• PC World
• » Networking & Wireless

Recognizing the growing popularity of mobile computing devices such as handhelds, personal digital assistants, and smart phones, companies are rolling out a host of new products to secure data and communications on portable devices.

From disposable soft tokens to virtual private network software for PDAs to security management software for mobile devices, security companies are catching up to and cracking down on mobile users. In September alone, Trust Digital, RSA Security, and ION Networks announced security products targeted at users of cell phones, PDAs, and other mobile devices.

"Companies have more mobile workers than ever, and they want to give [those workers] all the tools they need to do their job effectively," says Laura Koetzle, an analyst at Forrester Research in Cambridge, Massachusetts.

However, much of the infrastructure that enables mobile computing is inherently insecure, according to Koetzle, who notes that the 802.11b wireless protocol and encryption technology such as wired equivalent privacy used by laptops and handheld devices have proven easy to exploit.

Supply and Demand

For companies like Trust Digital of Fairfax, Virginia, concerns such as those raised by Koetzle, coupled with the rapid adoption of portable computing devices in information-sensitive sectors like the federal government and the health care industry, has meant increased demand for their line of data security solutions for portable devices such as PDAs and smart phones.

"In the last 12 months, we've seen tremendous growth in the use of PDA devices and the ways in which they are being rolled into the enterprise networking environment," says Kevin Shahbazi, vice president of marketing at Trust Digital, which last week announced the release of PDASecure, VPN software that can be run on PDAs using Microsoft's Pocket PC and Palm's PalmOS operating systems and comes with a per-device licensing fee of $40 per year.

According to Shahbazi, the small size of PDAs and their role as tools of convenience present unique problems for security software makers like Trust Digital that are targeting the PDA market.

"The biggest fears of the CIOs we speak with is that [employees] will lose [portable] devices or never invoke passwords and security on them," says Shahbazi.

Invisible to the End User

The trick, say Shahbazi and others, is to make security both compulsory and transparent to the mobile computing user.

"The average end user doesn't want to know about the idiosyncrasies of VPN. They want to connect to a remote application, see that the tunnel is secure, then go ahead and send information," says Shahbazi.

"There's a definite trade-off between wanting to provide customers with peace of mind and not wanting to make [security] such an imposition in the way they do things that they'll say, 'Oh forget it'," says Charles Golvin, a senior analyst at Forrester Research.

The same themes can be seen in the growing number of configuration management software solutions that are being marketed to organizations--from public utilities and police forces to vending machine operators and insurance companies--with mobile workforces that rely on mobile computing devices.

Filling the Holes

Mobile Automation's new Mobile Life Cycle Management Suite uses a software agent installed on a portable device to enable IT administrators to push software updates, applications, and configuration changes from a central server out to mobile devices over a secure connection, according to Doug Neal, chief executive officer and cofounder of Mobile Automation of Santa Monica, California. According to Neal, his company's software fills what was a gaping security hole for many companies with mobile workforces.

"Commonly, companies would have to manually maintain [mobile] devices...send technicians out into the field, or wait until the quarterly sales meeting for everyone [with a mobile device] to be in one place, or send out a CD and leave it up to users to maintain their own devices, " says Neal.

Despite the attention being given to securing communications from portable devices, however, some see the recent spate of new product announcements as a natural step in the evolution of corporate networks from static, wired to mobile and wireless entities.

"There's a lot of noise in the discussion [about security for portable devices]," says Forrester's Golvin. "There are certainly security issues--802.11b, which has been broken and proven to be for an enterprise a completely inadequate defense mechanism, for example. But if you look at the wireless LAN issue, it's no different from other network security issues. Companies don't just send proprietary information over their wired network unprotected, nor should they send them over the air unprotected."

Software Tokens

While some companies see portable devices as a security hole that needs to be plugged, others see them as a powerful tool in making networks and the Internet more secure.

Both RSA Security and ION Networks unveiled disposable soft token technology in September that use portable devices to push out one-time secure software "tokens" that can be used by remote workers to log on to sensitive network infrastructure. Like the smart cards they replace, soft tokens allow two-factor authentication--a user must be in possession of the portable device that will receive the secure token, and must know a password associated with the token in order to log on to a secure network.

Unlike smart cards, however, soft tokens can be generated at almost no cost, cannot be lost or stolen, can carry policies that limit user access once logged on, and are deactivated after a single use, according to Kam Saifi, chief executive officer of ION Networks of Piscataway, New Jersey.

ION's Secure Soft Tokens software can be used with the PalmOS, Research in Motion's BlackBerry, and Microsoft operating systems. Soft Tokens licenses are available to customers using ION's Secure PRIISMS Administrator Portal software at a cost of between $200 and $400 for each network access point that is being secured using the software. Customers are then entitled to an unlimited number of tokens for use in connecting to that network access point.

RSA's RSA Mobile product also supports a wide range of mobile platforms and is targeted toward larger organizations. RSA Mobile comes with a per-device licensing fee ranging from $5 to $10 per year and is sold in packages starting at 100,000 licenses. The price includes the cost of the RSA Mobile Server software.

Analysts agree that the emergence of soft token technology such as RSA's and ION's highlight some of the promise of portable computing devices when it comes to spreading awareness of network security issues.

"These solutions use a channel that is widely available, [soft tokens technology] is something that's fairly simple to explain, and it requires a behavioral change to consumer--but not that much of a change," says Golvin.

• See more like this:
• mobile,
• security,
• VPN,
• PDASecure,
• software tokens,
• PDA,
• handheld,
• wireless,
• 802.11b,
• network