Walmart Analysis
Security as a niche industry is starting to get noticed. There are a number of organisations that have written and published security applications of one sort or another for the PDA world with the enterprise in mind. Of these, Credant has one of the best reputations in the market. They have years of experience and a solid product with several offerings to cover both enterprises and medium-sized businesses.
The Credant Mobile Guardian (CMG) is sold in three forms. The personal edition is marketed through OEMs and is the software that is available now on the HP iPAQ business devices (including the iPAQ hx4700 series). Personally, I'd love to see this available through retail channels such as Handango and PocketGear, but this is not the case at the moment. The group edition is the one reviewed here and is aimed at organisations that want to apply security policies consistently to the devices in their organizations. Finally, there is the enterprise edition, which is considerably more expensive and provides remote destruction and a number of other features that may appeal to the enterprise organization.
Features
No two Windows Mobile security applications are created equal. If you look at the security applications on the market today, you'll find disparate feature sets between them. Some have a built-in firewall, some don't; some enforce restrictions on storage cards, infrared and Bluetooth, others don't; and so on.
This article will be looking at the following features and how Credant Mobile Guardian helps define and apply them:
Policies
Authentication
Device Lockdown
Encryption
Logon/Logoff
Device deployment
On the device
Policies
Credant have created their device security software based on policies. This approach allows you to take your organisation's security policy and create an installer that ensures the device complies with the security policy.
The software itself is delivered as a desktop installer that places the policy editor and components onto your laptop or desktop computer. Nothing is installed to the Pocket PC at all at this time.
Once installed, you need to start the policy editor and create a policy file. The policy file is saved as an XML file and can be used to build an installer for the target platform. The target platform can be Windows Mobile Pocket PC, Windows Mobile Smartphone or Palm OS. I've used an HP iPAQ h6365 Pocket PC Phone Edition device for my tests.
Creating a policy file is a simple matter of working through the available options in the editor. The list is quite extensive and allows for a tightly configured device.
[Image: Policy Editor]
Authentication
One of the critical areas of device security is authentication onto the device, that is, how the user gains access to the applications and data on the device. CMG gives the option of PIN-based or password-based authentication.
PIN-based authentication uses a numeric keypad similar to the default Windows Mobile PIN to allow users to enter a four-digit PIN in order to log on. CMG allows considerably more control over the user's PIN than the default authentication. CMG can be configured to force the user to change their PIN at a configurable period as well as remember a number of previous PINs to prevent the user from reusing them. CMG can also enforce PIN complexity, preventing sequential numbers or repetition of numbers in a PIN, making the PIN more secure.
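The PIN rules described above (fixed length, no sequences, no repetition, no reuse of remembered PINs) can be sketched as follows. This is an added example, not Credant's code: the `PinPolicy` class, the `max_run` threshold and the way "sequential" and "repetition" are measured are assumptions, since the review does not state CMG's exact rules.

```python
import hashlib
import hmac
import os
from collections import deque

def longest_run(pin, step):
    """Longest run in which each digit equals the previous digit plus step."""
    best = run = 1
    for prev, cur in zip(pin, pin[1:]):
        run = run + 1 if int(cur) - int(prev) == step else 1
        best = max(best, run)
    return best

class PinPolicy:
    def __init__(self, length=4, max_run=2, history=3):
        self.length = length              # required number of digits
        self.max_run = max_run            # longest repeat/sequence tolerated (assumed rule)
        self._old = deque(maxlen=history) # (salt, hash) pairs of remembered PINs

    @staticmethod
    def _hash(pin, salt):
        # Remembered PINs are kept as salted hashes, never in clear text.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def check(self, pin):
        """Return the list of policy violations; an empty list means acceptable."""
        if len(pin) != self.length or not (pin.isascii() and pin.isdigit()):
            return ["must be exactly %d digits" % self.length]
        problems = []
        if longest_run(pin, 0) > self.max_run:
            problems.append("repeated digits")
        if max(longest_run(pin, 1), longest_run(pin, -1)) > self.max_run:
            problems.append("sequential digits")
        if any(hmac.compare_digest(self._hash(pin, s), h) for s, h in self._old):
            problems.append("reused PIN")
        return problems

    def set_pin(self, pin):
        """Accept the PIN and remember it only if it passes every check."""
        problems = self.check(pin)
        if not problems:
            salt = os.urandom(16)
            self._old.append((salt, self._hash(pin, salt)))
        return problems
```

With only 10,000 possible four-digit PINs, every PIN a rule excludes also shrinks the space an attacker has to search, so the attempt limits matter more than the complexity rules.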
If you feel that a PIN does not offer strong enough protection, you can use a password. The password can be configured to ensure complexity and remember previous passwords. In addition, you can set how much of the password must be unique, preventing users from using passwords with an incremental number in them.
CMG also gives a number of options for how to manage invalid logon attempts. For instance, you can have CMG simply wait a configurable (and optionally incremental) period of time between sets of logon attempts. For example, you can set the device to pause for 30 seconds after three invalid attempts. After a further three attempts, you can set this cool-down period to increment by 30 seconds before allowing further attempts. This system makes it very difficult for an unauthorised user to brute force their way onto the device.
Of course, if you want to protect your data, you really want to be able to remove the data from the device to completely eliminate the possibility of unauthorised access. CMG has an option for this too. Rather than forcing the user to wait a specified period of time, you can force them to enter a master password that only an administrator knows. At this point a legitimate user will need to either return to base or call an administrator to obtain this password. This allows the administrator to then decide whether the user is authorised or not. If the administrator decides the user is authorised, the correct master password can be entered. Once the master password is entered, the user is forced to change their password and then they have access again.
You can limit the attempts the user can have to enter the master password. Thus, if the user cannot get the master password, they can only attempt to enter it a pre-defined number of times. At the end of these attempts you can configure the device to perform a hard reset, which sets the device back to the way it shipped from the manufacturer.
Even if you decide to hard reset the device, you can still retain the CMG software, meaning the data is removed, but the device is still protected by your policies.
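The two responses to invalid logons described above, an incrementing cool-down or escalation to a master password followed by a hard reset, form a small state machine. The sketch below is an added example, not CMG's implementation: `LockoutPolicy`, `LogonGuard`, the state names and the in-memory secrets are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    attempts_per_set: int = 3   # invalid attempts before the device reacts
    base_delay: int = 30        # seconds of cool-down after the first failed set
    delay_step: int = 30        # extra seconds added for each further failed set
    mode: str = "cooldown"      # "cooldown", or "master" to demand the master password
    master_attempts: int = 3    # master-password tries before the hard reset

class LogonGuard:
    def __init__(self, policy, pin, master):
        # Secrets are held in memory only to keep this sketch short.
        self.p, self._pin, self._master = policy, pin, master
        self.state = "pin"      # "pin" -> "master" -> "wiped"
        self.failures = self.master_failures = 0
        self.locked_until = 0.0

    def try_pin(self, guess, now):
        if self.state != "pin":
            return self.state
        if now < self.locked_until:
            return "wait"       # guesses during the cool-down are not evaluated
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        sets, rest = divmod(self.failures, self.p.attempts_per_set)
        if rest:
            return "denied"
        if self.p.mode == "master":
            self.state = "master"
            return "master"
        # 30 s after the first set, 60 s after the second, and so on.
        self.locked_until = now + self.p.base_delay + (sets - 1) * self.p.delay_step
        return "wait"

    def try_master(self, guess):
        if self.state != "master":
            return self.state
        if hmac.compare_digest(guess.encode(), self._master.encode()):
            self.state, self.failures, self.master_failures = "pin", 0, 0
            return "change-password"  # user must now choose a new password
        self.master_failures += 1
        if self.master_failures < self.p.master_attempts:
            return "denied"
        self.state = "wiped"    # stands in for the hard reset to factory state
        return "wiped"
```

With the default cool-down policy, each further failed set adds 30 seconds to the pause, so the time needed to try all 10,000 four-digit PINs grows quadratically rather than linearly.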
If you would like your users to be able to reset their own passwords if they incorrectly enter their password repeatedly, CMG allows you to let the user enter a passphrase (such as their grandmother's maiden name, favourite band growing up or similar) which they must answer correctly to reset their password when they forget. This may help lighten the administrative load from forgotten passwords.
Device Lockdown
CMG also allows