Product Group Tests

Portable device security

by Peter Stephenson July 01, 2011
products

GROUP SUMMARY:

Portable devices of all types are a real security challenge. This is a relatively new category. That, of course, largely is because the devices they protect are a relatively new category. But mobile devices are exploding in the marketplace so we need a way to secure them.

Of all of the issues that bedevil us, this has got to be near the top of the list. Portable devices of all types are a real security challenge, but the worst are the mobile devices, such as smartphones and tablets. And, don't forget the other types of portable devices, such as USB flash and thumb drives and the like. Let's start there.

The tales are legion of people copying sensitive data onto a thumb drive, taking it home to work on, and then losing the drive and thus exposing information.There is now a whole category of not-so-high-tech that poses a real threat of data leakage. The answer, of course, is encryption, but that encryption must be integrated so tightly into the device that it cannot easily be undone by a data thief.

We saw a couple of these simple products this month and, while they don't have the pizzazz of some of the other tools we tested, they are competent and extremely important to our defense-in-depth approach to information protection. Coupled with various endpoint security tools that we discuss in the other Group Test, these simple little tools can perform services as important as other, more complicated, security tools. Bottom line: Don't forget these tools and don't forget how important they can be.

Now on to the big guys, figuratively - and physically - speaking. These are the tools that are intended to secure those troublesome mobile devices. This is a relatively new category. That, of course, largely is because the devices they protect are a relatively new category. But mobile devices are exploding in the marketplace so we need a way to secure them.

The key issue here is that these portable devices are much smaller and do not have 100 percent of the capabilities of full-blown computers. That means that they need their own specialized protection tools. The ones that we use for our laptops just won't do the trick.

As well, there are additional issues that we find with mobile devices that we do not find with traditional computers. For example, the smaller mobile devices are easier to steal or lose than full-size computers or, even, most laptops. While they can do much of what a full computer can do, they cannot do it all and often use applications - "apps" - to perform their functions.

One buys those apps online and, as a vendor once told me, app stores are the most efficient way of distributing malware known today. This is not shrink-wrapped software, folks. One may know absolutely nothing about the developer of the app. In fact, one probably doesn't, since there are a zillion of them and some are single individuals, not real companies.

Starting again with the little tools, select encrypted thumb drives that use solid, proven encryption. Make sure the user can move the thumb drive among computers without doing a full installation of an application on the new computer. The tool should work by itself. By that I mean one plugs it in, and it does what is needed to work in its new environment.

As to the mobile device security tools that address smartphones and the like, start by reading as many of the proliferating articles, sample policies and security white papers about what your mobile device policy should look like. Then, evaluate your organization in light of what you've learned. The next step is writing a policy that meets both the enterprise needs and the currently emerging best practices. The last step is to find a device or two that can enforce an entire policy, and then test them.

Some things that admins should be looking for are remote wipe, anti-malware protection, an inability for the user to remove protection, the device's equivalent of whole disk encryption using a standard algorithm, the ability to authenticate to the admin's enterprise, and compliance with the rest of the enterprise's security policies.

All of that said, these are pretty tall orders and I expect that we will see dramatic improvement in these products - and the emergence of others - when we revisit this important category next year.


Mike Stephenson contributed to this Group Test.

Sign up to our newsletters

RECENT COMMENTS

FOLLOW US