Mobile Security policies

In general, there are two key components to any mobile computing policy: acceptable use, and security. Both of these policies need to be written and distributed per your organization's practices, and it's a good idea to get sign-off from anyone who will be issued a mobile computer or similar device. Putting both into action requires customization to the needs of your particular enterprise, industry, and regulatory environment, but the broad requirements for each are as follows:

• Acceptable Use: We always recommend that it be clear that the mobile computer belongs to the company, not the user. Any software loaded on the machine must be so loaded by an appropriate IT person; users may not install software themselves. Centralized management tools are essential with more than about ten PCs, but such are widely available and, in general, easy to use. Users must be cautioned about changing key system settings, primarily with respect to security, but also any others that might compromise integrity. Virus, spyware, and firewall settings must all be centrally controlled and monitored. It is recommend that a company-issued computer be used only for company business, and that personal files must never be stored on the machine.
  
  Users must be cautioned to connect only to authorized networks, although the use of firewalls and VPNs somewhat lowers the risk associated with using intermediary networks, like public-access wireless LANs and networks located in hotels and other public facilities. It is useful to reinforce the message of downloading ActiveX controls and similar potential dangers. One problem we clearly still have as an industry is that the computer is still too much of, well, a computer, and ease-of-use is still an abstract theoretical concept for too many users. It is still too easy to make a mistake and end up with a corrupted configuration. There is some hope that future operating systems (i.e., Windows Vista) will improve this situation, but I'm not counting on it. I suggest a written user's guide that explains policies in terms of operational procedures, as well as a Help Desk and occasional refresher classes in how to use the computer and key software.



• Security: We need to begin with a good security policy, which is simply a document that describes what information needs to be protected, who will have access to it and under what circumstance, what techniques will be used to protect it, and what to do in the event of compromise. There are two key technical elements here: encryption and authentication. All sensitive data stored on any mobile computer must be encrypted – no exceptions. And users must authenticate when accessing this data, at a minimum with a password, and ideally with two-factor encryption (a hardware token, biometrics, etc.). VPNs are quite effective in securing communications channels, be they wired or wireless – no sensitive data must ever appear in the clear, anywhere, except to an authorized user. Do not, however, rely on 802.11/Wi-Fi encryption and authentication alone. They secure only the wireless airlink; the VPN provides end-to-end encryption. Ditto, by the way, for wireless-WAN links.

The key to success in enforcing policies isn't, however, in technology; rather, it's in developing a culture of compliance. Think along the lines of those "loose lips sink ships" posters from World War II. Mobile computing isn't all that different from the desktop in that key respect.