Mobility puts more pressure on security

As the mobile market continues to heat up, even surpassing that of the desktop, it is important for corporations to maintain a high level of security around these devices.

Companies will have to battle the many standards that surround mobile security, not to mention the decreasing costs, according to Steve Rampado, a security services analyst at professional services firm Deloitte and Touche.

As the costs continue to decline, there is not much stopping employees from heading to Future Shop, or other retailers, and buying a laptop – thereby foregoing IT completely, Rampado said from his Kitchener, Ont. office.

“This will bypass all efforts to secure devices to a gateway – if people are just bringing them in from outside and plugging them into a boardroom,” Rampado said. “(Mobile devices) are coming out of the box and they are not security-enabled.”

Many laptops, he said, geared to the home user are making their way into corporations.

Deloitte’s message is for people to “please take precautions,” Rampado said.

Jason Conyard, director of wireless product management at Symantec Corp. in Cupertino, Calif., said the first part of building a secure wireless infrastructure is to make sure you have a secure wired infrastructure.

“Building or adding on wireless capabilities to an infrastructure that is not secure, is not healthy,” Conyard said. He added that the mobile devices seem to be outpacing the networks they should be running on, in terms of technical ability.

Toni Rosati, vice-president of marketing for Mississauga, Ont.-based Certicom, a wireless security solutions company, said enterprises really seem to want to find a way to use the applications they used for desktops. He noted this is a good thing because many of the different uses people have for laptops are those they had for desktops – e-mail, calendaring and Web browsing.

Rosati said virtual private networks (VPN) allow enterprises to extend networks over the Internet through secure tunnels.

Doug Cooper, country manager for Intel of Canada, said IT departments should incorporate profiles and access codes for people wanting to sign onto a network via a mobile device. It is also important to have an inside firewall.

“The good news for IT is that this is a pretty straightforward roadmap,” Cooper said.

Conyard suggested using authentication software or even taking advantage of biometrics technology embedded into devices, such as fingerprint readers.

The practice of war driving – whereby crackers literally drive around in search of vulnerable wireless networks via a mobile device – is another consideration, according to Conyard and Rampado.

Conyard advised companies to encrypt not only on-device data but the air connection as well. He said 802.11b, an air connection, is not secure.

Rampado called war driving one of the biggest concerns.

“It is out there. You can go on the Net and there are access point mapping sites. It’s turning into a hobby for hackers,” he said.

Along with encryption, VPNs and authentication to the networks, fighting an insecure wireless infrastructure takes frequent monitoring and frequent auditing.

Rampado said there has also been talk of wireless intrusion detection systems, but he hasn’t come across any yet.