Portable device security: mobile madness
“We're on the road a lot — we're a very mobile company, relying heavily on smart phones and laptop PCs to send and receive mail or access client-related information,” says Fred Danback, Integro's chief information officer.
Whether they're at the office of a client or at one of the industry's major insurance carriers, the brokers at Integro require access to email and other information critical to finding and procuring precisely the right insurance policy for its clients.
“About 80 percent of the organization have laptops, and 80 percent have BlackBerrys,” says Danback, the man responsible for securing the confidential data stored on those mobile devices. “If we put the personal information of high-net-worth individuals in email, and it's unencrypted, we could be disclosing a lot of confidential information.”
As a result, Danback has taken a two-pronged approach to ensuring the data on Integro's mobile devices remains confidential should they be lost or stolen. Like many CIOs dealing with a mobile workforce, he's turned to strong authentication and encryption — the backbone technologies for securing mobile devices — to ensure that the data stored on Integro's smart phones and laptops remains private no matter whose hands it falls into.
“It's important that we protect the confidentiality of our clients,” he says.
With a mixture of Fortune 500 and extremely wealthy individuals with what Danback calls “complex, high-risk” insurance needs — such as insuring an international corporation's operations in a politically unstable country or providing a concert-cancellation policy for a star singer — Integro can't afford to play loose with customer information.
The brokers at the 400-employee Integro work in virtual teams across five countries (corporate headquarters is in New York), identifying risks that companies and wealthy individuals are exposed to, then finding insurance policies to mitigate those risks, says Danback. As liaison between their clients and the major insurance providers, the company's brokers collect volumes of information about both — proprietary policy data on the one side, credit card and Social Security numbers on the other — that's stored on their mobile devices.
“We try to minimize the amount of information stored on individual devices,” Danback says. In reality, of course, email messages containing confidential information of the company's clients wind up on the brokers' laptops and BlackBerrys.
As a result, Integro enforces strong authentication and encryption for all its mobile devices. Brokers' mobile device passwords are 12 characters, including at least one capital letter and one number, he says.
Moreover, anything of a confidential nature is encrypted using technology from Voltage Security. “We can encrypt by rules or encrypt manually,” he says, adding that with rule-based encryption, if anything in the subject field is confidential, it's automatically encrypted.
A plug-in from Voltage works with Integro's Exchange email server to provide the manual encryption capability. With the plug-in, when a broker types two pound symbols into the email message's subject field, everything sent to the server is encrypted.
Matching encryption with the strong Windows ID authentication prevents unauthorized Integro employees from reading confidential messages, according to Danback. If a system administrator were to log into a broker's email account, for instance, the admin could open the email but couldn't read its contents, says Danback.
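As an added illustration of the two controls described above, and not code from Integro, Voltage Security or the article, the following Python sketch shows how an outbound mail gateway could decide, message by message, whether to hand a message to the encryption layer: a manual trigger (two pound symbols in the subject, as the article describes), a rule-based subject match, and a content scan for the Social Security and credit card numbers the article says brokers handle. It also checks a password against the stated policy (12 characters, at least one capital letter and one number). The subject terms, regular expressions, sample messages and function names are constructed assumptions; the actual encryption is left to whatever product sits behind the gateway.

```python
import re
from dataclasses import dataclass

# Constructed rule set (an assumption, not Voltage's or Integro's real rules).
MANUAL_TRIGGER = "##"
CONFIDENTIAL_SUBJECT_TERMS = ("confidential", "policy number", "social security", "claim file")

# Constructed detectors for the data types the article mentions.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass(frozen=True)
class Decision:
    encrypt: bool   # True: hand the message to the encryption layer
    reason: str     # which rule fired, for audit logging


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from the card-number regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def should_encrypt(subject: str, body: str) -> Decision:
    """Evaluate manual trigger first, then subject rules, then body content."""
    if MANUAL_TRIGGER in subject:
        return Decision(True, "manual trigger in subject")
    lowered = subject.lower()
    for term in CONFIDENTIAL_SUBJECT_TERMS:
        if term in lowered:
            return Decision(True, f"subject rule matched '{term}'")
    if SSN_RE.search(body):
        return Decision(True, "body contains an SSN-formatted number")
    for match in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return Decision(True, "body contains a Luhn-valid card number")
    return Decision(False, "no rule matched")


def password_meets_policy(password: str) -> bool:
    """12+ characters, at least one upper-case letter and at least one digit."""
    return (
        len(password) >= 12
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def run_demo() -> list:
    """Apply the rules to constructed sample messages; returns the decisions."""
    samples = [
        ("## Renewal terms", "see attached"),
        ("Confidential: Q3 claim file", ""),
        ("Lunch?", "Client SSN is 123-45-6789, please update the file."),
        ("Card on file", "Use 4111 1111 1111 1111 for the deposit."),
        ("Lunch?", "See you at noon."),
    ]
    return [should_encrypt(s, b) for s, b in samples]


if __name__ == "__main__":
    for d in run_demo():
        print(f"encrypt={d.encrypt!s:5}  {d.reason}")
```

The ordering matters: the manual trigger is checked before any pattern so a broker's explicit choice can never be overridden by a rule miss, and the Luhn check keeps sixteen-digit order or tracking numbers from forcing encryption on every message.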
Integro's experience personifies the challenges facing security professionals as they integrate mobile devices into their IT infrastructure, notes Jack Gold, an analyst at market research firm J. Gold Associates based in Northborough, Mass.
“The single biggest challenge is assessing the wide variety of [mobile devices] out there and their peculiar vulnerabilities because not all devices are created equal. Securing data on a notebook is different from securing it on a BlackBerry or Treo, and the amount and type of data stored is different. Everything is encrypted on a BlackBerry, and hard to get to. But you don't know if data on a notebook or Palm Treo is protected. So, what an enterprise needs to think about as it tries to secure a wide variety of mobile devices are the peculiarities of each device, what kinds of data they store, and how they store it.”
This assessment takes some work for a couple of reasons.
“Mobility is a moving target,” Gold says. “You have to look at not only what's in the organization today, but you have to figure out what your customers are going to be using in a couple of years.”
How enterprises perceive and secure their mobile devices has changed dramatically in the past year, notes Nick Selby, a senior analyst and director in the enterprise security practice at The 451 Group. “We've seen an inflection point where notebooks and laptops outnumber desktop PCs. The explosion of smart phones and other internet-capable mobile devices means we can't really draw a line between mobile and enterprise devices. They all have similar capabilities, whether they're inside or outside a corporate setting,” he says.
Consequently, there has been a shift from products that merely secure mobile devices to products that offer enterprise security, he says.
“What we're talking about is protection of data on drives and protection of data in motion, and preventing unauthorized devices being attached to a managed machine,” he says.
At the same time, enterprises have made a change in architecture, he says. They've gone from the concept of having all their devices inside a single ‘red circle’ that's safe, to having an untold number of small circles that protect various areas, such as servers, applications, subnets and mobile devices.
“It's become more about protecting information and not the infrastructure,” Selby emphasizes. Integro's Danback would agree with that.
According to Danback, Integro has done everything it can to make sure it is in compliance with California's disclosure law, which is all about protecting customer data.
“If we lose a device with confidential data, I don't have to report it because it's encrypted,” he says.
Another security issue that IT must solve is dealing with unauthorized mobile devices, such as Apple's iPhone, as well as the applications on them, says Todd Thiemann, director of device security marketing at Trend Micro. One report Thiemann cites indicates that only about 20 percent of mobile devices used in enterprises are controlled by the enterprise, while the remaining 80 percent are individually owned.
The iPhone is a prime example. It is still more of a consumer device today, but a lot of executives want it supported, he says. “Some companies will say ‘no,’ but what if the CEO wants it?”
Moreover, employees with authorized user names and passwords can set up their own mobile devices to access the corporate network on their own, says Matt Capoccia, vice president of customer solutions for security vendor KoolSpan. That complicates things for enterprise security departments, he believes. — Jim Carr
From the February 2008 issue of SC Magazine