IT managers are using middleware as the strong arm to help enforce mobile security policies.
By Arielle Emmett
There is no electronic convenience worth the threat of injuring an already sick child. That’s why Schon Crouse, a mobility support analyst at Columbus Children’s Hospital in Columbus, Ohio, the fourth largest pediatric hospital in the country, took special care to ensure the security of patient information when the hospital deployed its first mobile solution almost five years ago.
Initially, the hospital sought to make the training and record keeping of 135 new physician-residents easier, says Crouse. The residents received Palm PDAs to keep track of medical procedures they performed on young patients. The Palms were also loaded with medical calculators, a book reader and a pharmaceutical formulary providing bedside access to drug interaction data. And finally, the Palms were synchronized with desktop databases (initially via a cradle) through OneBridge, a mobile infrastructure platform originally owned by Extended Systems and now a part of Sybase’s iAnywhere. The use of OneBridge allowed for quick user authentication and the loading of several applications at once using executable files.
“What used to take hours took 10 minutes to load, and we had quality control for the entire suite of applications,” Crouse says. When the Palm application was deployed, however, new security challenges arose. “Some of the devices had medical information on them, so that whenever a resident or doctor went into a patient’s room, he’d have the patient’s medical number and a record of procedures, symptoms and other information,” says Crouse. Hospital IT had to ensure that all of those records were kept confidential.
“Security has been very important to us,” Crouse explains. “Today, whenever a resident or doctor goes into a patient’s room carrying a device … the mobile platform enabling the application encrypts any communication, whether [by] cradle or wireless.” Residents get a power-on password on their Palm devices, which is changed frequently, and the OneBridge server also distributes application updates, configurations and new security settings. “Before, when the residents were keeping track of patients with little cards they kept in their pockets, they’d either lose the cards or lose track of the patients,” says Crouse. “Today, if the mobile device gets lost or stolen, we can remotely ‘wipe it,’ eliminating the risk of data loss.”
Mobile Security Compliance: Spotty at Best?
Columbus Children’s Hospital isn’t alone in its concerns about security, and many IT organizations implement protections unevenly. In the mobile world, a delicate balance exists among security, performance, the speed and convenience of application deployment, and database synchronization.
Mobile infrastructure platforms that sit between the client and the corporate server frequently trade off scalability, access and “get it now” performance. Though virtually all mobile platforms now contain several layers of security—for example, power-on passwords, biometric authentication, SSL (Secure Sockets Layer) encryption and virtual private networks—enterprises may not use these measures consistently, if at all.
“The biggest problem we have is the lack of a culture of security,” says Craig Mathias, a wireless LAN expert and principal of the Farpoint Group, a wireless consultancy. Even with security measures readily available, he argues, enterprises lack standards and consistent policies to protect their mobile assets. “You never let sensitive data appear in the clear (without encryption) except to authorized users,” he adds. “People should not be working in IT if they don’t understand that.” Those who don’t understand, Mathias says wryly, “need to be flogged in the public square.”
Though outspoken, Mathias expresses views that are common in the wireless IT community. The trick is not so much using security, since the measures are available; it is developing standards that work across the board, and finding ways to protect mobile data and assets that have already been “lost” through attrition, inattention or theft.
“Device management and security management are the hot topics now—the biggest issues enterprises come across now relate to stolen laptops as a great jumping-off point,” says Pat Hurley, an analyst with TeleChoice. “These kinds of things happen every day, and companies have huge PR debacles as a result. Horrible as that is, though, there’s not a good incentive for companies to work hard at keeping [mobile information] secure.”
Because of compliance issues, most notably those focused on desktop access to centralized corporate data, “most enterprises don’t have a good handle on their mobile devices—where they are and who’s got them,” Hurley observes. “They don’t know what happens when employee Y or Z has a Palm Treo with corporate information on it and he gets fired.”
The fear of mobile security breaches is beginning to catch up with reality, however. Increasingly, mobile infrastructure providers are focusing on device and configuration management that confers security and authentication over the air. Rather than face the loss or theft of proprietary data, IT and even HR departments can now lock down or “wipe” the data remotely from a device. “A lot of [vendors] are calling their products ‘device managers,’” Hurley says. “Applications providers increasingly rely on device management based on SyncML, a middleware product that enables database synchronization and management between a remote device and an enterprise backend.”
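The workflow described above (devices check in with their security state, the management server compares it against policy, and lock, wipe or configuration commands go out over the air) can be sketched as a small policy engine. The following is an added illustration written for this article, not OneBridge, SyncML or any vendor's code; the device fields, the policy threshold and the command names are all constructed for the example, and the fleet it evaluates is made-up sample data.

```python
"""Toy over-the-air device-management policy engine (constructed example).

Not OneBridge or SyncML code. It models the decisions the article describes:
lost/stolen devices and devices whose owner has left get locked and wiped,
and devices that drift from the security baseline get corrective settings.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 30  # hypothetical policy value, not from the article


@dataclass
class Device:
    device_id: str
    owner: str
    power_on_password: bool
    password_set_on: date
    encrypted: bool
    status: str = "active"  # "active", "lost" or "stolen" (constructed states)


@dataclass
class Decision:
    device_id: str
    actions: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate(device: Device, active_employees: set, today: date) -> Decision:
    """Return the commands the server should queue for one device."""
    d = Decision(device.device_id)

    # 1. Data-loss cases: a device that is reported missing, or that belongs
    #    to someone no longer employed, is locked and wiped. Nothing else
    #    matters once the data is gone, so return early.
    if device.status in ("lost", "stolen"):
        d.actions += ["lock", "wipe"]
        d.reasons.append(f"device reported {device.status}")
        return d
    if device.owner not in active_employees:
        d.actions += ["lock", "wipe"]
        d.reasons.append("owner is no longer an active employee")
        return d

    # 2. Configuration drift: push the baseline back to the device.
    if not device.encrypted:
        d.actions.append("push_encryption_policy")
        d.reasons.append("storage not encrypted")
    if not device.power_on_password:
        d.actions.append("require_power_on_password")
        d.reasons.append("no power-on password set")
    elif today - device.password_set_on > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        d.actions.append("force_password_change")
        d.reasons.append("power-on password older than policy allows")
    return d


def plan_commands(fleet: list, active_employees: set, today: date) -> dict:
    """Evaluate every device and return {device_id: [actions]}."""
    return {dev.device_id: evaluate(dev, active_employees, today).actions
            for dev in fleet}


def audit_lines(fleet: list, active_employees: set, today: date) -> list:
    """One human-readable audit line per device that needs any action."""
    lines = []
    for dev in fleet:
        dec = evaluate(dev, active_employees, today)
        if dec.actions:
            lines.append(f"{today.isoformat()} {dec.device_id} owner={dev.owner} "
                         f"actions={','.join(dec.actions)} "
                         f"reasons={'; '.join(dec.reasons)}")
    return lines


# Constructed sample fleet and HR roster; every value here is made up.
TODAY = date(2006, 3, 1)
ACTIVE_EMPLOYEES = {"resident-a", "resident-b", "rep-c", "resident-d"}
FLEET = [
    Device("palm-001", "resident-a", True, date(2006, 2, 15), True),
    Device("treo-002", "emp-z", True, date(2006, 2, 20), True),      # owner was let go
    Device("palm-003", "resident-b", True, date(2006, 2, 10), True, status="lost"),
    Device("ipaq-004", "rep-c", False, date(2006, 1, 1), False),     # never configured
    Device("palm-005", "resident-d", True, date(2005, 12, 1), True), # stale password
]

if __name__ == "__main__":
    for line in audit_lines(FLEET, ACTIVE_EMPLOYEES, TODAY):
        print(line)
```

The early return on lock-and-wipe is deliberate: once the server has decided the data must be destroyed, there is no point queuing configuration fixes behind it, and keeping the two branches separate makes the audit trail (which is the part an auditor or incident responder actually reads) easier to reason about. A real deployment would also need to confirm that the device acknowledged the wipe before closing the incident.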
“Middleware” is almost an archaic term. Five years ago, it was a thing that made mobile apps fly, a promising category of “black box” server software that sat between the wireless device and the central IT shop, abstracting functions of the network and device, translating content, performing functions such as message queuing, security and database synchronization. In addition, middleware was touted as “shielding” programmers from the vagaries of wireless devices and networks, enabling a set of application programming interfaces (APIs) that would reduce the learning curve and provide runtime support.
Middleware has changed, however. With the growing robustness of wireless IP and the advent of Microsoft Web Services and service-oriented architecture, which provided a standardized way for IT developers to plug into backend systems, the need for mobile translation and content repurposing has been reduced. Wireless devices can now “appear” to the network as miniature desktops, fully capable of accessing HTML. They can be thin clients (where virtually all the resources are held on the network) or rich clients.
“A lot of middleware is being subsumed into other categories,” says Mike King, a research director at Gartner. These categories, he and others suggest, have splintered into best-of-breed applications and mobile infrastructure platforms. Some focus on end-to-end mobile messaging and email, rich media (i.e., MMS), virtual private networks, device management, and even better defense management.
“No one black box supports six different types of applications effectively,” says Upal Basu, a VP of marketing for mFormation Technologies, a mobile infrastructure software company providing device management and over-the-air security and customer care to mobile operators such as Telefonica, T-Mobile and Unicel. “While early-generation companies put a lot of device management and content repurposing into middleware, the middleware piece has shrunk,” says Basu. One reason is that middleware no longer needs to translate between enterprise IP and 2G circuit-switched networks. Wireless is now packetized. But Gartner’s King says that middleware functionality is still required to boost security and performance. Given the nature of radio networks, “you’ve got variability, jitter, latency and connection ambiguity,” he says. Wireless devices are also a jungle of options. “One multichannel access gateway vendor reported it had 3,000 different mobile device portfolios,” King observed. Mobile platforms are still required to deal with device variability.
Not everyone agrees with King. With rapid wireless IP evolution and the Web Services model, much of the intelligence and security protection of middleware is being subsumed by the network, argues Farpoint’s Mathias. Eventually, a thin-client model may reign, with the network providing the bulk of security protection. Today, though, leading mobile platform vendors fill that role. Their security suites include multi-level authentication, data encryption and synchronization, device firewalls, remote wipe and lock capabilities, VPNs, SSL for thin clients and IPsec for thick clients.
While there is always a gap between what vendors say and users do, some enterprises remain extremely conscientious about mobile security. For David Kerr, a general manager of NoInk LLC, a GHX company developing software for medical device and pharmaceutical sales, the need to find a secure mobile platform drove him to OneBridge almost six years ago.
“Rather than building out our own middleware, we decided to do a benchmark on several different products,” Kerr explains. The OneBridge mobile infrastructure platform proved the most reliable in benchmark tests in “occasionally connected” hospital environments. “We needed to do robust database synchronization with a fair amount of complex transactions,” says Kerr. Sales rep customers needed a thick client that would enable them to get inventory and pricing information during the rare times in hospitals where they could get a connection. Quick synchronization was obviously a priority.
By 2005, NoInk’s requirements had continued to change, and NoInk LLC became a Sybase partner. Some NoInk customers, including Smith & Nephew Orthopaedics, one of the largest orthopaedic companies in the world, with 700 sales reps, wanted real-time mobile querying and inventory replenishment. “They purchased our NoInk software and we integrated that into SAP, and they’d get the OneBridge synchronization technology along with our software,” Kerr says.
Sales reps carrying iPAQs and orthopaedic toolkits equipped with bolts and screws would record physicians’ activities in the operating room. “For example, if a physician were replacing a hip, the rep would assist the physician with ‘here’s the particular hip stem that’s needed, here are the instruments,’ and if the physician used five screws, the reps would record that with their handheld device, then synchronize it to SAP, and SAP would trigger a replenishment order and an invoice.”
Security and device management became richer. The OneBridge platform now integrates as many as 10 different types of security/authentication provisions, including LDAP, Active Directory, SSL, encryption, singular user authentication and VPNs.
However, Harris acknowledges the trade-off problem. “Customers are paying us for performance. Because our application synchronizes a lot of data down to the device, inevitably it takes a long time.” Users can get frustrated when speeds bog down, “whether it’s bandwidth, handheld processing speed, network speed, security overhead or mobile platform speeds,” Harris says.
Even with store and forward capabilities, getting users to accept a security-laden device with less than instant update performance has been the challenge. “Companies want the exact same security rules exposed on the handheld as they have for desktop users,” Harris observes. “But until we have 100 percent guaranteed wireless access, until hospitals allow connections into these devices with different frequencies, there will be problems. User acceptance is the whole ball of wax.”
Arielle Emmett is the author of Wireless Data for the Enterprise.