It’s 10 o’clock. Do you know where your mobile device is?
One of a network administrator’s biggest fears is a lost or stolen device. And for good reason. Hacking has gone hard-core. The motivations for digital “break and enter” have morphed from youthful curiosity to organized crime.
Think about the invaluable customer and corporate data and access credentials you have on your device—and I’m not even going to mention 1 and 2 Gb storage cards without any type of password protection.
I’ve always felt compassion for the network administrators who shoulder the job of balancing industrial-strength network security with mobile users’ demands for convenience. None of my mobile-packing pals wants to take the time to enter a 10-digit pin number just to answer a call.
But they can be on the hook for violations of HIPAA, Gramm-Leach-Bliley, California Assembly Bill 1950, the European Union’s Privacy Directive—to name a few—if customer data leaked from their mobile device.
This double-edge sword of data-anywhere will get a little easier to handle with the Microsoft Messaging & Security Feature Pack for Windows Mobile 5.0. The Feature Pack, affectionately called MSFP, is an extension to the Windows Mobile 5.0 operating system. It is targeted to businesses who update Exchange Server 2003 to SP2. Both updates will be available to organizations and device manufacturers in the second half of 2005. In this article, I’ll highlight five of the new security features.
Security Strategy
I spoke with Samir Kumar and Weihun Liew, two of Microsoft’s Windows Mobile product managers. They said that MSFP is an initial release to help organizations who want to extend their messaging security model to include smart mobile devices.
Extending the existing security model means organizations won’t have to create and maintain a parallel security infrastructure dedicated to mobile devices.
The Windows Mobile-based device security strategy has been to build in support for messaging security standards—such as 128-bit encryption, NTLM authentication, and SSL (Secure Socket Layer). These are the same standards that apply to desktop e-mail communications, plus WiFi security standards. MSFP adds more of the standards-based security features that customers want. It gives network administrators new tools to enforce corporate security policies and to take preventive and remedial action.
Native Support for Security Standards
S/MIME: One new feature most desired by government agencies worldwide and their key contractors is native support for S/MIME (Secure Multipurpose Internet Mail Extension) SSL encryption of Calendar, Inbox, Contacts, Tasks—all Microsoft Exchange data—during transit between the device and the server.
Mobile device users will be able to use digital certificates to sign and encrypt messaging information. So, “bad guys” who may intercept messages from your mobile device won’t find it easy to pretend they are you or read the encrypted information. This update meets the U.S. standard for Federal Information 140-2 certification of cryptographic modules.
Certificate-based Authentication: With MSFP, you don’t need to store logon credentials on your Windows 5.0 mobile device. “That’s a fancy way of saying, ‘more secure way to access Exchange,’” said Kumar.
Muscle Power for Network Administrators
Policy enforcement: A security policy is only as strong as the means to enforce it. Today, network administrators need to find a third-party product to enforce security policies on a Windows Mobile-based device. With MSFP, network administrators will be able to set and change policies from their Exchange Server 2003 SP2 console. They’ll be able to distribute them over the air to mobile devices.
“Administrators will have more flexibility,” said Liew. “For example, they can set which policies are recommended, which policies are mandatory, and which users are exempt. They can refresh policies every two hours. There’s a theme here, of how we’re enabling IT to do more.” The initial release is focusing on “passive security,” such as enforcing password length and strength and time-out periods.
Local wipe: With the Messaging and Security Feature Pack, network administrators can enforce policies that lock the device after a number of incorrect attempts to guess a password.
Remote wipe: For higher level protection, network administrators would have the capability to issue a remote “kill bits” order to wipe data and credentials from a device reported lost or stolen. Because Windows Mobile 5.0 works well with Exchange 2003 SP2 and Active Directory, even if you lost your device, you could still use your digital credentials elsewhere. Your smart card would work for building access or network computing resources.
Later this year or early in 2006, mobile device makers will begin offering upgrades to existing Windows Mobile 5.0 devices or releasing new ones with MSFP installed. In the meantime, please be careful where you leave your mobile device!
