05-01-2004, 06:00 PM
Swami
Join Date: Feb 2004
Posts: 4,303
Corporate PDAs & Security. What Security?
Mobilemag have posted an interesting article about PDA security: "PDAs have become a daily productivity tool for millions of business users. A new study of PDA users, however, points to a significant risk to companies, as large numbers of employees store company-sensitive information on the small, easily lost or stolen devices with virtually no security protection of any kind."
You don't say? Is the term 'Secure Corporate PDA' an oxymoron? :? I am always surprised by the number of folks that don't secure the information on their PDAs, but according to this survey, I shouldn't be...
"Among the study's key findings:
- Half of all respondents did not have any kind of security features on their PDAs other than standard power-on password protection;
- 81% of respondents carry "somewhat valuable" or "extremely valuable" information on their PDA;
- 24% of respondents have experienced a loss or theft of at least one of their PDAs;
- 38% access their corporate networks or multiple networks using their device; and
- 60% of all executive-level respondents say their business would be "somewhat" or "extremely" affected if the data on company-issued PDAs were lost."
How does this tally with your attitude to PDA security? Have you had a PDA lost or stolen? Do you store company-sensitive information on your device? Do you use the built-in Pocket PC security, a more secure add-in program or none at all? Enquiring minds want to know. :wink:
05-01-2004, 07:59 PM
Pontificator
Join Date: Feb 2004
Posts: 1,097
I like the military's method of data security, each file has a security rating, each computer also has a security rating, if the device has a lower security rating than the document, you aren't supposed to attempt to access it from the device.
__________________
Please see www.grlt.com "Tech with a twist of lime!"
The Midlands Hybrid Club MidlandsHybrid.com
Current: Kacey's Wing, T-mo Wing Past: GCM_T, T-Mobile MDA
05-01-2004, 09:10 PM
Sage
Join Date: Mar 2004
Posts: 734
My attitude towards security (not just for PPC) is as follows: If it is info that I would feel uncomfortable losing or falling into the wrong hands, I don't store it on the device. As such, I do keep my schedule on it, and I do have the odd school document - but no phone numbers except my own, no mail addresses except my own, no passwords, credit card or bank account info. Nothing. I feel totally secure and comfortable handing my PDA to someone. Hell, I don't even have a password on it. If it gets nicked or I lose it for real, then it's lost all the same.
Having said that, this survey shows that people in general know ****-all about security. Imagine a doctor who keeps patient info on it. Would you like that device falling into the wrong hands? Or how about a relative, wife, girlfriend who carelessly wrote down your bank account details / email / birthdate / ICQ on their PDA?.... I would feel very uncomfortable, knowing that sort of info is unprotected, sitting in someone's non-secure PDA out in the open...
05-01-2004, 10:44 PM
Pontificator
Join Date: Jul 2003
Posts: 1,264
I've been writing this up as an issue in audits for nearly three years now. Of course, even after I write them up, they don't really do anything to fix this issue.
05-02-2004, 12:34 AM
Ponderer
Join Date: Apr 2004
Posts: 106
Quote:
Originally Posted by ckacey
I like the military's method of data security, each file has a security rating, each computer also has a security rating, if the device has a lower security rating than the document, you aren't supposed to attempt to access it from the device.
|
More correctly, if the device has a lower security rating than the document, it isn't capable of accessing the document. If that's not the case, then the person who designed the system, or at least the security aspects of the system, violated several NSA regulations to the contrary. When it comes to military computers, the rules are quite a bit less flexible.
Quote:
Originally Posted by bjornkeizers
My attitude towards security (not just for PPC) is as follows: If it is info that I would feel uncomfortable losing or falling into the wrong hands, I don't store it on the device.
|
The way I see it, that's a somewhat naive way of looking at it (please don't take offense at this, none was meant). By and large, the same people who won't store credit card information on their PDA, where it can be encrypted and locked behind several types of password or biometric security, will gladly carry those same credit card numbers in their wallet with no security whatsoever.
