Mobility versus security – getting the balance right

March 1, 2006

We live in an increasingly wireless world. According to recent research from the analyst firm IDC, 50 per cent of Europe's employees will be mobile workers by 2007. At present, 2.2 million people in the UK alone work remotely, with countless others who are on the move on a regular basis. But, of course, to keep all these peripatetic staff effective, access to information is essential – with the result that mobile email has become an essential application for keeping the mobile workforce on the move.

But this raises a challenge for organizations and individuals alike. Not only is mobile email subject to the viruses and spam that plague fixed systems, it also opens new threats to an organization's information security. Every mobile phone, laptop or PDA is a potential way in to the corporate network. And every lost device is a possible treasure trove of valuable corporate, customer and financial data.

The area of wireless security is therefore an essential one. As more workers leave the physical confines of their company's premises, the devices they use expand the boundaries of the corporate network, and traditional methods of protection are no longer adequate.

Clearly the proliferation of mobile devices requires a rethink on security – particularly as they have become such commonplace items for many people that it is hard to regard them as a big security threat. For many organizations that will involve re-assessing their corporate network, identifying its new points of vulnerability, and putting both technology and procedures in place to protect them.

There are several ways of securing mobile email systems and the devices on which they operate, and users need to assess which ones are appropriate for the level of data they are sending.

However, one of the big problems that all organizations face is that mobile devices require a certain amount of dexterity to use, they are often operated when the user is in a hurry, and many people still haven't really got to grips with how they work. It's not hard to imagine someone inadvertently breaching the Data Protection Act by pressing send instead of save on their PDA while in the back of a bumpy cab.

Which is why any security measures put in place need to be built round the understanding that human beings are just that: human. Fallible. Capable of losing things, breaking things, making mistakes. After all, if members of MI6 can leave their laptops lying around in coffee shops and taxis, then what hope is there for the rest of us? If the numbers of gadgets handed in at London transport's lost property offices every month are anything to go by, the answer is not much.

So the security of mobile devices needs to be designed round the real-life experiences of users – and not just technological theory. The point where people interact with IT is where systems are at their most vulnerable. Security, therefore, needs to be designed to protect your data, network and applications from even the most absent-minded, or determinedly unintelligent, human action.

As many have discovered, it is often the simplest solutions that prove the most effective. Losing a mobile device is all too easy. But the cost of that loss can often be measured in terms of the data that goes with it, rather than the value of the equipment. Therefore, one of the simplest and most effective security measures is to ensure that data is not permanently stored on the phone or laptop, but remains on the corporate server. If the device falls into the wrong hands, there is then no way to read the emails that have been sent to or from it.

This also negates the need for so-called 'poisoned pill' software. This is an application that is designed to be sent to a device to remove its contents as soon as it is lost. It is an effective method of securing data in the right circumstances, but it does have its limitations, aside from the added cost and complication involved. For example, if the missing appliance is out of network range then the poisoned pill can't be sent. Not very helpful for international travellers whose PDA is in New York when they're in New Delhi.

Much of the value in mobile email is the ability to send and receive documents as attachments, which is where the majority of problems arise when it comes to sending emails to the wrong people by mistake. To counter this there are applications available that effectively block unauthorized recipients from reading messages sent to them in error. Software like concealed media, for example, assigns security keys to documents: users then register who is authorized to access, open or modify them. To maximize the impact of this kind of software, controls should be administered centrally so that it too is not at risk from human error in less than ideal travelling conditions.

Simple expedients like this can accomplish a great deal. But as systems become simultaneously more complex, more pervasive and much easier to use, so the opportunities increase for them to be breached. Fortunately security measures which can ensure the integrity of data in any mobile email communication are also growing in sophistication. Data encryption is one way to achieve this, and users should ideally look for mobile email services that apply the highest recognized level – 256-bit AES.

All these measures are suitable for confidential, commercial data, and have been used widely within the financial sector which, understandably, places a strong emphasis on securing its information systems.

However, for organizations with information that is particularly sensitive, further security enhancements can also be integrated with mobile email systems. Firstly, anti-virus software can be installed, ideally with components that protect against adware and spyware, which are frequently sources of Trojans and email worms.

Secondly, the growing trend towards two-factor authentication can also be applied to mobile devices. This requires users to have something they know – such as a password or PIN – as well as something they have, for example a secure token. Only by matching the frequently changing data on the token with their personal details can individuals access the email system through their mobile device.

Security experts have long been promoting the enhanced protection that two-factor authentication offers, and many large organizations in particular have adopted it for their fixed networks; these solutions are now available to enhance the security of mobile email devices as well. However, there are policy issues here – just like a credit card and its PIN, the token and the device should not be kept together.
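As an added illustration, not from the original article, the Python sketch below shows the PIN-plus-token check just described: it verifies a time-based one-time code of the kind a hardware token displays alongside the user's PIN, tolerating a little clock drift and refusing to accept the same code twice. The shared secret, PIN, step size and digit count are constructed assumptions, not values from any real product.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions). A real deployment provisions a
# per-user secret into the token and stores only a hash of the PIN.
SHARED_SECRET = b"constructed-demo-token-secret-0001"
USER_PIN_HASH = hashlib.sha256(b"4821").hexdigest()  # constructed PIN "4821"
STEP_SECONDS = 30   # how often the code shown on the token changes
DIGITS = 6          # length of the displayed code
SKEW_STEPS = 1      # accept one step either side to absorb clock drift


def token_code(secret: bytes, step: int) -> str:
    """Code the token displays for a given time step (RFC 6238 style, HMAC-SHA1)."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


class TwoFactorVerifier:
    """Server-side check: something known (PIN) plus something held (token)."""

    def __init__(self, secret: bytes, pin_hash: str) -> None:
        self.secret = secret
        self.pin_hash = pin_hash
        self.last_used_step = -1  # newest step already accepted; blocks replay

    def verify(self, pin: str, code: str, now: float) -> bool:
        # Factor 1: the PIN, compared in constant time against its stored hash.
        pin_ok = hmac.compare_digest(
            hashlib.sha256(pin.encode()).hexdigest(), self.pin_hash)
        # Factor 2: the token code, checked across a small drift window and
        # never re-accepted for a step that has already been used.
        current = int(now // STEP_SECONDS)
        matched_step = None
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step > self.last_used_step and hmac.compare_digest(
                    token_code(self.secret, step), code):
                matched_step = step
        if not (pin_ok and matched_step is not None):
            return False   # both factors must pass together
        self.last_used_step = matched_step
        return True
```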

Finally, there are security measures available designed to meet government standards that have been developed and are monitored by the Communications-Electronics Security Group (CESG), GCHQ's information assurance arm. The CESG Assisted Products Scheme (CAPS) standard is essential for any product that is to be used by the government to send extremely sensitive information. Many of these, for example the X-Kryptor family of network security appliances, can be integrated with mobile email systems where necessary.

It is widely recognized that information security is a business imperative – both in terms of maintaining commercial viability and, increasingly, to ensure compliance with national and international legislation. Securing wireless connectivity needs to be taken seriously if the benefits of flexible and mobile working are not to be lost to security breaches. However, with the right measures in place, there really is no reason why your mobile email system should be the point at which that security is compromised.
