Mobile client security

As more companies employ a mobile workforce, security becomes a critical factor. Organizations are no longer looking for access mechanisms; they are looking for ways to secure the data over the multitudes of access options. In this tip, Robbie Harrell explores the secure access options available for mobile devices such as PDAs.

More and more devices are supporting data capabilities, and more and more providers, whether voice (such as Cingular, Verizon and Sprint) or data (Wi-Fi hotspots), allow access almost anywhere. As more and more environments move toward evaluating the potential of mobility solutions, security becomes a critical factor for organizations focused on ensuring data integrity. Organizations are no longer looking for access mechanisms; they are looking for ways to secure the data over the multitudes of access options.

The issue with ever-expanding mobility capabilities is that security is not fully baked into the devices -- because of the operating systems that run on the clients themselves. If the client is a PC running Windows, security can be enabled in a pretty straightforward manner using an IPsec VPN. But what if the end client is a phone or a personal digital assistant (PDA)? How can these items be secured in a manner that ensures data integrity and offers compliance with the many federal regulations such as SOX and HIPAA? The flexibility and capabilities these types of clients can offer employees is significant, but if the device cannot securely transmit data, it can become a liability.

So what to do? Even though the clients (phones and PDAs) do not run Windows, there are options for securing the data. First and foremost, it is imperative to standardize on the clients that your organization will support. If they all ran Windows, you could basically support them all with the traditional IPsec VPN solution, but until that time comes, you will have to put a stake in the ground as to what you will support. This could mean revamping the entire corporate cellular/wireless policy -- but that is not recommended.

The odds are that if your organization is large, you already have a corporate cell phone policy with one of the major carriers. If this is the case, you will want to evaluate the capabilities of the carrier's phones and PDAs to support some form of encryption capabilities. BlackBerry is a great example of this because it provides a solution that allows clients to set up a VPN tunnel to a BlackBerry server. The great thing about BlackBerry is that it is supported by Sprint, Cingular, Verizon, T-Mobile, and a host of other cellular carriers. In all likelihood, you can maintain your current carrier and just overlay a BlackBerry solution on your existing service.

In addition to BlackBerry services, there is also the ability to connect to the user's PC or laptop to synchronize data and check calendars and e-mail remotely. This solution provides a mechanism for individuals to work remotely in a secure fashion using their phones.

In this scenario, the user's phone is connected to the cellular network and establishes a secure tunnel with the PC via software installed on the PC, which must have Internet access. This solution can be very cost effective and easy to maintain because no equipment needs to be installed and supported by the organization (unlike the BlackBerry solution). Examples of this type of service are Cingular's Xpress Mail Personal Edition and Sprint PCS Business Connection Personal Edition. Both of these are designed for individual use, but both also provide business use that is similar to BlackBerry.

As you can see, secure communication methods from a mobile client are gaining traction in today's market. As more and more clients begin to support Windows, you will be able to leverage any installed IPsec VPN solution that you may already have. Until that time, some of the other options are cost effective and very easy to use.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has more than 10 years of experience providing strategic, business and technical consulting services. Robbie lives in Atlanta and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.

This was last published in May 2006

Dig Deeper on Wireless LAN (WLAN)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.