Filling the security holes is complicated for enterprises that support handheld devices and nearly impossible for organizations that choose not to support them. Where devices are the personal property of employees, it is challenging to enforce even the simplest but vital controls on systems that hold sensitive data, such as standard software installations, access rights and asset management. Also, without the management responsibility that comes with clear corporate ownership, IT departments end up responding mostly to break/fix scenarios and to problems that are anything but predictable, which eats away at IT productivity.
This is, however, a very common scenario for corporations facing the pressures of a tight economy. The majority of enterprises continue to scrutinize the value of mobile solutions and the utility of handheld devices beyond their personal information management heritage. With only 27% of U.S. device shipments in 2002 purchased with enterprise funds, a share expected to grow to just 45% in 2006, the threats that come from individually owned handheld devices will continue to plague security professionals for the foreseeable future. That said, corporations can enforce a variety of policies to help minimize the threats, such as:
- The installation of synchronization software on corporate systems must be approved by management prior to use.
- Data encryption and/or password access controls must be used on devices that hold corporate data. Passwords must be used to power-on the device and to enable data transfers to and from the corporate network and the PDA.
- Network systems passwords are not allowed to be stored on PDAs.
- PDAs should be configured to power-off after a set period of inactivity, and a password should be required to re-power the device.
- PDAs should not be allowed to hold simultaneous connections with the corporate network and non-corporate networks such as the Internet.
- Handheld devices that sync to corporate systems are subject to asset audits regardless of whether they are personally owned.
- Centralized synchronization must be mandated, and synchronization to local desktops prohibited.
This was first published in May 2003