DISASTER RECOVERY JOURNAL
PDA PROTECTION
Handheld Computing Power: A Two-Edged Sword
By JOAN HERBIG
It’s 2 a.m. Do you know where your corporate data is?
If your V.P. of marketing just ran to catch a red-eye flight, it might
be sitting in her forgotten PDA at the airport lounge. Product roll-out
dates, details about your sales pipeline, strategic pricing, and other
sensitive information may be left for the taking.
Of course, it might be stored on a smart phone serving as chew toy for
a sales rep’s pup. It might be blasted to nevermore by a failed
handheld device battery. It might even be glowing before the eyes of
a determined industrial spy.
If you think these scenarios are exaggerated, think again. Gartner Research
estimates that a quarter of a million mobile devices were left in airports
last year alone – an incredible figure, considering everywhere
else devices can be forgotten or dropped or neglected.
Gartner also predicts that by the year 2005, 40 percent of corporate data
will reside on handheld devices. The ramifications of this fact are
immense. The cost of replacing a $600 device pales in comparison to
the costs of leaked NDA information or a pre-empted marketing campaign.
The question, therefore, is not whether data stored on handheld devices
can be compromised or lost, but how you’ll prevent it and how
you’ll recover.
Reaching Out to Handheld Devices
Until recently, handheld devices were little more than glorified address
books. Loss or theft of the information they contained was inconvenient,
but not disastrous (unless one happened to be a crime boss). Now, however,
personal digital assistants (PDAs) and smart phones/pagers – including
devices by Pocket PC, Palm, RIM BlackBerry and Symbian – boast
enough computing power to run full-fledged corporate applications. Many
can tie directly into the local area network (LAN) via a wired or wireless
connection, freely exchanging business data with the server. They can
then carry that data beyond the enterprise firewall – straight
into the school of hard knocks. The risks are indisputable if not yet
well publicized, and the wise system manager, vice president of IT or
CEO would do well to prepare now to minimize those risks.
A new category of software makes this possible, allowing handhelds to
be managed and protected just as LAN PCs are. With this mobile infrastructure
technology, network administrators are able to:
• Defend handheld devices against unauthorized access;
• Deter or prevent intentional information theft;
• Recover lost data and make it possible for the affected user
to get back to work.
By extending administrative oversight to handhelds, the enterprise is
able to minimize data loss, as well as unpleasant side effects should
disaster strike.
Preventing Unauthorized Access
Because handhelds can be tucked into a purse or a pocket and carried
everywhere a user goes, they often are considered “private”
tools, outside the corporate purview. This is certainly the case as
long as the device is used to play electronic pinochle or keep track
of wallpaper samples. But the moment a user downloads data from the
corporate network, the company gains a vested interest in protecting
that data. In fact, a company that does not take steps to do so puts
its business at risk.
Take the case of the executive who left her PDA in the airport lounge.
What if she hadn’t turned on the password feature? (Most people
don’t.) Any passerby could switch on the device and gain complete
access to everything in its memory. The fate of all that corporate data
is literally in a stranger’s hands.
But let’s say the executive’s company had implemented a
mobile infrastructure solution. On her way to Detroit she calls the
IT administrator from the airplane and lets him know the device is still
in Memphis. If the device uses a wireless connection to the network,
the administrator can simply connect to the device and lock it down
(turn on password protection). He can also download a message to the
lockdown screen explaining how to contact the device’s owner.
For devices that depend on a wire-line connection (or if the device
is located outside the wireless coverage area), remote lockdown is still
possible, if not immediate. When an unrecognized user tries to connect
to the Internet, the corporate server automatically detects the attempt
and locks down the device.
In addition, if a device belongs to a wireless network, it is possible
to determine the communication tower closest to its location. This information
may jog the memory of a user who hasn’t a clue where he left his
device.
Preventing Information Theft
Sending a lockdown command from a remote location effectively prevents
the casual finder from viewing data on the device. But some “finders”
may actually be savvy thieves who know darn well how to hack a password
or retrieve data via the infrared or serial port. As always, foiling
determined hackers requires stronger measures than shielding data from
random eyes. Using mobile infrastructure technology, the IT administrator
can take several steps to reduce the opportunity for hackers to do significant
harm:
1. Data on the device can be stored in encrypted form and retrieved
in a readable format only after a recognized password has been entered.
It goes without saying that data traveling between the server and the
device should also be encrypted.
2. If the information on a lost device is sensitive, it may be safer
to delete it altogether rather than simply locking down the device.
This security measure may be the last in a series of actions taken to
protect device data. For instance, if a device has not connected with
the server for 12 hours, a lockdown command is automatically sent. If
the device has not connected for 36 hours, all data is deleted from
the device. The device can be configured to carry out actions such as
these even when it is severed from network contact. The ability to erase
some or all of the device data allows the corporation to maintain control
of this precious resource, even if the device itself is no longer in
its possession.
3. Configuration standards for handheld devices can be defined and automatically
enforced from a central location. Every time a user connects to the
corporate network, configuration settings can be checked and automatically
changed if they’re out of compliance. As a result, the user who
turns off password protection soon finds that it has been automatically
turned on again. He may also receive an e-mail explaining why the precaution
is necessary and encouraging him not to disable it again.
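An added example, not taken from the article or from any vendor's product: a sketch of the device-side escalation in step 2 (lock after 12 hours without server contact, erase after 36) together with the connect-time configuration check in step 3. The class, the setting names and the clock handling are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LOCK_AFTER_H = 12   # hours without server contact before lockdown (from the article)
WIPE_AFTER_H = 36   # hours without server contact before data is erased

# Hypothetical configuration baseline; the setting names are illustrative.
BASELINE = {"password_required": True, "storage_encrypted": True}

@dataclass
class DeviceAgent:
    last_checkin: float = 0.0   # device clock (seconds) at last server contact
    high_water: float = 0.0     # latest clock value the agent has ever seen
    settings: dict = field(default_factory=dict)
    state: str = "ok"           # ok -> locked -> wiped

    def tick(self, now: float) -> str:
        """Runs on the device on a timer, with or without network contact."""
        # Measure idle time from the highest clock value seen, so setting
        # the device clock back does not postpone lockdown or erasure.
        self.high_water = max(self.high_water, now)
        idle_h = (self.high_water - self.last_checkin) / 3600
        if idle_h >= WIPE_AFTER_H:
            self.state = "wiped"        # a real agent would erase data here
        elif idle_h >= LOCK_AFTER_H and self.state == "ok":
            self.state = "locked"       # a real agent would force the password screen
        return self.state

    def checkin(self, now: float, authenticated: bool) -> list:
        """Server contact: reset the timer, then re-apply the baseline."""
        if not authenticated or self.state == "wiped":
            return []                   # wiped devices need a full restore
        self.high_water = max(self.high_water, now)
        self.last_checkin = self.high_water
        self.state = "ok"
        # Settings that drifted from policy, e.g. a user disabling the password.
        drift = sorted(k for k, v in BASELINE.items() if self.settings.get(k) != v)
        self.settings.update(BASELINE)  # put them back automatically
        return drift                    # the server can log or e-mail about these
```

The high-water mark only resists a clock that is set backwards; it has to be kept in storage that survives a reboot to be of any use on a lost device.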
Recovering Lost Data
The enterprise bears the brunt of data loss or misuse, in terms of liability,
competitive weakness and reduced employee productivity. The employee,
however, feels the full force of that loss in terms of frustration and
heartfelt anguish.
What if the PDA left at the airport contains a presentation the executive
is giving to a major prospective client in two hours? Without a mobile
infrastructure solution, she would be on her own. But her frantic call
to the IT administrator is not in vain if he can “reach out and
touch” the device via handheld management software. If she purchases
a new PDA at the nearest office store and connects it to a PC with Internet
access, the administrator can simply 1) download the mobile infrastructure
solution onto the new client; 2) authenticate the user; and 3) restore
the device to its last known settings, including all applications and
data.
The new device looks and acts exactly like the one that was lost. And
the grateful executive is able to give her presentation, although her
hands might still be shaking.
Of course data loss can occur even when a device remains in the user’s
possession. The handheld might bounce down an escalator or go through
the wash. Or it might just sit there too long. Handheld device batteries
have a relatively short life span, which most users aren’t known
to chaperon with much diligence. For some devices, when the battery
discharges completely only the data burned into ROM at the factory is
retained. Everything else is lost, including applications, settings
and data. While the data is safe from misuse, it is just as unavailable
for legitimate use, which can cause even the toughest salesman to call
the IT department near tears, pleading for help.
That help can only be given, however, if the data on his device has
been adequately backed up. Again, the average computer user isn’t
famous for making conscientious backups, and this is especially the
case for busy, mobile users of handhelds. For some reason the average
human mind can’t conceive of a month’s work gone missing,
despite the fact that handhelds are easily lost, stolen, broken, or
subject to battery failure. So if backups are going to happen, they
need to take place automatically; they need to store the data on the
server (not on the companion laptop kept in the same place as the handheld);
and they need to be performed in an unobtrusive manner.
With mobile infrastructure technology, all this is possible. Device
backups can take place in the background, whenever the user connects
to the server to check e-mail or update his work orders. Better yet,
a server-side solution allows the IT department to control how often
data is backed up, as well as where and how it is stored.
Wielding The Two-Edged Sword
The increased computing power of today’s handhelds allows enterprises
to improve the productivity of field employees and streamline many labor-intensive
business processes. Nevertheless, this increased power is truly a two-edged
sword. The mobility that makes handhelds so convenient also makes them
unpredictable wildcards, capable of wreaking havoc on the entire enterprise.
The need to extend network management capabilities to mobile handheld
devices is obvious. By implementing mobile infrastructure technology,
companies can protect themselves from data theft, and recover quickly
from its accidental loss.
Joan Herbig has held various positions with XcelleNet including president
of the managed systems division during the period of XcelleNet’s
acquisition by Sterling Commerce. Prior to the acquisition, she was vice
president of marketing. Herbig was named the 2001 Woman of the Year in
Technology by the Technology Association of Georgia. Before joining XcelleNet,
Herbig was with Digital Communications Associates (DCA) from 1987 to 1995.
Herbig began her business career in customer support at IBM Corporation.
She earned a B.A. in French from the University of Louisville and an M.S.
in Computer Science from the University of Kentucky.
To comment on this article, go to 1603-15 at www.drj.com/feedback.
©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.