Device-based security has its role, despite competing notions of protecting stored data versus data in motion. In that case, according to the Tower Group’s Bob Egan, keep in mind that the drivers, both legal and “reputational,” if you will, are powerful and the market is small. Smart phones comprise only 2 percent of the handheld market in the United States.
The upshot? Tower Group tracks about 30-40 vendors in this space, and the good news is that they’re serving a need. The limiting factor, according to Egan, is that many are engineer-led efforts in search of business success via hard-to-come-by name-brand partnerships and sales and distribution deals.
“Do they have the right stuff?” Egan asked rhetorically. “And do they have the money and the staying power? Three out of four vendors in emerging markets like this typically go away in less than five years, either because they’re acquired, run out of money or don’t have the right stuff.”
Egan’s advice: “The destiny of security vendors must be built on understanding particular customers’ needs, which may require an industry-specific focus. Each industry requires a specific security product and each industry has its own regulatory burdens.” (Tower Group specializes in the financial services industry.)
None of these points is directed at the specific handset-based security vendors mentioned here, all of whom practice the seemingly ubiquitous approach of combining caveat emptor with gravitas to suggest that you’ve found the right vendor, but perhaps you should be leery of other offerings.
Pointsec Mobile Technologies estimates that 60 percent of security breaches occur from device theft or loss, 25 percent are due to network intrusion and viruses, and 15 percent involve social engineering that tricks a user into revealing personal identity data or critical corporate data.
“The biggest security threat is losing the equipment,” said Bob Egner, vice president of product management and global marketing at Pointsec, which is headquartered in Stockholm (where it is publicly traded), with U.S. offices in Chicago. “I just walk right in the front door, because I have the key.”
Pointsec recommends a security policy based on what content should be stored on an endpoint, putting appropriate technology in place for access control (authentication) and encryption of the stored data, plus anti-virus and anti-malware controls for a secure network. Authentication requires a physical “token” (e.g., in the form of a microSD card) and knowledge (user name and password), so that a thief who has only the device is still locked out.
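To make the “token plus password” model concrete, the following is an added example (not Pointsec’s code or product design) showing how both factors can be bound into the key that protects stored data. The token secret, salt, password and data are constructed for the demonstration, and the cipher is a demonstration construction (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), chosen only because it needs no third-party library; a real product would use a vetted AEAD. The point it shows is that losing either factor, or tampering with the blob, yields nothing, which is exactly the property Egner describes for a lost handset.

```python
import hashlib
import hmac
import os

# Constructed demonstration: stored data protected by a key derived from BOTH a
# token secret ("what you have", e.g. provisioned on a microSD card) and a
# password ("what you know"). Demonstration cipher only, not a vetted AEAD.


def derive_kek(token_secret: bytes, password: str, salt: bytes) -> bytes:
    """Key-encryption key from both factors: the password-derived key is keyed
    again under the token secret, so neither factor alone reproduces the KEK."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(token_secret, pw_key, hashlib.sha256).digest()


def _subkey(kek: bytes, label: bytes) -> bytes:
    # Domain-separate the keystream key from the MAC key.
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode to produce `length` bytes.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(kek: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def demo():
    """Constructed scenario: the legitimate user unlocks the data; a thief who has
    the device and even guessed the password, but not the token, gets None."""
    token = os.urandom(32)   # constructed token secret
    salt = os.urandom(16)    # constructed per-device salt stored with the blob
    kek = derive_kek(token, "correct horse", salt)
    blob = seal(kek, b"customer account list")
    thief_kek = derive_kek(os.urandom(32), "correct horse", salt)  # wrong token
    return open_sealed(kek, blob), open_sealed(thief_kek, blob)


if __name__ == "__main__":
    print(demo())
```

The salt and the sealed blob can live on the device; they are useless without both the token secret and the password, and the tag check means a thief cannot even tell whether a guessed password was close, because every wrong key fails identically.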
“We think that a combination of these factors supports a secure mobile worker,” Egner said.
Pointsec’s centrally managed solution focuses on stored data, as opposed to data-in-motion. Pointsec recommends developing a security policy at the corporate level, which is pushed out to devices used by the enterprise, including smart phones running Symbian Ltd., Palm Inc. or Microsoft Corp.’s Windows Mobile operating systems, and portable storage media such as memory sticks and USB drives.
Dennis Szerszen, vice president of marketing and corporate strategy for privately held SecureWave, with U.S. headquarters in Herndon, Va., said his company’s Sanctuary product is an endpoint software-based solution. Clients determine their own policies on endpoints and company data, then SecureWave “whitelists” allowable devices, behaviors and personnel. (Whitelisting means granting explicit permission to specific devices, people and activities, and denying everything else, rather than the more porous approach of barring an ever-expanding list of things to avoid.) Downloaded data is encrypted, the volume of data is capped, and time windows restrict certain activities to certain hours.
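The difference between an allow-list and a block-list is easiest to see in an evaluator that denies by default. The following is an added example, not SecureWave’s code or policy format: the policy structure, the user, the device serial and the log events are all constructed for illustration. It applies the controls the paragraph lists (specific devices per user, permitted hours, a daily data cap and mandatory encryption of copied data) to a day’s worth of device-control events, and anything not explicitly permitted is refused with a reason.

```python
from collections import defaultdict
from datetime import datetime

# Constructed allow-list policy in a hypothetical format (not SecureWave's own).
# Only what is listed is permitted; an unknown user, device or hour, an
# unencrypted copy or a copy over the daily cap is denied by default.
POLICY = {
    "alice": {
        "devices": {"USB-SN-4C530001"},      # constructed device serial
        "hours": (8, 18),                    # copies allowed from 08:00 up to 18:00
        "daily_cap": 50 * 1024 * 1024,       # bytes per calendar day
        "require_encryption": True,
    },
}


def evaluate(events, policy=POLICY):
    """Return one (allowed, reason) pair per event, checked in allow-list order.
    Bytes only count against the daily cap when the copy is actually allowed."""
    used = defaultdict(int)          # (user, date) -> bytes already copied
    decisions = []
    for ev in events:
        rules = policy.get(ev["user"])
        if rules is None:
            decisions.append((False, "no policy for user"))
            continue
        if ev["device"] not in rules["devices"]:
            decisions.append((False, "device not allow-listed"))
            continue
        ts = datetime.fromisoformat(ev["time"])
        start, end = rules["hours"]
        if not (start <= ts.hour < end):
            decisions.append((False, "outside allowed hours"))
            continue
        if rules["require_encryption"] and not ev["encrypted"]:
            decisions.append((False, "copy not encrypted"))
            continue
        day = (ev["user"], ts.date())
        if used[day] + ev["bytes"] > rules["daily_cap"]:
            decisions.append((False, "daily data cap exceeded"))
            continue
        used[day] += ev["bytes"]
        decisions.append((True, "allowed"))
    return decisions


MIB = 1024 * 1024
GOOD = "USB-SN-4C530001"

# Constructed events, in the shape a device-control agent might log for one day.
EVENTS = [
    {"user": "alice", "device": GOOD, "time": "2006-03-14T10:00:00", "bytes": 10 * MIB, "encrypted": True},
    {"user": "alice", "device": GOOD, "time": "2006-03-14T10:05:00", "bytes": 45 * MIB, "encrypted": True},
    {"user": "alice", "device": GOOD, "time": "2006-03-14T22:00:00", "bytes": 1 * MIB, "encrypted": True},
    {"user": "alice", "device": "USB-SN-UNKNOWN", "time": "2006-03-14T10:10:00", "bytes": 1 * MIB, "encrypted": True},
    {"user": "alice", "device": GOOD, "time": "2006-03-14T10:15:00", "bytes": 1 * MIB, "encrypted": False},
    {"user": "bob", "device": GOOD, "time": "2006-03-14T10:20:00", "bytes": 1 * MIB, "encrypted": True},
    {"user": "alice", "device": GOOD, "time": "2006-03-14T10:25:00", "bytes": 40 * MIB, "encrypted": True},
]


def demo():
    return evaluate(EVENTS)


if __name__ == "__main__":
    for ev, (ok, why) in zip(EVENTS, demo()):
        print(ev["user"], ev["device"], ev["time"], "ALLOW" if ok else "DENY", why)
```

Note that the second event is refused because 10 MiB plus 45 MiB would exceed the cap, while the last one is allowed because the refused copy never counted against it; a block-list approach would have had to enumerate every unwanted device and behavior up front, whereas here the cap, the hours and the device serial all have to match before anything leaves the endpoint.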
“Enterprise needs clear policies on who is allowed to access company data and on what devices,” Szerszen said. “Then we `socialize’ it by letting employees know what are allowable behaviors.”
SecureWave pursues what it characterizes as “low-hanging fruit” markets such as government, banking and healthcare. It has built a side business of testing hardware vendors’ products to see if they’re “enterprise ready.”
Benjamin Jun, vice president of technology for Cryptography Research, said his San Francisco-based company provides security services and technology licensing. Cell-phone security involves four things, he said. First, handsets are “thin” devices, meaning their microprocessors are “wimpy” and their operating systems are “thin.”
“There’s no reason you can’t have good security on a device like that,” he said. “But two things are stacked against it. First, people tend to make things secure after having a history of problems. Also, thin hardware and software makes it more likely that a short messaging application could spill over and affect a banking application, for instance, running on the same device. That’s because there aren’t good protections via hardware or software. Microsoft’s operating system has gotten good because they’ve had problems and have had time to iterate the design. We’re only now starting to see that for handsets.”
Second, handsets are akin to handing out devices with memory that access your corporate network, and they may not have complete amnesia when a session is complete. Third, enterprises switching to a common platform for devices create breeding grounds for viruses and worms by using the same firmware and connecting to the same network; if a virus is introduced, it spreads easily. Fourth, enterprises buying enterprise services from a carrier trust the carrier to deal with security issues, but carriers are positioned to protect against fraud, such as cloning, and are good at that, rather than at protecting the enterprise’s data.
“What enterprises are concerned about-and they should be-is someone picking up a device that’s been lost and accessing corporate data with it,” Jun said. “Data security is something new. We’ve only begun to see smart phones that can do this stuff in the last two years. These are the reasons we should care.”
Encryption can deal with data security, but that can depend on the operating system provider, according to Jun.
“Basically, we have tools that, if you lose your phone, we can remotely turn it into a brick,” Jun said. “That’s the perfect scenario.” But often encryption depends on the user’s diligence, and in recently publicized losses of private data, encryption procedures weren’t used. Thus the value of automatic encryption, as well as policies on access, usage and behavior.
“If you’re an enterprise rolling out mobility, it makes sense to lock down databases to prevent full access to sensitive data,” Jun said. “Our database technologies are not at the point where this can be easily done.”
One major factor to consider when contemplating the authentication and encryption piece of the security mosaic, Tower Group’s Egan concluded, is the trade-off between security and functionality. Put simply, encryption reduces functionality by burdening a handset’s limited processing power, and anything that slows down connectivity also limits the productivity that depends on it.
“You need to balance the performance of security measures while allowing the job at hand to get done,” Egan said. “Technology plays an increasing role in how corporations measure workers’ productivity, which relies on connectivity. So you don’t want to introduce new roadblocks to worker productivity.”