Mobile systems: a threat to corporate security

By | February 9, 2005

In recent years, corporate security levels have significantly improved. There is much more effective control of Internet connections, security tools installed on networked computers, user training, etc.

Nevertheless, at the same time as these factors are improving, technology is also advancing and conflicts are arising, in particular, between traditional security policies and the mobility of network users.

Today there is an increasing need for many company employees to have mobile devices: from laptops to latest generation cell phones. Such equipment spends long periods outside the ‘secure’ environment of the office, where corporate security policies won’t be able to protect them from possible attacks.

In the case of a sales rep, for example, one of their main concerns is to be able to receive email in a computer connected to the Internet in a hotel room. Accustomed to the secure office environment, security often tends to be something of an afterthought in such circumstances. The consequences however, could be extremely serious, as without the protection of a firewall, the laptop becomes an easy target for hackers and an out-of-date antivirus could result in a computer becoming a ‘zombie’.

The problems are compounded by the fact that these types of computers often contain vital strategic information: projects, offers for clients, customer databases, etc. This type of key data needs to be protected from competitors or unscrupulous hackers.

But there is also another factor which should be of concern to system administrators in corporate networks: sooner or later, this roaming computer will connect up to the corporate network, with all the material that it has picked up from the Internet along the way. Hacking tools, Trojans, spyware… all of these can directly enter the corporate network if the correct measures are not applied. Obviously there are tools that prevent the spread of this type of malicious code throughout the company, but nevertheless, a door has still been left wide open to them. Another problem that often goes unnoticed is that of third-party computers connecting to the network. As more services are outsourced from large corporations, many external contractors need to connect to the network with laptops, just as if they were another employee.

These computers would normally have some sort of security system installed, from antivirus products to firewalls, but how can you be sure they meet your company’s security policy? Network administrators have enough problems without having to go around checking subcontractors’ computers one-by-one (not to mention the problems arising from privacy rules that may vary considerably from one company to another).

All these circumstances reveal the need for specific control over the laptops and other mobile devices that connect to the network. In order to anticipate a user possibly breaking security rules, full, automatic security control needs to be applied to laptops when they connect, whether they belong to external personnel or roaming employees.

When a system connects to the corporate network, it is important to ensure that that system is secure, i.e. that it compiles with the security levels established by the network administrator. This means that malware won’t be able to enter the corporation through this type of connection. Access should be permitted or denied depending on the result, or if necessary, security levels of the device should be adapted to the company’s security requirements.

However, on many occasions these kinds of connections are anticipated and can be redirected to specific network segments or sets of permissions and restrictions can be established automatically without causing a conflict between the security policies of different companies.

So it is quite evident, the question of laptops and other mobile devices connecting to the corporate network is not without its problems, and needs to be controlled with great care. The tools for protecting these computers will shortly become a basic element for the proper implementation of corporate security policies.

Leave a Reply