Mobile Security: Where Risk Meets Opportunity, Part 3

As your most valuable customers adopt the latest mobile devices, you will need to know how to protect them. This article describes the wide variety of value-added services you can offer to your corporate road warrior clients.
Smartphones and PDAs have grown more capable and connected, but many mobile professionals use these devices without protecting the data they store and send. ISPs can offer mobile security products and services to help subscribers mitigate these risks.

In Part 1 of this series, we introduced common mobile device capabilities.

In Part 2 of this series, we described security threats and OS defenses.

Here in Part 3, we explore after-market products that can be re-sold or used as a platform for offering secure mobile networking services.

Today's Windows Mobile, Symbian, Palm, and BlackBerry-based devices incorporate a number of built-in security measures, from power-on PINs and secure web browsers to crypto libraries and privilege levels.

These measures provide basic defenses against threats like misuse of a lost device, wireless eavesdropping, and system file tampering. But that still leaves plenty of room for after-market solutions that add required functionality or enable IT control over otherwise unmanaged mobile devices.

Access controls
Basic device locks can be strengthened by policy enforcement programs that ensure PINs or passwords meet minimum security standards for length, complexity, uniqueness, and freshness. Some of these programs can also disable or hard-reset a mobile device during a password-guessing attack, or let users safely recover a forgotten PIN without requiring a return trip to the office or a help desk call.

TealLock

For example, TealLock (see above) defines Quick, Full, and Emergency passwords. Users get just one try at entering their short password. If they fail, the longer full password is required. If a user forgets his full password, the emergency password can be used to unlock the device.
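The escalation described above, combined with the disable-on-guessing behavior mentioned under Access controls, can be modeled as a small state machine. This is an added example, not TealLock's code or any vendor's; the `TieredLock` class, the five-failure limit, and the PBKDF2 storage of passwords are assumptions made for illustration.

```python
import hashlib, hmac, os

MAX_FULL_FAILURES = 5  # assumed limit before the device is disabled


def _derive(secret: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of each password, never the password.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class TieredLock:
    """Hypothetical model of a quick / full / emergency unlock scheme."""

    def __init__(self, quick: str, full: str, emergency: str):
        self._salt = os.urandom(16)
        self._hashes = {name: _derive(pw, self._salt) for name, pw in
                        (("quick", quick), ("full", full), ("emergency", emergency))}
        self.quick_allowed = True   # quick password gets exactly one try
        self.failures = 0           # consecutive failed full/emergency tries
        self.disabled = False       # stands in for a disable or hard reset

    def _matches(self, tier: str, attempt: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._hashes[tier], _derive(attempt, self._salt))

    def unlock(self, tier: str, attempt: str) -> str:
        if self.disabled:
            return "disabled"
        if tier == "quick":
            if not self.quick_allowed:
                return "full-required"
            if self._matches("quick", attempt):
                return self._success()
            self.quick_allowed = False  # one miss escalates to the full password
            return "full-required"
        if tier in ("full", "emergency") and self._matches(tier, attempt):
            return self._success()
        self.failures += 1
        if self.failures >= MAX_FULL_FAILURES:
            self.disabled = True
            return "disabled"
        return "denied"

    def _success(self) -> str:
        self.quick_allowed, self.failures = True, 0
        return "unlocked"
```

Because the quick password is short, the single-try rule is what keeps it from being the weakest path: after one miss, an attacker faces only the longer passwords and the failure counter.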

Alternatively, PINs or passwords can be replaced with authentication methods that make mobile devices easier to use legitimately and/or harder for a thief to compromise. For example, VoiceSecureIt lets a user unlock her Palm PDA or smartphone by speaking a defined "voiceprint phrase" instead of typing a PIN. One of several alternatives implemented by SafeGuard PDA is X.509 certificate logon using an MMC card (i.e., logon fails if the PDA is stolen without the user's MMC card).

Compared to laptops, PDAs and smartphones are used more frequently for shorter tasks, requiring these mobile devices to be instantaneously available. Access controls that get in the way tend to get disabled; this is why most OS-supplied PINs go unused.

To balance usability and security, some mobile security programs let you control access more selectively—for example, requiring a user password to read e-mail, an administrator password to install software, but no password at all to answer phone calls. Instead of locking the device itself, these access controls may actually unlock encrypted data associated with the application (e.g., phone book, mailbox, registry).

This article was first published on ISPPlanet.com.





