ISSE: Mobiles need wireline security

Mobile devices will only bring business value if they are as secure as their desktop equivalents, according to the head of security at Research in Motion (RIM).

"We must make sure not to compromise data security just for mobility," Scott Totzke, vice president in RIM's global security group, told delegates to this year's ISSE conference in Warsaw. "All the things we have spent time developing in wireline [security] still apply for mobiles."

Businesses, Totzke believes, are moving from simple mobile connectivity and communications to interaction and transactions.

Companies are starting to move internal processes that used to be limited to desktop PCs or, occasionally, laptop PCs to handhelds. At the same time, improved processors and storage on mobile devices mean that employees keep more data on them. But these improvements can create security risks.

"Wireless devices are personal computers, perhaps even the first truly personal computer," said Totzke. "But their storage capacity means you are taking more information out on the road."

This makes it critical for network operators, device manufacturers and even end users to pay attention to security from the outset. This week, RIM achieved Common Criteria Certification for its BlackBerry Enterprise Server and BlackBerry device software. A BlackBerry device will also maintain its own encryption, based on AES, regardless of whether the end user is connecting through a cellular or Wi-Fi network and whether or not they are using a virtual private network (VPN).

"Data is being sent over what you have to consider to be an insecure and untrusted network, at least from a corporate IT perspective," said Totzke. "It is outside your firewall and outside your control."

But as well as encryption of data on the network, businesses should consider encrypting data on mobile devices themselves. "Users will be users: at some point you will lose control of the device, whether you leave it in a taxicab or are a victim of a pickpocket," Totzke warned.

RIM is looking at technologies such as token-based authentication. But the wireless industry needs to do a better job of communicating the risks as well as benefits of mobile devices, Totzke believes.

"We can't ignore security problems and we have to learn the lessons of the wired world, not repeat its mistakes. We have to help customers understand the risk factors and make better use of our existing communications channels. We have to improve, to protect customer data."