PDA security starts to improve
Handheld security is making rapid advances - and not before time.
As was noted in "PDAs make a comeback", personal digital assistants (PDAs) have returned to sales growth after a few years of modest growth or even decline. After a period where innovation came in small doses, the sector now finds itself dealing with an issue that must have looked very small indeed during the good times of the late 1990s - security.
In fact, this is a theme that urgently confronts the whole mobile computing field as a particular problem. If a device can be taken out of the protection of the network, how can the information on it be secured while it is on its travels? Indeed, how can these devices be protected so that they don't themselves become unwitting Trojans for all sorts of malware to make its way back inside the network when they return?
Let's ignore for now the plethora of products that claim to protect handhelds from the threat of viruses that execute on the device itself. The risk is unproven for the moment, and it is hard to see that the cost justifies the investment. Inevitably, handhelds will need anti-virus protection - especially the Windows Mobile platform - because history tells us you never need less security, always more and different.
Device security can be thought of as having a number of rungs, at the top of which comes the number one priority of information security. The problem with mobile computers - and especially the highly portable computers such as PDAs - is that information and physical security are, unusually, the same thing. Instead of being a secured and probably encrypted resource inside a network, information on a PDA is vulnerable in the event of theft. It all depends on which information is allowed to be held on the PDA, but this is never easy to mandate.
Handheld computer vendors have started making some advances here which put PDAs at the forefront of mobile security thinking. PalmOne's LifeDrive, for instance, goes to some lengths to protect the data itself, including a mixture of file, directory and device passwords backed up by 128-bit encryption. If desired, the intrusion protection feature will erase all data from the computer and return it to factory settings after a user-specified number of failed password attempts. Although based on conventional password security, these are features that have helped the LifeDrive get a U.S. government security certification.
On cue, Microsoft has managed to go one step further. The recently announced Windows Mobile 5.0, which is due to appear later in the year, will include a number of features that benefit customers that use Exchange Server. Most of these are in the area of management, and cover the ability to remotely enforce security settings, including password policies. But one new feature that has been reported is the ability to remotely wipe the data on a Windows PDA running version 5.0 in the event that it is lost (see below).
Customers not using Exchange as their primary messaging system, however, will have to fall back on features similar to those on the LifeDrive, which vary by implementation, depending on the manufacturer.
Utimaco's Safeguard PDA is an add-on software product that takes information security of a Windows device to the next level. Using Microsoft's MMC as its management interface, the corporate version (a personal version is also available) lets IT staff impose password rules, shut down communications interfaces that are not considered necessary or secure (Bluetooth, for instance), and encrypt all data held on the device, including on add-on cards.
Hard resets can also be implemented according to pre-set criteria such as the device not communicating for a certain period of time. The major limitation of the system is that it is designed only for users of Windows Mobile-based PDAs and smartphones.
Conveniently, Patchlink has just announced a new multi-platform PDA security system based on its enterprise Patchlink Update platform, due for release in Q3 of 2005. Supporting Symbian and RIM's Blackberry in addition to PalmOne and Windows Mobile, this will close an important gap for the majority of companies that find themselves using more than one mobile platform at their extended edge. Multi-platform security protection will doubtless become the norm in the next year.
"Managed devices are being handed out but IT people don't have the tools to manage them," says Patchlink CEO, Sean Moshir. "Companies have to comply with the same rules and regulations for handhelds that they do for PCs and servers."
In the case of Patchlink Update's handheld management software, this makes it possible to look after a number of security functions at once using an agent installed on the device. Anti-virus (if that is installed) can be kept up-to-date, policies set for a variety of security parameters including passwords and VPNs, and the device monitored and patched where needed. It can also be properly logged, which means its security state can be assessed for compliance.
If customers use Update for other elements of their software patching and compliance, then they will effectively have a single console for managing this entire function, though the handheld element can also run standalone. As with Windows Mobile, any device in this system can be remotely wiped if it is lost or stolen. It may not, for instance, be possible to directly communicate with a lost device, but this in itself can become a condition for a wipe when it is finally turned on.
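The two locally enforced wipe conditions described in this article (a limit on failed password attempts, and loss of contact evaluated when the device is next turned on) can be sketched as an on-device policy check. This is an added example, not code from any of the vendors mentioned; the class names, field names and the clock-rollback guard are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class WipePolicy:              # hypothetical policy pushed from the console
    max_failed_unlocks: int    # wipe after this many consecutive bad passwords
    max_silence_s: int         # wipe if no server contact for longer than this

@dataclass
class DeviceState:             # must be persisted across power cycles
    failed_unlocks: int = 0
    last_checkin: int = 0      # device clock at last successful server contact
    last_seen_clock: int = 0   # highest clock value observed (rollback guard)

def on_checkin(state: DeviceState, now: int) -> None:
    """Record a successful contact with the management server."""
    state.last_checkin = now
    state.last_seen_clock = max(state.last_seen_clock, now)

def on_unlock_attempt(policy: WipePolicy, state: DeviceState, ok: bool) -> bool:
    """Return True when the failed-attempt limit is reached and a wipe is due."""
    if ok:
        state.failed_unlocks = 0   # only consecutive failures count
        return False
    state.failed_unlocks += 1
    return state.failed_unlocks >= policy.max_failed_unlocks

def on_power_on(policy: WipePolicy, state: DeviceState, now: int):
    """Run before any network contact; return a wipe reason or None."""
    # Assumption added here: a clock set backwards would otherwise stretch
    # the silence window indefinitely, so it is treated as a trigger itself.
    if now < state.last_seen_clock:
        return "clock-rollback"
    state.last_seen_clock = now
    if now - state.last_checkin > policy.max_silence_s:
        return "no-contact"
    return None

if __name__ == "__main__":
    # Constructed sample values: 3 attempts, 7 days of permitted silence.
    policy = WipePolicy(max_failed_unlocks=3, max_silence_s=7 * 86400)
    state = DeviceState()
    on_checkin(state, now=1_000)
    print(on_power_on(policy, state, now=1_000 + 8 * 86400))  # no-contact
```

The point of the sketch is that both decisions are made from state held on the device, so they still work when the console cannot reach it.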