Cover
Managing mobile security
With the use of mobile devices by corporates on the rise,
IT departments have their hands full combating data loss and security breaches.
Megha Banduni reports
The battle between technology and security seems to be never-ending. When mobile computing devices such as PDAs, laptops, handhelds and smartphones were introduced, few would have thought about the security concerns that arise if they are lost or stolen.
"At Patni, for ensuring data protection, we try not to store critical information on mobile devices"
- Ajay Soni, Senior Manager, IT, IMD, Patni Computer Systems
According to a recent Mobile Usage Survey, almost 30 percent of users store their PINs, passwords and other critical information on their handheld devices without enabling the basic security features present on the system.
With an increasing number of people storing company data on mobile devices such as smartphones, PDAs, laptops and USB drives, and with Bluetooth-enabled devices entering the mainstream, IT departments are confronted with new security issues. Information such as customer contacts, e-mail details, passwords and bank account details, as well as information about private matters, is being stored on devices with little consideration for security.
As a result, a lost PDA or smartphone with no protection makes easy pickings for thieves, hackers or competitors looking for corporate information. This can hurt customer confidence and damage a company's reputation.
Off to a good start with encryption
Since mobile devices have become a necessity among top-rung executives, the demand for security within an organisation is growing rapidly. Hence, the first step that most CIOs practise and recommend is encryption of data. Other measures include creating awareness, conducting training, and enforcing the use of passwords.
The key security issues faced by users of mobile devices are misuse of data if a device is stolen, the ease with which data can leak out, and unauthorised access. Encrypting data, two-factor authentication and blocking data transfer to pen drives are some of the measures that CIOs can consider to secure their mobile devices.
According to Ajay Soni, Senior Manager, IT, IMD, Patni Computer Systems, the three main issues in using mobile devices are data security, theft and virus infection. "There are various ways through which one can take precautions, such as encryption of data, dual-factor log-on, and so on."
"But in spite of encryption, the chances of losing information are high. In many organisations, mobile devices are issued to the users only on a need-to-use basis. Still, it is a matter of concern. Information from the mobile device is transmitted through a wireless network, therefore the risk of unauthorised access is high. I agree that encryption is not widely used, and even if used it is prone to hacking. Another side-effect of encryption is that it degrades the performance of mobile devices. There is a need to have a standard encryption," comments G Radhakrishna Pillai, Head of IT at Ranbaxy.
"At Patni, for ensuring data protection, we try not to store critical information on mobile devices. However, since this is not always possible, the next step is encryption of all the data stored in the device," explains Soni. He says that all critical data is kept on the servers, and that no downloads are allowed. Patni uses dual-factor authentication, which prevents access to any PDA or laptop by a stranger. Also, every mobile device has a lock, so if the device is lost its data cannot be accessed.
"We encrypt all the data on mobile devices, and periodically conduct training and internal awareness programmes on encryption"
- Zoeb Adenwala, Chief, IT, Pidilite

"Information from the mobile device is transmitted through the wireless network, hence the risk of unauthorised access is high"
- Radhakrishna Pillai, Head, IT, Ranbaxy
Awareness programmes to the rescue
In a recent survey conducted by research firm IDC on the top security issues faced by organisations, information leakage ranked second. One of the prime reasons for this was the use of mobile devices such as laptops and handhelds. The first step towards security in a mobile environment is the framing of policies, followed by an awareness programme for users.
Today, the security threat perceived by CIOs is the main obstacle to the adoption of wireless devices. Pillai believes that authentication, privacy and authorisation are the critical issues with mobile devices, and that the technology needed to address them is still emerging.
"We encrypt all the data on mobile devices, and periodically conduct training and internal awareness programmes on encryption," says Zoeb Adenwala, Chief of IT at Pidilite.
Suggests Pillai: "One way to minimise the risk would be to use mobile devices purely based on the requirements of the business, and not just for the sake of adopting new technology. Key enablers for any security initiative for mobile devices are the users themselves, so creating awareness among them and training them in this regard are two tasks for the CIO."
Awareness among users certainly tops the chart. Advises R K Iyer, Director, Technology, eFunds, "Every technology has some security issue or the other associated with it. The best and most important step for a CIO/CEO to take is to create awareness so that the user is fully aware of the type of data he is carrying in his device, the threats associated with this, and so on. Once the user is aware, the next step is the configuration of devices and having a centralised control. Last but not the least, encrypting the data is important to ensure security."
Awareness seems to be the best way to avoid security issues. States Soni, "We create security awareness through posters, mailers and e-learning sessions."
- Create a mobile device security policy specifically for handheld devices.
- Start an awareness programme to make the new policy known within the organisation.
- All security settings should be maintained and controlled centrally.
- Deploy enforceable mandatory access control on all devices as the first line of defence.
- Purchase PDAs for employees; never allow users to connect their personal devices to the company network.
- Standardise on a few brands of devices, and support only a few mobile operating systems.
- Use password/PIN standards.
- Consider automatic and user-transparent encryption of all data on mobile devices and removable media.
- Track and label devices; treat mobile devices like desktops and laptops, labelling them and keeping records.
- Treat wireless like the Internet. Use a VPN on top of WEP to connect to the internal network.
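The checklist above is easiest to enforce from the central asset record it asks for. The following is an added illustration, not code from the article or from any of the companies quoted: it audits a constructed device inventory against the checklist items that can be checked mechanically (asset label present, company-issued, supported OS, PIN standard, storage and card encryption). The field names, the supported-OS set and the minimum PIN length are assumptions for the example.

```python
# Constructed sample inventory (not real devices): what a central record of
# handhelds might hold if the checklist above were followed.
INVENTORY = [
    {"asset_tag": "PDA-0001", "owner": "alice", "os": "WindowsMobile",
     "company_issued": True, "pin": "4829",
     "storage_encrypted": True, "card_encrypted": True},
    {"asset_tag": "PDA-0002", "owner": "bob", "os": "WindowsMobile",
     "company_issued": True, "pin": "1234",
     "storage_encrypted": True, "card_encrypted": False},
    {"asset_tag": "", "owner": "carol", "os": "PalmOS",
     "company_issued": False, "pin": "",
     "storage_encrypted": False, "card_encrypted": False},
]

# Assumed policy parameters: the two platforms the organisation supports
# and the shortest PIN the standard allows.
SUPPORTED_OS = {"WindowsMobile", "Symbian"}
MIN_PIN_LEN = 4

def pin_is_weak(pin):
    """True if the PIN fails the standard: too short, non-numeric, a single
    repeated digit, or a straight ascending/descending run such as 1234."""
    if len(pin) < MIN_PIN_LEN or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def audit_device(d):
    """Return the list of checklist items this device record violates."""
    findings = []
    if not d["asset_tag"]:
        findings.append("untracked: no asset label")
    if not d["company_issued"]:
        findings.append("personal device on company network")
    if d["os"] not in SUPPORTED_OS:
        findings.append("unsupported OS " + d["os"])
    if pin_is_weak(d["pin"]):
        findings.append("PIN does not meet standard")
    if not d["storage_encrypted"]:
        findings.append("internal storage not encrypted")
    if not d["card_encrypted"]:
        findings.append("removable card not encrypted")
    return findings

def audit(inventory):
    """Map each device owner to that device's findings (empty list = compliant)."""
    return {d["owner"]: audit_device(d) for d in inventory}

if __name__ == "__main__":
    for owner, issues in audit(INVENTORY).items():
        print(owner, "OK" if not issues else "; ".join(issues))
```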
Strong algorithms
"Security threats are growing on account of the practice of storing confidential or business critical information in detachable storage cards"
Sascha Beyer, Vice-president, Asia Pacific & Africa, of Pointsec Mobile Technologies, feels that when data is lost, trust is the first casualty. "If an organisation fails to protect information, it would lead to loss of customer confidence, affecting business growth. Data protection through data encryption, particularly for a mobile device, is an important element of business success."
Security analysts feel that, apart from protecting handheld devices with power-on passwords, organisations can look at options such as biometric authentication and token-based or smart card-based authentication.
The security threat is also growing due to the practice of storing information on detachable storage cards such as MMC (MultiMedia Card) and SD (Secure Digital) memory cards.
Another important aspect is protecting information in transit from sniffing and spoofing. The transmission of data from handheld devices to the corporate network, whether over the corporate Wi-Fi network or a third-party network, should be encrypted using strong algorithms. For example, the transfer of mail in most smartphones is encrypted at the application layer between the client installed on the mobile device and the server. This protection therefore stops at the server: it does not cover the onward transfer of e-mail beyond it. That onward transfer becomes critical especially if the corporate mail server is hosted on the telecom service provider's network. In this case, encryption at the network layer (such as IPSec) should be implemented.
Securing data remains a critical issue for CIOs. Data protection through encryption, particularly for mobile devices, is an important element of business success. Organisations need to deploy solutions that protect the data on the disk. This ensures that if a device is stolen or lost, the loss is purely the cost of the device and not of the confidential information stored on it, which could be worth far more to the organisation.
Many companies have learnt from their experiences and are in the process of securing critical data by taking the necessary steps. Yet they still have a long way to go.
megha@expresscomputeronline.com