Is mobility threat to data security?

BANGALORE: On the other side of the coin are the IT professionals who are challenged with the difficult task of keeping the virtual office secure and stable. From their perspective, every mobile device is a potential network security leak to be plugged and a potential data theft liability, especially since users are known to keep highly sensitive information like e-mails, SMS, contacts GPS tracks etc. on their devices.

A survey by InsightExpress found that the majority of smart phone users (55.7 percent) store confidential personal, business or client data on their devices (Source: Enterprise Networks and Servers) - thereby increasing the risk of this information falling into the wrong hands when the device is stolen.

Building a more secure deployment of mobile devices is crucial, but must also be balanced with providing a seamless and intuitive user experience which is a challenge that enterprises and IT vendors have to together address.

Here, it is important to understand that both the software used in any mobile computing device as well as the backend infrastructure play critical roles in addressing the security concerns and protecting confidential information. It is imperative that IT vendors posses a long-term security vision and a well chalked out security technology roadmap.

Microsoft has made security a key focus area under its trustworthy computing initiative, with a vision to provide the most secure products. Windows Mobile 6 – its latest mobile operating software, has both in built security features at the device level as well as those that offer users additional control over data.

The former includes features such as PIN authentication, password protection and storage card encryption (which can encrypt all data on the handheld i.e change it into a format that cannot be read without the encryption key) to prevent unauthorized access. The latter includes features that enable users to immediately erase data from a remote location, if the device is misplaced/ or stolen.

Enterprises on their part have to ensure that they have the right infrastructure in place and that their employees are well aware of the security measures they should adopt to guarantee security of data.

Let us first look at the mobile communication architecture that plays a key role in enterprise mobility. There are primarily three layers to consider when planning or upgrading a mobile deployment: the device, the message server and the network.

Device level security

At the device level, key challenges include allowing only authorized access to the device and preventing unauthorized applications such as viruses or spyware from being installed or accessing critical parts of the device. Besides password protection PIN authentication, password protection and storage card encryption, management role definition, application access tiers, code signing settings, security settings, and security certificates combine to help achieve device-level protection.

Vulnerability at the messaging server

Direct synchronization between the messaging server and the mobile device increases data security. On the other hand the presence of an additional middleware server means that data travels through additional links (Middleware server or Network Operations Center (NOC)), sometimes located in different continents, before it can reach the mobile device, thus increasing risk.

Here again architecturally, Windows Mobile powered devices have the greatest advantage, because the absence of a middleware server reduces the element of risk. Windows Exchange server + Winmobile architecture ensures that the data stays within the company’s firewall thus making it secure.

Protecting network layer

Server security practices are key, but protecting the network layer is also critical. By configuring the corporate network according to best practices and implementing strong security protocols, enterprises can help prevent damage to the network. By using standard Internet security protocols and firewalls, customized solutions can be designed to cater to individual requirements on diverse parameters such as performance, stability, and security.

In addition, built-in features like Information Rights management (IRM) support for office documents also allows administrators to specify access permission to documents, workbooks, and presentations.

It is equally important that the user understands what security features are inbuilt into the device and takes the right measures to protect confidential data.

According to a recent survey, 74.6 per cent of handheld or smartphone users either do not have or do not know about the security protection on their devices. The product manual is a mine of information in this regard, and the enterprise can help by crafting FAQs that incorporate details of customization of security and other features to make it easy for the user.

Addressing security concerns at these multiple layers can help address the top three major areas for data protection which are leaks of confidential data during mail exchange, loss of data with loss of device and unauthorized access of the device.

It is thus imperative for both the smartphone user and the enterprise to carefully study the risk exposures and invest in an OS and add on features that minimize data security threats. Reassured on this front, mobile workers will be able to concentrate on being more productive without worrying about any security related risks of modern technology.

(The author is director of Mobile Communications Business at Microsoft India. He is credited with setting-up the Windows mobile and mobility division for Microsoft in India)