Tuesday, August 3, 2004
Got Any Secrets?
Posted by Andy Sjostrom in "ARTICLE" @ 11:00 AM
Microsoft Certified Professional Magazine has published an interesting article called "Protect Your PDAs, PDQ!" written by Roberta Bragg. The topic, keeping your PDA and the data it stores safe, is not unfamiliar, but Roberta does a good job summarizing some of the most relevant aspects. Here are some quotes and my thoughts.
"Physical Protection
Handhelds should be physically secured. The level of security depends on the role the handhelds play and their location."
The challenge is to keep the "physical protection" as small and handy as possible. I would not want to carry around steel wires or heavy metal cases. Cases that make it easy to "wear" the device, for example attached to a belt, can be helpful.
"Access Control
All handhelds should use power-on passwords and/or devices and software designed to prevent unauthorized access and usage."
Since I started using my iPAQ Pocket PC 5550 I have always set my power-on password and used fingerprint authentication. Fast and secure!
"Protection from Malicious Code
Anti-virus protection should be extended to handhelds, along with the use of handheld-specific anti-virus programs and sound, enterprise-wide anti-virus action."
Not convinced on this one yet. I'll be looking out for the first couple of real attacks/viruses before I would feel that the extra hassle/expense is of any value.
"On-board Data Protection
Critical data should be erased if access control mechanisms are under attack or damaged. Sensitive data should be protected by encryption, and non-sensitive data should be optionally protected by encryption."
I've never seen any solution actually erase critical data due to an "attack". However, encryption is simple and transparent to use. There are many encryption products out there.
"Synching, Wireless Data Connections
Handhelds should be protected against unauthorized synching. “Beaming” or other data transfer via wireless means must be secured or disabled."
I wouldn't be too worried about being "beamed" and not knowing about it... However, recent reports of contact information being pulled off Bluetooth devices indicate that wireless connectivity should be turned off if it is not actively used.
"External Connections and Protecting Data in Flight
External connections to company networks—via Internet, dial-up and other untrusted networks—should only be allowed through an approved VPN or Secure Sockets Layer (SSL). LAN connections require authentication and other protection as determined by the application."
Very relevant statements. SSL rocks.
"Usage Definitions and Data Decisions
Handhelds used for business purposes should be owned and managed by the business. Handhelds should be used for business purposes only."
Owned and managed by the business, yes. Business purposes only, no. Companies that allow staff to use the device for non-business purposes are rewarded with more skilled co-workers who generate new ideas on how to use mobile technology even more efficiently.
"Awareness Training
All employees should be required to attend or otherwise meet awareness-training objectives that address both the security issues and company policies, as well as provide up-to-date education and information on best practices for handheld protection."
This is true from any and all perspectives! I am surprised to still meet even IT consultants not knowing what Windows Update is... Be that as it may. Roberta's article did spur some thoughts!