As workers add ever more devices to their arsenal of mobile tools, IT organizations are faced with the unenviable problem of securing these devices, many of which come over the transom and are not issued by IT.
Wireless devices such as cellular phones, PDAs (personal digital assistants), and pagers are inherently less secure than their wired counterparts. This is due in part to their limited bandwidth, memory and processing capabilities. Another reason is that they send their data into the air where anyone with the technology can intercept it. Whereas tapping a wired network either calls for direct access to the building or some 007-type gear in a van parked outside, wireless networks are forced by their very nature to be more vulnerable to security problems.
“The major issue with wireless security is the interception of information as it travels over the airwaves,” says Dave Dawson, chairman and CEO of security vendor V-One, in Germantown, Md.
Dawson points to an incident a few years ago when Secret Service pager transmissions were intercepted and messages about the location of the President and his family were posted on the Internet. In a separate incident, New York City police officers’ pager messages were intercepted, he notes.
These incidents and the increasingly sensitive nature of data sent over the airwaves makes wireless security of paramount importance.
Consider the medical community, for example. Though many doctors use PDAs, medical information about individual patients must be kept secure. When provisions of HIPAA (the U.S. Federal Health Insurance Portability and Accountability Act of 1996) take effect in October 2002, the fine for improper handling of patient data will rise to a maximum of US$50,000 per incident, which can go higher if done under false pretenses or done with the intent to sell, transfer or use the information. For a provider with thousands of patient records, the cost of even a minor slipup could quickly reach millions of dollars.
Several vendors offer encryption technologies to prevent the possible interception of data over the airwaves. Encryption also can prevent the integrity of the data from being compromised or altered before it reaches its destination. Unfortunately, encryption places a significant burden on wireless devices, using battery, memory and processor resources that are scarce to begin with.
Wireless technology, by its nature, violates other fundamental security principles as well, including authentication – ensuring the identity of the user and the device – and non-repudiation – making sure the sender of the message cannot deny sending it.
The sheer volume and variety of devices and networks make it harder to achieve authentication and non-repudiation, says Ian Hobbs, vice-president of product line management and access for Toronto-based 724 Solutions, a software solutions vendor that caters to wireless technology for financial institutions.
“We propose analyzing the best possible security solution for each device channel pair,” or combination of device and network, he says. “For each pair you need different security.”
Hobbs says that companies should bet their businesses on tight security. Banks and financial institutions are doing a good job of implementing wireless security. But other enterprises are lagging behind.
“Enterprises will need to begin working on this [wireless security] soon,” Hobbes says. “We will see a lot of negative press articles around wireless security and breaches.”
Ensuring security in a wireless world is as much a matter of device management as it is a matter of encryption and protocols. It’s one thing to control access to a wired network, but how do you stop sending data to a lost or stolen device? Companies that have a hard time today with workers making personal use of company PCs will have an even bigger problem in the wireless future.
Wireless security may seem like a contradiction in terms, but users and vendors will have to share the responsibilities for years to come. Whether our fears inhibit the adoption of wireless technology or encourage the building of a more secure infrastructure is the question to be answered.