This Device Will Self-Destruct in :30 Seconds
With the proliferation of PDAs and smartphones, CA focuses on mobile security.

By Jason Compton

The risks are getting bigger for the smallest class of enterprise computing devices. It's been more than 10 years since the first Pilot (now Palm) handhelds revolutionized the way people thought about pocket-sized computing. But whereas early models could do little more than store a modest address book and a schedule, today's high-powered handhelds increasingly have access to corporate data. Linked to both cellular and enterprise data networks, and possessing growing computing power and storage capacity, the smartphone in 2007 is a serious productivity device. It is also a potential enterprise IT security liability.

Anecdotes abound of taxi drivers who collect forgotten smartphones and PDAs by the dozen every year. Losses of laptops and other mobile devices still afflict nearly half of all companies every year, leading to high-profile embarrassments and exposure to liability (see chart). Now that smartphones are vulnerable to data breaches and used as daily computing devices by both executives and the rank and file, bringing them into compliance with security policies becomes critical.

"It's a problem when you don't have a centrally managed security environment and don't have control over every single person's device," says Natalie Lambert, senior analyst with Forrester Research. "That's where you run into problems and where policies need to be created, so that if [employees] bring a device into the company, it can be integrated into the company's overall strategy."

Seeing a market need, CA has launched a project to assess emerging mobile security needs. "Think of this initiative as a start-up inside a larger company," says Marc Camm, vice president and GM of the group. "The first step we take is to quickly understand the market need, speak to customers to validate our research and then specify the product to deliver a solution. The next step is to build a solution and then put it in the hands of beta customers." Camm's team uses a rapid development process that enables them to work with customers to provide direct and regular feedback. "In this way," he adds, "we can quickly provide new solutions to our customers."

Broader Scope
Initially, CA believed that a lack of good device management products was the primary shortcoming in the smartphone market. "As the initiative progressed, it expanded quite dramatically to include several more mobile device platforms, and the scope broadened to include not just management, but security," says Al Nugent, executive VP and chief technology officer at CA.

Simply put, as mobile devices carry more important data and applications, they need the same levels of management and security protection found on other IT assets. "Based on the market research and intelligence about the mobile market, and speaking with many of our customers, we knew that we needed to do more to help them manage and secure their mobile assets," Camm says.

The result, now in beta testing, is the CA Mobile Device Management solution, designed for cross-platform management of Symbian, Windows Mobile and RIM BlackBerry devices. The solution encompasses four processes commonly practiced on more conventional IT equipment: asset management, security management, policy management and configuration management. On the Symbian and Windows Mobile platforms, CA supports the native Open Mobile Alliance Device Management (OMA DM) standard client on the device.

Mobile asset management provides a crucial "who, what and where" about the smartphones themselves. Large companies want the ability to control and protect mobile devices like smartphones just like any other IT asset. "Up to now, the cellular-based devices have been managed by the telecom department, which has traditionally focused on knowing what phone numbers are being paid for, but doesn't usually know who has what phone or the device user's name," Camm says. "The responsibility for smartphones is moving to the IT team to manage, and the IT staff expects the same level of asset information they have for their other IT assets."

Wipe Out
Security management of mobile devices is critical to the enterprise. Security management governs everything from security policy enforcement to instituting processes for resetting forgotten passwords and rebooting the device, to even disabling the device remotely if necessary. "If you lose your device and can't find it, a call to the help desk will result in the wipeout of all of the information on the device," Camm says.

The architecture supported by many of today's smartphone operating systems helps prevent any malicious intruders from modifying, disabling or erasing the device while under security management. "Many of the security features of these platforms are certificate-based and have different levels of execution permission associated with different levels of credentials," he says. "So, if you don't hold the management permissions, you can't get very far on the device."

Seamlessness is a key aspect of mobile device management and security. The instant-on ease of use of these devices is a key feature of their success and adoption, so solutions that complicate using the device can destroy its value. "Companies love what RIM does natively," Lambert says, pointing out that many corporate users are standardizing on BlackBerry for its ability to be cut off from data that is sent to it at any time, and its ability to remotely kill the devices. "So technology developers are really trying to balance security and productivity, to the point that malware protection or firewalls will have zero impact on the user. [Capabilities like] remote kill and device encryption are completely invisible."

In fact, management suites can bolster the productivity of smartphones by reducing the time they spend in the IT shop undergoing configuration and preparation. "Today, if you get a BlackBerry, IT provisions it, configures it, sets you up with the server and finally gives it to you," Camm says. "That could take a day, a week or a month, depending on the work cycles of the IT staff. Our solution exposes a self-service portal, so instead of waiting a long time to get a BlackBerry online, you can be up and running in a few minutes."

"Policy management supports all regulations that are being enforced or encouraged by the industry you're in," Camm says. "So whether it's in the financial industry and Sarbanes-Oxley is the guideline, or in health care where you're following HIPAA, we can manage and enforce your policy on the device."

The initial trial of the new management and security solution focuses on BlackBerry devices, with Windows Mobile and Symbian to follow later this year. "What we're looking to accomplish with the beta is the assurance that we've got the things the market needs, and that both administrators and users feel their load has been lightened considerably by the improvements we've made in the overall administration process for mobile devices," Nugent says.

It's a goal Camm believes his group is well-positioned to attain, despite the breakneck pace of smartphone evolution. "The mobile market of smartphones and operating platforms changes rapidly—it has not been easy to keep up with the gyrations from all of the different vendors," Camm says. "But the fact that these devices have become so mission-critical means we have to maintain enablement of their security management, and we know that the IT audience has high expectations for the security and management capabilities that they have deemed 'must have.'"

Jason Compton is a technology journalist based in the Madison, Wisc., area who has written for more than 40 technology publications.