Mobile device security strategies

The iPhone 3G is crystallizing the security problems in integrating personal mobile devices with corporate resources. Learn what strategies and tools you can put in place to help customers address the increasing infiltration of mobile devices.

By Heather Clancy, Contributor

Whether or not Apple really sold 1 million iPhone 3G models during its first weekend on sale, as the company reported, the extended hoopla over its very existence marks a turning point for the smartphone category.

That's because, like the BlackBerry before it, the iPhone 3G is a bona fide mobile device status symbol. This has prompted much soul-searching both on the part of business users who bought it for personal reasons but would now love to take advantage of its built-in support for Microsoft Exchange synchronization and Cisco VPN software, and on the part of corporate America, which is grappling with the security implications of that integration.

"If you are a small business or an independent consultant, converged devices like the iPhone are really a great tool," said Alex Zaltsman, cofounder of Exigent Technologies, a value-added reseller (VAR) in Morristown, N.J., and a developer who plans an iPhone application. "Not so much for email," he said, "but for the ability to access business applications."

One specific security risk associated with the iPhone 2.0 platform is its ability to connect directly to Exchange servers to collect email, he said. When configured properly, Zaltsman said, Exchange connectivity isn't a risk but creates more complexity from the VAR's point of view. Indeed, he said that more solution providers need to consider supporting mobile device access during server deployment instead of dealing with it as an afterthought.

Of course, the iPhone is not the most widely used smartphone attempting to infiltrate corporate networks. Approximately 7.3 million units were sold in North America during the first quarter of this year, up 106% from the year-earlier period, according to research firm Gartner. The U.S. market leader was Research in Motion, developer of the BlackBerry line, followed by Apple, which propelled itself into second place even before the iPhone update was released last month.

What you're up against
Generally speaking, there are several areas of risk associated with allowing mobile devices such as iPhones, BlackBerrys or Windows smartphones to tap into a corporate network, according to security VARs and developers. Solution providers should concern themselves with the following: providing a way to encrypt data or information stored on the device, which will mask it or wipe it out if the phone is lost or stolen, and safeguarding the transmission of data between the network and the device. Viruses, trojans and other malware are currently a lesser concern, as there are only about 400 to 450 in existence, but that's sure to change as the installed base of these devices grows, experts say.

The simple reason that many mobile devices are so vulnerable to security breaches is that they are programmable, according to VARs and analysts. As their adoption grows, more IT managers are worrying about how to incorporate them into their broader IT infrastructure -- especially since so many are procured personally. In a recently released survey, the Computing Technology Industry Association (CompTIA) reported that 50% of respondents believe that handhelds are a much greater threat to network security now than they were a year ago. While close to three-quarters of those same respondents allow employees to use these devices to access corporate data, few have any security policy, the survey found.

"The threats associated with PDAs are the same as with notebooks and desktops connecting remotely to the corporate network," said David Dadian, CEO of a Ho-Ho-Kus, N.J., VAR and managed services provider. "Viruses, malware, spyware, data loss/leakage, wireless vulnerabilities and physical security, the theft of the device or devices -- that's what you're up against," he said.

Jim Carroll, executive vice president of Global Wireless Services for Rivermine, a managed services provider in Fairfax, Va., said his company advises clients not to allow personal smartphones to receive or send data from the corporate network.

"Users may download content from the Internet or connect to their personal laptops and infect their handheld device," Carroll said. "These viruses can then be passed to their corporate network when they connect to their company laptop or Exchange server. For the enterprise that is doing a good job managing the security profiles of their network, and of their corporate handheld devices, this risk is minimal. The real threat comes from confidential data loss. Files attached to emails that are received daily by users accessing their corporate emails through their handheld devices are vulnerable."

But that doesn't mean Rivermine frowns on converged mobile devices as a productivity tool. To accommodate them, the company works with clients to establish security policies and to move mobile devices to "corporate-liable" accounts. Rivermine CELLector wireless management software can be used to monitor usage and convert personal devices to corporate accounts. "BlackBerry's devices and services were designed with data transfer in mind from the onset. For this reason, we still feel that they do the best job with security, but other vendors and services are close behind on the security of their offerings," Carroll said.

VARs can prepare for converged mobile devices in two ways, said Dadian: by advocating a network access control (NAC) strategy for their clients, and by guiding their accounts to embrace mobile platforms that have been properly vetted according to the needs of the customer and therefore managed more easily. That doesn't mean his company recommends one converged device over others; rather, it works with each account to identify the most appropriate products. "This allows for much easier management across the board -- security, network access, troubleshooting issues and replacement," Dadian said.

The concern that a company should have over mobile device access will vary according to the industry it represents, according to Sean Ryan, research analyst covering mobile enterprise products for IDC. That's why a VAR might want to think about converged devices in the vertical sense and apply mobile policy and security to segments such as financial services or healthcare, where the consequences of a breach are much more severe.

Aside from management policies, there are a growing number of tools that solution providers can include in their mobile toolkits, Ryan said.

One company that has his attention is Bluefire, maker of the Bluefire Mobile Defender software for Windows Mobile. OEMs such as Symantec, Lenovo, Motorola/Symbol and Palm are embedding Bluefire's technology. In addition, Bluefire integrates with applications such as field service suites from Dexterra.

Ryan is also watching Trust Digital, which provides an enterprise mobile management platform for smartphones and personal digital assistants.

Managed services offer another approach. One of the best-known security options is Motorola Good Technology, a service that extends Lotus Domino and Microsoft Outlook email services as well as certain corporate Web applications to mobile devices. 4SmartPhone has a similar offering that supports Windows mobile devices, BlackBerrys or iPhones; it delivers encrypted information to these mobile devices and also provides a remote wipe feature that can be used to erase the data on a device if it is lost or stolen. Smobile Security Shield will support a broad range of smartphone platforms, including the BlackBerry and iPhone, plus Windows, Symbian and the Google Android technology.

If you're looking to keep working with security application developers that you might already represent on the desktop or server, several well-known players have introduced mobile device security products. Among them are McAfee VirusScan Mobile, which just went into beta on the iPhone; F-Secure Mobile Security, which recently shipped for Windows Mobile; Symantec Mobile Security Suite for Windows Mobile, which focuses on enterprise-style management; and Trend Micro Mobile Security 5.0.

About the author
Heather Clancy is an award-winning business journalist and consultant on high-tech channel communications with SWOT Management Group.
