
Analysts Say Windows Mobile 5.0 Fails to Deliver Adequate Security


Darius Wey
06-12-2005, 02:00 PM
Windows Mobile 5.0 and the recently-announced MSFP pack a punch when it comes to security enhancements, but a pair from Gartner beg to differ (again). In a June 9 report (http://www.gartner.com/DisplayDocument?doc_cd=129022), the pair claim that the security improvements "are insufficient and do not meet basic enterprise security needs," and that MSFP "does not go far enough with security for enterprise-wide deployment." In a later report dated June 10 (http://www.gartner.com/DisplayDocument?doc_cd=128197), Gartner claims that MSFP will make mobile e-mail "a good enough solution for some organisations" (but obviously not suitable for enterprise-wide deployment). It seems that the message Gartner tries to convey here is that Windows Mobile 5.0 only offers a basic security solution. But in these reports, they appear to have stupidly adopted the same old critical attitude that saw them attack the Pocket PC platform back in 2002, so these reports may well be clouded with elements of bias. Biased or not, I guess the bottom line here is whether they're right? You decide.

surur
06-12-2005, 02:31 PM
It seems their objections are primarily that storage cards are not protected in any way. They have a point, but the solution (encryption of the card) would make things a lot more complicated e.g. you won't be able to use any random card reader to copy documents from a desktop. There are of course 3rd party solutions, but they argue that this should be built in.

With increasing ROM sizes this can become less of an issue if people can remember to keep sensitive documents in BIS. I also don't know if WM has a policy enforcement built in to ensure this happens.

Surur

Philip Colmer
06-12-2005, 04:24 PM
There are still shortcomings in this platform compared to, say, RIM. For example, the RIM management software allows you to explicitly manage the devices that are used to access the email. This cannot be done with the MS platform - you can only control which user accounts are permitted to remotely access email. That isn't the same thing.

Also, the RIM software allows you to deploy settings, etc, to the device. The MS version allows you to enforce a password policy, but that is about it. It doesn't let you set the user name, company name, etc. (The list is longer but this is off the top of my head).

The RIM software lets you see when the device was last "seen". This was useful for me recently when I was trying to diagnose reports from users that they weren't getting updates via their BB devices.

I'm not knocking the MS platform here - I think that this release is a significant improvement over the last attempt. It delivers sort-of push email without the need for SMS messages (at last!) and it also delivers a remote device wipe command.

The security and management of the devices does still need improving, though. Part of the problem is that I don't think that either MS or the manufacturers are thinking of these as enterprise devices.

--Philip

Beavis
06-12-2005, 04:48 PM
In other news....

Gartner IDs 'Over-Hyped' Security Threats


http://www.techweb.com/wire/security/164301646

tthiel
06-12-2005, 05:58 PM
The only thing "stupid" about this is your statement that it's stupid. Do you have any idea what organizations have to deal with regarding security? If you did you wouldn't have made this comment.

Darius Wey
06-12-2005, 06:02 PM
The only thing "stupid" about this is your statement that it's stupid. Do you have any idea what organizations have to deal with regarding security? If you did you wouldn't have made this comment.

Uh... are you talking to me? :|

LPC
06-12-2005, 06:12 PM
Love reports like this ... as of course security is a consideration for most of us when buying PDAs !!!

If ya going to allow your staff to carry data around on a handheld locking that down is near impossible at the moment on any platform.

Gerard
06-12-2005, 08:13 PM
Why is Gartner so very full of crap? They're all over WM5.0 for being un-secure where lost/stolen devices/cards are concerned... but then with VoIP they are apparently quite relaxed:

"On the use of wireless Internet access through Wi-Fi, Gartner said enterprise can equip and educate mobile workers with the tools and knowledge to mitigate the threats and increase productivity via hot spot usage."

So, workforce education is relevant with wireless data transfer (something any newb should be told immediately is NEVER use a 'hot spot' for banking or other security-critical internet work), says the great and wise Gartner team. But an SD card, that's scary. A basement-dwelling European script kiddie hacks into 90+ US government networks and does a pile of damage, using downloadable toys any nerd could use, BECAUSE OF WIRED CONNECTIONS. The US government is less inherently secure than any SD or CF card... UNLESS it happens to be in a wired or wirelessly connected device on a public network.

Basically Gartner's head is up its collective @$$. A little education goes a long way. Tell employees they'll be fired for losing their devices and storage cards and watch as losses suddenly stop. Tell them to use only secured connections for sensitive communications and to encrypt any sensitive data, or risk disciplinary measures. Resco Explorer and lessons in how to use encrypted ZIP or RXF formats - or something like F-Secure, or whatever - should be basic for any deployment of sensitive data and PPCs. Leaving it up to Microsoft is a joke, same as leaving it up to Palm or Blackberry or whatever cellphone. These are consumer electronics first, corporate devices second, and as such any expectation of no-brainer security is coming from a bizarre thought process such as only a leeching pretense of a consulting firm such as Gartner can display. Reminds me of Fraser Institute reports locally... a mouthpiece for what right-wing governments and profit-first, ethics-last companies want to hear... and as one journalist called it: "coin-operated consulting."