My point here is that we carry around information every day that we wouldn't want to fall into the wrong hands. Our address, social security number, credit card numbers, etc. are usually kept in our pockets or purses somewhere with no thought of security. Given the choice, I'd much rather migrate this information to my PDA, where it can be at least somewhat secured. My PDA does contain all of my credit card numbers, which enables me to only carry around the one or two I use on a daily basis, while giving me access to the rest, in case of an emergency. The end result is that I've actually lessened the chances of this information being compromised.
Granted, I would agree that migrating everything over to your PDA and not having any passwords or encryption methods protecting it provides for "one stop shopping" for any thief, but my PDA has biometric security (thumbprint), and my "secret" information is encrypted at the file level, with the application accessing it having password protection. This is much more security than my leather wallet offers.
05-02-2004, 04:01 AM
Pontificator
Join Date: Mar 2004
Posts: 1,055
I take security seriously, but that doesn't mean I don't keep sensitive information on my Pocket PC. Any public information (such as phone numbers and addresses) is not password protected. However, any private information, like credit cards, procurement cards, insurance cards, etc., is stored in eWallet in RAM. I feel safe using eWallet since it encrypts the wallet files.
However, any information that isn't publicly available or that can't go in eWallet doesn't ever go into my PDA.
05-02-2004, 04:21 AM
Ponderer
Join Date: Feb 2003
Posts: 51
It has to be secure
I do keep company and private data on my PDA. I use the Ipaq H5555 biometric finger option, a pin password, and Flex Wallet for encryption of data.
We push Flex Wallet to all our employees for use on their PDA.
__________________
MCSE +Security and IBM Advanced Certified Systems Administrator HP Ipaq 2795, HP Compaq 6715b Notebook, Socket Bluetooth GPS
05-02-2004, 05:03 AM
Pontificator
Join Date: Feb 2004
Posts: 1,097
Quote:
Originally Posted by JT3
Quote:
Originally Posted by ckacey
I like the military's method of data security, each file has a security rating, each computer also has a security rating, if the device has a lower security rating than the document, you aren't supposed to attempt to access it from the device.
|
More correctly, if the device has a lower security rating than the document, it isn't capable of accessing the document. If that's not the case, then the person who designed the system, or at least the security aspects of the system, violated several NSA regulations to the contrary. When it comes to military computers, the rules are quite a bit less flexible.
|
True, if the device doesn't respect the security levels it should be barred by the servers if it doesn't have clearance for a certain document, but the user can be punished for knowingly violating this is what I was referring to because the scope of this article was in response to the PPC (I didn't read the link so it truly only relates to the PPC).
05-02-2004, 09:28 AM
Sage
Join Date: Mar 2004
Posts: 734
Quote:
Originally Posted by JT3
Quote:
Originally Posted by bjornkeizers
My attitude towards security (not just for PPC) is as follows: If it is info that I would feel uncomfortable losing or falling into the wrong hands, I don't store it on the device.
|
The way I see it, that's a somewhat naive way of looking at it (please don't take offense at this, none was meant). By and large, the same people who won't store credit card information on their PDA, where it can be encrypted and locked behind several types of password or biometric security, will gladly carry those same credit card numbers in their wallet with no security whatsoever.
|
Well, *I* don't, but you're right - most people will still carry their plastic. But I can understand that - you never know when you'll need your card, and it doesn't do you much good if you left it at home. And if your wallet gets stolen, well, then you have a good excuse if something happens to your card info. But how do you explain to your credit card company that you kept your info on an unprotected PDA, knowing full well the risks of that?
You have a good point about all the other cards we carry - I only carry the ones that aren't sensitive or pose a security risk (I don't carry any ID, no credit cards, nothing except my ATM card, my OV card and a customer loyalty card of my favorite DVD pusher, and about $20 cash - that's really all you need).
05-02-2004, 12:00 PM
Pontificator
Join Date: Feb 2004
Posts: 1,097
Quote:
Originally Posted by bjornkeizers
(I don't carry any ID ...
|
8O What if a cop pulls you over? Or is that a Dutch thing?