Tuesday, June 22, 2010

Could Mobile Devices Be Exposing Your Network?

Wireless broadband, from wi-fi to 3G and now even 4G network availability, has made mobilized more than just communication. Mobile phones equip more than phone calls. Many mobile devices today are powerful and useful hand-held computers. But the question is: are they secured like one?

First, let's begin by understanding the risk. A few months ago, I downloaded an inexpensive app to my iPhone phone called "FTP On The Go." Within minutes, I had bookmarked my company's FTP server, complete with a saved username and password. Moreover, I have been using QuickOffice to access my company docs, emails, spreadsheets, quotes, etc. while traveling or just stuck in traffic. So, what happens when my iPhone gets stolen or lost? Sure, a thug on the subway probably has little interest in our company data, but what if I accidentally left this tiny little data gateway lying on a table at an industry conference?

Of course, even acknowledging the risk, most of us aren't stricken with fear because we've been down this road before. When laptops entered the scene, IT departments everywhere were in a fit to figure out how to secure the devices. Fortunately, Microsoft's user-level security features were actually quite useful. Laptops were password protected and everyone rested easy. So, can't these mobile devils be controlled with the same means?

Let's take the iPhone, and it's cousin the iPad, as examples. The PCI-DSS demands password security with a minimum of 6 characters. Ever type in the password on an iPhone? It's 4-characters max and numerical only. That is assuming, of course, that users have activated the password security on their iPhones. Mine, for example, is privately owned and my IT staff has never even seen it, let alone mandated it's secure use. With nothing more than the usernames and passwords that I have been granted for access to my company's systems, I have downloaded the applications I need to create a mobile workplace for myself--or perhaps a mobile security breach for my company.

And, physical security aside, what level of data security can mobile devices ensure? Whereas Accel Networks' fixed wireless broadband can be provisioned with Layer 2 security, what of the mobile broadband devices?

Here are some policies to consider as the mobile broadband users in your company will, undoubtedly, continue to grow:

If any company data is to be retrieved, including simple pop3 email, the phone's password security--albeit lacking PCI-DSS requirements--should be employed.
Saving of passwords on the phone's applications for accessing any secure sites, including FTP, remote desktop, or similar applications should be prohibited.
When accessing secure data, 3G networks or security-enabled wi-fi should be required.

What are some other policies your company has instituted in order to protect itself from the unmitigated risk of mobile broadband?

Labels: 3G, Fixed Wireless Broadband, iPhone, Layer 2, mobile broadband, PCI-DSS