Questions surround smartphone security
- 22 August, 2005 14:15
Wireless vendors are rolling out a new generation of handheld computers called smartphones for corporate users, but many network executives say they won't consider them until the means to manage and secure them are clear.
For example, Nokia, which uses the Symbian operating system, recently made available the Nokia 9500 Communicator, a handheld with Wi-Fi and cellular support. This fall the company plans to ship a similar model, the 9300, without Wi-Fi. Nokia says they're the first smartphones it has designed specifically for corporate use. Although Nokia created a VPN client and had Symantec develop anti-virus software and Pointsec develop encryption for the smartphones, users say that's not enough because wireless PDAs must support remote management to meet many corporate security policies.
"Few wireless PDAs meet our security requirements right out of the box," says Tamara Box, consultant with the U.S. Department of Veterans Affairs, which has seen rising use of wireless PDAs in the last year among healthcare staff.
She assisted in rolling out the department's Research in Motion BlackBerry and wireless handhelds based on Microsoft's Pocket PC and the Palm operating system. But to meet federal guidelines for use of wireless, she needed to find a way to make sure they could be remotely managed and wiped clean, that data would be encrypted using 140-2 government-approved encryption, and that some features, such as cameras, could be restricted. She ended up adding Trust Digital's Mobile Edge Security software designed for PDAs.
Hungary-based Laszlo Kovari, the IT security and audit manager for the Central Europe division of bottling company Pepsi Americas, is in a similar struggle to ensure that the wireless PDAs used in his region for sales forces follow the same corporate security guidelines set for laptops.
He says he added Trust Digital to the Palm Tungsten PDAs that salespeople use for the purposes of remote management and security. "You should be able to expect the same level of protection on a PDA as a PC to align these with corporate security policy," Kovari says.
"Device management is proving to be a difficult problem," says Haig Coulter, senior product manager at Nokia, noting there's no software designed for central management of the Nokia smartphones.
"It's a classic example of technology getting ahead of security," says Andrew Storm, information technology director at security firm nCircle, where employees are prohibited from transferring corporate data to wireless PDAs because of security concerns.
Storm says wireless PDAs - the BlackBerry is an exception - often lack central management and don't often have the security software the firm prefers, such as PGP encryption.
On the other hand, Mike Murray, director of vulnerability research at nCipher, likes the 4-G Palm LifeDrive he recently bought. It supports Bluetooth and Wi-Fi, and he wants to use it as an alternative to his laptop.
Another smartphone corporate contender is Motorola, which early next year expects to ship the Moto Q, based on the Windows Mobile 5.0 operating system, announced in May.
IDC analyst Kevin Burden says Microsoft has designed Mobile 5.0 to make it easier to get mail from Exchange Server 2003 to a wireless device than can be done with Microsoft's Pocket PC operating system for handhelds.
"They want to be able to compete with RIM with full management controls, including security policy," Burden says. However, Burden is skeptical that Mobile 5.0 will allow businesses to forgo using specialized wireless synchronization middleware, such as the Intellisync Afaria Server.
Until now, individuals bought most wireless handheld devices, which might have been used for business reasons but weren't necessarily managed by the IT department, Burden says.
Manufacturers of the new smartphones, which began to appear about a year ago, are attempting to entice organizations into buying in bulk. "This is where the next growth market is," he says.
In some organizations, particularly hospitals, wireless PDAs have become as important as desktop computers, because these mobile devices run critical applications.
Carla Maslakowski, vice president and CIO at Northeast Regional Medical Center outside of Houston, says the hospital's staff uses the PalmOne Treo 650 Smartphone running the Patientkeeper application to record patient data and diagnostic test results. Information is transmitted directly to the hospital's back-end database application, QuadraMed.
"We do lab and X-ray results and prescription and billing applications," Maslakowski says. "Security is an issue, and so is the memory capacity of the device," which the hospital is upgrading. Maslakowski says the Treo 650 is set up to use an encrypted link when doctors use it for remote access.
St. Luke's Family Health, in Boise, Idaho, has used the eClinicalWorks application on Toshiba Tablets for eight months so doctors can record patient data and send prescriptions electronically.
"I can add a digital signature . . . to the prescription," says Dr. Bill Crump, a physician who says use of the wireless PDA has helped the organization's efficiency.
Erik Goldof, IT systems manager at HoneyBaked Ham in Norcross, Ga., says his firm is open to the idea of corporate purchases of smartphones, but the security and management to control them have to be there from the start. "They're very portable and can easily be misplaced," Goldof says.