Despite the fact that the use of PDAs poses obvious security risks for companies, little is done to address these security issues. The seriousness of the problem that unprotected PDAs create is evident from a survey conducted for Computer Weekly by PDA security software suppliers Pointsec and Infosecurity Europe. The survey, which questioned 332 IT professionals, found that many of these professionals who regularly use a PDA for business tasks “admitted to downloading the entire contents of their personal and business lives into their handheld device and leaving the information unencrypted and without password protection,” according to a report on the survey by Mobileinfo.
Here are some of the results from the survey that point to the seriousness of security concerns associated with PDAs, along with the details on a new PDA security solution relying on SSL VPN.
The problem with PDAs
According to the survey, items such as passwords, PIN numbers, corporate information, and bank account numbers were among the top 10 pieces of information stored on PDAs. However, only 22 percent of the respondents polled said their employer had a specific PDA usage policy. Forty-one percent of them said they never changed their passwords, and 65 percent of those who store banking details on their PDAs do not encrypt the data. A whopping 71 percent of those storing customer info admitted to not encrypting that data, and no less than 77 percent synchronized the data on their PDAs with their company PC or laptop. Almost 90 percent used their handhelds as a business diary. Bear in mind that those surveyed were IT professionals, so it’s conceivable that other network users with PDAs would score much worse.
With nearly four out of five respondents using their own PDAs for work, the risks are so obvious that Magnus Ahlberg, managing director of Pointsec, advised organizations to ban the general usage of private PDAs. Industry analysts predicted some time ago that, by this year, there would be more than one billion "smart devices" connected wirelessly, with more than half of them Web-enabled, according to an article by Daniel M. Lyon for SANS. According to Lyon, studies have shown that PDA devices have a 30 percent loss rate.
Losing a PDA can also have serious legal implications for employers. Graham Hayday, in a Silicon.com article on PDA security risks, pointed out that “companies holding data about customers, suppliers, and employees have certain responsibilities under the data protection act. If this data is held on insecure devices, companies may be liable for prosecution.”
Hayday’s articles (part one and part two) contain excellent suggestions for making PDA use more secure.
A security solution using SSL VPN
In the light of these security concerns, Aventail Corporation’s announcement of the first SSL VPN to support full anywhere, anytime application access on a Pocket PC is welcome news. It is used to easily authenticate, authorize, and encrypt access across any application or device supported by Pocket PC, including the full functionality of Microsoft Pocket Outlook and Exchange. Support for the Pocket PC will be a standard feature for users of Aventail OnDemand, a Java SSL VPN agent and one of three access options of Aventail's Anywhere Secure Access Policy (ASAP) Platform.
The biggest headaches for IT managers who have a sizable contingent of PDA users are manageability, support cost (time and monetary), and, above all, security (as evident from the sources listed above). The solution Aventail offers addresses all these concerns. IT managers will welcome the comprehensive set of real-time monitoring and reporting tools, taking the guesswork out of managing usage and users, while the system’s tracking features put you in control regarding the use of the SSL VPN system. Another big plus is that Aventail's SSL VPN platform is network independent. Pocket PC users can therefore use any wireless connection, including mobile/cellular connections or wireless LANs.
“As part of the Aventail SSL VPN platform, ASAP customers can incorporate support for Pocket PC into their overall suite of remote access, allowing IT to use the same policy, platform, and product to support remote access via kiosks, laptops, home office computers, and extranets. This helps eliminate security concerns about wireless cards and costly headaches from the device-by-device work required with existing PDA solutions,” according to the company.
Evan Kaplan, president and CEO of Aventail, sums up the benefits by saying, “Allowing the IT department to treat PDAs just like they would a corporate desktop is a huge win for IT and for the entire remote access market. By mixing the significant benefits of Pocket PC with SSL VPN technology, end users get the mobility they need and IT gets to manage an already in-place security infrastructure. This significant milestone provides IT with a common enterprise-ready system that is simpler and less expensive than multiple offerings.”
Secure as a laptop
Aventail comes with excellent credentials. With seven years of SSL VPN experience, it is a recognized leader in this field and has been positioned in the Leader Quadrant for Gartner's Managed Remote Access for the last two years.
But are SSL VPNs the way to go? According to the Gartner report, they are. “The simplicity and portability of SSL VPNs can lower the cost to implement remote user VPNs for company-owned work stations and also for access from non-company systems such as personal computers,” says Gartner. “Enterprises seeking easier and more flexible ways to deploy secure remote access should consider SSL VPNs for new investments, and as upgrades for legacy VPNs.”