WHITE PAPER

Mobile Device Security
Securing the Handheld, Securing the Enterprise

Motorola Good Technology Group
Phone: 866-7-BE-GOOD
Online: www.motorola.com/good
2007

CONTENTS
- Introduction
- Mobile Devices: A Productivity Boon, An Enterprise Risk
- Major Security Risks
- Securing the Handheld
- Regulatory Requirements
- Conclusion

Introduction

Professionals are increasingly realizing the productivity benefits of mobile devices such as smartphones, personal digital assistants (PDAs) and converged PDA/phones. While this mobile revolution is an advantage to professionals, it is creating a tremendous security management challenge for CIOs and other IT professionals. Proprietary and confidential data is now moving outside of the secure perimeter of the enterprise and onto mobile devices that can be located anywhere in the world. What's more, these devices have a variety of data communication and storage technologies, such as e-mail/PIM synchronization software, infrared data transmission, Bluetooth and removable data storage. As a result, it is easy for mobile devices to become strongholds of enterprise information. Unless actions are taken to secure this information, the mobile device represents a potentially severe security risk to the enterprise.

This white paper identifies security threats to corporate data on mobile devices and details how mobile devices can become a backdoor to the enterprise. It also details how immediate action can be taken to defend against these threats and which issues an IT security manager should be aware of while planning a comprehensive handheld security policy. While server-side and transport security is vital to an overall mobile data security plan, this white paper will focus on security as it relates to the mobile device.
Issues addressed include:
- How much of a security threat is the mobile device to my organization?
- What threats do these devices bring to the enterprise?
- What security policies should be deployed to provide adequate protection?
- Should I have any regulatory or compliance concerns?

Mobile Devices: A Productivity Boon, An Enterprise Risk

Small, powerful and connected to essential enterprise information, mobile devices have been embraced by professionals and are fast becoming a standard enterprise productivity tool. It is precisely this small size and enterprise connectivity, however, that make the mobile device a potential risk to the enterprise. While they may contain vital data similar to a desktop or laptop, mobile devices are far more vulnerable to loss, theft or malicious use.

MOBILE WORKERS RAPIDLY INCREASING

The analyst firm Frost & Sullivan estimated that in 2004 there were 50 million workers whose jobs required them to perform work outside of the office. By 2010, there will be 72 million, a number representing a compound annual growth rate of over 6 percent. In addition, the number of mobile data users will grow much more quickly, at a compound annual growth rate of 34 percent. By 2010, the total number of mobile professionals using their devices to store data will be 37 million.

The greatest number of mobile device users tend to be managers, sales professionals and service professionals, the people who are most likely to work with sensitive, proprietary information.
According to Frost & Sullivan, executives, directors and mid-level managers make up 57 percent of enterprise professionals using mobile devices; field service employees conducting installation, service and repair comprise 17 percent; mobile sales employees, 16 percent; and vehicle operators make up the remaining 10 percent.[1]

INCREASING MOBILE ACCESS TO ENTERPRISE INFORMATION: E-MAIL AND BEYOND

Access to e-mail has been one of the major drivers of mobile device use. By 2008, e-mail is still expected to be a killer application. Numbers indicate that over four-fifths of mobile knowledge workers will have wireless e-mail access, and the installed base of corporate wireless e-mail mailboxes is expected to increase from 6.5 million in 2005 to more than 123 million by 2009.[2] Access to other enterprise data, such as sales force automation, inventory or pricing information, is also increasing, as information from backend applications is made available on mobile devices.

REQUIREMENT: ENTERPRISE DEVICE SECURITY MANAGEMENT

With great power, however, comes great risk. A recent study indicates that 30 percent of mobile devices are lost every year.[3] Further, the Gartner Group estimates that, through 2006, 90 percent of mobile devices containing enterprise data will have insufficient power-on protection and storage encryption to withstand casual to moderate hacker attacks.[4] In Gartner's 2004 Enterprise IT Survey of 1,400 CIOs around the world, CIOs in the US and EU rated mobile workforce issues as a top five priority, and nearly two-thirds of all CIOs expected mobile workforce spending to grow faster than overall IT budgets.
Their highest ranked concern regarding wireless adoption: security.

[1] Frost & Sullivan, Mobile Office Report, 2004
[2] Radicati Group, Corporate Wireless E-mail Market, 2005-2009
[3] SANS Institute
[4] Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04

Major Security Risks

Mobile device risks can be summed up in two general categories: devices that are lost, stolen or held by former employees, and devices currently in use and connected to the enterprise.

LOST, STOLEN AND EX-EMPLOYEE MOBILE DEVICES

If a device with confidential data is lost or stolen, the corporation is at risk from the loss or misuse of information stored on the device or its removable storage card. Often, basic security mechanisms such as a password requirement on power-up or data encryption are not utilized. As a result, the corporate data on lost or stolen devices, such as the 250,000 mobile devices that are left in U.S. airports every year, is exposed to potentially unauthorized viewing. If a mobile professional misplaces a device in an airport, critically important data could be at risk, such as user IDs and passwords to corporate applications and servers. According to a security survey commissioned by RSA, 22 percent of users keep a list of passwords on their devices.[5] In addition to passwords, device-stored information could also include:
- Human resource records
- Compensation information
- Business reorganization plans
- Merger and acquisition details
- Sensitive e-mails
- Business proposals
- Financial records
- Sales reports
- Customer information
- Product release information
- Medical reports

This information could be viewed by or sent to a wide variety of unintended recipients, such as a competitor, a business associate, a journalist or an identity thief.
When professionals leave a company, they could depart with a significant amount of confidential information on their mobile devices and removable storage cards. Disgruntled ex-employees pose a particular risk. While reorganizations or layoffs are not everyday occurrences, enterprises could protect themselves from retaliatory activities if IT could wirelessly erase the data on multiple devices instantly or at a time of their choosing.

[5] RSA, RSA Security Password Management Survey, September 2005

UNPROTECTED DEVICES: A BACK DOOR TO THE ENTERPRISE

Even enterprise-connected devices can represent a risk to the enterprise. This can happen either when an unauthorized device is used by an authorized user, or when an improperly secured device is subject to attack.

In the first case, even corporations that spend millions protecting traditional networks and data are vulnerable to mobile professionals who are using individually purchased wireless devices for business use. Even if the IT department doesn't know of the device's existence, the device could be capable of connecting to the network using a proper user ID and password to gain access. When the wireless device connects back to a laptop, server or to an application, the enterprise sees a trusted user and a trusted device. It is at this point that the corporation is vulnerable.

Malicious code, such as software viruses, also poses a threat to both the device and the enterprise. Malicious code accesses a device when an infected e-mail attachment is received wirelessly or when data is transferred through the Infrared Data Association (IrDA) port ("beaming") or over a Wi-Fi connection in a hotspot. Types of malicious code include:
- Viruses: A type of software program that can replicate itself and spreads by inserting copies of itself into executable code or documents.
  Usually propagated through a user-initiated action such as opening an attachment or running a script, viruses attempt to spread undetected through the device by attaching themselves to other files.
- Trojan horses: A malicious program that resembles a legitimate program. Trojan horses perform an unauthorized, harmful activity once access is gained to a user's device.
- Worms: A self-replicating computer program that attaches itself to another executable program; unlike a virus, a worm does not need to be part of another program to replicate itself. A worm can be designed to delete files or send documents.

Mobile device hackers target devices in order to launch larger attacks on corporate networks, with the intent of accessing business-critical information or hampering business activities. An example of such an enterprise attack is a man-in-the-middle attack.

In a successful man-in-the-middle attack, an attacker is able to read, insert and modify messages between two parties without either party knowing that the link between them has been compromised. Such an attack can enable other attacks when a user's authentication credentials are captured. For example, when the compromised device attempts to connect to the network, the attacker can steal the re-association requests, which contain each client's Media Access Control (MAC) address and service set identifier (SSID). With those two pieces of data, an attacker can impersonate a legitimate device on that wireless network.

Securing the Handheld

Enterprises are quickly responding to mobile security risks.
Analyst firm IDC states that mobile device security software spending will grow from 70 million in 2003 to an estimated 993 million in 2008, a 70 percent year-on-year growth rate.[6] During that same period, IDC expects an increase in both the number and sophistication of attacks targeted at mobile devices. With gigabytes of data stored on mobile devices and ActiveSync/HotSync, Wi-Fi, IrDA and Bluetooth communication capabilities, enterprise-wide mobile security policies and compliance are fundamental for data protection.

SECURITY POLICY RECOMMENDATIONS

To meet the mobile device security needs of the enterprise, the following security standards and capabilities are highly recommended.

USER AUTHENTICATION: BASIC

Key to any mobile device security policy is the ability to limit mobile device access to authorized users. Password protection is a basic authentication requirement and should be activated whenever the device is switched off. This most basic authentication step can typically be done by users for their own devices but, surprisingly, is often overlooked.

USER AUTHENTICATION: ADVANCED

The central establishment and enforcement of password policies provides the greatest authentication security to the enterprise. When controlling password policies from a centralized console with wireless capability, administrators can quickly and easily control policies for a broad array of users, without ever having to handle the end user's device. Ideally, policies could establish and enforce a variety of password parameters, including minimum length and alphabetical/numeric characters. Additionally, policies should:
- Require a new password after a designated length of time.
- Require a password distinct from passwords recently chosen by the user.
- Require password entry after a designated amount of idle time or device shut-off.
- Establish a maximum limit of failed password attempts before the handheld clears all application data or requires unlock only by an IT administrator.

On the administrative side, a password reset policy needs to be implemented so that an administrator can easily and wirelessly reset the device for users who have lost their passwords.

[6] IDC, Worldwide Mobile Security Software Report, 2004

DATA ERASE

Administrators should be able to set policies to wirelessly erase ("bitwipe") selected databases, applications or folders if excessive incorrect password attempts are made.

ENTERPRISE DEVICE AUTHENTICATION AND AUTHORIZATION

Enterprises must be able to control user access to enterprise networks, servers, applications and data. Corporate security policy should involve not only applications that have been pushed to and are running on mobile devices, but should also address all ad hoc requests for synchronization and data transfer. User and device authentication requires a database of all of the authorized users, groups and devices, with the appropriate IDs, passwords and certificates integrated into a security management system. The mobile device as well as the user must be able to prove that it is authorized to communicate on the network. It must not be possible for an attacker to impersonate a mobile device or a server, thereby misleading authentic services into communicating with it.

COMPLIANCE

Security policies are valueless if there is no mechanism to ensure user compliance. Effective compliance requires two measures. The first is requiring the installation of appropriate security policies or third-party software on every device prior to permitting use of the device. The second is the periodic assessment of devices to ensure that they continue to comply with requirements.
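The password parameters listed under USER AUTHENTICATION: ADVANCED and the periodic assessment described under COMPLIANCE can be expressed as one small policy evaluator. The following Python is an added illustration, not Good Technology's code: the policy fields, the inventory record, the action names (block_sync, lock, wipe, admin_unlock) and the sample device records are all assumptions constructed for the example.

```python
"""Evaluate a handheld against an enterprise password and compliance policy.
Added example, not Good Technology code: field names, action names and the
sample records are assumptions made for illustration."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_alpha_and_numeric: bool = True
    max_age_days: int = 90         # require a new password after this long
    history_depth: int = 5         # may not reuse any of the last N passwords
    idle_lock_minutes: int = 15    # require the password after this idle time
    max_failed_attempts: int = 10
    on_max_failed: str = "wipe"    # erase all data, or "admin_unlock"


@dataclass
class DeviceRecord:
    """One inventory entry as a central console would hold it (constructed)."""
    device_id: str
    power_on_password: bool
    password_changed: datetime
    last_activity: datetime
    failed_attempts: int
    storage_card_encrypted: bool
    security_agent_installed: bool
    password_history: list = field(default_factory=list)  # salted hashes only


def hash_password(device_id: str, password: str) -> str:
    # Salted with the device id so the history never holds plaintext passwords.
    return hashlib.sha256(f"{device_id}:{password}".encode()).hexdigest()


def validate_new_password(policy, dev, candidate) -> list:
    """Return the rules a proposed password violates; empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_alpha_and_numeric and not (
        re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)
    ):
        problems.append("must contain both letters and digits")
    recent = dev.password_history[-policy.history_depth:]
    if hash_password(dev.device_id, candidate) in recent:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def assess_device(policy, dev, now) -> tuple:
    """Periodic assessment: (compliant, findings, actions to push over the air)."""
    findings, actions = [], []
    if not dev.security_agent_installed:
        findings.append("security agent not installed")
        actions.append("block_sync")        # no enterprise access until compliant
    if not dev.power_on_password:
        findings.append("no power-on password")
        actions.append("push_password_policy")
    if now - dev.password_changed > timedelta(days=policy.max_age_days):
        findings.append("password older than policy allows")
        actions.append("force_password_change")
    if not dev.storage_card_encrypted:
        findings.append("removable storage card not encrypted")
        actions.append("encrypt_storage_card")
    # Enforcement that applies regardless of the compliance findings above.
    if now - dev.last_activity >= timedelta(minutes=policy.idle_lock_minutes):
        actions.append("lock")
    if dev.failed_attempts >= policy.max_failed_attempts:
        # Too many bad passwords: erase the data or hand the unlock to IT.
        actions.append("wipe" if policy.on_max_failed == "wipe" else "admin_unlock")
    return (not findings, findings, actions)


def sample_fleet():
    """Constructed inventory records for a stand-alone run (not real devices)."""
    now = datetime(2007, 3, 31, 9, 0)
    ok = DeviceRecord("treo-0001", True, now - timedelta(days=10),
                      now - timedelta(minutes=1), 0, True, True,
                      [hash_password("treo-0001", "old1pass")])
    stray = DeviceRecord("treo-0002", False, now - timedelta(days=120),
                         now - timedelta(hours=3), 10, False, True)
    return now, ok, stray


if __name__ == "__main__":
    now, ok, stray = sample_fleet()
    for dev in (ok, stray):
        print(dev.device_id, assess_device(PasswordPolicy(), dev, now))
```

The second sample record illustrates the page's escalation order: missing controls produce findings and policy pushes, idle time produces a lock, and the failed-attempt ceiling produces the wipe or administrator-only unlock.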
To achieve these requirements quickly and effectively, wireless management and auditing are fundamental. Without such a solution, end users would have to voluntarily inform IT that their mobile device contains confidential and proprietary corporate data. Such self-reporting would be seen as onerous by mobile professionals, and few would likely comply. As a result, a significant vulnerability in enterprise security could easily emerge.

WIRELESS DEPLOYMENT AND UPDATING

Compliance with corporate security policies is rapidly assured when the security policy manager can deploy security policies automatically and wirelessly. Wireless capability is extremely important, because it ensures that security policies are deployed quickly and with little IT burden. Cradle deployment, in contrast, leaves a larger window of time when the device lacks security policies, removes the device from the user's hands and is burdensome to IT, especially when large numbers of devices are involved.

Wireless updating of security policies, device security software or required third-party applications is also important. In order to maintain the highest level of device security, enterprises require the quick updating of all devices whenever policies change or software is updated to provide greater protections. Given the rate of change of technology, wireless updating easily maintains security for a large, diverse and geographically spread population of devices. Also, a user's permission status can change as a user's role within the organization changes. Wireless updating helps IT continue to provide the level of security and permission appropriate to the user's changing role. Ideally, wireless over-the-air capability is built into the device security solution.
This ensures the appropriate and complete integration of functionality.

WIRELESS THREAT RESPONSE

Armed with an automated inventory of all mobile professionals and their authorized devices, IT and security administrators can provide instantaneous response to security breaches or threats. Such a response could include:
- Changing the security policy files
- Locking the device
- Data erase of selective files, applications and databases
- Data erase of the entire device

DATA RECOVERY

Backup and recovery planning should include backing up confidential data stored on mobile devices to an enterprise server, since regulatory agencies require documents and correspondence to be provided upon request in the event of an investigation.

INTEGRATION WITH PUSH E-MAIL/PIM

It is important that a device security solution be integrated with push e-mail/PIM vendor products. If there is no integration, a device could be locked with its data encrypted, preventing synchronization from taking place. This effectively strips away the many advantages of the always-on, always-connected productivity goal of push e-mail/PIM applications. Most device and server security solutions have been developed independently of mobile applications such as wireless push e-mail/PIM, and therefore do not interoperate effectively. As a result, the user is forced to participate in an authentication process, such as entering his or her username and password, for every transaction pushed to the device from the server. This authentication process reduces efficiency and usability and, in many cases, is a step avoided by the end user. When the user refuses to authenticate, the device does not allow access and the value of the device erodes.
Devices can avoid authentication and still receive e-mail when the security solution and e-mail/PIM solution are working together in the background to resolve this conflict. Always-on PIM will be available even while the device is password-locked.

DIRECTORY SERVICES INTEGRATION

LDAP and Active Directory integration with the mobile security solution ensures that your security policies appropriately match the needs and profiles of the user community over time. The IT administrator's work is streamlined when it is not necessary to re-enter and maintain user files in a separate security application. Inheriting user-group information from either LDAP or Active Directory is a significant advantage, since security policy files created for groups can be deployed quickly and easily or updated in one simple process.

ENCRYPTION OPTIONS

Data can be stored both in the device's Random Access Memory (RAM) and in external storage cards, such as Secure Digital/Multimedia Cards (SD/MMC), CF cards and PC storage cards. Since these storage cards can save gigabytes of data, most security groups want the ability to secure them with data encryption.

Even when issued by the corporation and used primarily for work, devices often store both business and personal information. For this reason, most corporations want to provide the option to encrypt personal files. It is critical that a security solution be capable of encrypting all of the device data or only select applications, databases and files. When a protected memory card is inserted into the device's expansion slot, the security product should be able to detect the protected card and prompt the user for the card's password.
The user would then have access to information only if they enter the correct password.

Encryption algorithms should be Federal Information Processing Standard (FIPS) certified and designed to provide data encryption in a transparent method. Transparency ensures that the user is impacted as little as possible while providing the maximum data protection.

SELECTIVE APPLICATION LAUNCH CONTROL

In some enterprises or government agencies, it is important to restrict which applications a device is permitted to run. This need is especially great when the organization has purchased and configured all of the devices or when there is a specific field application that an organization requires.

DEVICE FEATURE DISABLEMENT

In order to limit security risks, IT administrators want the ability to control a wide variety of mobile device features. For example, to prevent hackers from penetrating a mobile device using a man-in-the-middle attack, an organization may want to disable Wi-Fi capability. Typically, IT administrators would want control over the following device capability categories:
- Data transfer: HotSync, ActiveSync, IrDA or Bluetooth. Alternatively, when the device is locked, data synchronization mechanisms such as HotSync and IrDA could be disabled automatically.
- Data storage: SD cards.
- Multimedia: Cameras, microphones and speakers.

Regulatory Requirements

Three major industries are early drivers of mobile device security: healthcare, financial services and government. Each of these industries is required by law to safeguard and maintain patient, consumer and/or financial and operational information.
Recent regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley (GLB) Act and the Sarbanes-Oxley (SOX) Act have mandated strict security and permissions control of sensitive information and have established serious penalties against violations. While the healthcare industry has been a technology laggard in the past, it has been a leader in the adoption of mobile device security. Similarly, the GLB Act has driven banks, insurance companies, brokerage houses and other financial institutions to deploy mobile device security along with wireless applications. Audit trails, device access management and data encryption will play key roles in security best-practice management for these organizations.

Regulations covering healthcare, financial and consumer privacy data:
- HIPAA (US), Health Insurance Portability and Accountability Act: Mandates the protection of patient records containing individually identifiable health information.
- SOX (US), Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act: Mandates reforms regarding corporate financial responsibility; sets higher requirements on the control of confidential corporate financial information.
- 95/46/EC (EU), European Union Directive 95/46/EC: Protects individuals with regard to the processing of personal data and the free movement of such data.
- DPA (UK), Data Protection Act: Ensures that personal data processing is carried out with appropriate security for the rights of data subjects; requires consent prior to disclosure of personal data to a third party.
- GLBA (US), Gramm-Leach-Bliley Act: Protects personal financial information held by financial institutions.
- SB 1386 (US), California Senate Bill 1386: Requires any organization that conducts business in California and owns or licenses computerized personal information to disclose any security breach to any resident whose personal information was or is believed to have been disclosed.
- PIPEDA (Canada), Personal Information Protection and Electronic Documents Act: Establishes privacy principles,
  such as providing adequate security for the protection of personal information collected, used or disclosed in the course of commercial activities.

Conclusion

Mobile devices represent a tremendous productivity advantage for today's mobile worker. The small size, large storage capacity and network connectivity of these devices, however, make unprotected mobile devices susceptible to loss, theft and misuse. As a result, unsecured devices can pose a risk to the entire enterprise. Before mobile device use becomes ubiquitous, intelligent organizations are developing comprehensive security plans to protect both the enterprise and the device. In order to adequately secure the device from misuse or attack and to meet regulatory requirements, IT organizations must give consideration to the wireless and centralized deployment of device security policies. These policies include measures regarding authentication, data erase, encryption, application launch controls and device feature disablement. Further, compliance management is required to ensure that devices stay within enterprise security requirements over time.

When mobile device security solutions are fully integrated with e-mail/PIM solutions, are centrally managed, and are capable of wireless deployment, updating and compliance, they can provide the level of security that enterprises require.

Good Technology, Inc. 2001-2007. All rights reserved. Good, Good Technology, the Good logo, Good Mobile Messaging, Good Mobile Intranet, Good Management Console and Good Monitoring Portal are trademarks of Good Technology, Inc. All other trademarks are property of their respective owners. Screen image simulated. Palm and Treo are among the trademarks or registered trademarks owned by or licensed to Palm, Inc. Third party software sold separately.
Requires wireless data services and ISP sold separately. Symbian and all Symbian-based marks and logos are trademarks of Symbian Limited. Rev. 033107