Jan-08-2009 08:48 AM
Now that wireless access to databases, the internet, and email is becoming widespread, both inside workplaces and in public venues, companies need to do considerable catching up to protect the security of handheld devices used by their staffers. "A lot of organizations still have not done the basics," says Allan Carey of the Institute for Applied Network Security.
Yet these basics are perfectly doable. Reliable and widely deployed security standards are available in two forms, authentication and encryption.
The first generation of mobile devices often paid little attention to security issues, BlackBerry being a notable exception. But newer devices, like Apple's iPhone, Palm's Treo, and units based on Microsoft's Windows Mobile 6, are increasingly designed with wireless security in mind. Apple's iPhone, for instance, initially lacked such basic security standards as VPN, strong passwords, security manageability, encryption, and remote-kill capabilities. But as businesses buy iPhones for their employees to use, Apple has added VPN support and has promised to plug other security gaps, mainly through software updates. [1]
In 2007, Palm, at the request of the US military, introduced a security option for its Treo that uses Bluetooth card readers to swipe second-factor authentication cards, besides asking for a password to be entered, before each Treo can be used.
Allan Carey points to two types of organizations that learned about wi-fi security the hard way. Health care organizations are bound by HIPAA's stringent data protection privacy requirements. And universities have a large mobile workforce and student body busily using different devices in multiple locations. Both became prime targets for hackers in the early days of wireless networking. [2]
Wireless users face one key threat to their security: interception of data during transmission, either from a wi-fi eavesdropper or through a rogue access point. And all mobile device users worry about losing stored data when their device is lost or stolen. For such users, data encryption, during transmission or at rest, is the answer, combined with access authentication beforehand. These two control techniques must always be combined with network-wide security features, like requiring strong passwords, imposing user access control policies systematically, and segregating traffic through such techniques as VPNs and virtual LANs. By applying these methods across the board in a wireless network, the damage from any one individual breach can be contained. [3]
Companies using newer technology, like 3G, WiMax, and 700MHz spectrum, are on firmer ground because security issues are handled better. Yet hackers are always looking for fresh ways to get in, so it makes sense to apply up-to-date IT security uniformly to all wireless devices used within an organization.
One reason so many companies issue BlackBerry units to their staffers is that BlackBerry supports a much wider array of security techniques, putting their product on par with laptops and PC stations for security purposes. Apple's announced plans for the iPhone's 2.0 software suggest it may come close to BlackBerry's standard.
But the challenge continues, because so many businesses are switching so many uses to wireless: handheld meter readers used on-site, airport baggage claim scanners, package scanners, and retail kiosks. Every new wi-fi use is a new security hole that must be closed.
The best systematic solution is to set centralized security standards and make all devices comply. If a company requires that all computer stations and handheld devices connect uniformly to the organization's network, and consistently use that network's security and access features, then the burden passes to users and vendors. Then, the company's IT department can concentrate on refining its centralized cyber-security solutions, undistracted by problems thrown up by particular devices or new uses.
And there's plenty to deal with without being distracted. As mobile devices become physically lighter yet logically heavier, they can store whole databases of the company's most sensitive records, stuff that used to be found only in hard-wired units back at the office. So every time a mobile device is lost or stolen, the company's guts are laid bare. If you lose your unit at a business conference or trade show, it's very easy for a competitor to grab it and know what to do with it. [4]
Centralizing wi-fi security is the first step, but there are others. Most companies need to expand access to three capabilities: authentication, wipe-and-lock features that will remotely render the device useless if hacked, and encryption. Companies must also start to discriminate among devices. A BlackBerry, because it offers more security, can be permitted more access to data than simpler products.
Companies must also educate employees about cyber-threats. Staffers must learn to treat data as a precious company asset worth protecting. To back this up, some companies tie a portion of an employee's compensation or annual bonus to his security record. How many times has he lost a BlackBerry or laptop? When security is on the line, money talks. [5]
NOTES
[1], [2], [3] http://www.csoonline.com/article/347313/Wireless_Security_The_Basics
[4], [5] http://www.csoonline.com/article/328666/Protecting_the_Mobile_Workforce


