In this interview, Sean Moshir, PatchLink Chief Executive Officer discusses security patching, vulnerability and compliancy management for wireless phones and PDA devices and talks about the current state and future of wireless security in the enterprise.
What are the threats IT organisations have to deal with when implementing wireless technology? And what damage they bring to businesses?
As wireless technology has evolved from merely being an IP telephony device to the new world of smart phones, the IT staff is presented with the new challenge of managing hand-held devices outside the enterprise that will increasingly be used not just to check email – but also to access sensitive enterprise data and applications. Since these new devices are easily lost or stolen, the first order of business is to provide policy management of password and encryption settings as well as the ability to reset a device back to factory defaults if it is ever lost.
As more applications become available and more transactions are performed on mobile devices, they become more attractive to hackers.
According to a recent study published by Gartner, by the end of 2007 there will be at least one disastrous virus that will hinder 30 percent of mobile users.
Today, a handful of “prototype” exploits have demonstrated an ability to exploit security vulnerabilities in the operating system and applications running on these hand-held devices. As with traditional desktops and servers, the only way to effectively combat these exploits is to apply the necessary security patch updates in a timely fashion to all systems that are able to connect into the enterprise.
What are the problems involved in vulnerability/patch management of wireless phones and PDA devices?
Application and operating system developers are forced to create various versions to support different hardware providers and carriers. This is a huge challenge for corporations to keep their various versions up to date.
Patch and vulnerability management for wireless devices must clearly be able to offer over-the-air remediation capabilities to ensure that users are not forced to plug a system into their workstation in order to retrieve an update. To make that a reality, it is necessary to load a small and lightweight agent into the device, so that vulnerability information can be scanned and remediated wherever and whenever the system is connected to a wireless carrier.
Currently, some operating system updates require the device to be cradled because they backup users´ data, delete the old operating system, load a new version and restore users´ data. This poses a problem because most users don´t cradle their device very often. Also, due to the size of these updates, over-the-air updates are impractical. Mobile devices are not mature and standardisation is non-existent.
Organisations such as OMA are trying to solve these problems by having their members agree to standardisation.
What is the impact of Sarbanes-Oxley compliance on Wireless Networks and what it means to businesses?
Government regulations such as HIPPA or Sarbanes-Oxley generally apply to computing systems that access confidential or critical data within a business. For example, many doctors are already able to keep in touch with their home office using a Blackberry or other handheld device using remote access. However, as soon as any patient data can be stored on that device, it will immediately become subject to HIPPA guidelines.
PatchLink Enterprise Reporting Services provides a detailed view of compliance for all systems connected to the enterprise network; workstations and servers across multiple operating systems – and now this enterprise report capability will include the inventory and status of all wireless and handheld devices. Clearly this provides a great foundation for building any report that may be needed for SARBOX, HIPPA or other enterprise audit.
What is, in your opinion, the biggest challenge in keeping wireless devices secure?
In most enterprises today, the wireless devices that are being used are largely unmanaged and also security settings are frequently turned off by default. Obviously popular functions like Bluetooth make it easy to sell high function devices. However, there is often little thought of how such features might provide a backdoor into mobile devices in use by key executives within a corporate setting, and what the implications might be.
The lack of policy and management capabilities and a way to remediate those issues – is the number one challenge we see in the wireless space today.
Based on the feedback you get from your clients, what is the state of wireless security in the enterprise these days?
Of PatchLink´s surveyed customers, 100 percent indicated they have or are in the process of setting up wireless/mobile security policies.
Thus, we see a great deal of interest from our PatchLink customer base in bringing the wireless security realm into their existing patch, vulnerability and compliancy management solution. They are looking to PatchLink to provide them with patch management as well as other security products to extend their security umbrella.
We often see the expression “Wireless Security – Oxymoron” – What is your opinion on the subject? Will wireless networks ever become secure?
There are a number of secure wireless network products on the market today. However, only high-security clientele such as the defence industry will consider these types of issues. For the rest of the market, it may unfortunately require some serious denial of service or exploit for the message to be hammered home. Securing wireless communications as well as securing the devices themselves will become critical to mass-market adoption for intelligent smart phones in the future.