By Robert Scheier | Jul 28, 2009

5 comments

Facebook

LinkedIn

Digg

Are all those handheld devices your users keep dragging into the office the Next Big Security Threat? Or are they just smaller, less-capable versions of notebook computers that you can afford to pretty much ignore?

Gartner Inc.'s Vice President of Mobile Computing Ken Dulaney argues that Palms, BlackBerry mobile e-mail devices and Web-enabled mobile phones are opening dangerous back doors into your corporate networks -- and now is the time to start combating the threat. SearchSecurity columnist Robert L. Scheier asked Dulaney to outline the threat of personal digital assistants (PDAs) and Gartner's recommended response.

Q: Who buys and controls these devices -- the company or the users?

A: We don't believe any employer has control over these devices. They're too cheap; they're too accessible. If they [the employer] think they've been able to control it, they just don't know what's going on. People see them in the store or get them as Christmas gifts.

Q: Why is this a security threat?

A: When the firewall industry appeared, it was an attempt to put a line of delineation between the enterprise and what it needs to control, and unknown parties who wanted access to that data. Today we have a hole -- just as significant if not bigger -- at the back of the company, with all these PDAs, which are a combination of business and personal devices.

Q: How do these devices get to corporate data?

A: If you buy a Palm Pilot today, you get, with the device, enough software to be able to link to Lotus Notes, or Outlook Express . . . within a day. These are synched through the [user's] desktop PC. It's often a dual-step process: You sync to your PC from your server, and/or at least have an online connection, and then sync to your PDA. Once a user puts software from the [PDA] box on their PC, they basically create an open hole into the enterprise.

Q: Why is this a big threat, if the user is only sending data to their PDA, which is already on their notebook or desktop?

A: Notebook computers, because of their price, have traditionally been bought by the enterprise and would therefore be considered part of the network domain. PDAs are generally owned by consumers and used in business. The real issue here is one of discipline. Because the notebook is owned by the company, they can demand [the enforcement of] security standards. But once it's personally owned, they lose those rights.

Q: Still, the user could just as easily copy the data to their notebook and walk out of the building with it.

A: The company would know that has occurred. The information is on a machine (the notebook), which is controlled by management utilities. But [on a PDA] the software that permits the information to flow out has been put there . . . by the individual. There's no management control.

Q: Just like there's no management control over what I download to a floppy?

A: Sure. These are also challenges that need to be met. But the PDA . . . can so quickly upload its information to the Internet and make it public. If you carry around a floppy, it's not the same thing as being able to connect yourself to a lot of other PDAs via infrared links. It's the electronic definition of a sexually transmitted disease. The key thing we're talking about is the separation of church and state -- what's personal and what's enterprise -- is now fuzzier. The definition of ownership -- that's the big issue -- and the degree of exposure.

5 comments

Facebook

LinkedIn

Digg