It’s now well established that mobile devices improve employee productivity and extend the reach of a business. With that extended reach, however, come vulnerabilities. PDAs, laptops, ultra portables, tablet PCs and smartphones with wireless connectivity can now contain massive amounts of sensitive corporate and customer information. It’s the very presence of customer databases, sales forecasts, source code or confidential employee e-mail on these theft-prone devices that presents a serious security challenge. Data theft, unauthorized data access and data interception over a wireless connection should be concerns as well. While the proliferation of 802.11x networks and cellular modems has made it easier to synchronize a significant amount of mobile device data with your network, it has also aided the work of hackers, intruders and thieves. One way of preempting each of these problems is to adopt a managed, remote control service as part of an overall strategy for securing your extended network.
The Real Cost of Convenience
For those who expect the cost of theft or loss to be simply replacing the device, think again. To start, the affected employee will lose untold productivity, and the time and cost to restore the data will have a direct impact on your IT staff, pulling them away from other projects. There are other indirect costs that may not be felt immediately but will affect the bottom line nonetheless. If proprietary or strategic corporate data winds up in the hands of a competitor or hacker, the cost is incalculable. If you have not taken adequate steps to protect your mobile devices from data theft, the implications and costs may be enormous.
In addition to these costs, many organizations are affected by regulations or privacy policies that mandate they secure sensitive data. For example, the Health Insurance Portability and Accountability Act (HIPAA) is a concern for businesses that work with medical data, and the Gramm-Leach-Bliley (GLB) Act affects companies working with financial records. Both acts impose monetary penalties on companies that fail to protect certain private information.
Potential Solutions Abound
These direct and indirect costs should encourage you to look closely at the methods you use to protect your mobile devices. Certainly, remote access solutions such as IPSec and SSL VPN can alleviate some of the security concerns. Specifically, SSL VPNs are becoming a widespread choice for accessing e-mail and applications through a Web browser. However, VPN deployment and administration can be challenging if the solution does not integrate well with critical applications and legacy systems. In addition, a VPN might weaken security if you cannot precisely manage access control and enforcement of your security policies. A poorly configured VPN can potentially compromise confidential data stored locally on the device as well as data on your network.
Any mobility initiative should also include methods for securing the device itself. One of the most basic requirements is proper user authentication that occurs at device start-up (e.g., passwords, fingerprint scans). Ideally, this authentication is coordinated with your corporate security policies. Furthermore, if application data resides on the device, you can secure the data itself so only authorized users can access it. For example, file encryption tools are widely available to automatically encrypt and decrypt files on-the-fly. These security measures can provide some comfort, but in reality, most organizations make little effort to provide serious protection for devices. Many mobile devices may not support your centralized corporate authentication methods or other security policies. Compounding the problem, most users do not have the skills or motivation to maintain proper security practices with their devices.
Aside from software locks to prevent access, keeping the hardware itself out of sight of potential thieves is a good place to start. Coach your employees on techniques and protocols that can help stave off those who might pick up a PDA or laptop left out in the open. Often, it’s the one time employees choose to turn their backs for a moment that results in the loss of costly hardware and data.
Minimize Data Theft
One solution that enterprises are implementing to avert costs, reduce complexity and improve security is to avoid putting critical data on the device in the first place. By deploying a remote control service, employees can access their important information on a mobile device directly from their office-based workstation. Typical remote control solutions use screen-sharing technology to access data where it resides, instead of synchronizing it with a device.
There are several security advantages to remote control solutions:
• Data is not compromised if the device is stolen or lost. Because the data never resides on the mobile device itself, it remains secured on your network. This avoids the security issues present with VPN technologies, which make a device a node on the network. As long as the user employs secure password practices, confidential information is protected, even if the device is stolen.
• Problems from data failure are minimized. The remote control model provides protection against data failure. Because the information is located safely back on the corporate network, remote access can guard users from losing data due to a hard disk crash or other data failure.
• Corporate network and security policies remain intact. With a remote control solution, users are accessing their network-based PC back at the office; therefore, network-based authentication policies, antivirus software, firewalls, network intrusion mechanisms and other security measures remain intact.
• Attacks on the mobile device will not compromise the data. With a remote control solution, the mobile device does not establish an unconstrained network connection that can be used to directly access the corporate LAN (unlike a VPN connection), so worms or viruses are isolated on the device and unable to affect data on the corporate network.
• Reduces complexity of connecting devices to your corporate network. The IT department must deal with increasingly disparate methods for connecting wireless devices to the corporate network and application services. Technology solutions such as VPNs are often inadequate or present additional security challenges. A remote control solution can complement a VPN solution or provide a secure standalone connection to corporate data.
By offloading much of the implementation effort to a Web-based, managed remote control service, you reduce costs and the load on your security team. A managed remote control service can reduce deployment time because the IT team does not need to implement servers or configure software.
If a managed remote control service looks like it might be right for your mobile organization, there are a few key features to look for:
• Pre-configured security. Find a solution that has pre-configured basic security that does not require activation or configuration by users. Do not trust corporate security to features that users manage themselves.
• Data encryption. The solution should provide an adequate level of data encryption during remote control sessions to protect against network snoops. Look for a recent encryption standard that offers a minimum of 128-bit encryption. This encryption level is imperative for maintaining compliance with mandates such as HIPAA.
• Strong user authentication. At a minimum, look for good authentication methods (strong passwords, multiple passwords, end-to-end password encryption) to confirm a user’s identity. Two-factor authentication or a one-time password system provides an additional layer of security.
• Centralized remote administration. If a device is stolen or lost, it’s imperative that an administrator can immediately deactivate the account from anywhere using a Web-based administration console.
• Report or usage log generation. Reporting and logging are useful for auditing to spot suspicious usage or trends. Reporting also makes it easier to track costs for charging the solution cost back to the appropriate department.
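As an added illustration (not from the article or any vendor's product), the sketch below shows how the usage log from the last item can be audited against the other checklist items: sessions on an account an administrator has already deactivated, and sessions negotiated below 128-bit encryption. The log format, account names and the optional two-factor policy check are all assumptions made for the example.

```python
from datetime import datetime

MIN_KEY_BITS = 128  # minimum encryption strength named in the checklist

# Constructed sample data (hypothetical): account -> time the admin deactivated it
DEACTIVATED = {"jdoe": datetime(2024, 3, 4, 9, 30)}

# Constructed log lines in an assumed format:
# timestamp account device cipher_key_bits auth_factors
SAMPLE_LOG = """\
2024-03-04T08:15:00 jdoe pda-17 128 2
2024-03-04T10:02:00 jdoe pda-17 128 2
2024-03-04T11:40:00 asmith laptop-3 56 2
2024-03-04T12:05:00 bchan phone-9 256 1
2024-03-04T12:30:00 bchan phone-9 256 2
"""

def parse_line(line):
    """Split one log line into typed fields; raises ValueError if malformed."""
    ts, account, device, bits, factors = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "device": device, "key_bits": int(bits), "factors": int(factors)}

def audit(log_text, deactivated, min_bits=MIN_KEY_BITS, require_two_factor=True):
    """Return (line_number, finding) pairs for sessions that break policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            s = parse_line(line)
        except ValueError:
            # A record that cannot be parsed is itself worth an auditor's look.
            findings.append((lineno, "unparseable"))
            continue
        cutoff = deactivated.get(s["account"])
        if cutoff is not None and s["time"] >= cutoff:
            findings.append((lineno, "session-after-deactivation"))
        if s["key_bits"] < min_bits:
            findings.append((lineno, "weak-encryption"))
        # Assumed policy: the article treats two-factor as an extra layer,
        # so this check can be switched off.
        if require_two_factor and s["factors"] < 2:
            findings.append((lineno, "single-factor"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_LOG, DEACTIVATED):
        print(f"line {lineno}: {finding}")
```
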
Securing a Strategy
Maintaining data security has never been easy, and the profusion of mobile devices in use today has certainly complicated the task for many IT departments. Don’t let these security issues become a deterrent to implementing mobile solutions on a wider scale. Providing the appropriate access strategy enables you to achieve a more responsive, collaborative, connected and protected workforce. By partnering with a managed remote access service for your mobility initiatives, you can alleviate some of the risk, improve security, lower costs and attain the benefits of a true extended enterprise.
Klaus Schauser, Ph.D., is chief technology officer at Citrix Online, A Division of Citrix Systems.