Treating mobile data headaches
 Posted by SecExtra on January 30th, 2008

What’s the best approach to protecting the confidential data on mobile devices? We asked Check Point’s technical director, Caroline Ikomi, to give us her thoughts:

Newton’s first law of motion states that a body in motion stays in motion unless something stops it. The same law seems to apply to confidential data. The problem is stopping that data from getting mobile and travelling further than you want it to.

Data on the move is an issue that has caught out a number of very high-profile organisations, including HMRC, the DVLA, Nationwide Building Society and MI5. All have suffered embarrassing losses of laptops or CDs, with the potential for damaging data leaks.

And these losses could become more than just embarrassing. In the NHS, doctors who have laptops containing patients’ records stolen could end up in court. Richard Thomas, the Information Commissioner, said in mid-November that a “blatant breach of fundamental observation” should attract criminal penalties, to enforce compliance with data protection laws. This bullish attitude can only harden further in the public sector following the massive loss of child benefit data by HMRC.

So how should you address mobile data security? Broadly, this means looking at three key issues.

The first is hard-disk encryption for laptops and for smart devices such as PDAs, mobile phones and USB devices. The second is auditing and controlling data transfer to, and access from, removable media such as USB keys, iPods or CDs. The third is control of the security policy running on the user’s endpoint device, whatever type of device it is. Let’s look at each of these in turn.

Disk Encryption: full-disk or file?
Encryption for laptops boils down to two choices: full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP comes with file-based encryption built in (the Encrypting File System, EFS). Anything stored in specific folders or directories is encrypted automatically, but there is a big weakness: it relies on you and other users putting files in the encrypted folders themselves.

That’s fine in theory, but do you really want to rely on others deciding what is sensitive information, and to place it into the appropriate folder? Even for the sharpest end-users, the issue is further complicated by popular software such as Outlook and Web browsers, which scatter attachments across disks, often in obscure places. Folder-level encryption helps only if you can tightly control all files and applications.

The key advantage of full-disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it and also cannot interfere with it. Bear in mind what FDE does and does not do: it protects data at rest, so a lost or stolen laptop that is powered off yields nothing to whoever finds it. Once the machine is booted and the user has authenticated, every file is readable to anyone (or any malware) using that session, which is why the other two areas below still matter.
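To make the folder-level encryption problem concrete, here is an added example (not from the article, and not Check Point code) of the kind of audit a practitioner would run on a laptop that relies on Windows XP EFS: given a list of file paths and the encrypted folder roots, it reports sensitive-looking files that sit outside every encrypted root, such as copies Outlook drops in its secure temp folder or the browser leaves in its cache, and it flags the page and hibernation files, which EFS on XP does not cover and which can hold plaintext fragments of anything that was open. The user profile path, folder names, file list and extension list are constructed for illustration.

```python
"""Audit of folder-level encryption coverage (added example, not the article's
or Check Point's code).

Folder-based encryption such as Windows XP's EFS only protects what lands
inside the encrypted folders.  This walks a list of file paths (constructed
here; in practice gathered from the laptop) and reports sensitive-looking
files that sit outside every encrypted root, plus the system files that
hold memory contents in the clear regardless of where documents live.
"""
from pathlib import PureWindowsPath

# Assumptions for illustration: which extensions count as sensitive, and
# which system files always contain plaintext fragments of open documents.
SENSITIVE_EXTENSIONS = {".doc", ".xls", ".pst", ".pdf", ".csv"}
ALWAYS_PLAINTEXT = {"pagefile.sys", "hiberfil.sys"}

USER = r"C:\Documents and Settings\jsmith"          # constructed profile path
ENCRYPTED_ROOTS = [PureWindowsPath(USER) / "My Documents" / "Confidential"]

SAMPLE_FILES = [  # constructed: the kind of listing a disk inventory would return
    USER + r"\My Documents\Confidential\board-pack.doc",              # protected
    USER + r"\Local Settings\Temporary Internet Files\OLK4F\board-pack.doc",  # Outlook attachment temp copy
    USER + r"\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\payroll[1].xls",  # browser cache
    USER + r"\Desktop\notes.txt",                                      # not sensitive by extension
    r"C:\hiberfil.sys",                                                # hibernation image
]


def is_under(path, root):
    """True if `path` lies inside `root` (PureWindowsPath handles case rules)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_unprotected(files=SAMPLE_FILES, roots=ENCRYPTED_ROOTS, exts=SENSITIVE_EXTENSIONS):
    """Return the files that folder-level encryption leaves in the clear."""
    unprotected = []
    for f in files:
        p = PureWindowsPath(f)
        if p.name.lower() in ALWAYS_PLAINTEXT:
            unprotected.append(f"{p} (system file; holds memory contents in clear)")
            continue
        if p.suffix.lower() not in exts:
            continue
        if not any(is_under(p, r) for r in roots):
            unprotected.append(str(p))
    return unprotected


if __name__ == "__main__":
    for entry in find_unprotected():
        print("UNPROTECTED:", entry)
```

On the constructed listing the audit reports the Outlook temp copy, the cached spreadsheet and the hibernation file, while the copy inside the encrypted folder passes. Full-disk encryption makes the whole check unnecessary, which is the article's point.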

Security in hand
So far, so good. But what about PDAs and smartphones? Because these devices vary in operating system (Symbian, Pocket PC, Windows Mobile, Palm) and in hardware architecture, a single security solution is harder to define than for PC platforms.

Key to handheld device security is a rigorous audit of all the devices being used within the organisation, and then a single encryption solution to cover as many of the devices as possible. If the handheld device is not authorised, it should not be allowed to connect to the main network, or to store sensitive data. And as with full disk encryption on laptops, the solution chosen should encrypt data automatically with no user intervention, giving ease of use with control and enforceability.

Data Leakage: audit and control of removable media
Unfortunately, full-disk encryption is not a magic shield against every security threat to portable devices. The internal hard drive is only one of the places data can go from a typical laptop: once the user has unlocked the disk, a file copied to a USB key or burned to a CD leaves in the clear. This brings us to the second area of endpoint security: management and control of data leakage.

Endpoint security should ensure that the organisation is able to avoid data leaking onto peripheral devices such as CD, DVD or USB drives and portable storage media, including mp3 players and digital cameras.

The starting point for protection against leaks via these devices is to include them in your acceptable usage policy (AUP) and to educate all users on the importance of following policy, and on the risks of breaching it.

However, policies alone are not enough. They should be backed up and enforced by port control solutions, which can automatically block a USB device that does not comply with the security policy, or prevent the transfer of certain files or file types.

An example security policy might allow an authorised user to write to an encrypted USB device, but not to an iPod or mobile phone. Encryption on the device is only part of the answer: once data is encrypted on an authorised device it must remain accessible to the organisation if required (for example when the user leaves or forgets the password), which means the encryption keys have to be held and recoverable through central administration of the system.
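The policy just described, expressed as the decision logic a port-control agent would apply to each device connection and file write. This is an added example, not code from the article or from Check Point; the event format, device class names, authorised-user list, the "centrally managed" flag (standing in for a device whose key is escrowed by central administration) and the list of file types that may never leave the laptop are all assumptions for illustration.

```python
"""Port-control policy for removable media (added example, not the article's
or Check Point's code).

Policy from the text: an encrypted, centrally managed USB storage device is
allowed for an authorised user; iPods, phones and other consumer devices are
blocked outright; some file types may never be copied to removable media.
Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
import os

# Assumed names for illustration
ALLOWED_CLASSES = {"usb_storage"}
BLOCKED_CLASSES = {"ipod", "mobile_phone", "mp3_player", "camera"}
BLOCKED_EXTENSIONS = {".pst", ".mdb", ".csv"}      # never allowed onto removable media
AUTHORISED_USERS = {"alice", "bob"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_device(event, authorised_users=AUTHORISED_USERS):
    """Decide whether a device connection is permitted at all."""
    user, cls = event["user"], event["device_class"]
    if user not in authorised_users:
        return Decision(False, f"user {user} is not authorised for removable media")
    if cls in BLOCKED_CLASSES:
        return Decision(False, f"device class {cls} is never permitted")
    if cls not in ALLOWED_CLASSES:
        return Decision(False, f"unrecognised device class {cls}")   # default deny
    if not event.get("encrypted", False):
        return Decision(False, "USB storage must be an encrypted device")
    if not event.get("centrally_managed", False):
        # Encryption alone is not enough: the organisation must be able to
        # recover the data, so the key has to be escrowed by central admin.
        return Decision(False, "device encryption key is not centrally managed")
    return Decision(True, f"encrypted USB device from authorised user {user}")


def evaluate_transfer(event, filename, authorised_users=AUTHORISED_USERS):
    """Decide whether a specific file may be written to the device."""
    decision = evaluate_device(event, authorised_users)
    if not decision.allowed:
        return decision
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return Decision(False, f"{ext} files may not be copied to removable media")
    return decision


SAMPLE_EVENTS = [  # constructed connection/write events for this example
    {"device_id": "usb-0001", "user": "alice", "device_class": "usb_storage",
     "encrypted": True, "centrally_managed": True, "file": "q4-report.doc"},
    {"device_id": "usb-0002", "user": "alice", "device_class": "usb_storage",
     "encrypted": False, "file": "q4-report.doc"},
    {"device_id": "ipod-0003", "user": "alice", "device_class": "ipod",
     "file": "q4-report.doc"},
    {"device_id": "usb-0004", "user": "mallory", "device_class": "usb_storage",
     "encrypted": True, "centrally_managed": True, "file": "notes.txt"},
    {"device_id": "usb-0005", "user": "alice", "device_class": "usb_storage",
     "encrypted": True, "centrally_managed": True, "file": "mailbox.pst"},
]


def apply_policy(events=SAMPLE_EVENTS):
    """Return {device_id: Decision} for a batch of events."""
    return {ev["device_id"]: evaluate_transfer(ev, ev["file"]) for ev in events}


if __name__ == "__main__":
    for dev, d in apply_policy().items():
        print(f"{dev:10} {'ALLOW' if d.allowed else 'BLOCK':5} {d.reason}")
```

Only the first event is allowed: the unencrypted key, the iPod, the unauthorised user and the mailbox file are each blocked with a reason the agent can log for audit, which is what makes the policy enforceable rather than advisory.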

At the end(point)
This leads us to the third area of endpoint security: protecting the data on the machine from software threats such as application-level attacks or malicious code.

Effective endpoint security starts with every machine running a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the central network. The endpoint security client should also check that the laptop is running the appropriate software patches, and should include a virtual private network (VPN) client for secure transfer of corporate information back to the corporate infrastructure. And it is essential that all of this is managed centrally: a check that the user can switch off, or a policy that lives only on the laptop, enforces nothing.

Other key points that should form part of the endpoint security plan are:
· Client lockdown, to prevent mobile users and attackers from disabling endpoint security or the enforcement of network access policy.

· Inbound threats: laptop PC ports should be opened only for authorised network traffic, and network intrusion attempts should be blocked.

· Outbound leakage: preventing unauthorised applications and malicious code from capturing sensitive data and sending it out to attackers.

· Email protection: quarantining suspicious email attachments and inappropriate email, whether by software on the endpoint or by an in-the-cloud service.
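The admission decision that the device audit (above, under handheld security) and this section together describe, as an added example that is not from the article or from Check Point: a central policy server takes the posture reported by the endpoint client and returns allow, quarantine (a remediation-only network until the failures are fixed) or deny. The report fields, the authorised-device inventory, the signature-age limit and the patch baseline are assumptions for illustration; an unauthorised device or a client that is no longer locked down is refused outright, because nothing else the client reports can be trusted.

```python
"""Endpoint posture check before network admission (added example, not the
article's or Check Point's code).

Verdicts: 'allow', 'quarantine' (remediation network only) or 'deny'.
All thresholds and field names are assumptions for illustration.
"""
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)              # assumed organisational limit
PATCH_BASELINE = "2008-01"                          # assumed minimum patch cycle, YYYY-MM
AUTHORISED_DEVICES = {"LT-0417", "LT-0500", "PDA-0092"}   # output of the device audit


def check_posture(report, today, authorised_devices=AUTHORISED_DEVICES):
    """Return (verdict, failures) for one endpoint posture report."""
    # Hard failures: remediation cannot make these acceptable.
    if report["device_id"] not in authorised_devices:
        return "deny", ["device is not in the authorised inventory"]
    if not report.get("client_locked_down", False):
        return "deny", ["endpoint client is not locked down; its other claims cannot be trusted"]

    failures = []
    if not report.get("full_disk_encryption", False):
        failures.append("full-disk encryption not active")
    if not report.get("firewall_enabled", False):
        failures.append("personal firewall disabled")
    if not report.get("antivirus_enabled", False):
        failures.append("antivirus disabled")
    else:
        age = today - date.fromisoformat(report["av_signature_date"])
        if age > MAX_SIGNATURE_AGE:
            failures.append(f"antivirus signatures are {age.days} days old")
    patch_level = report.get("patch_level", "")
    if patch_level < PATCH_BASELINE:                # YYYY-MM compares correctly as text
        failures.append(f"patch level {patch_level or 'unknown'} below baseline {PATCH_BASELINE}")
    if not report.get("vpn_client", False):
        failures.append("no VPN client for remote connections")

    return ("quarantine" if failures else "allow"), failures


SAMPLE_REPORTS = [  # constructed posture reports
    {"device_id": "LT-0417", "client_locked_down": True, "full_disk_encryption": True,
     "firewall_enabled": True, "antivirus_enabled": True, "av_signature_date": "2008-01-29",
     "patch_level": "2008-01", "vpn_client": True},
    {"device_id": "LT-0418", "client_locked_down": True, "full_disk_encryption": True,
     "firewall_enabled": True, "antivirus_enabled": True, "av_signature_date": "2008-01-29",
     "patch_level": "2008-01", "vpn_client": True},            # not in inventory
    {"device_id": "PDA-0092", "client_locked_down": True, "full_disk_encryption": False,
     "firewall_enabled": True, "antivirus_enabled": True, "av_signature_date": "2008-01-10",
     "patch_level": "2007-11", "vpn_client": True},            # several fixable gaps
    {"device_id": "LT-0500", "client_locked_down": False, "full_disk_encryption": True,
     "firewall_enabled": True, "antivirus_enabled": True, "av_signature_date": "2008-01-29",
     "patch_level": "2008-01", "vpn_client": True},            # tampered client
]


def admit_all(reports=SAMPLE_REPORTS, today=date(2008, 1, 30)):
    """Return {device_id: (verdict, failures)} for a batch of reports."""
    return {r["device_id"]: check_posture(r, today) for r in reports}


if __name__ == "__main__":
    for dev, (verdict, failures) in admit_all().items():
        print(f"{dev:9} {verdict:10} {'; '.join(failures)}")
```

The quarantine list doubles as the remediation work order for the endpoint client; once every item is fixed and a fresh report passes, the device is moved onto the production network.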

Load and lock
In conclusion, some industry observers question the need to have any sensitive data on mobile computing devices. It’s an interesting point – but the data is already out there, and it’s going to keep on moving.

So the only effective solution is to ensure that data loaded onto mobile devices is kept locked down – for everyone’s sake.

Caroline Ikomi is the Technical Director at Check Point Software Technologies Ltd

This entry was posted on Wednesday, January 30th, 2008 at 5:17 am and is filed under Mobile Security.