
Are Your Corporate Secrets Safe on Handhelds?

Novell Cool Solutions: Feature


Posted: 11 Apr 2003
 

Securing Your Mobile Workforce

As handhelds infiltrate your enterprise, either through individual purchases or corporate deployments, they leave IT struggling to secure the corporate data they carry. Are you aware of all the handheld devices in your enterprise -- even those birthday gifts your users brought in from home? Do you know if the users of those handhelds have configured a password for their devices? Are your corporate secrets truly secure on handhelds?

In this article we'll examine the security issues surrounding handheld computing and take a look at how one product in the handheld management space, Novell® ZENworks® for Handhelds, can be used to help you meet the security challenges presented by handhelds in your organization.

Planes, Trains, and Automobiles

According to research by leading industry analysts, "Approximately 250,000 handheld devices were left behind or lost in U.S. airports in 2001." Note that this estimate does not include the number of devices lost in cabs, trains, hotels, and restaurants! "As the proliferation of PDAs with cellular phone and wireless features increases, so will the opportunities for such losses. Whether a PDA only stores calendar and e-mail information or an organization's sensitive data, losing control of the PDA and the data it contains can pose serious threats to an enterprise."

Entrusting users to configure passwords on handheld devices, which are often personal purchases, results in hit-and-miss password coverage, and devices are left unprotected. Centralized, automated enforcement of password policy is needed to protect the corporate data stored on handheld devices from unauthorized access.

Protecting corporate data on handhelds from loss is another key management issue. Users very rarely back up their data. Synchronization takes care of e-mail, contacts, and calendars, but other files are left unprotected, exposing the company to data loss when devices are misplaced or damaged.

Real World Security Concerns

Handheld security is a key issue in the health and medical industry. The Health Insurance Portability and Accountability Act (HIPAA), a 1996 government regulation, establishes standards for the security and privacy of patient data in electronic health care transactions. To conform to HIPAA regulations, strong password protection on handhelds carried by physicians, nurses, and other clinical workers is essential. Without password enforcement, unsecured patient data could be left exposed on a handheld lost in the hospital or on the road by traveling health care workers.

Similarly, in the legal field, confidentiality of client information is imperative. Beyond password protection for handhelds, the ability to wipe the data from lost devices is required. When client data is contained on a lawyer's misplaced BlackBerry wireless pager, administrators need the ability to select that device and instruct it to lock out all users immediately to protect the data. When confidential client information is stored on a PDA running the Palm or Pocket PC operating systems, the ability to remotely "self destruct" the device based on a number of incorrect password attempts is key, whether that means deleting all of a handheld's files or remotely performing a hard reset.

Regardless of your industry, handheld security is a critical issue. Mission critical data, including e-mail, confidential corporate information, and client data, must be kept secure.

Share the handheld security challenges unique to your company or your industry at zwmag@novell.com

Novell ZENworks for Handhelds

Novell's ZENworks for Handhelds provides automated management for handhelds to strengthen security, reduce high ownership costs, and increase user productivity. Tightly integrated with Novell's ZENworks product family through the directory and a shared console, ZENworks for Handhelds is part of a comprehensive management solution spanning your server, desktop, laptop and handheld management needs.

With ZENworks for Handhelds, you can extend the same basic management services to handhelds that you have extended to desktops in the past, including:

  • Software and Content Distribution. Automated distribution and updates for applications and content to increase user productivity and reduce administrative costs
  • Security Management. Centralized enforcement of password requirements to strengthen corporate security along with self destruct capabilities
  • Hardware and Software Inventory. Automated collection of hardware and software inventory to improve IT efficiency in troubleshooting, upgrade planning, and license compliance monitoring
  • Configuration Management. Deployment and lockdown of standardized applications, buttons, and configuration settings to reduce support costs and provide a consistent user experience
  • File Retrieval. Protection of handheld data on the network to prevent costly data loss
  • Queries and Reports. Pre-defined and custom reports regarding devices, applications, and policies to simplify analysis and export information to other applications

With ZENworks for Handhelds, IT can centrally enforce the use of passwords, deploy standard images and content, update applications, identify lost devices, lock down configurations, and monitor license compliance for Palm, Windows CE, Pocket PC, and RIM BlackBerry devices. Designed to address the unique characteristics of mobile computing, ZENworks for Handhelds optimizes sporadic, low-bandwidth connectivity using techniques such as compression, checkpoint restart, delta technology, and configurable bandwidth usage.

Securing your Handheld Workforce with ZENworks for Handhelds

Let's take a look at how ZENworks for Handhelds can be used to strengthen security for Pocket PC devices. We'll walk step by step through defining enhanced password requirements, enforcing that passwords are always configured, and setting the device to self destruct after a number of bad password attempts.

The "WinCE Security Policy" is used to define security policy for Pocket PC devices. To configure this policy:

1 -- Create a Handheld Package policy object.

Note: See the "ZENworks for Handhelds Installation and Administration Guide" for instructions on how to create policy objects. The "For more information" section below contains information on downloading this guide.

2 -- In ConsoleOne, right-click the Handheld Package object, then click Properties.

3 -- On the Policies tab, click the down-arrow, then click WinCE.

4 -- Check the check box under the Enabled column for the WinCE Security policy. This both selects and enables the policy.

5 -- Click Properties to display the Security page.

6 -- Fill in the fields:

Require a Password to Be Set on the Handheld: Checking this box specifies that a password must be set on the Pocket PC at all times. If the user does not have a password set, he or she will be confronted with a dialog on the device and prompted to configure the password prior to gaining access to the device. By default, the dialog on the handheld device looks like this:

[Figure: default password prompt dialog on the handheld]

Note that you can replace the bitmap image that displays in the password prompt dialog box on the handheld with a bitmap image of your choosing.

Pocket PC Options: Filling in these fields allows you to specify enhanced security options for Pocket PCs. Note that the "Require a Password to Be Set on the Handheld" box must be checked in order for these options to be available.

  • Enable Enhanced Password Support: Select this option to specify enhanced password support settings for Pocket PCs. For Pocket PCs, ZENworks for Handhelds replaces the password applet if you select Enable Enhanced Password Support; users will see ZENworks for Handhelds password dialog boxes rather than the default dialog boxes.
  • Password Expires in _ Days: Check this box and specify the number of days that you want the password to expire in. When the specified number of days has expired, the user will be prompted to change the password for the Pocket PC.
  • Limit Grace Logons to _ Attempts: Check this box and specify the number of grace logon attempts you want to allow the user before he or she must change the password for the device. After the number of days in Password Expires in _ Days, the user will be prompted to change the password. The user can choose to ignore this prompt and keep the same password for the number of logon attempts you specify.
  • Require Unique Passwords: Check this box to require that the user enter a new password; he or she cannot reuse the previous eight passwords.
  • Minimum Password Length: Check this box and specify the minimum number of characters to allow for the password on the device. You should choose a number great enough to ensure adequate security, but small enough not to excessively burden the user.
  • Require Alphanumeric Mix: Check this box to require that the user use both letters and numbers in the password. To improve the security of a password, it should contain both letters (uppercase and lowercase) and numbers.

Pocket PC 2002 Options: These options allow you to specify how long the Pocket PC can be turned off before a password prompt will be displayed when the device is turned back on. For example, if you set this option to 5 minutes and you turn the device off and then back on within 5 minutes, no password is required to use the device. However, if more than 5 minutes pass between turning the device off and on again, the user must enter a password to use the device.

  • Display Password Prompt for Unused Devices Within: Check this box and choose a time limit from the drop-down list. This limit will represent the maximum amount of time that can elapse prior to a password prompt being displayed on unused devices.

7 -- Click on the Self-Destruct tab. (Note that "Enable enhanced password support" must be enabled on the security tab to use the self-destruct feature.)

  • Bad Password attempts: Check this box and specify the number of bad password attempts to allow before activating the self-destruct feature.
  • Time since last connection: Check this box to specify the number of days ZENworks for Handhelds should wait since the last connection before activating the self destruct feature.

When the self-destruct policy is enforced due to too many bad password attempts or too much time since the last connection, all files in RAM and on storage cards will be erased and ZENworks for Handhelds will attempt to hard reset the device.

8 -- Click OK to save the policy.

Once you have finished configuring and enabling the security policy, you must associate the policy package with a handheld device, handheld group, or container object to make it take effect. By default the policy will be run when the handheld is cradled or connects to the ZENworks for Handhelds proxy service via IP. You can change the package so that it is enforced on a defined schedule.
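The password and self-destruct settings from steps 6 and 7 can be modeled in a few functions to see how they interact. This is an added Python example, not ZENworks for Handhelds code: the field names and sample values are hypothetical, it assumes self-destruct fires once the bad-attempt count reaches the configured number, and it keeps salted PBKDF2 digests for the password-history check as its own implementation choice.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:                      # hypothetical field names, sample values
    expires_days: int = 30         # Password Expires in _ Days
    grace_logons: int = 3          # Limit Grace Logons to _ Attempts
    history_depth: int = 8         # Require Unique Passwords (previous eight)
    min_length: int = 6            # Minimum Password Length
    alnum_mix: bool = True         # Require Alphanumeric Mix
    max_bad_attempts: int = 5      # Self-Destruct: Bad Password attempts
    max_days_offline: int = 14     # Self-Destruct: Time since last connection

@dataclass
class Device:
    last_connection: datetime
    password_set: datetime = None
    history: list = field(default_factory=list)  # (salt, digest) pairs, never plaintext
    bad_attempts: int = 0
    grace_used: int = 0

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def set_password(policy, device, candidate, now):
    """Apply the password rules; return the violated rules (empty = accepted)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if policy.alnum_mix and not (any(c.isalpha() for c in candidate)
                                 and any(c.isdigit() for c in candidate)):
        problems.append("needs letters and numbers")
    recent = device.history[-policy.history_depth:]
    if any(hmac.compare_digest(_digest(candidate, s), d) for s, d in recent):
        problems.append("reused")
    if not problems:
        salt = os.urandom(16)
        device.history.append((salt, _digest(candidate, salt)))
        device.password_set, device.grace_used = now, 0
    return problems

def logon_state(policy, device, now):  # 'ok' | 'grace' (prompt skippable) | 'must_change'
    if now - device.password_set <= timedelta(days=policy.expires_days):
        return "ok"
    return "grace" if device.grace_used < policy.grace_logons else "must_change"

def should_self_destruct(policy, device, now):
    offline = now - device.last_connection > timedelta(days=policy.max_days_offline)
    return offline or device.bad_attempts >= policy.max_bad_attempts  # assumption: fires at the limit
```

Note that the two self-destruct triggers are independent: a device that never sees a bad password is still wiped if it stays disconnected longer than the configured number of days.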

The steps above describe how to use ZENworks for Handhelds security policy to protect your handheld devices from unauthorized access. ZENworks for Handhelds file retrieval policy can be used to provide additional protection for your handheld data by backing it up to the network, where it can be restored to a replacement device in case of loss or theft. Additional information on file retrieval policy can be found in the "ZENworks for Handhelds Installation and Administration Guide".

Next month

Each month we'll take a look at another handheld management challenge. Next month we'll discuss the issue of keeping corporate content up to date on far-flung handheld devices. How can you make sure handheld users are acting on current information when they connect infrequently and over low-bandwidth connections? We'll provide step-by-step instructions describing how you can keep content up to date automatically. Stay tuned!

For more information:

For more information on ZENworks for Handhelds:

Visit http://www.novell.com/products/zenworks/handhelds

For a free 90-day trial of ZENworks for Handhelds:

Visit http://download.novell.com

To download the "ZENworks for Handhelds Installation and Administration Guide":

Visit http://www.novell.com/documentation

Related articles:

Novell Customer Showcase: Dayton Children's Medical Center, http://www.novell.com/success/cmc.html

Novell Customer Showcase: S.H. Leggitt, http://www.novell.com/success/shleggitt.html


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com
