Case Study: Fielding Service Calls Securely

Securing common, Internet-connected, mobile devices requires a new approach. Schindler Elevator Corp. found one.

How security times change. In the late 1990s, when early adopters of mobile (and wireless mobile) technology relied on proprietary networks and applications. From a security standpoint, companies got baked-in security: an attacker would have to steal a wireless device or unravel the obscure wireless network’s protocol to attack or steal information—perhaps a package tracking number.

Schindler Elevator Corp., based in Morristown, NJ, was just such an early adopter. In 1997, Schindler issued mobile phones and wireless terminals to its more than 2,000 service technicians. The terminals tied into Schindler’s SAP ERP application via a proprietary network, and allowed field personnel to order spare parts; users could upload information from the terminal to a centralized computer to troubleshoot elevator problems. The immediate benefits of the wireless technology were improved availability of real-time information; it also allowed the company to eliminate its old, manual, intensive, paper-driven process.

Fast forward to 2003. By and large, the Internet is less expensive than proprietary networks for transmitting data. Palm Pilot-era devices formerly used in the field don’t cut it anymore. Common, off-the-shelf wireless devices can run off-the-shelf field force automation or customer relationship management software. Instead of relaying elevator diagnostics back to a central server, the machines can run diagnostic software locally, plus carry whole service manuals.

The only problem: securing these common, Internet-connected, mobile devices requires a new approach. Simple passwords, unencrypted memory, and “security by obscurity” aren’t good enough anymore.

When updating a mobile security plan, of course experience helps, says David Butts, CIO of Schindler Elevator. “As veterans of mobile and wireless computing, we understand the security issues inherent in standard operating platforms and the public Internet, as well as the issues that hinder technicians [and their] productivity in the field.”

To take advantage of their cost savings and information-carrying capabilities, the company upgraded its field technicians’ technology last year, eschewing two devices for just one. Technicians get a mobile phone—either a Samsung SPH i700 or a Siemens SX56—running Microsoft’s Pocket PC (Phone Edition) operating system. With the addition of memory cards, technicians now get access to operating manuals, more detailed work instructions, and increased customer information.

Of course, Schindler needed to secure the devices, which contain not only proprietary information, but now link via the Internet to Schindler’s SAP software. The company also wanted security to be easy to manage.

Ultimately, Schindler chose Credant Technologies’ Mobile Guardian. “It not only provides centrally-managed, policy-based security and management for many different types of mobile devices, but continues to work when a technician loses connectivity,” notes Butts. The device’s removable, Secure Digital (SD) card contains all sensitive information. To access it, the technician must first pass authentication. The same goes if the device fails: The technician can pop the SD card into a new device—saving time over having to recover the original device and data—but must also authenticate to access any data. Mobile Guardian also allows field technicians to also reset their own passwords, saving security managers’ time.

To keep the mobile devices usable, and useful, the software also allows them to place and receive phone calls without having to enter security information. Butts says technicians lose less time when accessing enterprise applications: a strong password—single sign-on—and device encryption replaces the need to enter passwords for each individual application.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.