October 8, 2008

IDC: Optimizing Security in Mobile Environments

By Chris Christiansen, IDC Program Vice President, Security Products and Services


October 2008

Although the mobile computing and communications world hasn't yet been hit by the volume of malicious viruses and worms that commonly attack wired networks and desktops, the demand for mobile security solutions is real. This demand is being driven not by mobile malware but by the need to protect sensitive information on mobile devices and laptops. The growing number of mobile devices that permit users to carry sensitive information outside an organization's boundaries is creating a complex challenge. Protecting sensitive or otherwise classified information on mobile laptops and other devices has rapidly moved up the priority list of many IT departments.

The following questions were posed by AMD to Chris Christiansen, program vice president of IDC's Security Products and Services research, on behalf of AMD's customers.

Q.    What's behind the increasing need for mobile security, and how can the impact of stolen mobile devices be minimized?

A.    The first step is obvious, but not always taken — use the password security in the mobile device's operating system, and select a good password, that is, a nondictionary password. This means if you can find the word in a dictionary, don't use it for a password. There are several tools that can run a whole dictionary against the password file.

Also, encrypt your files and disk drive(s). Be sure, however, to have good key management and key recovery processes in place. In cases where an organization has thousands or tens of thousands of users, the key management system should be comprehensive enough to handle all those assets over several years' time.

Additionally, you want a system that can securely manage the attachment of third-party storage devices, especially USB thumb drives. A common scenario is when a user opens encrypted files and then, for whatever reason, needs to leave the machine unattended. Sometimes the person is in a public place and simply turns around to talk with someone. A thief who has been watching the scene grabs the machine while the owner's back is turned. We know of such incidents.

The real issue isn't that the mobile device was stolen but that it was completely unlocked and all the data exposed. Mitigate this risk by setting time limits on how long your files stay unlocked. You can also implement a policy where, when the lid is closed on a notebook, for example, the passwords are reset and you have to reauthenticate. Likewise, it's possible to use multiple levels of passwords or authentication.
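The "tools that can run a whole dictionary against the password file" mentioned in the answer above work exactly as this added example shows. It is not code from the interview or from IDC; the password file, the salts, the wordlist and the iteration count are all constructed for the demonstration. The point a practitioner should take from it is that "nondictionary" has to mean more than "not literally a dictionary word": crackers apply cheap mangling rules (capitalization, appended digits and punctuation) to every entry, so "Sunshine1" falls while a genuinely random string does not.

```python
"""Added example: a dictionary attack against a salted, iterated password file.

Demonstrates why "if you can find the word in a dictionary, don't use it":
crackers try every wordlist entry plus cheap mangling rules against every
stored hash. All data below is constructed for the demo.
"""
import hashlib
import hmac

# Constructed wordlist standing in for a real multi-million-entry dictionary.
WORDLIST = ["password", "letmein", "welcome", "sunshine", "dragon", "football"]

# Kept low so the demo runs in well under a second; real deployments use far
# higher counts (or a memory-hard KDF) precisely to slow this attack down.
ITERATIONS = 5_000


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the kind of salted iterated hash an OS stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(user: str, password: str, salt: bytes) -> str:
    """One line of the demo password file: user:salt_hex:iterations:hash_hex."""
    digest = hash_password(password, salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{ITERATIONS}:{digest.hex()}"


def build_password_file() -> list[str]:
    """Constructed password file with fixed salts so results are reproducible.
    (Real salts are random per user; the fixed values are only for the demo.)"""
    return [
        make_record("alice", "Sunshine1", bytes.fromhex("0a" * 16)),    # dictionary word + rule
        make_record("bob", "Tq7!vL#2pZr9", bytes.fromhex("0b" * 16)),   # not derivable from the list
    ]


def mutations(word: str):
    """Cheap mangling rules every cracker applies: case and numeric/punctuation suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def dictionary_attack(records: list[str], wordlist: list[str]) -> dict[str, str]:
    """Try every wordlist entry (and its mutations) against every record.
    Returns {user: recovered_password} for the accounts that fell."""
    cracked = {}
    for line in records:
        user, salt_hex, iters, digest_hex = line.split(":")
        salt, iters, digest = bytes.fromhex(salt_hex), int(iters), bytes.fromhex(digest_hex)
        for word in wordlist:
            for candidate in mutations(word):
                if hmac.compare_digest(hash_password(candidate, salt, iters), digest):
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked


if __name__ == "__main__":
    print(dictionary_attack(build_password_file(), WORDLIST))  # {'alice': 'Sunshine1'}
```

The salt stops an attacker from hashing the wordlist once and reusing it across users, and the iteration count multiplies the cost of every guess; neither helps a password that is reachable from a wordlist in a handful of rule applications. Raising `ITERATIONS` by a factor of 100 makes the script 100 times slower for both the defender's login and the attacker's run, which is the trade-off a real configuration tunes.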

Q.    What types of security can enterprises expect today from wireless network providers?

A.    There are at least two possible layers of security, and you should set user expectations for each layer appropriately. For a wireless WAN or LAN, you can have a layer of encryption that encrypts data moving across the air interface — i.e., between the device and the radio. This provides some protection from "man-in-the-middle" attacks and basic sniffing. What it doesn't necessarily provide is security for information traversing the broader network.

Typically an attacker will seek areas on a network where the information is not encrypted. In the case of a wireless WAN or LAN, the data might be encrypted at the link level or via the air interface. Once that data hits either the device or the wired network on the other side, it usually becomes unencrypted.

The trick is to basically rely on the link-level security for network reliability and then rely on a Layer 3 VPN to encrypt the data from end to end. Organizations are sometimes reluctant to add that second VPN because the network takes a performance hit. This would be considered necessary overhead, however, for most financial and other sensitive-information applications.

Q.    How can enterprises ensure data authenticity and integrity, as well as the speed of transition of their data?

A.    There are multiple ways of authenticating both users and data, but essentially you want to build much of the data authenticity and integrity into the application you're running on the network. And there are certain aspects of network information that might be useful in order to establish the secure connection between the device and the infrastructure. The question is, how much overhead must you introduce to ensure that you're talking to the actual person you think you're talking to, and vice versa?

A variety of different technologies can achieve this security, however, from cross-authentication technology to network access control, where the device is scanned first to make sure it hasn't been compromised in any way before even a modicum of communication with the network is allowed.

For sensitive applications that require data authenticity and integrity, the financial industry has set a fairly high bar for high-value transactions. Many financial systems have been designed with off-the-shelf technology to deliver thorough authentication as well as high integrity. A lot of business communications are essentially transactions, even if the audiences and content are different from industry to industry. From a security perspective, the security needs are comparable.

As for the speed of data transition, high volumes of encrypted data can introduce significant latency, particularly when the client computer is relatively low powered. But this issue seems to be resolving itself as greater processing power becomes standard. Even smart phones, for example, have recently acquired much greater processing capabilities to handle multimedia content.
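The answer above says to build data authenticity and integrity into the application rather than relying on the network. The following added example, written for this page and not taken from the interview or from any financial system IDC describes, shows the minimum such an application-level check involves: a client MACs the transaction fields together with a timestamp and a nonce, and the server recomputes the MAC, compares it in constant time, and rejects stale and replayed messages. The shared key, field names and freshness window are demo assumptions, not a real protocol.

```python
"""Added example: application-level authenticity and integrity for a transaction.

A client computes an HMAC over the canonical transaction fields plus a
timestamp and a nonce; the server recomputes it, compares in constant time,
and rejects stale and replayed messages. Key, field names and window are
demo assumptions, not a real protocol.
"""
import hashlib
import hmac
import json

# Assumption: a per-device key provisioned out of band (e.g. at enrollment).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW_SECONDS = 300  # freshness window; also bounds how long nonces are remembered


def canonical(message: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(key: bytes, message: dict) -> str:
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def sign_transaction(key: bytes, fields: dict, nonce: str, now: int) -> dict:
    """Client side: bind the fields to a timestamp and a unique nonce, then MAC."""
    message = dict(fields, nonce=nonce, ts=now)
    return dict(message, mac=compute_mac(key, message))


class TransactionVerifier:
    """Server side. Remembers nonces only as long as the freshness window needs."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> ts, pruned on every call

    def verify(self, message: dict, now: int) -> tuple[bool, str]:
        body = dict(message)
        tag = body.pop("mac", None)
        if not isinstance(tag, str):
            return False, "missing mac"
        # Constant-time comparison: a plain == would leak the first differing byte.
        if not hmac.compare_digest(compute_mac(self.key, body), tag):
            return False, "bad mac"          # tampered fields or wrong key
        ts = body.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > self.max_skew:
            return False, "stale"            # outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        nonce = body.get("nonce")
        if nonce in self.seen:
            return False, "replay"           # same authentic message presented again
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    tx = {"from": "acct-1001", "to": "acct-2002", "amount": "125.00", "currency": "USD"}
    signed = sign_transaction(SHARED_KEY, tx, nonce="7f3a", now=1_000_000)
    server = TransactionVerifier(SHARED_KEY)
    print(server.verify(signed, now=1_000_000))                          # (True, 'ok')
    print(server.verify(signed, now=1_000_001))                          # (False, 'replay')
    print(server.verify(dict(signed, amount="9125.00"), now=1_000_000))  # (False, 'bad mac')
```

The check costs one SHA-256 HMAC per message on each side, which is the kind of overhead the answer calls negligible next to bulk encryption. The timestamp alone does not stop replay inside the window and the nonce alone would need unbounded storage; using both lets the server forget nonces once they are older than the window, which is why the nonce cache is pruned against `max_skew` on every call.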

Q.    How can mobile security be made transparent to users?

A.    One technique is to embed the security in the application, but also the application code itself must be written securely. Developers need to be trained to make security a priority from the beginning. Then, continuously test the application for security vulnerabilities in the code. Perform both white-box and black-box security testing — "white box" means you have access to the source code, and "black box" means you don't.

The key is that security testing should be part of all application development, not just security-oriented applications. The problem is that, increasingly, organizations are finding that many applications — especially Web-based applications — were never developed with security in mind. As a result, the code is riddled with vulnerabilities.

Security transparency is important, however, because even highly sensitive environments such as the military need to recognize human behavior. If you don't build convenience into the security and make it transparent, inevitably people will be tempted to go around it. The most common example in the commercial world is passwords and log-in names written on Post-it Notes attached to monitors. So it's important that security be not only convenient but also not so intrusive as to affect application performance.


ABOUT THIS ANALYST
Chris Christiansen is the program vice president for IDC's Security Products and Services group. He conducts in-depth primary research and provides insight and analysis on a variety of evolving security markets. Mr. Christiansen delivers critical market intelligence to technology vendors, IT professionals, and the financial community.

ABOUT THIS PUBLICATION

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC.

For more information on IDC, visit www.idc.com. For more information on IDC GMS, visit www.idc.com/gms.

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
