellectual property. You can pretty much guarantee that senior executives email drafts of quarterly earnings reports between each other.
So what is the administrator to do? Clearly the genie is out of the bottle; mobile email is either an essential business tool or a vanity item, depending on your point of view, so embracing it with a policy framework is important. Otherwise users with the necessary political clout will introduce a range of devices, many of which cannot be securely managed or supported by IT.
You've probably read the recent stories in the media that the lost property offices of Britain's airports are filling up with unclaimed laptops. It would seem that we are happy to claim a laptop as lost rather than deal with the hassles of reclaiming it, and this attitude, in all likelihood, extends to mobile devices, which are easier to lose.
Remote wiping of a lost device is obviously a desirable feature, but is of dubious value since any thief will turn off the radio, or work with the device in a shielded environment. One solution is the thin client approach, with a display protocol carrying the information to client software on the mobile device. One of the great advantages of thin clients is that with a presentation server sitting inside the firewall, attachments can be opened, read and edited using original applications that would be too large to install on the client. The disadvantage is of course that with any interruption to the communications channel the system simply does not work. For users who are moving around in different environments where they are not intimately familiar with network coverage, this could be a continual problem, and it clearly is not an option for those who like to work on their email on an aeroplane or a train.
The simplest security approach is password protection on the device. This is fine, but it should be realized that if the data files are not stored in an encrypted form, then it is possible to physically target the flash memory. Even where encryption is built in, this does not overcome the problems of password management. Unless this can be managed by policy from the centre and a strong company culture, it is a vulnerable area, since users left to their own devices will more likely than not pick easy to guess words, turn off the password feature or write the password on the device itself.
The best option would be two-factor authentication including biometrics, or biometrics alone; fingerprint being the easiest, since it doesn't require a token or some other item that could be stolen at the same time as the device (and which would annoy the user).
When the inevitable happens and a device is lost, central synchronisation does at least make the issue of a replacement unit straightforward. A new device can be synched to the last good state of the lost one and sent overnight to the user, with the password naturally provided by an alternative means, such as a phone call, bringing the user back online with all of their preferences intact as well as their mailbox and PIM.
There are bound to be further technical refinements to security of remote email. Microsoft is giving push away free with the latest Exchange Service Pack, so hopefully that will help spur some aggressive innovation. A central policy-based approach to mobile email clearly makes sense for many reasons: control over the end device, simplifying support and enforcing security policies; automatic synchronisation; and demonstrating a company desire to manage information movement. Network administrators will probably want to make sure that they practice sound hardware selection, and that there is a strong culture of password management and security in the organization, backed by active and passive controls on the flow of sensitive data across the firewall.
Friday, September 29, 2006