Book Review: PDA Security Incorporating Handhelds into the Enterprise 

Authors: David Melnick, Mark Dinman, Alexander Muratov 

Publisher: McGraw Hill 

Published: July 2003 

ISBN: 0071424903 

Soft cover, 378 pages 

Price $39.95

According to information published on the companion Web site to the book PDA Security: Incorporating Handhelds into the Enterprise, PDAs have moved into the workplace. More than 25 million of them will soon be accessing company networks. Such a proliferation of PDAs represents another challenge for systems administrators who are already struggling to ensure that their company's information is not violated in any way or by any means.

PDA Security Incorporating Handhelds into the Enterprise will be useful to those administrators tasked with developing a practical handheld computing strategy for their company or organization. Most important, the book provides the framework for assessing and then addressing the risks that PDAs present.

The book consists of four major sections: Introduction to PDA Security in the Enterprise, Handhelds in the Enterprise, The Technology of PDA Security, and Graduation. Section One provides an overview of what constitutes a handheld and discusses the handheld's emerging role in the enterprise. The book's authors explain that they use the terms handheld, handheld computing, and PDA somewhat interchangeably, but that PDAs are best understood as a subset of the handheld computing area.

For many companies a gray area is determining who is responsible for managing and supporting the employee handheld devices. For instance, whose job is it to reset a password for one of these devices or to install and configure the latest version of the device software?

In addition to managing these devices, companies must also address security concerns. Implementing a uniform security policy for PDAs is akin to hitting a moving target. Paradoxically, the handheld market is characterized by both immaturity and rapid development, and the situation is worsened by the large variety of devices and options available to consumers and corporations.

Yet one more obstacle to overcome when introducing security measures for PDAs is addressing the special needs of handheld users. This area of concern is a sensitive one because people are drawn to PDAs by the convenience and flexibility that they offer. The book's authors point out that systems administrators must choose wisely so that their end users will not feel that the security measures significantly detract from their handheld user experience.

In Section Two, which you can read independently of the rest of the book, the focus turns to security risk management for PDAs in the enterprise. For PDAs, security risk management includes three stages: the identification of risks; an analysis of any risks that have been exposed; and the planning, monitoring, and controls that you must establish to ensure that an appropriate response exists for every risk that you've identified and examined in stages one and two. Even from a purely physical perspective, you need to investigate which individuals are bringing handhelds onto the premises, as well as determine their role within the company and their reason for using a handheld.

Section Three delves heavily into the technology of PDA security. Examples of the technical topics covered in detail include device access authentication, network connection security, data storage security, data encryption, resistance to intruder penetration, cryptography, and access to device storage bypassing the OS. This section also discusses the two major handheld platforms, the Pocket PC OS platform and the PalmSource OS platform. In addition, the authors briefly mention other devices available on the market, including RIM devices running RIM OS, Linux-based PDAs such as the Sharp Zaurus, and Symbian OS-based SmartPhones.

In Section Four the authors attempt to predict the future of handheld computing. The most likely outcome of research that's currently underway is device convergence. Having just one all-encompassing unit will eliminate the device clutter from which many professionals now suffer and will deliver functionality that enables text messaging, Web browsing, email, digital camera capabilities, the integration of both a desktop calendar and an address book application, and new GPS applications for tracking and monitoring people, animals, and objects.

Of course, closely coupled with any developments like these is the security required to protect the data that's both stored on and transmitted from handheld devices. While looking into their crystal ball, the authors of PDA Security: Incorporating Handhelds into the Enterprise predict that over the next few years a few products will lead the way in enforcing mobile device security policies. Such products will track the devices that attach to the network and log information such as which applications are running when a device touches the corporate network, as well as the security events and breaches that occur on the device.

As a close to this review, it's worth reflecting on the cautionary note that the authors provide in the book's introduction: PDA security has become an Achilles heel within an enterprise's overall security strategy. But on an optimistic note they add that the still-emerging hardware and software tools have focused unprecedented bottom-up attention on achieving enforceable security policies within the handheld computing industry.

To keep up to date with the latest news and issues affecting PDA security, I recommend that you bookmark the Web site that acts as a companion to this book and visit it on a regular basis.

For more book reviews, visit the Windows IT Library Web site.