The job of security is to protect systems from their weakest link, and most experts agree that if there is human involvement with a system, then the people are bound to be that weakest link. This can be especially true for mobile workers.
Whether devices are being misplaced, left in the open while connected to networks or misused, the buck still stops at humans – and technology can only go so far in relieving any of these problems.
Dan McLean, director of outsourcing and IT utility research for IDC Canada Ltd. in Toronto, said companies can automate antivirus updating, firewall sign on or other aspects of security. But the problem with tools that attempt to direct human behaviour is that they try to prevent people from doing things, and that may not be conducive to employees doing their jobs.
“There are two main components to security,” McLean said. “One is behaviour and that is hard. The other is tools, which is the easier one.”
Malcolm MacTaggart, president and CEO of Kanata, Ont.-based CRYPTOCard Corp., which makes smart cards and security technology, said we as humans are not very good at caring about security procedures.
“People sometimes have an aversion to security. They will say, ‘Oh God, I’ve got to use upper and lower case and numbers,’ and then people write it down.” At this point, he said, your system and password protections become useless.
MacTaggart said he once walked through a cubicle jungle on his way to a meeting and saw more than 20 desks with passwords written on pieces of paper.
Kelly Kanelakis, director of networking technology for Mississauga, Ont.-based Enterasys Networks, said mobile computing is not going to be as secure as traditional systems, and cautions companies to work harder to keep telecommuters safe.
“Some enterprises are casual about home workers. They are not worrying about securing a pipe for workers to use to log on to the network,” Kanelakis said.
Providing clearly understood security options for the mobile worker can get tricky, and yet it is something many companies have to deal with.
In the last three years more organizations have been encouraging and wanting people to work from home and have access to work from home and from mobile devices, MacTaggart said.
McLean said the mobile workforce is one of the strongest driving forces for security in the enterprise. “It’s the trend that defines the way people are building competing infrastructures.”
But, before building that infrastructure, organizations have to help employees with security by writing it all down. Mobility creates an inherent threat with respect to security. Organizations are providing access to corporate IT sources from conceivably any location.
“There are a number of issues. First, who are the folks that you are going to grant permission to access corporate networks and information? What types of permission or access will you give? How will you limit access?” McLean asked.
Policy is the first step for any security system, mobile or wired. A company must assess risk. Companies have to understand distributed computing and understand what resources they are trying to protect. What are the threats out there that could conceivably come in?
There have to be rules put in place that direct people to behave in a certain way, McLean said. “Policy is really around trying to drive that human behaviour.
“Technology doesn’t control human behaviour. Human behaviour has to direct how technology is going to work.”
Kenneth Smiley, an industry analyst with Giga Group Inc. in Cambridge, Mass., said policies are being implemented, but that it is a long, slow and very political process, as “effective policy requires action outside of IT’s control.”
He added that those who have done policy well have seen a reduction of theft, loss and other related security issues. “Those that haven’t done it well are still facing the same problems as they were yesterday, and it isn’t getting any better.”
A mobile security policy is key to establishing a mobile workforce and avoiding pitfalls along the way, according to Jack Sebbag, vice-president and general manager of Canada with Network Associates Inc. in Toronto. Sebbag said doing a vulnerability assessment and building a policy from there can save a lot of headaches.
McLean noted that part of a policy assessment should be knowing the value of the assets you are trying to protect. “Don’t implement a $10,000 system to protect a $10 asset.
“From there you might need to think, ‘What are the threats and how likely are they? How vulnerable are we?’” This, he said, will give an indication of how vulnerable an organization is.
Kanelakis said he often gives clients policies for mobile computing, which they can use as a starting point for building a security policy. He suggested a good first step is education.
Michael Murphy, Symantec Corp.’s general manager for Canada, said people’s desire for connectivity is adding to the need for a mobile workforce. They want to have access to the things they access in the office.
“I think in general…the accessibility people have today is forcing corporations to extend their security policies to incorporate outside workers.”
