- Where do I start when securing mobile devices?
- Who is responsible for device security?
- What security do mobile devices need?
- For the mobile devices I do need, isn’t password protection sufficient?
- So how do I secure the data itself?
- How do I manage passwords and encryption across the devices?
- I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
- Are there other risks I should watch out for?
- What does mobile security cost to implement?
Are there other risks I should watch out for?
A new generation of data storage devices has created new security risks. USB “thumb” drives, iPods, recordable CDs and DVDs, and the iPod (with iTunes’ Enable Disk Mode feature) all make it easy for employees to copy data from a secured device to an unsecured medium that’s easily hidden, lost or stolen. Vendors are only starting to extend protection such as encryption and password protection to these inexpensive media, leaving a big hole in your protection.
Until your software vendors have appropriate tools to cover these risks, you may need to set policies banning their use, and discouraging their use by, for example, configuring your computers not to support USB storage devices and not supporting writable media. An easy step is not to buy computers with writable CD or DVD drives. Blocking the use of USB storage devices is harder, typically requiring adjustments to the Windows XP registry. (The forthcoming Windows Vista Server is expected to let you set such USB usage permissions as policies that can be enforced across all Vista clients.) One sure way to block their use is to pour glue in the USB ports, but that also means your users can’t connect other external USB components such as mice or keyboards.
What does mobile security cost to implement?
Costs vary based on what you’re protecting and on the number of seats being protected, but you can expect to spend between $US50 and $US100 per device to bring in encryption, password management and other security management features onto laptops — assuming you have a management platform already in place for your PCs. You’ll also pay more for antimalware licenses if you’re not already deploying them on your laptops. For example, the Lincoln Health System Network of hospitals estimates that encryption costs about $US60 per laptop, while the Pacific Northwest National Laboratory spends about $US75 each. (The lab spends an additional $US100 per laptop using hardware-based second-factor authentication tokens.) Maintenance and ongoing licensing costs typically are about 25 percent of the license cost. Services such as the Computrace tracking service that can lock down or wipe the contents of missing laptops cost about $US100 per year per laptop.
Costs of managing handhelds vary considerably. While the software typically runs $US20 to $US50 per device, many handhelds cannot be remotely managed, so you have to account for the hands-on IT installation and update costs, which depend on how you provision such help-desk and support services and how diligently you update your mobile devices. For handheld devices that can be managed with your existing management tools, the costs typically match those for your PCs.