
PDA Security 101

By Intranet Journal Staff
April 8, 2003


Corporate information technology users are increasingly relying on personal data assistants (PDAs) to check e-mail, surf the Web, and perform a variety of other tasks. When you use PDAs for online tasks, they become just as vulnerable as desktop systems to viruses, mobile code exploits, and a variety of other threats. What should organizations do to keep their PDA users safe from the threats of the Internet?

PDA Security Issues

With PDAs becoming ubiquitous, the same threats that affect desktop users are starting to affect PDAs. The biggest threats that PDA users need to be concerned about typically fall into one of these six categories:

  • Password theft
  • Viruses and data corruption
  • Data theft through line sniffing
  • Theft of the PDA itself
  • Mobile code vulnerabilities
  • Wireless vulnerabilities

The biggest security risk to PDAs is likely theft of the device itself, and for that reason securing the data on the device in standalone mode is probably the best type of precaution users can take. The second biggest security risk to PDAs is viruses. Mobile code vulnerabilities (Java and ActiveX exploits) are also a threat, but only affect PDAs that do Web surfing. Wireless vulnerabilities only affect PDAs that use wireless services or have their wireless port enabled.

Encryption solutions exist for PDAs to secure both the data and the links used to communicate with remote systems and networks. These solutions are typically one of two types: products that secure the data while the PDA sits in standalone mode, or products that secure the link as data moves to and from infrastructure devices (such as the desktop unit used for hot-syncing). Using an encryption product to secure either the link to the desktop hot-sync system or wireless surfing means that you basically need to wrap up your PDA traffic in a VPN. Unless you have extremely sensitive data (e.g. government classified data), using a VPN on your PDA may not be worth the performance hits you will suffer.

The best way to protect your PDA from wireless vulnerabilities is to install a VPN client on it. When you protect wireless transmissions, you are protecting the data in transit. A VPN client will likely degrade performance, however, so unless you have reason to believe that someone is "sniffing" your wireless traffic, or you have sensitive information to protect, installing one is probably not worth it. That said, if you are dialing into a classified network on your PDA, the security policies of the organization may require that you use a VPN whether you want to or not.

VPNs operate using a client-server architecture, so a PDA running a VPN client needs to connect to a VPN gateway server residing on the destination network. It is not possible to establish a VPN tunnel with the VPN client by itself. Therefore, unless the destination network has a VPN gateway server for your PDA client to connect to, there is no point in trying to configure a VPN client. For stronger VPN security, you'll want to use X.509 digital certificates for authentication.

Security Policies for PDAs

Organizations can also create security policies to help protect sensitive data that resides on PDAs. For example, a policy that requires the wireless port to be disabled will reduce the risk of sensitive data being transmitted to unauthorized individuals. You can create an end-user behavior policy that stipulates that PDAs not be used to send or receive e-mails containing private and sensitive information. By creating end-user behavior security policies, organizations can hold end-users accountable for security violations.

If you feel that your network is at risk for PDA viruses, and you have not deployed enterprise anti-virus software for PDAs, you can create a policy that requires the synchronization capability (hotsync) to be turned off. Keep in mind that end-users are typically resistant to security policies, and your best bet for gaining end-user acceptance is to illustrate the risks to executive managers, who may help champion and support PDA security policies.
