Think about this, Mr. or Ms. IT manager: we occasionally talk about all of our assets walking out the door each evening. This saying most certainly refers to employees, who are clearly the most valuable assets any business has, of course. But there's another asset to consider in the era of mobile computing, and that's the data stored on the notebooks and other mobile computing devices. As we've recently seen from so many reported incidents regarding potentially compromised data on notebooks (can you imagine how many incidents were not reported?), the enterprise needs to take a very proactive look not just at the technologies of mobile computing, but also the policies regarding their use.
In general, there are two key components to any mobile computing policy: acceptable use, and security. Both of these policies need to be written and distributed per your organization's practices, and it's a good idea to get sign-off from anyone who will be issued a mobile computer or similar device. Putting both into action requires customization to the needs of your particular enterprise, industry, and regulatory environment, but the broad requirements for each are as follows:
- Acceptable Use: We always recommend that it be clear that the mobile computer belongs to the company, not the user. Any software loaded on the machine must be so loaded by an appropriate IT person; users may not install software themselves. Centralized management tools
- are essential with more than about ten PCs, but such are widely available and, in general, easy to use. Users must be cautioned about changing key system settings, primarily with respect to security, but also any others that might compromise integrity. Virus, spyware, and firewall settings must all be centrally controlled and monitored. I always recommend that a company-issued computer be used only for company business, and that personal files must never be stored on the machine.
Users must be cautioned to connect only to authorized networks, although the use of firewalls and VPNs somewhat lowers the risk associated with using intermediary networks, like public-access wireless LANs and networks located in hotels and other public facilities. But I still find it useful to reinforce the message of downloading ActiveX controls and similar potential dangers. One problem we clearly still have as an industry is that the computer is still too much of, well, a computer, and ease-of-use is still an abstract theoretical concept for too many users. It is still too easy to make a mistake and end up with a corrupted configuration. There is some hope that future operating systems (i.e., Windows Vista) will improve this situation, but I'm not counting on it. I suggest a written user's guide that explains policies in terms of operational procedures, as well as a Help Desk and occasional refresher classes in how to use the computer and key software.
- Security: As it turns out, so much work has been done on wireless and mobile security, in recent years, that the technologies required to implement good information security strategies are now plentiful and effective. But we also need to begin in every case with a good security policy, which is simply a document that describes what information needs to be protected, who will have access to it and under what circumstance, what techniques will be used to protect it, and what to do in the event of compromise. There are two key technical elements here: encryption and authentication. All sensitive data stored on any mobile computer must be encrypted – no exceptions. And users must authenticate when accessing this data, at a minimum with a password, and ideally with two-factor encryption (a hardware token, biometrics, etc.). VPNs are quite effective in securing communications channels, be they wired or wireless – no sensitive data must ever appear in the clear, anywhere, except to an authorized user. Do not, however, rely on 802.11/Wi-Fi encryption and authentication alone. They secure only the wireless airlink; the VPN provides end-to-end encryption. Ditto, by the way, for wireless-WAN links.
The key to success in enforcing policies isn't, however, in technology; rather, it's in developing a culture of compliance. Think along the lines of those "loose lips sink ships" posters from World War II. Mobile computing isn't all that different from the desktop in that key respect.
About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at firstname.lastname@example.org.
This was first published in August 2006