Personal Digital Assistants (PDAs) are an enigma for most corporate IT departments. As their use becomes more prevalent, it will require a rethinking of many corporate policies covering everything from the handling of personal information to writing down passwords. The stakes get even higher when you consider the consequences of a lost or stolen executive PDA.
Trust Digital LLC’s PDASecure (http://www.trustdigital.com) is one of several products that offer a solution to the PDA security problem; others include PDA Defense (http://www.pdadefense.com) and PDAlok (http://www.pdalok.com). PDASecure uses encryption algorithms and password protection to guard against the vulnerabilities associated with a PDA. PDASecure costs around US$39.95 per protected PDA. A version with centralized management costs about US$79.95 per protected PDA plus US$5,000 for the server piece.
We tested PDASecure on a Compaq iPaq 3835 PDA running PocketPC 2002. We installed the software on a PC and then connected through the PDA’s docking cradle. Total installation time was only a few minutes.
We were concerned about the requirement to enter a password every time the PDA is turned on. While this can be particularly annoying if you’re using the PDA to take notes in a meeting and you frequently turn it on and off to save the battery, we also realize that it can be just the ticket for a PDA used in a high-security environment. The Palm version of PDASecure lets you turn the logon password on and off and require a password for specific applications like contacts or notes. The enterprise version of the Palm software lets you define a sequence of touches on the screen as a password. For example, you could touch the middle, lower left, lower right and top middle areas of the screen and the device would unlock. This could even be done while the device is in a pocket, purse, or briefcase, so others can’t watch your motions.
Performance of the encryption algorithms depends on the level of protection you choose. PDASecure supports six different algorithms with up to 128-bit encryption. The most secure level could take up to 90 seconds to decrypt an address book. That alone could cause most users to shy away from using strong encryption. The PDASecure documentation gives a strong warning that if you forget your password there is no way to recover your encrypted information.
At the administrator level PDASecure makes it possible to enable or disable both ActiveSync and beaming. With this feature turned on, a password is required to sync the device and beaming is disabled. You can also lock the device after a specified number of failed password attempts, and erase the device if the number of attempts is exceeded.
The enterprise version includes a policy editor that lets you establish a network-wide policy for all PDAs. The Policy Editor supports user groups, which let you set policies for groups based on their needs. Specific policies include setting the password length, time-of-day usage, and application lockouts. You can also enable the logging of actions such as application usage, invalid logins, application deletion and number of beams sent or received.
Getting end users to put up with the inconvenience of entering a password and the delays associated with encryption may be a difficult task. The Palm version seems to have the slight edge over the PocketPC version, since you can choose to protect specific applications like your address book or notes. That way you can put your sensitive information in a single place and not be bothered with a password every time you turn the device on.
From our perspective the PocketPC version was more trouble than it was worth. Having to type in a password every time the device is turned on is enough of a disincentive to avoid using it. We wound up uninstalling the product after using it for a few days. The Palm version is much more usable and less intrusive. According to Trust Digital, future PocketPC versions will include the same level of features as the Palm currently has. We do, however, realize that other people have security requirements that make what we see as an annoyance a major plus for them.