With recent technological advances, wireless devices are well positioned to add value as corporate productivity tools. Investments in this area have the potential to provide widespread improvements in mobile worker efficiency, business activity monitoring, exception handling, and organizational throughput.
While the potential gains are impressive, many organizations are waiting to deploy this technology due to security concerns. Companies which wait may indeed feel secure. But companies which provide their workers with real time access to business critical information while addressing security concerns will have a significant competitive advantage.
In this article, we will explore the security issues involved in wireless deployments, and appropriate steps for information technologists to take when establishing their wireless infrastructure, so that they can take advantage of wireless technologies while minimizing business risk.
A wireless security model should address potential threats not just in the corporate environment, but also in the personal and public environments where wireless devices are typically used. As a basic starting point, you will want to evaluate the level of exposure available through your devices, networks, data, and accompanying information systems.
According to the Gartner Group, over 250,000 PDAs were lost in 2001. These losses occurred in highly public places – airports, restaurants, offices, taxi cabs, etc. Given the ease with which these devices are lost it is imperative that your security model include a means for securing and removing information stored on the device.
The list of possible threats might look something like this:
- Loss of the device
- Loss, compromise, or erasure of device based data
- Unauthorized access to the device
- Unauthorized access to the network
- Unauthorized access to server based data
- Unauthorized access to the applications (distributed and centralized)
While this is far from an exhaustive list, it provides a starting point for your wireless security model. With the right wireless infrastructure, technology, and processes, it’s possible to eliminate or greatly reduce the exposure provided by these everyday threats.
The Role of Process vs. Technology
Wireless security plans will include elements of process as well as technology. While it’s useful to have the technology involved in a power-on userid and password, you will also want to have a process in place for ensuring compliance at the end user level. End users will typically follow a procedure only if a) it’s easy, b) they understand the steps involved, c) they understand the value of what you are asking them to do, and d) it saves them time. If you have a technology which requires end user participation, please ensure that it meets these criteria.
Securing the Device
Ensure that your end users employ basic security mechanisms such as a power on userid and password. Ensure that they treat their userid and password in the same manner that they would treat a PIN number on their ATM card. Use more advanced features like Biometric security when appropriate. Block unauthorized network activity through appropriate security settings on the native device. Check settings for Bluetooth, Infrared, wireless and cellular networks to ensure that they are turned off when appropriate and otherwise secure.
Securing the Network
Use encrypted, authenticated VPN tunnels to ensure the privacy and integrity of communication between handhelds and connected networks. For devices that don’t have VPN client support make sure your communication solution provides an encrypted channel using industry standard encryption like AES or 3DES. The use of a Federal Information Processing Standard (FIPS) 140-2 compliant algorithm is highly recommended. Encryption/decryption should only occur on the device and at the server that is located inside the corporate firewall.
Use mobile firewalls to defend handhelds against port scans, unauthorized requests, unwanted peer-to-peer connections, and other network related attacks.
Securing the Data
Mobile devices can too easily fall into the wrong hands. In these circumstances, highly sensitive information can be compromised not only on the device but on the server as well if the user was logged on. For purposes of convenience, end users often need to store non-sensitive information on mobile devices. At the same time, there is plenty of information that you would never want stored locally. In cases like this, you should be able to decide when the end user can review secure information in a connected mode, and when they can save less sensitive information to the device.
When sensitive data is allowed to be stored on the device it is necessary to provide a poison pill application. A poison pill application is an application that when sent to the device removes all data and applications from the device. When a user reports the lose of a device the centralized administration tool will send the poison pill application to the device and revoke access to the server based systems from that device.
Securing the Information Systems
Information systems can be protected in a variety of ways. Access to the application itself can be granted or denied to end users, depending on the end user’s role and responsibility. If applications are dynamically downloaded to the device when the user logs on, this provides an added level of security. Once the application is available to appropriate groups of end users, the normal security mechanisms (like userid and password) ensure that unauthorized access is prevented.
Single Sign On (SSO) is a typical requirement for mobile and wireless applications. Participation in SSO provides convenience to end users because they only have to login to the system once and they can get access to all backend systems. When joining an SSO environment from a wireless device you should require different username and passwords than you use within the corporate environment. When a device is lost and security is compromised from the wireless channel you can simply change or remove the compromised username/password from wireless access without having to worry about the impact on the corporate access.
Wireless Security Checklist
The following checklist can be used as a reference when you are ready to begin your wireless project. Make sure you address all of the items on this list before deploying your solution.
- Have you ensured that all users have a power-on password and userid, and that the userid and password are well protected?
- Do your wireless applications utilize industry standard encryption algorithms like 3DES?
- Are you using a FIPS 140-2 compliant security algorithm, where appropriate and available?
- Have you ensured that wireless applications store only appropriate data on your mobile devices?
- Do you have a strategy for removing information and applications from your mobile devices, in the event that they are compromised?
- Is the information on the device encrypted so other applications on the device can not access?
- When participating in an SSO environment do wireless users use the same username/password from the wireless channel and the corporate channel?
While the most important goal of a security model is always the integrity of corporate devices, information, and networks, other considerations should include:
- flexibility for addressing a variety of needs across devices and end user demographics
- extensibility or room for growth as an organization’s security needs change
- a secure environment for mobile applications and data
- a more rapid implementation of new software applications
- a flexible security model that the organization can easily upgrade
The productivity and allure of mobile devices including cellular phones, wireless PDAs, and tablets guarantees a high level of attention for the next few years. Information technology professionals should encourage the use of secure wireless platforms, thus maximizing corporate ROI while minimizing the risks associated with these technologies. By following the guidelines in this article, you will have a good foundation for a more secure wireless deployment.