When it comes to developing solutions for managing the security of mobile and portable storage devices, IT executives' attitudes can be summed up in one word: frustrated.
That's the word that best describes the responses we've received to Dark Reading's portable and mobile security survey over the past month. Security professionals say they are frustrated by their inability to enforce policies for securing mobile devices and their inability to find adequate technology solutions among a plethora of rapidly developing products.
As we saw in Part 1 of our survey analysis last week (see No Wires & No Policies), corporations and large organizations are having trouble developing enforceable policies for securing portable devices. While 42 percent of respondents said their organizations maintain an "unplugged" philosophy for most users, approximately 61 percent said they either haven't got a policy for removable storage devices, or their organizations were vulnerable because their policy was unenforceable. About 28 percent of respondents said their policies for mobile device management were either nonexistent or unenforceable.
A major reason for these policy shortcomings is the dearth of viable technology for managing the security of devices that travel outside company walls, security professionals say. In our survey, 47 percent of respondents said current products for managing removable storage were inadequate or nonexistent; about 46 percent said the same is true of products for securing mobile and wireless devices.
A shortage of adequate encryption technology is one problem, IT executives say. "The most frustrating aspect of securing mobile devices and storage media is trying to find a way to implement encryption that works for all our users around the globe," says Greg Lyons, security research analyst at a major consumer-packaged foods company. "Different countries today have widely varying laws on decryption, and regional solutions are no help, because our users often travel between jurisdictions."
Other respondents are exasperated by the myriad of portable technology available on the consumer market, much of which ends up in their users' pockets. "New devices from Best Buy should be left home or at the door," says David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "The company should provide the tools or access required."
Some security pros say there may be adequate solutions on the market, but they are so overwhelmed with new product information that they can't make heads or tails of it. "Nobody can keep up with all of the new technology," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment.
And others say the price tag for current solutions is simply too high. "It's not so much that the products are inadequate, it's that they are unrealistically expensive for the small- to mid-sized company, or a not-for-profit like us," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif.
Vendors, not surprisingly, disagreed with the survey respondents' assessment. Officials at companies such as SecureWave and Reflex Magnetics, both of which offer tools for managing and securing removable storage media, say their challenge is simply getting the word out to IT staffers who don't know there are viable products on the market to solve the remote device security problem.
By a wide margin, security professionals' greatest concern about mobile and portable devices is simple loss or theft. Some 62 percent of respondents ranked laptop theft as one of their top two concerns, and 37 percent ranked loss or theft of removable storage media in the top two. Introduction of malware via portable storage devices was cited by 29 percent of respondents; 22 percent were concerned about penetration of Wi-Fi or other wireless data network connections. Only 16 percent expressed high anxiety about the loss or theft of PDAs or other mobile devices; just four percent were worried about eavesdropping on cellular calls.
Interestingly, however, only one percent of respondents have actually experienced a security violation through mobile or portable storage media, and only 26 percent of respondents cited the threat of attack as the primary driver behind their mobile and portable security initiatives. The most frequently cited driver for mobile security efforts was a general push for better security across the enterprise (30 percent), followed by compliance with Sarbanes-Oxley or other regulatory standards (25 percent).
No matter what their motivation, though, survey respondents wish they could find products and vendors that fit better with their existing environments. "Every [vendor] has a better way of doing things and has included special features in their applications," Kubista observed. "But it's all useless if it takes forever to map that application to a business process."
Tim Wilson, Site Editor, Dark Reading