Jonathan1
06-12-2005, 08:49 PM
Basically Gartner's head is up its collective @$$. A little education goes a long way. Tell employees they'll be fired for losing their devices and storage cards and watch as losses suddenly stop. Tell them to use only secured connections for sensitive communications and to encrypt any sensitive data, or risk disciplinary measures. Resco Explorer and lessons in how to use encrypted ZIP or RXF formats - or something like F-Secure, or whatever - should be basic for any deployment of sensitive data and PPCs. Leaving it up to Microsoft is a joke, same as leaving it up to Palm or Blackberry or whatever cellphone. These are consumer electronics first, corporate devices second, and as such any expectation of no-brainer security is coming from a bizarre thought process such as only a leeching pretense of a consulting firm such as Gartner can display. Reminds me of Fraser Institute reports locally... a mouthpiece for what right-wing governments and profit-first, ethics-last companies want to hear... and as one journalist called it: "coin-operated consulting."

Yah because every device that is stolen or lost was intentional. :roll: Get freaking real. Windows Mobile has never been the secure. It still sits in the realm of Windows 9x type security. Where is the encrypted file system? Where is the built in firewall? (That many companies require.) Where is group policies that can be admined from AD. Etc, etc, etc. I think someone is a tad too much of a fanboi to realize that Windows Mobile is about as secure as Windows 9x.

As for the consumer / corp excuse. Thank GOD that MS doesn't treat the desktop/laptop market the same way. :roll: The fact is 90% of the features in the Pocket PC is designed around the corp market. What you think home consumers use remote desktop on a day to day basis? Do you think home users use VPN? Do you think push mail addin for 2005 was for home users? Windows Mobile is targeting the enterprise first. Consumers are a far second.

Gerard
06-12-2005, 11:22 PM
Windows Media Player is corporate-focused? Notes? Pocket Word? Pocket IE? Gimme a break. If they wanted to properly support corporate workers, 10MB of ROM would be tied up with a proper port of Word for starters. Ditto for Excel. And File Explorer, seriously, could they have made a more Palm-ish, joe-consumer file manager? Where's the native database application? No PPC previously sold has VPN as native, so suddenly it becomes 90% corporate-focused with WM5 because suddenly it's there? Don't try to tell me the buggy Terminal Services thing counts...

ombu
06-13-2005, 01:19 AM
Just some contrast here. (http://software.silicon.com/os/0,39024651,39130995,00.htm)

Regards.

ombu
06-13-2005, 01:26 AM
No PPC previously sold has VPN as native
Well, maybe I'm wrong and if so just let me know, but running WM2003 on an iPaq 2210 I can quickly create a VPN conn from the conn configuration panel...

Regards.

Kevin Daly
06-13-2005, 08:58 AM
Why is Gartner so very full of crap?

Because consultants like Gartner are generally full of crap. The Suited Ones spawned from the accounting industry are the worst virus in modern IT, especially since corporate types tend to hang on their every word as if they were Moses fresh down from Mt. Sinai.

Gerard
06-13-2005, 10:47 AM
Another sad (if triflingly so) outcome is that periodically Craig1959/JackAubrey feels compelled to quote Gartner in forums, as support for one of his "the PDA is dead because it doesn't open my car door" posts. The other day there was a session of Gartner-bashing on Slashdot which might have choked Gartner 'fanboi' types royally. That was fun. Oh well, guess we're stuck with these jokers until they get caught with a hand in a cookie jar and some new team emerges to tell it like it isn't.

Zidane
06-13-2005, 02:05 PM
One thing I wonder along the lines of security: suppose someone were to hack the remote wipe feature? Can you imagine thousands of PPC Phone users all of a sudden losing their data? I hope that there's some kind of security to prevent that.

PDANEWBIE
06-13-2005, 06:16 PM
The one thing that gets me is that most businesses have different security standards so WHY would any business require the built in functionality of a device to be what they need? This is the job of the corporate security officers to put in place a plan of the softwares needed to make their own company secure! That is like saying I am not going to buy a car because I need to have these three things in the car. Is it the car manufacturer's problem? No, it's the people who need that functionality. The thing is WM 5.0 is a platform... what is a platform? It's something that you build on to your liking. Come on corporate users, buy a platform and then buy any software that you need to "secure" the data.

farnold
06-13-2005, 08:00 PM
Why is Gartner so very full of crap?
Because they get paid for having an opinion :idea:

Years back I worked for one of the Big 5 being responsible for their CRM practice. We conducted a study of the local market and main players through Gartner. We had no customer to that date but became a Gold Partner of the study to be able to bring our questions into the study. Mind you, we ended up being in the top quadrant outperforming many competitors with serious market experience.

When I read reports of the so called analysts - I'd rather call them opinion makers - I only ever think about who may have paid for them and who hasn't.