Securing the great beyond

Research from Framingham, Mass.-based IDC Corp. indicates that by the year 2003, the number of mobile Internet subscribers worldwide will jump from 535 million to 720 million. With that many people accessing, sending and receiving information wirelessly, enterprises have more than their regular network’s security to worry about – wireless security is just as big a concern.

The financial industry has had to step up to the plate, first with securing transactions on the Internet, and now with wireless devices. It has set an example, which most wireless security firms say will be followed by enterprises.

In the case of the Bank of Montreal, its customers are able to access banking information through three mobile and wireless methods: wireless application protocol (WAP)-enabled telephones, Palm OS-enabled devices, and Research In Motion (RIM) Blackberry pagers. The bank offers these options through a service called Veev.

Toronto-based 724 Inc., which offers security solutions for the financial industry, was chosen as a partner by the Bank of Montreal when it decided to take applications out to the wireless world.

Mark Dickelman, vice-president, m-commerce and wireless for the Bank of Montreal Group in Toronto, explained that the primary concern for the bank was to ensure that it understood the nature of the technologies, where the possible exposures were and how to mitigate those. It was also important to partner with customers to ensure they understood their devices and how to use them appropriately.

Each of the technologies through which the bank offers access requires its own network and security solution, according to Dickelman. In the case of the Palm, he explained that digital certificates are contained in the software deployed on the device, enabling a secure end-to-end banking session.

“The Palm is somewhat unique as a wireless device because we are able to install our own software on the device,” Dickelman said. “That is not the case with other devices. So, for example, with the browser-enabled cell phones, there’s two very different kinds of security – they’re very strong forms of security – but they’re very different.”

One form is between the handset and the carrier gateway, and the second is between the carrier gateway and the bank. There is, however, an issue with this security measure, he explained. Inside the carrier or WAP gateway, there is a translation between the handset security and the bank (or content provider) security, which results in a brief instant in which the content is visible in clear text.

“What we have to do is ensure that the controls and procedures around that are such that it doesn’t expose our customers to potential privacy or security exposure,” he explained. “So what we do is work with our carrier partners to ensure that they have the appropriate procedures, security controls, et cetera, in place to manage that.”

But with the constant threat of new risks, the security measures and practices are constantly reviewed and updated.

“It is a constant, ongoing activity, (in which) we involve device manufacturers, gateway manufacturers, carrier partners, 724 Solutions, and banking regulators,” he explained. “There’s a continuous range of activity and dedicated resources on our side to make sure that we’re constantly assessing, testing and ensuring that we have appropriate controls in place.”

A personal touch

When it comes to the enterprise, there are many issues a network administrator has to face, especially surrounding the use of personal digital assistants (PDAs).

Presently, most PDAs are used for communications with the PC that they are synched with, according to analyst Eric Hemmendinger, with Boston-based Aberdeen Group. The risks with this scenario are that the data on the PDA could potentially be wiped out due to a virus, or that the data on the PC could become accessible to someone who should not have access if, for example, the PDA was lost or stolen. There are several offerings on the market right now for antivirus protection, designed specifically for the Palm OS and Windows CE, he said.

So what happens if an enterprise wants these devices implemented across the network, to all the employees?

“The problem you’re running into is [that that is] a question for which there is no good, clean answer,” Hemmendinger noted. “In other words, there is a whole variety of tools for the network administrator who’s confronted with security for PCs and notebook computers. Those tools just really aren’t available for PDAs.”

The best way to deal with security in this type of situation, then, is to look at what a network administrator might be concerned about. One concern, according to Hemmendinger, is preventing the data that will be on the devices from being compromised – meaning altered.

“The primary way that is probably going to happen is through a virus of some sort, so [there are] some alternatives there,” he said.

The next issue is whether or not there is any way to prevent that data from being accessed by people who shouldn’t have access to it.

“The answer to that is, unless there is some sort of encryption on the PDAs – and there are offerings available for that – or some sort of password required to actually access the information or applications that are on it…barring either of those, there is no way to keep someone from touching what is on there,” he said.

