Mobile Security:
Where risk meets opportunity, Part 3:
Additional Value-Added Security Services
— page two

by Lisa Phifer
VP Core Competence, Inc.
[July 28, 2006]

Stored data encryption
Encrypting all or some data stored on a mobile device is a popular way to boost that device's factory-default security posture. BlackBerries include a content protection option that encrypts data when the device is locked. For other PDAs and smartphones, many after-market programs are available to hide stored data from intruders.

Some programs just encrypt sensitive values, from user-supplied passwords and credit card numbers to application databases that malware might try to read or over-write. You can find many freeware and commercial examples by searching for "E-Wallet" or "Password Safe" at sites like PocketGear or MySymbian.

Other programs offer full-device encryption, preventing any data from falling into the wrong hands should the PDA be stolen, compromised by malware, or penetrated by a wireless attack. The extent of data covered by encryption varies—for example:

SecureDoc PDA encrypts data on the PDA itself and on removable media (CF, SD, MMC cards), and prevents encrypted data from being synchronized onto a desktop without a password.

Airscanner Mobile Encrypter (shown at right) supports both folder/file encryption and mounted volume (virtual directory) encryption, where volumes are decrypted when mounted and auto-encrypted when dismounted.

Protection strength depends on encryption algorithm, data integrity checks, and how keys are generated and stored. Some programs use OS-supplied crypto functions, while others use vendor-supplied modules that add speed and/or strength. For example, Utimaco SafeGuard products use the same private 128/256-bit AES crypto module on both Windows Mobile and Win32, letting data scrambled on a mobile device remain protected when synchronized onto a desktop. Pointsec provides full-time, transparent NIST FIPS 140-2 Certified encryption for Windows Mobile devices.

Companies subject to industry regulation or privacy laws may need to meet minimum encryption strength or certification requirements. They may also require creation and collection of audit logs that track when protected data is accessed, and by whom. In fact, many companies are being motivated to invest in data protection to comply with mandates like HIPAA and SOX, creating a lucrative opportunity for suppliers.

Secure communication
As described in Part 2, mobile OSs have expanded support for protocols that deter over-the-air eavesdropping and forgery. When newer mobiles send data over 3G cellular, Wi-Fi, or Bluetooth, measures are often available to protect that communication. However, they may not be enabled. In particular, Wi-Fi and Bluetooth security measures are disabled by default and rarely used when connecting to public hotspots or headsets, respectively. Furthermore, wireless security ends when mobile data is routed onto the public internet. Many businesses require more, securing communication end-to-end, between client/server or user/gateway.

Traffic sent to secure websites or secure enterprise servers may be protected by built-in protocols like SSL. To support other enterprise applications or provide a consistent solution for heterogeneous mobile devices, mobile groupware products can be added. For example, BlackBerry Enterprise Solution provides over-the-air security and central device management for BlackBerries. Goodlink Mobile Messaging provides secure over-the-air messaging and device management for Windows Mobile and Palm OS devices. SEVEN offers secure e-mail access for individuals, small businesses, workgroups, and larger enterprises that use a variety of mobile devices. Competition in this arena is hot; several patent infringement suits were recently filed by Visto. One way that ISPs might tap this emerging market is by hosting mobile groupware servers for SMBs that lack the bandwidth, capital, or staff to roll their own.

Some companies may prefer to add PDAs and smartphones to their existing VPN. Providers who offer managed remote access VPN services can use embedded VPN clients found in Windows Mobile and Symbian. If those prove incompatible with your flavor of VPN, after-market clients are available from many sources, including Mergic (PPTP VPN), Bluefire (IPsec VPN), and Aventail (SSL VPN).

Mobile workers who use more than one wireless network, or who need to stay connected when moving through no-coverage areas, are better served by a VPN that provides seamless roaming and application session persistence.

Mobile VPN products from companies like Columbitech and Ecutel have been used by field staff for years, focusing on situations where conventional VPNs are just too hard to use.

For example, NetMotion Mobility XE (see right) secures data end-to-end, from a VPN gateway, through the internet, across wireless links, to Windows Mobile devices. When coverage is disrupted, or the device enters power-save mode, application sessions are maintained. When wireless coverage resumes, the VPN client automatically chooses the "best" available link and applications just continue where they left off.

Wireless carriers have already started to offer mobile VPN solutions like these. ISPs may want to add mobile VPN services to their managed VPN portfolio, helping them retain customers as remote workforces move from dial-up to hotspots and 3G wireless.
