You are on page 1of 7

MOBILE DATA SECURITY

D.M.G.PRASAD, A.N.SAI KRISHNA,


S.V.H.college of engg.., S.V.H.college of engg..,
Machilipatnam. Machilipatnam.
Ph no: 9849616166 Ph no: 9848464972
damarla2003@yahoo.com saikris632adivi@yahoo.co.in

Abstract environment, security strategy needs to


Every day, mobile workers take laptop address ways of managing and securing the
computers and handheld devices outside of mobile devices that access and store
the organizations secure environment. Cell privileged data. Making data available to all
phones, PDAs, laptop computers, and other authorized users whenever they require it
devices make it convenient to access makes data more valuable. The use of
information anywhere. However, the mobile devices to access information has
potential for confidential information to be made it easier for users to be more
exploited on these devices, the ability to productive by making data available outside
access the corporate network from outside the enterprise. But mobile computing
the firewall, as well as the susceptibility of necessitates the exchange of confidential
these devices to loss and theft creates data over public networks, rather than over
security risks that must be addressed in order wired networks inside the enterprise. There
to protect the privileged data. This paper is also the risk of data being intercepted over
discusses issues we have to consider when wireless networks. With mobile computing,
designing and implementing procedures to it is more difficult to identify the entity that
protect the mobile data, including the is accessing the enterprise information than
security problems of interception of data it is to identify the entity over a traditional
transmissions, authentication of users, rogue wired network.
access to data, and lost devices. It also
discusses how the security strategy can 2. Implementing Security
address these problems. Procedures
When thinking about mobile data security,
1. Introduction there is no perfect solution. Security is about
Mobile devices, such as laptops and PDAs, reducing risk, not eliminating it. In order to
make it possible for workers to access establish security procedures to protect the
information anywhere. However, enhanced data, there are several questions that we can
mobility means data can travel outside the consider. The answers to these questions will
boundaries of LAN firewall. As more vary from organization to organization, but
workers use mobile devices to access they can help us understand what security
privileged data outside organization's secure measures will best meet our needs.
Five common problems encountered with • Authentication we have to ensure that we
mobile data are: know who we are communicating with on
the other end and avoid a man-in-the-middle
attack. Clients connecting to the enterprise
• interception of data transmissions system need to know that they are
• authentication of users communicating with the correct server. We
• rogue access to data also want to ensure that only authorized
• lost devices clients are communicating with the server. In
• Protecting existing security order to protect the data, we should ensure
investments that there is end-to-end encryption of the
data, from the remote device to behind the
3. Solving mobile data security corporate firewall.
Problems .
3.1.1. Communication architecture
It is important to find and address the
The communication stack isolates the
weakest link in the security system.
different functions needed for reliable data
Addressing an area of weakness could
transfer. Each layer of a protocol stack treats
include encrypting data on the device,
information passed to it by the layer above
encrypting data communications, password-
merely as data, labeling that data in such a
protecting devices, incorporating user login
way as to be identified and deciphered by the
mechanisms, or implementing device
equivalent layer on the other computer. Only
security policies. Now, let's examine each of
the physical layer is responsible for actually
the five mobile data security issues.
placing data onto the wire or over the air—
all other layers provide some well-defined
3.1. Protecting data transmissions level of functionality, such as error
When data is being transmitted, we want to detection, correction, and encryption [1] and
ensure that it is secure from end to end. so on. Figure 2 shows a typical
There are many places where our data may communication stack and how adding
be intercepted: in thin-client, browser-based
security affects the architecture.
applications, e-mail, voice, data
When an application needs to
synchronization, client/server
encrypt the data that it is sending, it is
communications, or messages and alerts.
necessary to have a security protocol to
Secure data transmission has the following
establish a secure connection. Security
features:
protocols are a negotiation (often called a
• Confidentiality Communications should handshake) of security parameters required
remain private. to securely establish an encrypted
• Integrity No one should be able to change communication session. Generally, they also
the data, regardless of whether they are able provide authentication. Examples of security
to see it. protocols are Transport Layer Security
(TLS) and Secure Sockets Layer (SSL). [4]
Transport-layer security is important transmissions could be intercepted by an
whenever communications must travel over attacker. Using transport-layer security
a public or private network where

Client T Database
Application L Server
S

Figure 1

Communication stack Communication stack


Without encryption with encryption

Application Application

Security
Encryption Protocol

Transport Transport
Layer (TCP) Layer (TCP)