Policies are being augmented to provide good computing practices with respect to remote access, according to Murphy. He included acceptable e-mail use, Internet use and personal use as some areas now covered more heavily by policy.
Bell Canada’s mobile security policy takes into account education and personal Internet use. Bill O’Brien, associate director of corporate security research and development for Bell in Ottawa, said the company encourages workers to surf the Internet in order to gain more e-literacy.
He said one moment of personal time on the Internet could leave a user’s machine exposed, but workers must then connect through a VPN to get to corporate information, which should keep things out of Bell’s network.
“We also monitor for inappropriate use. If we see a user doing something not appropriate, then we contact that user directly,” O’Brien said.
If the user says he is not using that device right now, there is one command the network administrator can input that closes down all access from that device to the network automatically. The same command would be issued if a user reported a lost or stolen device.
O’Brien admitted they are not always successful with these situations. “It’s a people issue,” he said. “We cannot control how fast they report these things. It may not seem as important to them as it is to us. We just have to be able to respond quickly when the need is identified.”
Every Bell laptop in the field has a personal firewall installed and connections to the network can only be made through a VPN connection. O’Brien said the minimum connection is a 128-bit tunnel through SSL or VPN.
Sebbag said personal firewalls are one of the first things mobile devices should have installed, along with antivirus software, which he noted should be a given in any security policy.
Many security experts list intrusion detection as a must-have. Murphy said many companies are looking at deploying host-based intrusion detection, which strays from the former trend of keeping these tools at the perimeter. He added that there has not been a wide-scale adoption of this.
Corporations can also look at installing monitoring systems for abnormalities, and all experts recommended this type of vulnerability assessment tool.
Sebbag suggested that security tools need to be managed through a central repository. “All of these things should be rolled up into a management tool.”
Benoit Jean, IT buyer for the City of Montreal, said the city uses an authentication tool, firewalls – with a cold standby unit at this level – and VPN technology. Its mobile devices also lock down when left unattended.
He said mobile users are more prone to security threats and that has to be taken into consideration when building a security infrastructure.
Giga’s Smiley said the tools that are most effective are those that recognize policy as a major component of any security solution and have the ability to integrate easily with the policy framework in place in any particular organization.
“Those that go above and beyond should be offering model policies and more than just ‘technical’ policies, but I haven’t run into a vendor that does that yet,” Smiley said.
McLean said more companies are using VPNs as remote access connection links, as they have levels of security built into them. “The other beauty of this is that they are typically cheaper than the alternative of, say, a leased line.”
We can make it stronger, faster, better
One of the key things in building a security policy and a secure mobile infrastructure is for people to be immediately identified to the network. One example of an authentication tool is smart cards, which go into the machine and ID users at that point, giving access with certain rights and privileges.
The chosen tools and the policy itself must be easy for the end user. Otherwise, users will get frustrated and try to find a way around authentication. Smiley said in personal polls he conducted, ease of use is generally ranked second or third in importance by users for setting up a mobile workforce.
Looking forward, McLean said security has to be built into hardware more and more. “Security will become more inherent components.”
He predicted that the security features already included on laptops and wireless desktops will make their way onto PDAs soon.
Kanelakis predicted that by the end of the year notebook vendors will include mobile access on laptops. He added that an increasing awareness of the need for security is helping to ensure that people are including it in their plans for the future.
At this point organizations seem to be over-exposed, according to Smiley. “People need to realize they are at risk and to what degree.”
Murphy agreed that many organizations are leaping into the mobile workforce fray without giving enough thought to security, but he added that the threat might not be as bad as people think.
He admitted that security threats for mobile information and devices are getting worse, but maintained that the largest threats are still to the wired world.
Bell’s O’Brien said there is no protection against everything. People’s devices are going to get sniffed. Phones and PDAs will get viruses. The most important thing is to use the tools – and keep an eye on those coming down the pike – to control what data people can see into, corrupt or take out.