In-Depth

Best Practices: Handheld Security

Handheld security expert suggests best practices for organizations that support the devices

• By Mathew Schwartz
• 09/10/2003

Handheld computers are an evolving security threat. Where once the devices were widely ignored or blocked by IT and security managers, now more organizations have embraced them. Experts warn that organizations still largely ignore PDA security, and at their peril. At risk is not just the cost of a handheld computer, but also data—without additional security, information on most PDAs can be easily accessed by anyone. Square that with what one study says are the 250,000 PDAs that go missing or get stolen every year just at airports, and the reality looks a little bleak.

Of course PDA security adds to the price tag, but PDA use already comes with a hefty price. Research firm Gartner pegs the total cost of ownership (TCO) of handheld devices at $3,000 per year for organizations in the United States. Why not spend a little more to at least secure the devices? Such software is available from such companies as Trust Digital, Asynchrony Solutions (PDA Defense), Credant Technologies, and F-Secure.

To talk about the state of handheld security, and what organizations can do to protect insecure handhelds used in the enterprise, Security Strategies spoke with Bob Elfanbaum, co-founder and vice president of Asynchrony—a developer community that also sells software. Elfanbaum also authored “PDA Security: Incorporating Handhelds into the Enterprise,” published by McGraw-Hill.

How prevalent is PDA security in the enterprise?

At least in today’s market, I think a lot of the real enterprise security isn’t really happening by an organization that says we need to go out and secure our handhelds, but a lot of times it’s by an integrator that has a mobile application that has to ship with security.

Is losing a PDA a bigger threat than getting it hacked into?

It depends who you are; the military is a lot more worried about people trying to hack into it, especially on the battlefield. And at the executive level—this is more anecdotal—[people worry about] corporate espionage-type stuff. Enterprises definitely worry about the hacking aspect.

Do newer PDAs have better built-in security?

Some of the newer versions have a little better security, the older ones had totally inadequate security. In the next couple of years, there’s going to be pretty strong security at the OS level, and our role will be supplementing it and managing it for the enterprise, whereas today we are a security framework, because the devices don’t have sufficient security at the OS level, or management across multiple platforms.

What are PDA security best practices?

Clearly the first best practice is to have a policy. It’s not an ad hoc adoption of security in certain situations. It mirrors PCs: the first and critical best practice is to have a policy. And it might not even include PDA security. Maybe you assess risk and you don’t need to buy any PDA security right now because the risks aren’t there.

And then obviously once you establish a policy, the next best practice is to enforce the policy across all the devices. You don’t buy insurance based on new buildings, you buy insurance based upon all of the buildings you already own. It’s not an ad hoc implemented policy, it’s an enterprise-wide enforced policy.

Then there are certain key things, for example mandate that you password protect the device, mandate encryption on anything sensitive, and either educate users and/or have mandatory compliance.

Another best practice is to make sure you deploy [any product] in a way that people can use it. Don’t just throw it out there.

How do you know which data to encrypt? If you’re a healthcare provider, do you encrypt everything?

The medical industry is kind of a funny industry because you consistently have to battle on one hand the risk to the hospitals and the organizations that have that liability and HIPAA exposure, and on the other hand doctors struggle against anything that inconveniences them or costs them efficiency. There are statistics about the adoption rate of these devices in the 70 percent range for medical purposes. That’s why you really have to think out encryption versus risk tolerance.

So how would a hospital approach the problem?

A hospital would want to think out clearly any way in which exposure could creep in. The second thing is, it depends upon whether the doctor owns the device or the organization owns the device. If it's the organization, then they restrict the applications that are allowed to be on there. You lock it down, you say here’s what this thing is used for, here’s what we support. And it will probably lower support costs if the shareware programs that conflict with the medical software aren’t on the machine, too. You know, the military has the exact same issues here too.

Do users need to encrypt data that goes on the external memory cards?

Yes, because increasingly that’s part of the device; it’s almost more exposed than the device itself.

Symantec quietly discontinued its Norton anti-virus (AV) software for Palm. What does that say about the reality of threats to PDA security today?

The thing that held back AV software from being successful was the fact that there weren’t enough devices connected often and in real time to the Web. The only way you’re really going to get viruses on those devices was your e-mail attachments having viruses and the virus somehow getting in there. I just don’t think that’s very likely. But as these devices surf the Web and they get 802.11b, you’ll see the potential for viruses increase, as the pipes increase. So I think AV might have been too early; the risk wasn’t there.

Security is a little different. Even if you don’t put corporate data on the devices, if your network device guys put passwords on the network, the odds are that those passwords are on your Palm. The threat of loss of a PDA and damage to a corporation is real today, and it will increase as the bandwidth to, and the storage in, those devices increases.

So greater connectivity will drive PDA security?

It’s going to explode as the phones get smarter and the PDAs get more connected.

Talk about Asynchrony’s PDA Defense. What does it offer security administrators?

When you log onto your network, on your PC, at a company, you have to meet the security policies that your network administrator enforces—you have to have a password, you have to change your password sometimes, and so on. With PDAs being deployed in the enterprise, enterprises recognize PDAs are at the edge of the network and they want those protected in the same way, in order to protect corporate data.

For more information about PDA Defense, visit http://www.pdadefense.com/