Mobility puts more pressure on secu

As the mobile market continues to heat up, even surpassing that of the desktop, it is important for corporations to maintain a high level of security around these devices.

Companies will have to deal with the many standards that surround mobile security, not to mention the decreasing costs, according to Steve Rampado, a security analyst at professional services firm Deloitte & Touche.

As prices of laptops and personal digital assistants (PDAs) continue to decline, there is not much stopping employees from heading to Future Shop or another retailer and buying a portable computer – thereby foregoing IT completely, Rampado said from his Kitchener, Ont. office.

“This will bypass all efforts to secure devices to a gateway – if people are just bringing them in from outside and plugging them into a boardroom,” Rampado said. “(Mobile devices) are coming out of the box and they are not security-enabled.”

Many laptops geared to home users are making their way into corporations, Rampado said, adding that Deloitte’s message is simple: “Please take precautions.”

Jason Conyard, director of wireless product management at Symantec Corp. in Cupertino, Calif., said the first part of building a secure wireless infrastructure is to make sure you have a secure wired infrastructure.

“Building or adding on wireless capabilities to an infrastructure that is not secure, is not healthy,” Conyard said. He added that mobile devices seem to be outpacing networks, in terms of technical ability. He cited the increased power of the devices, their inherent flexibility and drastically improved memory as three areas where mobile devices outperform network elements.

Toni Rosati, vice-president of marketing for Mississauga, Ont.-based Certicom, a wireless security solutions company, said enterprises want to port desktop applications over to a mobile environment. He noted this is a good thing because people generally use portable computers the same way they used desktops – for e-mail, calendaring and Web browsing.

Rosati said virtual private networks (VPNs) allow enterprises to extend networks over the Internet through secure tunnels.

Doug Cooper, country manager for Intel of Canada, said IT departments should incorporate profiles and access codes for people wanting to sign onto a network via a mobile device. It is also important to have a firewall protecting sensitive internal information from not only intruders, but also from prying employees inside the office.

Conyard suggested using authentication software or even taking advantage of biometric technology embedded into devices, such as fingerprint readers, to keep networks safe, even when mobile devices are attached to them.

The practice of war driving – whereby crackers literally drive around in search of vulnerable wireless networks via a mobile device – remains a prime consideration, according to Conyard and Rampado.

Conyard advised companies to encrypt not only on-device data but also the air connection between the device and the network. He said 802.11b, an air connection, is not inherently secure and requires extra protection to keep the network safe.

Rampado called war driving one of the biggest concerns.

“It is out there. You can go on the Net and there are access-point mapping sites. It’s turning into a hobby for hackers,” he said.

Along with encryption, VPNs and authentication to the networks, fighting an insecure wireless infrastructure takes frequent monitoring and frequent auditing. Rampado said there has been talk of wireless intrusion detection systems, but he hasn’t come across any yet.