Supporting Netbooks, Laptops, iPads, Slate, and Tablet Computers

Updated: April 20, 2010

Why an Acceptable Use Policy Matters

Large enterprises have a document called their Acceptable Use Policy (AUP) that covers all the details of safely and securely using portable computing devices (among other things). The AUP is often buried inside the Employee Handbook, or if it's large enough, in a separate three ring binder of its own. No one reads these policies.

Devise your own Acceptable Use Policy by listing, on one page of paper, how you expect your users to work with their mobile computing devices. Explain the legal penalties for losing data (thousands of dollars for each and every customer record lost). Explain the need for your security measures, because you will think them minimal but users will consider them burdensome. Explain that those who violate the rules can be fired with cause for exposing the company to severe legal ramifications. When employees understand why security is necessary, they are far more likely to follow the rules.

Authentication and Full Disk Encryption

Because of the increase in the number and severity of Data Breach laws, the first goal when supporting mobile computing devices is to safeguard against data loss. Your protection must be complete no matter if the device is lost by accident or stolen on purpose. Reference Focus Research Brief Security Tips for the Traveling Netbook, Laptop, and iPad for general tips. Security experts suggest you protect every portable device as if it was targeted for theft by spies looking for information, and hold onto your device as carefully as if it was a bag holding $1,000 in cash.

One reason large enterprises have shied away from netbooks is their lack if biometric authentication tools like fingerprint readers, a requirement written into most enterprise's security guidelines. Smaller companies don't often require such measures, and are more likely to adopt alternative biometrics tools, such as facial recognition using a netbook's Web cam, than larger companies. USB-connected fingerprint readers are available for use on netbooks, if a company feels strongly that two methods of ID, such as a password and a fingerprint, are necessary. The iPad has no support for external USB devices and the first version does not include a Web camera, so alternative security measures will be difficult but necessary.

Smaller companies feel comfortable relying on username and password authentication, but use more than the Windows password. The most secure option is relying on a FDE (Full Disk Encryption) product to provide both computer login authentication and disk encryption. All FDE authentication username and password systems are far more secure than that of Windows.

Full Disk Encryption protects against data loss in two ways:

  1. Anyone who steals a netbook, or finds a lost laptop, will be unable to see the disk contents. Use of FDE is critical in cases where netbooks have been stolen expressly to steal the data on the hard drive. That doesn't happen often, but FDE stops both casual and concentrated attempts to read data from the hard disk.
  2. FDE stops anyone who steals or finds a netbook from connecting to company networks and internal websites. Since the default for most users is to let their browser store logins and passwords, anyone finding a company mobile computing device suddenly has full access to your company network.

Secure authentication, and more importantly, full disk encryption, must be the first rule for all mobile computing devices in order to properly protect your company's data. Harsher data breach laws enacted recently make it almost impossible for a small company to weather a breach and subsequent penalties and publicity.

The cost of Full Disk Encryption is no longer an issue: TrueCrypt is Open Source and free for everyone. PGP has a managed encryption product designed and priced for workgroups.

Safely Accessing Data Remotely

Mobile computing devices often need to connect to company data sources. Doing so requires some planning and preparation to allow employees access to company data while keeping out hackers and competitors.

There are five ways to safely access data from outside the office:

  1. Connect to protected pages on a company Web server
  2. Connect to company information hosted by an online application provider
  3. Connect to a company computer via a remote computer control service like LogMeIn, GoToMyPc and others
  4. Connect to the company through a Virtual Private Network
  5. Connect to the company through virtual desktops

If your mobile users need access to a small amount of static information, such as reports, putting them on private pages of your website may be enough. Some companies have found such a method also works for providing clients access as well. Your website administrator can set up password protected pages, or entire websites, for employees and customers.

The boom in SaaS (Software as a Service) applications, accepted readily by many small and medium sized businesses, makes information available to all employees. For instance, Salesforce.com revolutionized the CRM (Customer Relationship Management) world by hosting a full-featured CRM application "in the cloud." Thousands of SaaS providers now offer software of every type, from CRM to word processing to accounting to project management and on and on. These services allow companies to gain the benefits of mature software without incurring the costs of servers and server software licenses. Users access the service, not the home network, reducing the security risks on the company network, and can therefore work from anywhere at any time they have an Internet connection.

Remote PC tools, such as GoToMyPC and LogMeIn, allow a remote user to access and control one PC from another, such as mobile laptop or netbook. This increases cost, since two computers are needed to support one concurrent user. For small companies with few remote users, however, this method works well enough. Only screen updates are sent from the remote computer to the user, so speeds are not as fast as local processing, but faster than most remote networking links.

A VPN (Virtual Private Network) extends the company network across the Internet to a remote computer with proper software and authentication. Processing happens locally, but all data must traverse the Internet, making disk intensive applications painfully slow. File transfers, such as loading documents or spreadsheets across the VPN for local work, then replacing them when finished, provide acceptable performance. Almost all routers today support some number of VPN concurrent connections. Clients can use special software, or on more modern routers, a browser link for connection. IT support will need to set up the VPN on the router and the client. Interestingly, the new Apple iPad includes Cisco VPN client software.

Technically a bit of a mashup of remote PC control software and server virtualization, a new technology gaining popularity is VDI (Virtual Desktop Infrastructure). Multiple desktop images run as virtual machines in a server, and each image supports a single concurrent user. Large companies use VDI to better control the desktop environment and tighten security for local users. Remote users, with proper client software, can connect and use one of the desktop images across the Internet. IT support will be needed to configure the virtual server environment for users, making this a fairly expensive method initially. Savings come from lowered support costs, and the ability to support inexpensive thin clients or old PCs at the user end of the connection.

Data Backup and Malware Protection

No matter how thorough your in-house backup systems, mobile devices that stay in the field more than a day need a separate backup process. Consumer backup systems (Carbonite and Mozy) work fine for just a few users. Larger numbers of company netbooks and laptops to protect will require a commercial backup service (SpiderOak and many others). Luckily, those are now just as affordable as the consumer versions. A good fit from a commercial service will offer offsite backup options for your in-house data, and support computers used outside the office as well.

Synchronization services constantly check to make sure each file in designated folders are duplicated at another location, such as a netbook and a desktop computer back in the office. Some users find these valuable, as when an inside sales person updates a contract document and the outside person's copy is updated automatically. A few backup services provide folder synchronization between designated folders on the service and one or more user computers.

As always, test your backup service on a regular basis. Everyone calls this "backup" but nobody cares about backup, they just want restore. Verify the restore process regularly.

Mobile devices will need their own malware protection, in fact, they'll need more than your internal computers because they can't rely on any company firewalls and virus filters. If you use client management software in the office, set the policy to update and scan all mobile devices when they return to the home network. Many sad tales about viruses bypassing the company firewall under the arm of mobile employees fill support forums. Don't become the author of one of those sad tales.

Featured Research