IP Layer IP Layer

Physical Physical
Hardware Hardware

Figure 2
allows a client application to verify the incorporate randomness designed to be truly
identity of a server. Clients can ensure that unpredictable. Algorithms that use public
they communicate only with servers they key cryptography include RSA, Diffie-
trust Hellman, and Elliptic Curve Cryptography
(ECC).
3.1.2. Public-key cryptography
Public-key cryptography [3] makes use of 3.1.3. Digital certificates
mathematical systems that work with pairs A digital certificate is an electronic
of very large, associated numbers. These document that identifies a person or entity
numbers, called keys, have particular and contains a copy of their public key. Each
properties. Each key can be used to encrypt certificate includes a public key so that
information. Once encrypted, these messages anyone can communicate securely with the
can be decrypted only using the matching person or entity by encrypting information
key. One of the keys, called the public key, with this public key. Digital certificates
is published in a public forum and can be conform to a standardized file format that
used to encrypt information that is sent to contains the following information:
the owner of the public key. The owner 1. Identity information, such as the name and
keeps the second key, called the private key, address of the certificate owner
secret. 2. Public key
A message encrypted with the 3. Expiry date
public key can be decrypted only by using 4. One or more digital signatures, to prevent
the private key. Since the public key is modification of the certificate
published, anyone can create a message that
only the private key owner can read. In 3.1.4. Digital signatures
addition, anyone who knows the public key A digital signature [5] provides a means to
can decrypt a message encrypted with the detect whether a document has been altered.
private key. In this way, the owner of the A digital signature is also used to verify that
private key can "prove" that they know the the certificate represents the person or
private key by using it to create a message company that it claims to represent. For
that can be decrypted using the associated example, if you receive a certificate from the
public key. It is essential that the private key ABC Company that is signed by VeriSign or
cannot be found easily through knowledge another certificate authority, then you can be
of the public key. The ease with which the confident that you are communicating with
private key can be derived from the public the real ABC Company if you trust the
key is often associated with the strength of certificate authority. A digital signature is a
the cryptosystem and the size (in bits) of the cryptographic operation created by
public key. Another aspect of the private key calculating a value, called a message digest,
is that it must be difficult to guess. The from the document information, or in the
generation of high-quality private keys must
case of a certificate, the identity information 3.3 Protecting against rogue access to data
and the public key. In some cases, services on a mobile device
3.2. Protecting against unauthorized users may respond to requests for data. These
[2] services can be exploited to gain access to
We have to be certain that only authorized the device's contents. Trojans can lurk on
clients can connect to server and that client devices, and if a device has been exposed,
are connecting to the correct server. then the Trojan can make connections and
Verifying that the correct entities are pass out data: in effect, the Trojan becomes a
involved in data transmission is even more service. Currently, there are not many
difficult in message systems because hand- Trojans around for handheld devices, but
shaking protocols cannot be used. Each time this is a significant concern for laptops that
the user goes deeper into a new area of are connected to the Internet. A device can
sensitivity or functionality, our application also be attacked through interfaces such as
and middleware infrastructure should know database servers, Internet servers, or FTP
who they are, and whether they should be servers.
there.
3.3.1. Preventing rogue access to data
3.2.1. Only the chosen may enter On laptop computers, you can use a personal
A password should be required before a firewall, such as Black ICE or Zone Alarm,
mobile user can synchronize with a back-end to help prevent rogue access to your data.
database or browse information stored on a Device management software can also help
company server; no exceptions. We can use address the problem of rogue access to data
mobile device management software to by allowing you to enforce your security
ensure that users have not circumvented policies from a central location.
security measures or stored their password in
a file on their device. 3.3.2. The enemy within
Often the biggest threat to the security of our
3.2.2. Rights and privileges corporate systems and data are our own
Define what clients can and cannot do. users, who disable security mechanisms and
Depending on the application, specific rights configurations in order to save a few seconds
and permissions are configured on a per-user when logging in or synchronizing data.
basis. For example, a sales force automation Protect and enforce system configurations by
application might allow a sales automatically identifying and correcting
representative to submit orders, but not devices where users have defeated password
approve them. A sales manager’s password protection by storing the password on the
would carry with it the authorization to view device, or changing security configuration
orders and approve or deny them. options.
3.4. Protecting data on lost devices firewall. Our mobile application should also
Mobile devices are small and expensive, so enforce password entry, and harmonize
they are easily lost or left in taxis, and are a security configurations with LAN e-mail
favorite target for thieves. If you don’t want systems.
the new owner to have access to your
corporate systems or view sensitive data, 4. Conclusion
precautions must be taken.

3.4.1. Persistent data needs persistent Security is about minimizing risk, not
protection eliminating it. This means identifying the
There are two precautions that that you can weakest links in our system and then
take to prevent disclosure of the data stored designing an appropriate solution that takes
on a mobile device: encrypting sensitive into account the associated risks and costs to
data, and encrypting the entire file system protect the mobile data.
(this may be useful when using data outside
of a database, such as in a spread 5. REFERENCES
sheat).protect the data that is stored on hard
disks, in persistent memory, or on removable [1] Bernard Sklar, “Digital
flash cards (whether they are in or out of the Communications”,
device). Second edition, Pearson Education.
[2] Diffie, W., and Hellman, M.E., “Privacy
3.5. Protecting existing security and Authentication: Introduction to
investment Cryptography”, Proc.IEEE, Vol.67, no.3,
Whether we are creating new mobile Mar.1979, pp.397-427
applications or extending the reach of [3] Benning, D.E.R.,”Cryptography and
existing systems, our mobile development Data Security”, Addison-Wesley publishing,
should be as secure as applications running 1982
on our corporate LAN. Integrate our mobile [4] National Bureau of standards,”Data
applications with existing security Encryption Standard”, FIPS, no.46, Jan
infrastructures through open standards and 1977.
flexible architecture. [5] Digital Signature Standard,FIPS,186-1,
Govt. printing office,Dec .1998
3.5.1. The e-mail of the species
E-mail is one of the most frequent points of Websites:
entry for potential security threats, whether http://www.bitpipe.com/data/detail?id=1037
inside or outside the office. As you do with 031017_410&type=RES
desk top e-mail systems, encrypt all www.informit.com
incoming and outgoing messages between www.howstuffworks.com
our corporate email server and mobile www.veriozn-learning.com
devices that are outside our company’s

You might also like