Product Group Tests

Portable device security (2008)

by Peter Stephenson February 01, 2008
products

GROUP SUMMARY:

For its strong feature set, ease of use and good value we rate Centennial Software's DeviceWall v4.6 our Best Buy.

Our Recommended award goes to Utimaco's SafeGuard PDA Enterprise v4.25. Its simple administration and good feature set, combined with the ease-of-use for end users, make this a solid buy for almost any size enterprise.

This may be the toughest group review we've had in a long time. This wasn't because of the products themselves, but because of the infrastructures required to make everything work well. Talking to other people who have implemented this functionality confirmed our experience. So if you're thinking of going down this route, make sure you are ready, understand the infrastructure requirements and have at least twice the implementation time that your schedule calls for.

What we're talking about here is not simple endpoint security, although some of the products we looked at also do that. The devices we sought to secure included wireless handhelds such as BlackBerrys. Some are considered PDAs, others smartphones. What they all have in common is that they contain and transmit sensitive information over public data networks. They protect information both at rest and in motion.

This differs from some other endpoint devices that focus on data at rest. Many of these tools have portable versions of common operating systems such as Microsoft Windows and all can run applications that are equal or similar to typical MS Office applications.

How to ease implementation
Because this was such a difficult project, we called on the vendors and some outside consultants for advice. We recommend that you do the same. There are two areas that cause a lot of potential problems: the required Microsoft infrastructure and the public carrier infrastructure.

Basically, these products communicate over a public carrier's data network with a Microsoft Outlook Web Access (OWA) or similar implementation at your end. If you are already using OWA, you are light years ahead of the challenges we encountered. However, mastering OWA is not the whole picture.

Some tools we looked at require Microsoft Internet Security and Acceleration (ISA) server implementation because they publish their own web portals. I prefer not to use the ISA server, as I have often found it difficult to configure and manage. Other products, such as those from Cisco, can provide equal or better functionality while being easier to set up and manage.

Many of these products require security certificates and that, in itself, can be a challenge. It's not the individual components of the infrastructure that complicate matters; it's the way they work with each other and the security software.

We recommend you start with a solid implementation of your infrastructure that permits your choice of PDA/smartphone to communicate without the security software. This is where the public carrier comes in. Some carriers do a better job of providing wide geographic digital network coverage. This is becoming less and less of a challenge as carriers move towards 3G networks. But in many cases, the only coverage is either analogue or not completely compatible with the handheld product you have purchased.

Once you have the addressed these issues you can start thinking about adding the security software. This offers several functions. First, it has to provide the appropriate access control and encryption. More importantly, it needs to be manageable from a central point as it is the nature of these devices that they are used away from the enterprise.

One problem with using portable devices may be that you need to check critical email half a country away at midnight local time when support may be on a call-back basis. You may find that the mobile phone works and calls can be made and received, but data cannot. Troubleshooting this type of problem requires good tools and the addition of security can either aid or impede the support process.

How we tested
We took a slightly different approach for these products since the requirements for test beds are varied and the public carriers did not always provide reliable service in the area of our lab. This resulted in experiencing problems that have nothing to do with the security products themselves.

Therefore, rather than perform full in-house testing we depended on live access to vendor demo systems where available and direct testing of some of those that did not have these. As a result we got a broader view of the products than we normally do because we were able to exercise some of the more difficult aspects of implementation and security administration for the products themselves.

- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/

SC Webcasts UK

Sign up to our newsletters

FOLLOW US