Do You Trust Your Storage to Mitigate Mobile-Device Threats?

Increasing numbers of mobile users and poor laptop security management creates a growing risk; a new specification pushes trusted-storage applications

When it comes to security breaches, many organizations worry about malicious attackers operating both inside and outside the network perimeter.

Non-malicious employees, however, are also a potent security threat. According to a new survey of 500 enterprise IT managers in the United States, France, Germany, and the United Kingdom, mobile users are introducing viruses, worms, and malware onto the corporate network, especially when the antivirus and anti-spyware signatures on their PCs are outdated. The survey was conducted by Dynamic Markets for security software maker LANDesk Software Ltd. in Salt Lake City.

Overall, one-third of surveyed IT managers say their company faces one or more of the following problems: unauthorized mobile devices, including laptops, connecting to the network; users who alter (for the worse) or just disable their PC’s security settings; and PCs with out-of-date patches and antivirus signatures. For 66 percent of companies, one or more of these problems have directly caused network breaches.

To counter the threat from mobile users, companies will need improved security policies and procedures. For example, at almost half of organizations, the IT department currently manages security settings on users’ laptops manually, and only when users return to a corporate location. Until then, mobile PCs pose a risk to other users connected to the LAN. One quarter of organizations also ask users to install security patches themselves—no guarantees there—though almost 40 percent of them do at least employ a secure VPN for the purpose. Meanwhile, 12 percent of companies only overhaul their mobile devices’ security “every now and then,” while 4 percent say they don’t make any special laptop security efforts.

Ignoring the problem won’t help, since mobile-security issues will grow more acute as the number of mobile employees increases. Indeed, while 88 percent of organizations already have mobile workers—people who remotely connect to the corporate LAN—one-third of organizations note their mobile-worker ranks are swelling.

To help, “companies can take proactive measures to protect themselves,” notes Dave Taylor, vice president of worldwide marketing for LANDesk Software Ltd. One effective defense, for example, is “setting a corporate security policy for mobile devices,” then enforcing it with network-access-control software or hardware able to intercept and clean devices before they’re granted full network access.

Toward Trusted Storage

To paraphrase the old Steve Martin routine on cats: How many people have storage? Do you trust it?

Changes are on the way to help make storage devices more secure—and trustworthy. In particular, the Trusted Computing Group (TCG) released an update for its Trusted Platform Module 1.2 software specification to help developers create trusted-storage applications. In a press release, TCG says the specification should be finalized by July 2006, and that it’s working “with storage industry standards bodies to ensure the appropriate commands are supported in SCSI and ATA interfaces and protocols.”

Why implement trusted storage? TCG says the framework “will help ensure that permanent storage devices such as hard disk drives, flash memory drives, optical drives, and digital tape drives are trustworthy, to prevent data misuse, theft, or loss.”

TCG identifies seven applications for trusted storage:

  1. Creating a trusted relationship between storage device and host
  2. Protecting storage used for sensitive data
  3. Enabling storage-device locking and encryption, to secure storage devices and encrypt stored data at rest
  4. Logging changes to a storage environment, for forensic purposes
  5. Offering storage-related cryptographic services
  6. Restricting storage access and features for the exclusive use of specific applications
  7. Securing firmware downloads

Note only PCs containing a Trusted Platform Module (TPM) chip will work with this or any other TCG framework. While only high-end business laptops initially shipped with the chips installed, that has been changing. This year, for example, TCG estimates more than 50 million computers will ship with a TPM chip built in.

Related Articles:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.