

Chapter 58
Protection of Mobile Computing Assets

Dave Cullinane

Now that users can access information outside the relatively safe confines of the office, information is more vulnerable than ever before. This chapter discusses how organizations can revamp security controls to protect information from the hazards imposed by mobile computing.

KEEPING PACE WITH CHANGE

Before the advent of mobile computing, critical assets (information and equipment) were all locked inside the data center and stringent protections were imposed on them. However, as computing moved away from the data center, users moved away from the protections that they had created. Today’s user is no longer tied to a desk or a terminal. Remote access is no longer dependent on telephone lines. Portable computers, cellular phones, and radio frequency (RF) modems allow work to be performed at home, at a customer site, in hotel rooms, or while flying in an airplane — literally anywhere.

The assets that need to be protected are no less critical. In fact, in today’s highly competitive environment, information may be even more valuable. In some industries, biotechnology for example, information may be the single most important asset the company has. The theft of the laptop containing Desert Storm battle plans meant the loss of a few thousand dollars worth of physical assets. But the potential value of the information was inestimable. With the storage capacity of disks and other devices skyrocketing — a 4 GB, 5.25-inch disk contains the information equivalent of roughly 28,000 medium-size books — the potential damage from information loss is extreme.

The situation is not likely to improve. The physical size and price of systems, equipment, and parts are constantly decreasing, while capacity, performance, connectivity, and mobility are constantly increasing. The “corporate information vault” is being distributed across buildings, briefcases, and even pockets. Risks that were not considered significant in the office may be much more significant in a mobile computing environment. Controls have not kept pace with the changes. Far too many users are still trying to protect critical information and computer assets with the same controls that were put in place more than a decade ago. Those controls are not working. Objectives must be redefined and controls revamped.

DETERMINING THE VALUE OF INFORMATION

The function of security is to provide the appropriate level of protection for critical business assets. Organizations expend considerable resources acquiring, processing, storing, transmitting, and using information. Valuation of that information depends on the users’ frame of reference and perspective. Information is an intangible asset with value that is difficult to understand and complex to assess. If exclusive possession of information — such as trade secrets, new product information, business plans and proposals, or customer records — is essential, then confidentiality is a critical element in the determination of value. Availability of information may be more essential to business continuity than security. The purpose of the information must be understood to determine what level of protection is needed. The value of the information may be $1 million, but its value to the organization, if it is made available to the sales force, for example, may be 10 times that amount.

Security professionals need to help businesses understand what the threats are to assets and how vulnerable the business is to each of those threats. Businesses must also be assisted in understanding what alternatives exist for protecting assets and what the implications are for each alternative. Then protective measures can be designed to work within the organization’s objectives and culture. The security measures should be accepted by the users as reasonable and provide cost-effective protection — a return on the investment.

Computer Security Principles

Security should not be complicated and inconvenient. If it is, it will fail, because users will circumvent the controls in the interest of accomplishing the work of the business. For security to be effective it must:

  Be pervasive, addressing not just computers but all asset protection issues.
  Meet the business’s requirements, not the vendors’ requirements.
  Be usable by everyone, not just the technically sophisticated.
  Address all equipment and protocols, including those in use today and planned for the future.

Comprehensive protection of business assets should cover:

  People, including employees, visitors, vendors, contract workers, and customers.
  Property, including buildings, campuses, and computers.
  Information, written or electronic.
  The company’s business reputation.

In today’s computing environment, comprehensive protection of assets is accomplished by blending the appropriate physical, operational, information, system, and network security controls.

PROTECTING THE MOBILE OFFICE

The mobility of computing resources compromises traditional physical and logical security protections. Physical security in the building is far more important today than it was when a secure inner perimeter protected the assets housed inside the data center. Information that may have been perfectly appropriate for employees to review in their relatively secure office may be far too sensitive for use in public, where the environment is unguarded at best and may even be hostile. Users have been taking confidential information outside the workplace for years, but generally in relatively small amounts. Today users can walk out the door with tens of thousands of books’ worth of information in a briefcase or a pocket, and the population of laptop and notebook PCs used in the office is expected to almost double by 1996.

The most important control for the protection of portable computers is an educated user. Training is essential to make users aware of the issues and their responsibilities. Users who understand the threats and their exposure to those threats, and who take appropriate measures to protect valuable computer and information assets in their possession, will go far in reducing the organization’s risk. The most common threats to portable information are theft, malicious code, and eavesdropping.



Copyright © CRC Press LLC