Caroline Ikomi, Check Point: What’s the best approach to protecting the business data on mobile computing devices?
November 2007 by Caroline Ikomi, technical manager, Check Point
Newton’s first law of motion states that a body in motion stays in motion unless a force acts on it. The same law seems to apply to business data, and the problem is stopping mobile data from moving further than you want it to.
It’s an issue that has caught out a number of very high-profile organisations, from the Nationwide Building Society to MI5. Both have suffered embarrassing losses of laptops, with the potential for damaging data leaks.
What’s more, the problem is growing. In the 2006 CSI/FBI Computer Crime and Security Survey in the US, theft of laptops and mobile devices was second only to viruses as the most common type of attack detected over the previous year. Nearly 50% of respondents had suffered one, with an average loss of over $30,000.
So how should mobile data security be addressed? Broadly, this means looking at three key issues.
The first issue is encryption of the storage on laptops and on smart devices such as PDAs and mobile phones, as well as on USB devices. The second is auditing and controlling data transfer and access to removable media, for example USB keys or iPods. The final issue is control of the security policy running on the user’s endpoint device, whatever type of device it is. Let’s now look at each of these separately.
Disk Encryption: full-disk or file?
Encryption boils down to two choices: full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP Professional comes with file-based encryption built in (the Encrypting File System, EFS), and Linux and Mac OS X offer equivalents. These methods mean that anything stored in specific folders or directories is encrypted automatically, but there is a significant weakness: they rely on users putting files in the encrypted folders themselves.
That’s fine in theory, but do you really want to rely on users knowing what information is sensitive and placing it in the appropriate folder? Even for the sharpest end-users, the issue is further complicated by popular applications such as Outlook and Web browsers, which scatter attachments and downloaded copies across the file system, often in obscure temporary locations. Folder-level encryption helps only if the IT department can tightly control all files and applications.
So file encryption is only as good as your end-users’ level of interest or knowledge.
The key advantage of full disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it, and also cannot interfere with it. The caveat is that it protects data at rest: once the user has authenticated at boot, the disk is readable by anything running on the machine, so it needs to be paired with a strong pre-boot password, an enforced screen lock and the endpoint controls discussed below rather than treated as a complete answer on its own.
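To make the folder-level weakness concrete, here is a small coverage audit, added as an example for this article and not code from Check Point or any product. It takes a list of folders the user has marked as encrypted, walks a file listing, and reports which business files sit outside encryption. The folder list, the extension set and the Windows XP profile paths (including the mail-client temporary copies and the .pst mailbox) are constructed assumptions for the demonstration.

```python
"""Coverage audit for folder-level encryption (EFS-style): which business files
actually sit inside the encrypted folders, and which have leaked elsewhere?
Added example; the folder list, file listing and extension set are constructed
assumptions, not taken from any product or from the article."""
import ntpath

# Assumption: folders the user has marked as encrypted. Anything outside is plaintext.
ENCRYPTED_FOLDERS = [
    r"C:\Documents and Settings\alice\My Documents\Secure",
]

# Assumption: extensions treated as likely business data for this audit.
SENSITIVE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pst", ".csv"}


def _canon(path):
    """Normalise separators and case, since NTFS paths are case-insensitive."""
    return ntpath.normpath(path).lower()


def is_encrypted(path, encrypted_folders=ENCRYPTED_FOLDERS):
    """True if `path` is inside one of the encrypted folders (subfolders included).
    The trailing separator stops 'Secure' matching a sibling such as 'SecureOld'."""
    p = _canon(path)
    for folder in encrypted_folders:
        f = _canon(folder)
        if p == f or p.startswith(f + "\\"):
            return True
    return False


def audit(paths, encrypted_folders=ENCRYPTED_FOLDERS):
    """Split sensitive files into (covered, exposed) lists; other files are ignored."""
    covered, exposed = [], []
    for path in paths:
        ext = ntpath.splitext(path)[1].lower()
        if ext not in SENSITIVE_EXTS:
            continue
        if is_encrypted(path, encrypted_folders):
            covered.append(path)
        else:
            exposed.append(path)
    return covered, exposed


# Constructed listing of a Windows XP profile: the kind of scatter that mail
# clients, browsers and the print spooler produce without the user noticing.
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\My Documents\Secure\board-pack.pdf",
    r"C:\Documents and Settings\alice\My Documents\Secure\2007\budget.xlsx",
    r"C:\DOCUMENTS AND SETTINGS\alice\MY DOCUMENTS\SECURE\notes.PDF",
    r"C:\Documents and Settings\alice\My Documents\SecureOld\legacy.doc",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\OLK4F\contract.docx",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Microsoft\Outlook\outlook.pst",
    r"C:\Documents and Settings\alice\Desktop\customers.csv",
    r"C:\Documents and Settings\alice\My Documents\My Music\track01.mp3",
]

if __name__ == "__main__":
    covered, exposed = audit(SAMPLE_FILES)
    print(f"{len(covered)} sensitive files encrypted, {len(exposed)} exposed:")
    for path in exposed:
        print("  EXPOSED", path)
```

Run against the constructed listing, three files are covered and four are exposed, among them the user's whole mailbox and a contract the mail client copied into a temporary folder. That is the point of the section: the user did nothing wrong, and the data still ended up in plaintext.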
Security in hand
So far, so good, but what about PDAs and smart phones? Because these devices vary in operating system (Symbian, Pocket PC, Windows Mobile, Palm OS) and in hardware architecture, a single security solution is harder to define than for the PC platform.
The starting point for handheld security is a rigorous audit of all the devices in use within the enterprise, followed by a single encryption solution that covers as many of those platforms as possible. If a handheld device is not authorised, the default should be to refuse it a connection to the corporate network and to forbid storage of sensitive data on it. And as with full disk encryption on laptops, the solution chosen should encrypt data automatically with no user intervention, combining ease of use with control and enforceability.
Data Leakage: Audit and Control of removable media
Unfortunately, full-disk encryption is not a magic shield against all types of security threat to portable devices. The hard drive is only one storage medium in use on a typical laptop. This brings us to the second area for endpoint security: management and control of data leakage.
Endpoint security should ensure that the organisation can prevent data leaking onto peripheral storage such as USB drives, mp3 players and digital cameras.
The starting point for protection against leaks via these USB devices is to include them in the business acceptable usage policy (AUP) and to educate users on the importance of following policy – which will include the business risks of breaching policies.
However, policies alone are not enough. They should be backed up and enforced by port control software, which can automatically block a USB device that does not comply with the corporate security policy, or prevent the transfer of certain files or file types to one that does.
An example policy might allow an authorised user to connect a hardware-encrypted USB drive from an approved list, while blocking an iPod or mobile phone. Once data is encrypted on an authorised device it must still be accessible to the organisation if required, which means the device keys are escrowed and managed through central administration of the system.
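The policy just described can be expressed as a default-deny admission check plus a write filter. The following is an added example written for this article, not Check Point's or any vendor's product logic. Apart from 0x05ac, which is Apple's USB vendor ID, every vendor/product ID, serial number, user name and blocked extension is a constructed placeholder.

```python
"""Removable-media admission policy: default-deny, allow only approved
hardware-encrypted drives whose keys are escrowed centrally, and filter what
may be written to them. Added example; the IDs, serials, user list and
blocked extensions are constructed assumptions (0x05ac is Apple's USB vendor
ID; the rest are placeholders), not any vendor's product logic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str     # from the USB device descriptor, lower-case hex
    product_id: str
    usb_class: str     # "mass_storage", "mtp", "ptp", "hid", ...
    serial: str


@dataclass
class Policy:
    approved_models: set      # (vendor_id, product_id) of org-issued encrypted drives
    escrowed_serials: set     # drive serials whose keys are held by central admin
    authorised_users: set
    blocked_extensions: set   # never copied to removable media
    consumer_vendors: dict    # vendor_id -> label, only to give a clearer deny reason


def admit(device, user, policy):
    """Return (allowed, reason) for an insertion by `user`. Cheapest denials first."""
    if user not in policy.authorised_users:
        return False, f"{user} is not authorised to use removable media"
    if device.usb_class != "mass_storage":
        # Phones and media players that expose MTP/PTP are still a data path: deny.
        if device.usb_class in ("mtp", "ptp"):
            return False, f"{device.usb_class} device (phone/media player) blocked"
        # Keyboards, mice and the like carry no storage; outside this policy's scope.
        return True, f"{device.usb_class} device is not storage; not governed here"
    model = (device.vendor_id, device.product_id)
    if model not in policy.approved_models:
        label = policy.consumer_vendors.get(device.vendor_id, "unapproved")
        return False, f"{label} storage device {model} is not an approved encrypted drive"
    if device.serial not in policy.escrowed_serials:
        # Right hardware, but the organisation could not recover its data: refuse.
        return False, f"drive {device.serial} has no escrowed key; enrol it first"
    return True, f"approved encrypted drive {device.serial} for {user}"


def allow_write(filename, policy):
    """Return (allowed, reason) for copying `filename` onto an admitted drive."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in policy.blocked_extensions:
        return False, f".{ext} files may not leave the laptop on removable media"
    return True, "write permitted"


# Constructed policy and device events.
POLICY = Policy(
    approved_models={("1111", "0001")},            # placeholder org-issued drive model
    escrowed_serials={"ENC-0001"},
    authorised_users={"alice"},
    blocked_extensions={"pst", "csv", "mdb"},
    consumer_vendors={"05ac": "Apple iPod/iPhone"},
)

EVENTS = [
    ("alice", UsbDevice("1111", "0001", "mass_storage", "ENC-0001")),  # allowed
    ("alice", UsbDevice("1111", "0001", "mass_storage", "ENC-0002")),  # key not escrowed
    ("alice", UsbDevice("05ac", "0002", "mass_storage", "IPOD-1")),    # iPod as mass storage
    ("alice", UsbDevice("2222", "0003", "mass_storage", "STICK-7")),   # generic unencrypted stick
    ("bob",   UsbDevice("1111", "0001", "mass_storage", "ENC-0001")),  # unauthorised user
    ("alice", UsbDevice("3333", "0004", "mtp", "PHONE-3")),            # phone via MTP
]

if __name__ == "__main__":
    for user, dev in EVENTS:
        ok, why = admit(dev, user, POLICY)
        print("ALLOW" if ok else "BLOCK", why)
    for name in ("report.docx", "customers.csv", "mailbox.pst"):
        print(allow_write(name, POLICY))
```

Only one of the six constructed events is admitted. Note that the classic iPod enumerates as plain USB mass storage, so a rule that only looked at device class would let it through; the allowlist of approved models is what actually stops it, and the escrow check is what turns "encrypted" into "encrypted and recoverable by the organisation".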
At the end(point)
This leads us to the third area of endpoint security: protecting the data on the machine from software threats such as application-level attacks or malicious code.
Effective endpoint security starts with every machine running a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the corporate network. The endpoint security client should also verify that the laptop is running the appropriate software patches, and include a Virtual Private Networking (VPN) client for secure transfer of corporate information back to the corporate infrastructure. It’s essential that all of this is managed centrally.
Other key points that should form part of the endpoint security plan are:
• Client lockdown, to prevent mobile users and attackers from disabling endpoint security or the enforcement of network access policy.
• Inbound threats: laptop PC ports should be opened only for authorised network traffic, and network intrusion attempts should be blocked.
• Preventing unauthorised applications and malicious code from capturing enterprise data and sending it outbound to attackers.
• Email protection: quarantining suspicious email attachments and inappropriate email, whether by network-based software or an in-the-cloud service.
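The pre-connection checks above amount to a posture gate: the endpoint client reports its state, and the network decides whether to admit the machine, send it to a remediation network, or refuse it. The example below is added for this article and is not Check Point's or any product's logic; the report fields, the freshness threshold, the placeholder patch names and the three sample laptops are constructed assumptions. It also shows why client lockdown belongs on the list: the report is self-attested, so a client that can be disabled cannot be trusted on anything else it says.

```python
"""Endpoint posture gate: decide whether a laptop may join the corporate network
from the compliance report its endpoint client submits. Added example; the
report fields, thresholds, patch names and sample hosts are constructed
assumptions, not any product's format."""
from datetime import date, timedelta

REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}   # placeholder patch identifiers
MAX_SIGNATURE_AGE = timedelta(days=3)      # assumed signature freshness requirement
TODAY = date(2007, 11, 15)                 # fixed clock so the example is reproducible


def evaluate(report, today=TODAY):
    """Return (verdict, failures); verdict is 'allow', 'quarantine' or 'deny'.

    'deny' is reserved for a client that is not locked down: the report is
    self-attested, so once the user (or malware) can disable the agent, nothing
    else in it can be trusted. Other failures go to a remediation network
    ('quarantine') where patches and signatures can be pushed before retrying."""
    if not report.get("client_locked_down", False):
        return "deny", ["endpoint client not tamper-protected; report untrusted"]
    failures = []
    if not report.get("firewall_enabled", False):
        failures.append("host firewall disabled")
    if not report.get("av_running", False):
        failures.append("antivirus not running")
    else:
        age = today - report["av_signature_date"]
        if age > MAX_SIGNATURE_AGE:
            failures.append(f"antivirus signatures {age.days} days old")
    missing = REQUIRED_PATCHES - set(report.get("patches", ()))
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if not report.get("disk_encrypted", False):
        failures.append("full-disk encryption not active")
    return ("allow" if not failures else "quarantine"), failures


def gate_all(hosts, today=TODAY):
    """Map each host name to its verdict, dropping the failure detail."""
    return {name: evaluate(report, today)[0] for name, report in hosts.items()}


# Constructed posture reports from three laptops.
HOSTS = {
    "lap-01": {"client_locked_down": True, "firewall_enabled": True, "av_running": True,
               "av_signature_date": date(2007, 11, 14), "patches": ["PATCH-A", "PATCH-B"],
               "disk_encrypted": True},
    "lap-02": {"client_locked_down": True, "firewall_enabled": True, "av_running": True,
               "av_signature_date": date(2007, 10, 30), "patches": ["PATCH-A"],
               "disk_encrypted": True},
    "lap-03": {"client_locked_down": False, "firewall_enabled": True, "av_running": True,
               "av_signature_date": date(2007, 11, 15), "patches": ["PATCH-A", "PATCH-B"],
               "disk_encrypted": True},
}

if __name__ == "__main__":
    for name, report in HOSTS.items():
        verdict, failures = evaluate(report)
        print(name, verdict, "; ".join(failures) or "compliant")
```

With the constructed reports, lap-01 is admitted, lap-02 is quarantined for stale signatures and a missing patch, and lap-03 is refused even though every other field looks clean, because its client is not locked down. In a real deployment the verdict would also be logged centrally, so that the same console that pushes policy can see which machines are failing it and why.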
Load and lock
In conclusion, some industry observers question the need to have any sensitive data on mobile computing devices. It’s an interesting point – but the data is already out there, and now that it has started to move, it’s going to keep on moving.
So the only effective solution is to ensure that data loaded onto mobile devices is kept locked up.