Once mobile devices leave the well-protected four walls of the company's building, what keeps outsiders from stealing the information stored on them? This is especially critical given the recent surge in the use of PDAs for applications like patient data collection or sales force automation. The devices now hold customer, inventory, and pricing information that the business has to secure for its own sake, as well as patient or client information that the business may have a legal or fiduciary responsibility to keep secure.
If the devices only stored the data locally and only synchronized locally, the problem would be manageable and containable. But now that the devices have cellular modems, analog modems, 802.11 LAN cards, and Bluetooth LAN controllers built-in, the users expect to be able to synchronize remotely using the cell network, their home network, or an 802.11 connection in their local library or coffee shop. And in many cases, the business application requires that they be able to accomplish this synchronization during the day rather than waiting for a nightly upload or requiring the outbound employee to come back to a home base to synchronize data.
Four areas of security
I've worked with customers to come up with the four major areas that they consider essential in device security. These include:
- Synchronization security: There must be a method of securing the data channel that carries any data between the mobile device and whatever device manages the data connection.
- Device security: Once put on the device, the data must be secured in such a way that the casual nonauthorized user cannot easily retrieve data and passwords.
- OS security: The device must have an operating system or an add-on product that can prevent malicious code from corrupting the operating system, applications, or data on the device.
- Authentication and authorization security: Whenever the client device connects to the corporate network, the user and the device should be authorized to make any changes to the corporate network.
I'll give you an idea of where you can start when considering these security issues in your application and system architecture design.
A synchronization security strategy allows the mobile client to send and receive data through a secured connection that cannot be spoofed or traced. At a minimum, most mobile clients should support HTTP over SSL (HTTPS) so that you can send and receive data between the mobile client and a secure Web site. For more advanced data synchronization and replication scenarios, you should look for solutions based on VPN tunnels, using either PPTP or IPSec. Using a tunneling solution separates the synchronization logic from the application logic and lets you use industry-standard firewalls, routers, and server solutions to build and maintain your secure connections.
A robust device security system should include three elements. First, you should be able to secure the device itself to prevent it from booting up or coming out of a low-power mode without the user being authenticated locally as a valid user. This could be as simple as requiring a password to start the device or as complex as a biometric fingerprint reader like those that come standard on high-end HP iPAQs.
Second, any security credentials stored on the device should be encrypted rather than clear text. These credentials include not only user IDs and passwords but sensitive host system information like machine names and IP addresses. Finally, whenever possible, the application data on the device should be encrypted so that it cannot easily be read and interpreted by another user. You may choose not to encrypt the data for performance reasons or because the data isn't considered valuable enough to protect. You should remember that although it may be convenient to use whatever database facilities the device provides (contacts, electronic mail, calendars) to hold information for your application, these facilities are not normally encrypted.
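As an added illustration of the second and third elements (this is example code written for this page, not code from the article), here is a small on-device credential store in Python. The device unlock password is stretched with PBKDF2 into separate encryption and MAC keys, the credentials (user ID, password, host name, IP address) are encrypted and authenticated, and a wrong password is rejected outright rather than yielding garbage. The blob format tag, the field layout and the use of HMAC-SHA256 in counter mode as a stand-in for AES are assumptions made to keep the example standard-library only; a production client would use AES-GCM from a vetted crypto library.

```python
"""Encrypted credential store for a mobile client (added example, not from the article)."""
import hashlib
import hmac
import json
import os
import struct
from typing import Tuple

# Assumptions of this example: the device unlock password is the only secret the
# user types, so every key is derived from it; the blob layout below is invented.
PBKDF2_ROUNDS = 100_000
KEY_LEN = 32
MAGIC = b"MCS1"          # hypothetical format tag for the on-device blob
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the unlock password into independent encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=2 * KEY_LEN
    )
    return master[:KEY_LEN], master[KEY_LEN:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream: HMAC-SHA256(key, nonce || counter) per 32-byte block.
    This is a stdlib-only stand-in for AES-CTR; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_credentials(password: str, creds: dict) -> bytes:
    """Encrypt-then-MAC the credential dictionary under keys derived from the password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(creds).encode("utf-8"))
    header = MAGIC + salt + nonce
    # The tag covers the header too, so salt/nonce cannot be swapped unnoticed.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_credentials(password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong password fails closed."""
    header_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header_len + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a credential blob")
    header, ciphertext, tag = blob[:header_len], blob[header_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered blob")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample credentials; the host name and address are placeholders.
    sample = {"user": "jdoe", "password": "s3cret", "host": "sync.example.internal", "ip": "10.0.0.5"}
    blob = seal_credentials("correct horse", sample)
    print("plaintext host name visible in blob:", b"sync.example.internal" in blob)
    print("recovered:", open_credentials("correct horse", blob) == sample)
```

The store holds the host name and address alongside the user ID and password because, as the article notes, host system details are credentials too; nothing in the blob is readable without the unlock password, and the authentication tag means a guessed password produces an error rather than a plausible-looking wrong record.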
Operating system security
The news here is both good and bad. The good news is that since the operating system on these devices is typically stored on a chip, it's not easily compromised by viruses. But any application you develop could certainly open the device to potential abuse. And there aren't, as yet, any widely available antivirus solutions for Palm Pilots, Pocket PCs, and programmable cellular phones. This is an area that deserves continual attention from the individual responsible for OS security on mobile devices.
Authentication and authorization security
This is arguably the most important aspect of your security strategy. No data should ever even get to the handheld unless the individual responsible for using it has the appropriate corporate system permissions. Because most of the current crop of mobile devices lacks support for proper corporate systems authentication, many system designers fall back to simpler mechanisms like shared credentials authenticated over a clear-text channel using basic authentication on a Web server.
Wherever possible, look for solutions that support your existing internal standards; don't compromise your internal systems just so the mobile clients "fit in." If you're a Microsoft Active Directory shop, use devices that allow NTLM authentication and authorization protocols. If you're a mixed shop or a UNIX shop, require that devices use Kerberos and can retrieve directory information from an LDAP directory. If the data is valuable enough to give to the user when he or she is inside the building, the same authentication and authorization standards should apply when the user wants to take the data out of the building or use the mobile client to update corporate data remotely.
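As an added example covering both the synchronization-channel requirement above and the fallback the article warns against (example code written for this page, not from the article), here is a Python check that a reviewer could run over captured request heads from a synchronization gateway. It flags synchronization traffic that did not arrive over SSL and requests that carry shared credentials in a Basic authentication header, and it reports only the user name from such headers, never the password. The capture format (a TLS flag paired with the raw HTTP request head), the sample requests and the host name are constructed for the example.

```python
"""Audit captured sync requests for clear-text channels and clear-text
credentials (added example, not from the article)."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed samples: (connection_was_tls, raw HTTP request head).
# The host, paths and tokens are invented; the Basic values encode
# "jdoe:s3cret" and "mwilson:hunter2".
SAMPLE_CAPTURES = [
    (False, "POST /sync HTTP/1.1\r\nHost: sync.example.internal\r\n"
            "Authorization: Basic amRvZTpzM2NyZXQ=\r\n\r\n"),
    (True,  "POST /sync HTTP/1.1\r\nHost: sync.example.internal\r\n"
            "Authorization: Negotiate <spnego-token-omitted>\r\n\r\n"),
    (True,  "GET /sync/changes HTTP/1.1\r\nHost: sync.example.internal\r\n"
            "Authorization: Basic bXdpbHNvbjpodW50ZXIy\r\n\r\n"),
    (False, "GET /status HTTP/1.1\r\nHost: sync.example.internal\r\n\r\n"),
]


def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_auth_user(authorization: str) -> Optional[str]:
    """Recover only the user name from a Basic header for reporting.
    The password half is deliberately discarded so audit output never contains it."""
    try:
        token = authorization.split(" ", 1)[1]
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (IndexError, binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def audit_capture(was_tls: bool, raw: str) -> List[str]:
    """Return the issue codes one request triggers, in a fixed order."""
    _method, _target, headers = parse_request_head(raw)
    auth = headers.get("authorization", "")
    scheme = auth.split(" ", 1)[0].lower()
    issues: List[str] = []
    if not was_tls:
        issues.append("clear_text_channel")          # no SSL: payload and headers readable in transit
    if scheme == "basic":
        issues.append("basic_auth")                  # a reusable shared password rides on every request
        if not was_tls:
            issues.append("clear_text_credentials")  # the combination the article warns against
    return issues


def audit_all(captures) -> Dict[int, List[str]]:
    """Audit every capture; the key is the capture's index in the input list."""
    return {i: audit_capture(tls, raw) for i, (tls, raw) in enumerate(captures)}


if __name__ == "__main__":
    for idx, (tls, raw) in enumerate(SAMPLE_CAPTURES):
        method, target, headers = parse_request_head(raw)
        user = basic_auth_user(headers.get("authorization", ""))
        print(idx, method, target, "tls" if tls else "plain", user, audit_capture(tls, raw))
```

Basic authentication over SSL is still reported, because the reusable password is delivered to the server on every request even when the channel is protected; only the unencrypted case gets the additional clear_text_credentials code. Requests using a Negotiate header (Kerberos or NTLM carried over SPNEGO) pass, which matches the article's advice to make the mobile client fit the existing corporate authentication standard.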