GottaBeSecure: Mobile Security Primer
For nearly three months I’ve been writing a column on what I call "mobile security." In past articles I’ve examined the dangers of public WiFi networks, tablet PC theft, data seepage, and even the security of using Skype. But all of these are really just anecdotes illustrating a larger issue. Today I’d like to take a moment to examine what "mobile security" is and why it is so hard.
Maybe you’ve heard the acronym "CIA" used to define computer security. In this definition, "C" stands for confidentiality: keeping your data private from people you haven’t authorized to have it. "I" stands for integrity: making sure no one can alter or delete your data without your permission. Finally, "A" stands for availability: ensuring that your computer and its data can be accessed and used when you want them. Nearly all computer security measures, from passwords to virus scanners, work to protect one or more of these three components of computer security.
So, with that brief definition in place, mobile security is like traditional computer security, but with a huge twist. In traditional computer security your computer is largely stationary: it doesn’t go anywhere. As you plan how to protect a desktop PC or server (to ensure confidentiality, integrity, and availability), your assumptions about its environment are static. In mobile security, however, the environment is constantly changing. One day, for example, you might be working in a conference room at your company’s headquarters. The next day you might be working on your tablet PC or ultra-mobile device at the airport or a coffee shop. Are the threats to your mobile computing platform different in these two locations? You bet! While working at your company’s facility, the threats and dangers are significantly fewer and there is more protection. In an airport or coffee shop, your mobile computing device faces more threats (prying eyes, network-based attacks, and the potential for outright theft of the device), and the protections you enjoy at your company’s facility (control over the physical environment, a corporate firewall, and other trusted employees) are gone.
As our computing environment changes, our mobile security measures need to adapt to the new threat profile. Unfortunately, I don’t see many computer security measures that adapt to the environment; they default to what I would call "strict" mode or "loose" mode. And so I think this is what makes mobile security so hard: the need for adaptation and the lack of automation. Ideally, security measures should adapt automatically based on the environment. Do I really need my password-protected screen saver to engage after 5 minutes when I’m working from home? Do I want my firewall to block all incoming connections when my tablet PC is connected to my corporate network? The answers change drastically once I take my mobile computing platform into a "hostile" environment like a public WiFi network or a hotel broadband connection. I’ve noticed that in MS Vista you can set your network adapter for different environments (public network or home network), but you still have to change those settings manually and intentionally. I suspect most users don’t change those settings to fit their changing circumstances.
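As an added illustration of the automatic adaptation this paragraph asks for (example code written for this article, not code from the original column or from any product it mentions), here is a small Python policy chooser that classifies the link a device is on as corporate, home or hostile and picks a matching posture: inbound firewall policy, screen-lock delay, file sharing, and whether traffic must wait for a VPN. The signal names, the known-network tables, the posture values and the scenarios are all assumptions made for the example; in a real deployment the signals would come from the operating system's network stack.

```python
"""Added example: an environment-aware security posture chooser.

Illustrative code for this article, not an existing tool. The signal names,
the known-network tables and the posture values are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Zone(Enum):
    CORPORATE = "corporate"
    HOME = "home"
    HOSTILE = "hostile"


@dataclass(frozen=True)
class NetworkSignals:
    """What the device can observe about the link it is on (constructed input)."""
    ssid: Optional[str]            # None for a wired link
    gateway_mac: Optional[str]     # MAC of the default gateway as seen in the ARP table
    vpn_established: bool          # a tunnel to the corporate network is up
    domain_authenticated: bool     # the machine completed mutual authentication with the corporate directory


@dataclass(frozen=True)
class Posture:
    zone: Zone
    block_inbound: bool            # host firewall drops unsolicited inbound connections
    lock_after_minutes: int        # idle time before the password-protected lock engages
    file_sharing: bool             # local file and printer sharing enabled
    require_vpn: bool              # application traffic is held until a VPN tunnel is up


# Constructed inventory of trusted links. A home link must match on both fields;
# the corporate zone additionally needs an authenticated signal, because SSID and
# gateway MAC are observable on the air and can be presented by a rogue access point.
KNOWN_HOME_LINKS = {("HomeNet", "aa:bb:cc:dd:ee:01")}
KNOWN_CORP_GATEWAYS = {"00:11:22:33:44:55"}

POSTURES = {
    Zone.CORPORATE: Posture(Zone.CORPORATE, block_inbound=False, lock_after_minutes=15,
                            file_sharing=True, require_vpn=False),
    Zone.HOME: Posture(Zone.HOME, block_inbound=True, lock_after_minutes=30,
                       file_sharing=False, require_vpn=False),
    Zone.HOSTILE: Posture(Zone.HOSTILE, block_inbound=True, lock_after_minutes=5,
                          file_sharing=False, require_vpn=True),
}


def classify(sig: NetworkSignals) -> Zone:
    """Decide which environment the device is in. Unknown links fail closed to HOSTILE."""
    on_corp_lan = sig.gateway_mac in KNOWN_CORP_GATEWAYS and not sig.vpn_established
    if on_corp_lan and sig.domain_authenticated:
        return Zone.CORPORATE
    if (sig.ssid, sig.gateway_mac) in KNOWN_HOME_LINKS:
        return Zone.HOME
    return Zone.HOSTILE


def posture_for(sig: NetworkSignals) -> Posture:
    """The settings the device should apply right now."""
    return POSTURES[classify(sig)]


def traffic_allowed(sig: NetworkSignals) -> bool:
    """Whether ordinary application traffic may leave the host on this link."""
    posture = posture_for(sig)
    return not posture.require_vpn or sig.vpn_established


# Constructed scenarios mirroring the article: headquarters, home, coffee shop.
SCENARIOS = {
    "headquarters": NetworkSignals(None, "00:11:22:33:44:55", False, True),
    "home": NetworkSignals("HomeNet", "aa:bb:cc:dd:ee:01", False, False),
    "coffee_shop": NetworkSignals("FreeCafeWiFi", "de:ad:be:ef:00:01", False, False),
    "coffee_shop_vpn": NetworkSignals("FreeCafeWiFi", "de:ad:be:ef:00:01", True, True),
    # A gateway that merely shows the corporate MAC, with no authenticated signal.
    "spoofed_corp_gateway": NetworkSignals(None, "00:11:22:33:44:55", False, False),
}

if __name__ == "__main__":
    for name, sig in SCENARIOS.items():
        p = posture_for(sig)
        print(f"{name:22} zone={p.zone.value:9} inbound_blocked={p.block_inbound} "
              f"lock={p.lock_after_minutes}m traffic_allowed={traffic_allowed(sig)}")
```

Two design choices carry the security value. Anything the device cannot positively recognise is treated as hostile, so a new airport or hotel network gets the strict posture without the user touching anything. And the loosest posture is only granted when an authenticated signal confirms the corporate network, not when the link merely looks like it: the spoofed_corp_gateway scenario lands in the hostile zone even though its gateway MAC matches the inventory, and a coffee-shop link with the VPN up keeps the hostile local posture while allowing traffic through the tunnel.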
So where do you stand? Do you run your computer like Fort Knox all the time so that you’re ready for hacker threats when you head out into the big, wide world? Or do you play fast and loose, leaving your mobile computing device largely unprotected to maximize your efficiency but taking huge risks once you leave the confines of more protected networks? Maybe you’re in a much smaller group that is constantly tweaking your security settings to fit your situation and provide the appropriate level of protection for the environment you find yourself in today. Which one best describes you?