Recognizing the growing popularity of mobile computing devices such as handheld computers, personal digital assistants (PDAs) and smart phones, companies are rolling out a host of new products to secure data and communications on portable devices. From disposable soft tokens, to virtual private network (VPN) software for PDAs, to security management software for mobile devices, security companies are catching up to and cracking down on mobile users.
In September alone, Trust Digital LLC, RSA Security Inc. and ION Networks Inc. announced security products targeted at users of cell phones, PDAs, and other mobile devices.
"Companies have more mobile workers than ever, and they want to give (those workers) all the tools they need to do their job effectively," said Laura Koetzle, an analyst at Forrester Research Inc., in Cambridge, Massachusetts.
However, much of the infrastructure that enables mobile computing is inherently insecure, according to Koetzle, who notes that the 802.11b wireless protocol and encryption technology such as wired equivalent privacy (WEP) used by laptops and handheld devices have proven easy to exploit.
For companies like Trust Digital LLC of Fairfax, Virginia, concerns such as those raised by Koetzle, coupled with the rapid adoption of portable computing devices in information-sensitive sectors like the federal government and the health care industry, have meant increased demand for their line of data security solutions for portable devices such as PDAs and smart phones.
"In the last 12 months, we've seen tremendous growth in the use of PDA devices and the ways in which they are being rolled into enterprise networking environments," said Kevin Shahbazi, vice president of marketing at Trust Digital, which last week announced the release of PDASecure, VPN software that can be run on PDAs using Microsoft Corp.'s Pocket PC and Palm Inc.'s PalmOS operating systems and comes with a per-device licensing fee of US$40 per year.
According to Shahbazi, the small size of PDAs and their role as tools of convenience present unique problems for security software makers like Trust Digital that are targeting the PDA market.
"The biggest fears of the CIOs we speak with are that (employees) will lose (portable) devices or never invoke passwords and security on them," said Shahbazi.
The trick, say Shahbazi and others, is to make security both compulsory and transparent to the mobile computing user.
"The average end user doesn't want to know about the idiosyncrasies of VPN. They want to connect to a remote application, see that the tunnel is secure, then go ahead and send information," said Shahbazi.
"There's a definite trade-off between wanting to provide customers with peace of mind and not wanting to make (security) such an imposition in the way they do things that they'll say, 'Oh forget it'," said Charles Golvin, a senior analyst at Forrester Research.
The same themes can be seen in the growing number of configuration management software solutions that are being marketed to organizations -- from public utilities and police forces to vending machine operators and insurance companies -- with mobile workforces that rely on mobile computing devices.
Mobile Automation Inc.'s new Mobile Life Cycle Management Suite uses a software agent installed on the portable device to enable IT administrators to push software updates, applications, and configuration changes from a central server out to mobile devices over a secure connection, according to Doug Neal, chief executive officer and co-founder of Mobile Automation of Santa Monica, California.
According to Neal, his company's software fills what was a gaping security hole for many companies with mobile workforces.
"Commonly, companies would have to manually maintain (mobile) devices... send technicians out into the field, or wait until the quarterly sales meeting for everyone (with a mobile device) to be in one place, or send out a CD and leave it up to users to maintain their own devices," said Neal.
Despite the attention being given to securing communications from portable devices, however, some see the recent spate of new product announcements as a natural step in the evolution of corporate networks from static, wired entities to mobile, wireless ones.
"There's a lot of noise in the discussion (about security for portable devices)," said Forrester's Golvin.
"There are certainly security issues -- 802.11b, which has been broken and proven to be for an enterprise a completely inadequate defense mechanism, for example. But if you look at the wireless LAN issue, it's no different from other network security issues. Companies don't just send proprietary information over their wired network unprotected, nor should they send them over the air unprotected."
And, while some companies see portable devices as a security hole that needs to be plugged, others see them as a powerful tool in making networks and the Internet more secure.
Both RSA Security and ION Networks unveiled disposable soft token technology in September that uses portable devices to push out one-time secure software "tokens" that can be used by remote workers to log on to sensitive network infrastructure.
Like the smart cards they replace, soft tokens allow two-factor authentication -- users must be in possession of the portable device that will receive the secure token, and know a password associated with the token in order to log on to a secure network.
Unlike smart cards, however, soft tokens can be generated at almost no cost, cannot be lost or stolen, can carry policies that limit user access once logged on, and are deactivated after a single use, according to Kam Saifi, CEO of ION Networks of Piscataway, New Jersey.
ION's Secure Soft Tokens software can be used with the PalmOS, Research in Motion Ltd. Blackberry and Microsoft operating systems. Soft Token licenses are available to customers using ION's Secure PRIISMS Administrator Portal software at a cost of between $200 and $400 for each network access point that is being secured using the software. Customers are then entitled to an unlimited number of tokens for use connecting to that network access point.
RSA's RSA Mobile product also supports a wide range of mobile platforms and is targeted towards larger organizations. RSA Mobile comes with a per-device licensing fee ranging from $5 to $10 per year and is sold in packages starting at 100,000 licenses. The price includes the cost of the RSA Mobile Server software.
Analysts agree that the emergence of soft token technology such as RSA's and ION's highlights some of the promise of portable computing devices when it comes to spreading awareness of network security issues.
"These solutions use a channel that is widely available, (soft tokens technology) is something that's fairly simple to explain, and it requires a behavioral change to consumer--but not that much of a change," said Golvin.