QUESTION POSED ON: 15 May 2003
My company doesn't provide its employees with PDAs, but a lot of the
sales guys have their own BlackBerrys. There's been some concern about
their accessing corporate data on their BlackBerrys. How much should we
worry about this, and what steps should we take to minimize the risk?
EXPERT RESPONSE
The growing base of handheld devices within the enterprise, be they RIM
BlackBerrys, Palms, Pocket PCs or even Java-based mobile phones, is
creating a new set of concerns for security professionals in nearly all
industries. Corporate data on handheld devices is an issue certainly worth
worrying about, because corporate data needs to be protected no matter where it
resides, and the physicality of handheld devices means they are more
easily lost than other mobile clients such as laptop computers.
Traditionally, the smaller the device, the more it moves and the more
susceptible it is to theft or being misplaced.
Filling the security holes is complicated for enterprises that support
handheld devices and nearly impossible for organizations that choose not to
support them. In the context of a situation where devices are the personal
property of employees, it is challenging to enforce some of the simplest
but vital functions involving systems containing sensitive data, such as
standard software installations, access rights, asset management, etc.
Also, without the management responsibility that comes with clear corporate
ownership, IT departments end up responding to mostly break/fix scenarios
and problems that are anything but reasonably predictable, which eats away
at IT productivity.
This is, however, a very common scenario for corporations in the face of
pressures from a tight economy. The majority of enterprises continue to
scrutinize the value of mobile solutions and the utility of handheld
devices beyond their personal information management heritage. With only
27% of U.S. device shipments in 2002 being purchased with enterprise
funds, a share expected to grow to just 45% in 2006, the threats that come
from individually owned handheld devices will continue to plague security
professionals for the foreseeable future. With that said, however,
corporations can work to enforce a variety of policies to help minimize the
threats, such as:
- The installation of synchronization software on corporate systems must be
approved by management prior to use.
- Data encryption and/or password access controls must be used on devices
that hold corporate data. Passwords must be used to power on the device and
to enable data transfers between the corporate network and the PDA.
- Network system passwords are not allowed to be stored on PDAs.
- PDAs should be configured to power off after a set period of inactivity,
and a password should be required to re-power the device.
- PDAs should not be allowed to hold simultaneous connections with the
corporate network and non-corporate networks such as the Internet.
- Handheld devices that sync to corporate systems are subject to asset audits
regardless of whether they are personally owned.
- Mandate centralized synchronization and prohibit synchronization to local
desktops.