Some wireless security options on the market include a recently launched product from JAWZ Inc. in Toronto, which last month released a solution designed to automatically encrypt data on Palm OS devices. According to Bob Raymond, product manager of Palm and wireless security products for JAWZ, DataGator is available in an enterprise version, which can be created and priced on a case-by-case basis. He explained that the product will protect all information on the PDA, on all applications, including third-party applications. He added that the code used for the product cannot be affected by a virus, and if it is, it will automatically shut down.

Another company that can help with security is Toronto-based Diversinet, which offers products and solutions for wireless device makers, wireless network operators and enterprises.

Diversinet specializes in security software based on Public-Key Infrastructure (PKI) technology designed for wireless environments, including PDAs and WAP-enabled phones. The company last month announced an agreement with Openwave Systems Inc. to embed Diversinet’s WAP-compliant root certificates into Openwave’s UP.Browser microbrowser, and last year announced that its security technology would be integrated into the Wireless Minstrel family of wireless modems for Palms. It also offers products such as server software that sits behind a firewall to manage wireless security, including permissions, encryption and decryption.

The company’s vice-president of sales and marketing, Verne Meredith, said that the first step to take with wireless security is to map applications outside of the wireless world.

As an example, he took the case of a police officer who needs access to information. If he, for example, pulls people over, he will need to know if they have a criminal record, any outstanding tickets or even a warrant out for their arrest. That is all information that should only be accessed through authentication – the officer has to prove that he is who he claims to be to get it. That type of information is not something to be shared with the public.

“What the challenge really is in the wireless world is how to mirror the security in the bricks-and-mortar world,” Meredith said. “If it’s important to put a security process around access to information or applications in the bricks-and-mortar world, then it’s important to do it in the wireless world.”

Hemmendinger said that essentially what it comes down to for enterprises is an evaluation of whether or not it is worth it to have these devices distributed to employees. It becomes a matter of weighing the value propositions versus the risks.

“What do you expect to accomplish by having them in your population, and what sort of risks do you potentially take as a result of having them in your population? If the risks are more than offset by the potential benefit to the operation, then you’ll do it,” he offered.

One thing that is clear, according to Hemmendinger, is that in a lot of cases the initial use of PDA devices is not being sponsored by the enterprise. It is actually being sponsored by the employees themselves, who go out and purchase them and then utilize them for business purposes.

That can potentially be a hazardous situation, given that many users may not take the initiative to implement some sort of security measure on the device or on any PCs they are using. And if network managers do not know how many of these devices employees are using, they will have a difficult time ensuring that all is well and safe.

On the other side of the coin, Hemmendinger said independent employee use could actually wake people up.

“What happens then is the enterprise realizes that there is a population of these available. [They realize,] ‘It’s a good platform for a series of applications we were considering deploying anyway,’ and now the question becomes ‘Is it the right platform, and what’s involved in deploying the actual applications if we decide to move forward?’”

Home is where the heart is

But where the real questions are likely to arise over the next year is not so much with the use of PDAs, and not with wireless devices, according to Hemmendinger. Instead, network administrators should be focusing their attention on remote access by company-issued notebook computers and telecommuters’ personal PCs, he said.

“There are a couple of different issues here,” he explained. “One is the fact that the communication between the remote users and the enterprise is basically over the Internet. Another is that there is some sort of authentication system that is warranted to determine whether or not that user is who he says he is before you actually let them onto the network.”

If network administrators are deploying remote access capabilities, Hemmendinger recommended that those capabilities encompass the following:

– An encryption element for virtual private networking (VPN). “That’s a private circuit, if you will, between the machine and the target network.”

– An authentication mechanism to confirm the user’s identity.

– Some sort of protection against illicit applets that might wind up on the remote machines. “While you already obviously need antivirus products deployed, you probably also need something that is more specifically targeted at hostile applets, or mobile code, as it is sometimes referred to.”

He explained that this is required because if, for example, a Trojan is planted on a machine and the authorized user starts up their VPN and authenticates with the enterprise, there’s nothing in the authentication or virtual private networking itself that will prevent that Trojan from going to work.

“And that Trojan is basically going to collect certain types of information and funnel it back somewhere else,” he said. “It’s the funneling back somewhere else that you need to stop.”