Hush your mouth!
There are plenty of ways of protecting data on laptops from falling into the wrong hands. But what do you do when the data you want to protect is a conversation from a mobile phone?
Securing corporate information is like squeezing the air in a balloon: the more you tighten your grip on it in one place, the more likely it is to escape to another. Now some of the techniques that have been developed to protect mobile data on laptops are being extended to do the same for smartphones, and to start making inroads into what may be the last unprotected source of mobile corporate data - the voice.
How bad is the problem? Market analyst IDC says there will be one billion mobile workers by 2011. Rival analysis firm Gartner says that the number of people working remotely is increasing 10 per cent a year, and that around 45 per cent of US employees spend at least eight hours a week working outside the office.
Spencer Parker, director of product management for ScanSafe, which offers a cloud-based security service designed to cut the corporate risk of employees' Web browsing, says a survey of his company's customers found that 94 per cent of them have at least 10 per cent of their users working remotely. In 65 per cent of cases, users had circumvented some aspect of corporate security controls on their laptops. And 40 per cent of those surveyed had reported a security incident due to a roaming worker, versus 2 per cent due to internal staff.
Part of the problem with protecting the data and network access that laptops present is that the machines spend so much time out in the wild, beyond the regular ministrations of a central IT authority. This affects both IT departments' ability to keep them up to date and the users' behaviour: the ScanSafe survey suggested that roaming workers do 753 per cent more file sharing than those working on an office computer, 420 per cent more streaming, and make 153 per cent more requests for pornography. These people are nonetheless aware of the mobile security issue - they're much less likely to do their personal banking on a laptop outside its corporate network.
Alcatel-Lucent has come up with one way to tackle the problem. Its Nonstop Laptop Guardian consists of a dongle for a laptop and a gateway server that sits inline with an organisation's existing network. The dongle includes a 3G modem, CPU with hardened operating system and 256MB of memory, GPS and a five-day back-up battery, so IT departments can communicate with their users' laptops even when they're turned off and beyond the reach of the normal network.
"It overcomes the mobile blind spot created when you disconnect from the corporate LAN," said Michael Hardiman, business development director for enterprise security solutions at Alcatel-Lucent Telecom.
The 3G connection means an IT department can send software patches and operating-system upgrades to users' laptops while they're off, helping to keep them secure. It can also be used to ensure the security of mobile laptop data, by providing the link for remote data-access control schemes. Onboard encryption hardware helps protect data, and if a laptop is stolen the 3G link provides the tools to remotely wipe data from the hard drive. The dongle also stops users accessing the open Internet by automatically creating a secure virtual private network when the machine is started.
The dongle is just one embodiment of the underlying technology of the Nonstop Laptop Guardian. A company called Novatel Wireless has launched a wireless hotspot, about the size of a cigarette case, which makes a 3G connection to a mobile operator and then shares the bandwidth through a small Wi-Fi hotspot. According to Hardiman, the Nonstop Laptop Guardian software is currently being ported to the hotspot and will soon be available as a downloadable upgrade. Mobile operators should like it because it improves the manageability of the device. The advantage for individual or corporate users is that they could use the hotspot to provide all access control and encryption facilities, and then protect a laptop's data simply by carrying the hotspot separately.
Alcatel-Lucent isn't saying more at the moment, but it's clear that the basic hardware necessary to run the underlying technology of Nonstop Laptop Guardian already exists in many mobile phones and smartphones.
Mobile phone security
As many celebrities have found to their cost, losing a mobile phone can be more than an annoyance, as thieves tout the address books, pictures and video held on them to the highest bidder. Applications such as GhostPigeon for the Symbian mobile operating system can help ease the problem, by enabling users to hide contacts, call logs, photos, video and any other data from casual observers. The application, which is invisible in use, creates a 'phone within a phone' that protects key information using a hidden menu accessed by a secret code.
For those who need protection through encryption, rather than just obscurity, companies such as Credant Technologies have tools to encrypt data on mobile devices and control its use through centrally held policies. Its Mobile Guardian product includes encryption software that runs on the mobile device, with the keys being held by policy administrators in the IT department and gatekeeper software managing the use of the encryption software on an individual or group basis. The Mobile Guardian software runs on smartphones using the Windows Mobile and Symbian operating systems.
While it may seem a little over the top to start running data encryption code on a mobile phone or smartphone, Andrew Kahl, vice president of operations at Credant, points out that "you can put $300m worth of corporate data on a $20 USB stick."
There's a security angle, too. He claims that people have bought USB sticks from market stalls in Afghanistan that have carried everything from details of how to drive a tank to instructions on firing a rocket launcher.
Military radio systems have long encrypted voice transmissions to avoid them being overheard. Of course, you would hardly think it necessary on mobile phones, given the banality of most conversations you overhear. But in business, this is less the case. It's not hard to imagine senior executives wanting to talk about an impending deal or legal case in a secure way from a mobile phone, but not having many options for doing so.
Bruce Jenkins is a managing consultant at software security analysis company Fortify and a former major in the US Air Force. He spent 14 months in Kuwait in the early 1990s as a communication squadron commander, protecting the communications networks for the multinational forces there.
"There are multiple opinions as to what [constitutes] good security," he says. He argues that, for mobile devices, it is possible to intercept communications with a 'man in the middle' attack, in which a rogue basestation is set up close to the target mobile to capture the conversation before it reaches the legitimate network. It may also be possible to intercept conversations as they pass over the backhaul links from basestations to the rest of the network.
One UK company has developed a technique for protecting calls made from mobiles, including the BlackBerry and those running the Symbian or Windows Mobile operating systems.
"Little has been done to secure voice data," said Simon Bransfield-Garth, CEO of Cellcrypt. "It's the last form of unsecured data."
Bransfield-Garth claims the technology is secure enough to be used in 'BlackBerry One', the special smartphone that is being developed for US president Barack Obama.
"There's no reason why the technology we've developed couldn't go through the process to get certification at that level, but it takes two to three years," he said.
Instead the company is focusing on general government users and the senior levels of corporations.
"The initial market for this is in government, but we're seeing a strong growth in the corporate market as well. The CEO of Exxon has a secure voice phone, and we think our solution would also be appropriate for use in the oil business, drug discovery, legal, finance and transportation sector as well - anywhere there's a potential threat of eavesdropping."
Bransfield-Garth says that voice encryption for mobiles has been carried out in the past by digitising speech, encrypting it and then sending it over circuit-switched data connections, which haven't been implemented everywhere. Cellcrypt's approach is to encrypt the digitised voice and send it as an IP data-stream over 3G or Wi-Fi connections, reducing the latency involved and using a more widely implemented channel to carry the data than before.
"This gives you two big benefits over existing solutions," he said. "You don't have long latencies - over a Wi-Fi network it will be about 250ms and over 3G about 375ms - and it doesn't care which country it is working in."
Bransfield-Garth says his company's technology relies on a combination of expertise in efficient encryption algorithms, to save the handset's battery power, and network architectures, to manage the latency involved in sending encrypted speech over wireless networks. It uses standard cryptography algorithms to encrypt and authenticate the voice data, exchange keys and assure data integrity.
Cellcrypt also runs secure servers that help authenticate connections and establish secure routing, but which don't take any part in the trust relationship that is created for each secure call. For the deeply security conscious, Cellcrypt also offers customers the option of running their own authentication servers.