ENTERPRISE SECURITY FOR MOBILE COMPUTING DEVICES
Abstract
Enterprise security plans must now ensure the protection of data residing on mobile computing devices. But the inherent lack of physical access controls on mobile devices creates special challenges that must be resolved to provide effective and practical security. This paper is intended for security officers and staff of large organizations seeking to protect sensitive data on mobile computing devices.
Executive Summary
Mobile computing devices such as notebook PCs, PDAs and smart phones have become an indispensable part of the modern enterprise. Unfortunately, the very portability that makes these devices attractive greatly increases the risk of exposing confidential data, of allowing network penetration, and of "importing" infections inside the network. The core problem is that the majority of mobile devices lack the physical and electronic access controls necessary to maintain security in non-secure environments. As a consequence, data stored on mobile devices is much more "at risk" than transmitted data. User-controlled authentication and discretionary file encryption cannot provide sufficient or dependable security for enterprises. Only security products that combine enforceable, mandatory access control and automatic encryption provide the foundation for securing mobile devices. But even these mechanisms are not sufficient; in an enterprise setting, a special security infrastructure is required to deploy and maintain the security regime on multiple types of devices regardless of location. Pointsec security products offer the physical and electronic access control features essential for securing mobile devices, and the infrastructure necessary for enterprise usage.
Mobile computing devices have become part of the enterprise information and security infrastructure
Seemingly endless numbers of mobile computing devices are being deployed by organizations as a primary or auxiliary work platform. A wide range of machines including notebook PCs, tablets, handhelds, PDAs and smart phones are used for production, not just reference, in a growing array of applications. This important trend is driven by pressures to reduce operating costs, improve service, and create greater flexibility. Less obvious is the fact that mobile devices increasingly contain the most confidential and valuable information found in many organizations; in fact, one study indicates that about two-thirds of "fresh and critical business data" resides on employee workstations, not on servers. Proprietary company files, passwords, user credentials, and logon scripts are frequently found on mobile computers. Company email stored on portable PCs and Web-enabled cell phones can also contain sensitive information.
© Copyright 2002 Pointsec Mobile Technologies, Inc. All rights reserved
Even without special security issues, the sheer number of mobile devices being deployed forces organizations of all sizes to consider the protection of data on mobile devices as an essential part of enterprise security planning. Ultimately this means that mobile device security must be of sufficient strength and sophistication to enforce and support corporate security policy. The crucial test is whether a given piece of data can reside as securely on a mobile device in a public place as it would on a desktop device within the company security perimeter. The realization that mobile device security is a permanent enterprise security issue leads to the conclusion that it cannot be viewed as an "add-on" expense any more than door locks can be considered an optional feature of a building. The real issue is not ROI but prudent management of vital corporate resources. When viewed from the enterprise standpoint, the general requirements of mobile computer security become clear. The security mechanism must:
i) Protect confidential data at a specific level of security as defined by company policy
ii) Be scalable, easily deployable, and very robust
iii) Not inconvenience or deter users or impair machine performance
iv) Enable the organization to comply with applicable Federal regulations that mandate information security, such as the Health Insurance Portability and Accountability Act (HIPAA) governing health care organizations, and the Gramm-Leach-Bliley Act (GLBA) pertaining to financial institutions
v) Pr...