Mobile phones have been gaining more and more functionality, which makes it easier for users to access information, surf the Web, and receive key messages. Along with these new features has come the ability of hackers and unauthorized users to tinker with sensitive information. “Right now, security is a major concern for companies that are using handheld devices to improve employee productivity,” said Neil Strother, an industry analyst with market research firm The NPD Group.
The Trusted Computing Group (TCG), an industry consortium backed by companies such as IBM, Nokia, Motorola, Samsung, VeriSign and Vodafone Group, has been developing a set of specifications to make it simpler to secure such devices. The new features are needed because cell phones are now capable of doing more than simply completing voice calls. The devices now can take pictures, keep track of a user’s calendar, and send email messages. Also in a small but growing number of cases, they are being used to replace wallets in electronic commerce transactions.
The standards, which have been dubbed Trusted Network Connect (TNC), are designed to make cell phones more PC-like and in fact are similar to standards the group developed for desktop and laptop computers. “Security is important for cell phones because it is much more likely that a user will lose that device than a laptop or desktop computer,” noted John Pescatore, a research director at Gartner Group.
A Security Cornucopia
The TCG’s plan touches upon many security issues and promises a number of potential benefits. First, the standard would help to ensure that outsiders do not tinker with the devices. Phones would now store user authentication information and rely on it to let users access data stored on the devices. Also, the TCG’s proposal helps to make sure that only authorized software is downloaded to the device. A digital rights management function prevents users from illegally making copies of various programs.
One TNC goal is to make it easier for companies to secure their systems. In many instances, users sometimes knowingly or sometimes inadvertently disable, modify, or fail to comply with corporate security procedures. The TCG’s work helps to tighten up endpoint security and protects corporate networks by putting a series of checks in place for each transaction
The specification is divided into various functions performed by different types of devices. Endpoints can function as end user systems, switches, routers, firewalls, Virtual Private Network gateways, or special purpose systems. Integrity Agent software is installed on each endpoint, and the software collects information about the endpoint’s current state of security from programs, such as anti-virus, personal firewall, and patch management programs. The agent then interfaces with plug-in Integrity Measurement Collectors (IMCs), which collect information about the client system’s security checks and consolidate the data for reporting functions.
Are Security Checks Turned On?
The type of information that can be collected includes whether security products are enabled or disabled, what versions of security products the phone is running, which version of virus definitions it is supporting, the date and results from the last security scan, and any patch updates that have been completed. Multiple IMCs can reside on a single endpoint, collect data from an array of security products, and use it to help companies determine if any security breach is lurking.
After the device information is collected, it is sent to an Integrity Server, which checks the information against company security policies defined by network administrators. This system then decides whether an endpoint should be granted access to a network or what changes need to occur before that access will be granted.
Traditionally cell phone security checks were available only though proprietary architectures, which made it difficult for users to mix and match different security products. TNC, which works standards, such as IP Security (IPsec), Extensible Authentication Protocol (EAP) and Secure Sockets Layer (SSL), has been designed to make it simpler for users to work with a variety of security options.
While the specification is promising, a number of issues could curb its acceptance. “Vendors have not always been in synch about what is the best way to offer security functions to handheld device users,” Gartner Group’s Pescatore told TechNewsWorld. Consequently, other specifications, such as Trusted Mobile Platform, have been proposed, and no one is sure how the different initiatives will mesh.
There are also issues about how vendors will implement these security checks. “We have heard that some carriers want to use the TGC work to prevent users from downloading ring tones from competitor’s networks,” said Seth Schoen, a staff technologist at the Electronic Frontier Foundation, a group that monitors civil liberty issues. The group objects to such applications of the technology because it would limit consumers’ choices.
Performance is another consideration. “Security features will always take processing cycles from users’ systems,” The NPD Group’s Strother told TechNewsWorld. The more security functions that a company implements, the greater the potential drain on users’ systems. Support for the specification could also lead to higher-priced devices.
At the moment, the potential impact of it TNC is unclear. Vendors are still outlining the specification and developing a reference model that may be incorporated into cell phones. “I don’t expect TNC compliant products to begin shipping in volume until 2008,” concluded Gartner Group’s Pescatore. “Eventually, the cell phone industry will adopt something to improve cell phone security, but I am not yet convinced that will be the TCG’s work or something from another group.”