Securing The Mobile Enterprise

by Sohini Bagchi    Jul 11, 2005

The proliferation of laptops, personal digital assistants (PDAs), and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has enabled the workforce to access valuable enterprise information even outside the standard office environment.

This has indeed resulted in improved productivity, streamlined operations and the creation of new revenue sources. Conversely, the trend has also mounted pressure on companies to provide more flexibility and remote access to their employees. As data travels outside the boundaries of a company’s secure LAN firewall and over public networks, companies are gearing up to secure their mobile enterprise, with technology vendors offering a complete security infrastructure for protecting this mobile data.

“The cornerstone of any security strategy is user authentication. Hence, a password should be required before a mobile user can synchronize with a back end database or browse information stored on a company server,” said B. Ashok, senior vice president, IT-services, Cisco Systems, India and SAARC. His advice to CIOs is to use mobile device management software to ensure that users have not circumvented security measures or stored their password in a file on their device.

Synchronization tools for PIM, e-mail, or enterprise data should be able to support managed, server-based synchronization. When transmitting data, one needs to ensure that it is secured from end-to-end. Any mobile middleware solution should operate on a secure connection for both data synchronization and client/server communications. With regard to this, many companies are turning to a relatively young technology, Secure Sockets Layer Virtual Private Networks (SSL VPNs), to provide a full range of remote access while ensuring maximum security. VPNs have been widely deployed by enterprises as a cost-effective and secure means to connect remote users with internal corporate resources.

“SSL VPN protocol allows a client application to verify the identity of a server, and ensure that they communicate only with servers they trust and are used for remote and mobile access in a world where IT may not control the network, user or desktop. In fact, SSL has become the de facto protocol for securing Web transactions and messages over the Internet, and is included in all standard browsers along with most Web server products,” said Rakesh Singh, general manager, Asia, NetScaler.

However, Ashok argues, “SSL is not always the right technology. IPSec is a more viable technology when it comes to intra-enterprise site-to-site connectivity, and it works better when traffic from a large number of applications needs to be secured. Essentially all flavors of VPN have their pros and cons.”

Today, organizations of every size also need to protect sensitive data from increasingly sophisticated security threats like data theft, network security breaches, virus attacks, and hardware loss. Speaking on safeguarding in case of theft of mobile devices, Narayanan Krishnamurthy, consultant, Lenovo India, opines, “The Embedded Security Subsystem (ESS) in Lenovo offers a unique suite of hardware and software-based security solutions. These solutions complement each other to provide robust, comprehensive and individualized levels of security.”

To prevent disclosure of the data stored on a mobile device, his advice is to encrypt sensitive data, which can be stored on hard disks, in persistent memory, or on removable flash cards, and to encrypt the entire file system when using data outside of a database, such as in a spreadsheet. “One of the cheapest and most cost effective solutions to deter thieves is to attach a security cable to your laptop,” adds Krishnamurthy.

However, the biggest threat to the security of corporate systems and data is often the company’s own users, who disable security mechanisms and configurations in order to save a few seconds when logging in or synchronizing data.

“Safeguard your mobile assets such as your machines, devices and data through centralized management. Protect and enforce system configurations by automatically identifying and correcting devices where users have defeated password protection by storing the password on the device, or changing security configuration options,” advises Ashok.

According to Ashok, data encryption is not the only safeguard against unauthorized data access on lost devices. Enterprises should fight back with centralized management software by enabling a self-destruct policy that destroys confidential data on a lost device.

Recently there has been an increase in the deployment of security solutions in government, public sector units, banks, and insurance. A number of the technologies that have been introduced aim at reducing the security risks of online computing. The most promising of these include intrusion protection, vulnerability management, threat and early warning systems, firewalls, content filtering and e-mail security.

Airing his views on CIO concerns on security, Muthu Kumar, MD of Aventail India, said, “Whether the security solution meets the immediate and future security requirements of a company is the prime concern of any CIO today. Enterprise IT heads are more concerned about integration of existing applications, servers and network to provide the right mix of security and functionality.”

Security auditing and penetration testing, along with identity management software, are becoming more common. The Cisco Security Agent, which offers threat protection for server and desktop computing systems, helps to reduce operational costs by identifying, preventing, and eliminating known and unknown security threats.

“It is all the more important to have an IT and security policy in line with the company’s business policy. This should be translated into deployment procedures and monitoring mechanisms. A review of security within the organization should be seen as an investment rather than as an overhead,” sums up Ashok.

With an array of options available to secure mobile devices, enterprises are currently looking at investing in security based on the investment made in their IT security infrastructure.