Securing the Mobile User

Working while on the move opens up both users and the office network to all sorts of threats and dangers. We look at ways of combating those threats.

The popularity of mobile working continues to grow in the UK, but many firms are still concerned about the security implications of investing in mobile devices for employees, according to new research released by Sony Ericsson.

The survey found that over half of the workforce now works away from the office at some point during the week and a further half said that this had increased in the last year. However, while 82 percent of medium and large enterprises said they are prepared to invest in mobile devices for their staff to improve productivity, efficiency and employee motivation, roughly the same percentage said they have data and security concerns.

In addition, the majority of European firms list security as their top IT priority this year, according to a new survey by analyst Forrester of over 1,000 IT decision makers in small to medium-sized enterprises (SMBs).

For the mobile user and the person who has to administer that user, there are a number of things to consider when it comes to security. There’s the physical security of the device, the data that’s stored on the device and the need to protect the user from viruses via the Internet, email, CDs/DVDs or USB memory keys. There is also the issue of ensuring security when the user connects back to the office network.

Connecting to the network

One of the biggest concerns for an IT Manager with mobile users is identifying those users that have a legitimate right to connect to the office network and those who are trying to slip in under cover of a legitimate user. In the past, it was possible to synchronise users in the office then synchronise their data when they returned. However, data changes so fast that it is impossible to do things this way.

Users need to be able to access the data and the applications that they need in the office while they’re on the road. The only way to do this is by remote access to the office network. Unfortunately, as soon as you open up the network to outside users you run the risk of a hacker or an intruder getting access to your system.

There are two different threats when you open up your network to the outside world: someone can steal the password and get into your network, or someone can eavesdrop on the connection and take the data without you or anyone else knowing, particularly if you’re using a wireless connection in a shared space like a restaurant, coffee bar or airport lounge.

VPN

The Internet is a fantastic means of communication. However, it’s a public network and any information that passes on it is open for anyone to see. To create a private network you either need to encrypt the data or use an internet service provider (ISP) and routers that allow you to do multi-protocol label switching (MPLS) connections. Encrypting the data and producing a virtual private network (VPN) is the most practical, and cost effective, solution for most companies.

Microsoft’s Windows XP and Vista operating systems include the ability to set up a VPN connection. However, it is complicated and only really practical for a one-to-one connection. A dedicated device is far faster and much more effective for creating VPNs: the hardware is optimised for encryption and decryption, so your device isn’t slowed down unduly, and you can have multiple VPNs open at any one time.

Most routers and ADSL modems come with some sort of VPN functionality, even the very cheapest ones, and most are simple to set up and administer.

Two-factor authentication

A major concern of the VPN system is the need for authentication and the reliance on passwords to enable authentication. Studies continue to point to the ineffectiveness of passwords for securing information. More than 60 percent of users, when given the ability to do so, continue to use the same passwords, according to Forrester Research.

Passwords can be easily stolen, frequently guessed and cracked. They are costly to manage and often forgotten. In addition, end-user frustration with passwords is becoming an increasing concern. Most users access their network in multiple ways and must remember different passwords that vary depending on how and from where they are logging onto the network.

Users already frustrated with having to remember multiple passwords are further challenged by being asked to change their passwords frequently or use passwords that are based on long, hard-to-remember strings of characters and numbers, and the cost of managing these systems is spiralling out of control. Productivity is affected each time a user gets locked out and has to call the help desk for assistance.

A solution comes in the form of two-factor authentication. Strong authentication dramatically enhances network protection by requiring users to present a strong proof of identity before being granted access to protected resources. Two-factor authentication involves a PIN number that can be issued by an application run on a mobile phone or PDA, or produced on a small dedicated piece of hardware that is no bigger than a USB key, and a piece of personal information, such as a user’s name or date of birth.

To make two-factor authentication work on a network, you need to add a solution that sits between the network and the user, and supply users with tokens. RSA, the security division of EMC, provides a quick fit solution known as SecurID. There are two pieces to the solution: the RSA Authentication Manager, and the RSA SecurID tokens or RSA Security USB tokens.

The RSA Authentication Manager plugs into the network and handles the management and verification of authentication requests and centrally administers authentication policies for the networks. The tokens produce a six-digit number that the user enters into the system along with their name to access the VPN and the network. RSA is currently working on three-factor authentication using biometric technology.

The three-factor authentication works by requiring you to supply the system with something you have (the biometric device), something you are (your fingerprint) and something you know (a PIN). Fingerprint readers can also be used to replace a PIN in two-factor authentication. RSA SecurID systems can also be used with BlackBerry devices. As well as enabling a BlackBerry handset to be used as an RSA SecurID authenticator, RIM is now also shipping the BlackBerry Enterprise Server software with integrated support for RSA SecurID.
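The token-and-server check described above, as an added example that is not RSA's code: SecurID's own algorithm is proprietary, so this uses the open TOTP standard (RFC 6238) as a stand-in to show how a server checks a six-digit code, tolerates token clock drift and rejects a code that has already been used. The `AuthServer` class and the user name are hypothetical, and the seed is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays valid (RFC 6238 default)
DIGITS = 6     # six-digit code, as on the tokens described above


def token_code(seed: bytes, unix_time: int) -> str:
    """What the token displays: HOTP (RFC 4226) over the current time step."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical stand-in for the server between the user and the network."""

    def __init__(self, seeds: dict, drift_steps: int = 1):
        self.seeds = seeds              # user name -> token seed
        self.drift_steps = drift_steps  # tolerated clock drift, in time steps
        self.last_step = {}             # user name -> last accepted time step

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        now_step = unix_time // STEP
        for step in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if step <= self.last_step.get(user, -1):
                continue                # this step was already used: replay
            expected = token_code(seed, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[user] = step
                return True
        return False


def demo() -> list:
    # Constructed sample: RFC 6238 test key as the seed, made-up user "alice".
    seed = b"12345678901234567890"
    server = AuthServer({"alice": seed})
    t = 1111111109
    good = token_code(seed, t)
    return [good,
            server.verify("alice", good, t),         # first use is accepted
            server.verify("alice", good, t + 5),     # captured code replayed
            server.verify("alice", good, t + 300)]   # stale code, minutes later
```

Because each code is accepted once and expires within a minute or so, a code captured by an eavesdropper is of no use for a later login, unlike a stolen static password.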

Hardware theft

According to the latest Internet Security Threat Report from Symantec, businesses are not doing enough to protect against data losses from hardware theft. The report found that 54 percent of all data breaches that could facilitate identity theft were the result of the loss or theft of computers or data storage devices, while 28 percent could be put down to failures to implement security policies.

Nationwide Building Society could have easily and cheaply avoided the financial loss and reputation damage it suffered when one of its notebooks containing the details of nearly 11 million customers was stolen. The organisation was fined £980,000 by the Financial Services Authority when the notebook was stolen from an employee’s home last year.

Businesses are responsible for safeguarding personal data held on their systems under data protection laws and other legislation. The most basic way to ensure that data is secure while a device is off site is to encrypt the information on the hard disk, so that if anyone does steal the device the data is completely protected. There are also various other routes you can take to prevent the device from being stolen.

Physical devices that lock your notebook down, such as Kensington cables, are a way of deterring opportunists but won’t deter a determined thief. There are also portable alarm systems, such as the Targus Defcon 1, which combines a stainless steel cable with motion sensor technology that emits a 110dB alarm if someone tries to steal your case or cuts the cable.

Security is important to most businesses, as the Forrester research mentioned at the start of this article pointed out. However, it’s not something you should just do as a one-off; it’s a constant spend. As Forrester analyst and research co-author Bill Nagel explains: “We’re trying to push people towards the idea of making security a proactive, business, process-based initiative, and if the spending levels out, it looks like people are listening to us.”

For more information and advice on mobile security, contact your Account Manager or email security@equanet.co.uk