Mobile device lockdown

Joanne Cummings, Network World

Saturday, September 29, 2007 1:00 AM PDT

During a home health visit last month in Oklahoma City, a nurse for Integris Health was held up at gunpoint. She escaped unharmed, but was robbed of her company-provided laptop and cell phone. Both devices held sensitive patient data, but Integris wasn't worried. "All of the sensitive files were encrypted," says Randy Maib, senior IT consultant at the company.

Integris uses Credant Technologies' Credant Mobile Guardian software, which provides data encryption for all sorts of mobile devices. "We feel comfortable that we've ensured the protection of our data - which is good, because you never know what's going to happen."

Indeed, securing data on mobile devices, especially as storage capacity grows and size shrinks, is becoming a particularly thorny problem. Vendors have begun addressing the problem, but few provide centrally managed, soup-to-nuts security. With that in mind, here are five basic steps you can take to make sure your mobile data stays safe.

1. Know what to secure

"You have to understand the type of data people are going to access and the risks associated with that data," says Jack Gold, founder and principal analyst at consulting firm J. Gold Associates. "You don't care if an e-mail about three kittens for adoption gets lost. But you do care if it's an e-mail talking about customers or financial issues with Social Security numbers and bank accounts."

Roy Balkus, CIO at Naugatuck Savings Bank in Naugatuck, Conn., takes this advice to heart. After deciding which users need peripherals, CD drives and USB devices, he uses Centennial Software's DeviceWall to control how much access and what type - read-only or read/write - they get. In addition, he provides full hard-disk encryption for mobile laptops. But he doesn't encrypt PDAs or mobile phones. The bank's acceptable-use policy spells out that no confidential or sensitive customer information can be stored on any portable handheld device without IT's permission. "People mainly use PDAs for contacts and calendar. Our business model dictates where we focus the security," he says.

Similarly, Integris' Maib uses Credant Mobile Guardian for file-level encryption, choosing the files to be encrypted according to their sensitivity. Credant provides a central console from which Maib can encrypt based on common file-types. "We're sure security is going where it's most needed," he says.

2. If in doubt, encrypt

Other IT executives would never consider anything less than full disk encryption. That's true of Troy Juntunen, the help desk manager at Battelle, a nonprofit that operates the Pacific Northwest National Laboratory for the U.S. Department of Energy in Richland, Wash. The lab solves complex problems in energy, national security and the environment. Because of the sensitive nature of the lab's work, Juntunen uses Pointsec software from Pointsec Mobile Technologies (now Check Point Software Technologies) to encrypt all data on laptops and other mobile devices, such as PDAs and smart phones. "We need to make sure the data, the procedures and the intellectual property that our scientists and researchers carry around is secure," he says. "If a laptop is stolen, all the thief gets is a nice piece of hardware - not our intellectual property."

The lab provides two layers of protection. First, users have to authenticate to Pointsec before they boot up the operating system. If they can't authenticate, the system locks them out. Second, the hard drive is encrypted, further foiling unauthorized access. "Pointsec uses 256-bit AES [Advanced Encryption Standard] encryption," Juntunen says. "If someone steals a device, and finds they can't get to the system through brute force logon tools, they can't even pull the hard drive and look at that."
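The two layers described above (a secret the user must supply before anything is readable, and 256-bit AES over the data itself) and the file-type-driven selection Integris uses can be sketched in a few dozen lines. The following Go program is an added example written for this article; it is not code from Pointsec, Credant or any product named here. It assumes a constructed policy table of "sensitive" file extensions and derives the AES-256 key from a passphrase with plain SHA-256 so that it runs with the standard library alone; a real product would use a slow password KDF (PBKDF2, scrypt) and would encrypt the whole volume rather than a map of sample files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// sensitiveExtensions is an assumed policy table: the file types a central
// console would flag for encryption. Everything else is left in the clear.
var sensitiveExtensions = map[string]bool{".xls": true, ".doc": true, ".pdf": true}

// NeedsEncryption applies the file-type policy to one file name (case-insensitive).
func NeedsEncryption(name string) bool {
	idx := strings.LastIndex(name, ".")
	if idx < 0 {
		return false
	}
	return sensitiveExtensions[strings.ToLower(name[idx:])]
}

// DeriveKey turns the pre-boot passphrase plus a per-device salt into a
// 32-byte key, which is what selects AES-256 in crypto/aes.
// SHA-256 is a stand-in for a real password KDF (assumption for this example).
func DeriveKey(passphrase string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(passphrase))
	return h.Sum(nil)
}

// Encrypt seals plaintext with AES-256-GCM. The random nonce is prepended to
// the output so Decrypt can recover it; the GCM tag means a wrong key or a
// modified ciphertext is rejected instead of decrypting to garbage.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and returns an error on a short, tampered or
// wrong-key ciphertext.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// ProtectFiles walks a set of files and encrypts only those the policy marks
// sensitive, mirroring file-level encryption chosen by file type.
func ProtectFiles(key []byte, files map[string][]byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(files))
	for name, data := range files {
		if !NeedsEncryption(name) {
			out[name] = data
			continue
		}
		ct, err := Encrypt(key, data)
		if err != nil {
			return nil, err
		}
		out[name] = ct
	}
	return out, nil
}

func main() {
	// Constructed sample "laptop" contents; not real data.
	files := map[string][]byte{
		"patients.xls": []byte("SSN 000-00-0000, account 1234"),
		"kittens.txt":  []byte("three kittens for adoption"),
	}
	key := DeriveKey("pre-boot passphrase", []byte("device-salt"))
	protected, err := ProtectFiles(key, files)
	if err != nil {
		panic(err)
	}
	for name, data := range protected {
		fmt.Printf("%-13s encrypted=%-5v bytes=%d\n", name, NeedsEncryption(name), len(data))
	}
	// A thief who pulls the drive and guesses the wrong passphrase gets an error, not data.
	_, err = Decrypt(DeriveKey("wrong guess", []byte("device-salt")), protected["patients.xls"])
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

The point to notice is the failure mode: with GCM, a wrong passphrase or a single flipped byte produces an authentication error, so there is no partially readable output for an attacker to work from, and the 12-byte nonce plus 16-byte tag are the only overhead added to each file.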

Encryption is not that difficult to do technologically, Gold says. "But there are many companies that just don't do it, and that's a problem," he says. Password protection alone is not adequate for sensitive data, he says.

3. Policy perfection

In addition to encrypting data, organizations need to put formal mobile security policies in place so users are aware of their responsibilities in securing data - and the risks involved in the failure to do so. "Organizations need to say formally, here are the users who have the devices, here is what they can do with them, and here are the kinds of devices we'll support," Gold explains. "If someone's not on the right device with the right security on it, then they can't get on the network. It's that simple."

Unfortunately, what's simple in theory often isn't in practice. At Integris, Maib says he often battles with physicians who buy the latest gadgets and phones and then want to use them to access applications. "It's hard to tell physicians they can't use their brand-new devices, but we're getting to the point where we have to put our foot down firmer and make sure we apply standards across the organization," Maib says.

To handle the support challenge, Integris has one full-time IT employee whose sole responsibilities are testing new gadgets to ensure they can be managed by Credant Mobile Guardian, and making sure users are aware of the company's security policies. "One breach of personal health information could cost us as much as $250,000 per record," Maib says. "We're paying one employee $65,000 a year, plus the price of the Credant product, so we're getting a lot of bang for our buck."

Some tools let users set policies at a central console and then propagate them to mobile devices, ensuring that the devices are standard and meet security criteria. For example, FMC, a diversified chemical company in Philadelphia, uses software from GuardianEdge Technologies to provide full disk encryption on mobile laptops, and to lock out nonstandard PDAs and smart phones from accessing sensitive data on the network.

"GuardianEdge has hooks into Active Directory, so we can put policies in place that encrypt devices or lock out devices based on the Windows ID and password," says Marlene Kolodziej, manager of network operations and client support services at FMC. "And if an external drive is connected to an encrypted laptop, GuardianEdge ensures that the drive is encrypted, too."

FMC doesn't encrypt PDAs and smart phones, but it does use GuardianEdge's policies to control how they access network data. Each device has client software that communicates with the central GuardianEdge server software. "The policies force the user to maintain a PIN to even operate the PDA," Kolodziej says. "If it's been synced to our network and has our data on it, it pulls down a policy that forces it to have a PIN on boot. You can't use the phone without the PIN. And if it doesn't have the client software, it gets completely locked out."

4. Train users

Even companies with solid mobile security policies in place can run into trouble if they don't deliver thorough security training. "The mistake we all make sometimes is we try using technology to solve an educational issue," Kolodziej says. "We must own the process of teaching users how best to protect themselves."

To that end, most companies have either in-person or online mobile-security training, and many require users to sign acceptable use agreements for mobile devices. At Battelle, Juntunen complements mandatory online training with optional lunchtime seminars that focus on all aspects of mobile security. "That training covers things like how you shouldn't leave a laptop on your seat while you use the airplane bathroom - the little things that people don't really think about," he says.

Good training focuses on the key reason - safeguarding data - behind the security measures. "Users need to understand that we're not doing this just to protect our laptop," he says. "The requirements are there to protect the data. That's an important distinction. Once they understand it's not just an IT thing, they're more likely to be on board."

5. Make it easy

Perhaps the most important element of mobile security is ease of use, experts say. "Users are interested in convenience," Gold says. "They're going to resist anything IT puts in place that makes life harder."

FMC's Kolodziej learned this the hard way. The first version of GuardianEdge's software was less than user friendly. "At the file level, it required two passwords, one for the Windows domain and one for the encryption software, and that had a negative impact on productivity," she says. Kolodziej quickly adopted the new version, which provides full disk encryption along with pass-through sign-on. Once a user authenticates to the Windows domain, the logon is passed through to GuardianEdge, which then authenticates the user to the encryption software. User resistance to the security tool has melted away.

Cummings is a freelance writer in North Andover, Mass. She can be reached at jocummings@comcast.net.
