Today, businesses of all sizes are concerned with corporate data being exposed due to lapses in wireless device security. With expansions to a mobile user base, companies must recognize wireless security as a valid concern.
The consequences of lost or stolen information can ultimately be detrimental to an enterprise. In fact, in this troubled economy (where many companies are essentially disappearing overnight), mass layoffs result in an increased likelihood that unprotected company data could get into the wrong hands.
Ensuring that all handheld devices are password-equipped and wiping devices clean of information after employees leave a company are two ways to help minimize some of the basic security-related anxiety. A company must, however, consider the additional loopholes. Essentially, security in the wireless space can be viewed in three categories: connectivity, data packets and IT policy enforcement. Let’s take a closer look at all three categories.
Security category No. 1: Connectivity
Connectivity deals with how the mobile device connects to a company’s mail/application servers. Some of the areas you want to take a look at include the specific firewall requirements, as well as the type of connection. For example, do you use a VPN or SSL (Secure Sockets Layer) connection? VPNs will encrypt traffic; SSL connections only handle traffic that is HTTP application-specific.
Do you know who has the ability to see data on your server? The optimal situation would be that only the IT administrators can alter and maintain IT policies. This would involve having control over the transfer of information among company servers, as well as the type of data a specific device can access.
Server data could possibly be susceptible to threats if a firewall port is opened directly into the mail server. Hackers can easily crawl into the server via this vulnerable port. Although one option involves the implementation of a front-end server, it only minimally protects the data. A better option would be a DMZ (Demilitarized Zone) that has both internal and external firewalls (see chart below).
Security category No. 2: Data packets
Data packets deal with the data itself being transmitted between a device and a server. IT practice dictates that transmitted information should always be encrypted. Oftentimes, IT managers will recognize this necessary security precaution for other electronics but, unfortunately, fail to realize that their mobile solutions must reflect the same.
Without a definitive MDM (Master Data Management) strategy, mobile wireless solutions are extremely risky for a business as the probability of having information stolen becomes amplified. Handheld devices require the same level of security as desktop and laptop computers.
Is the data in clear text or is it encrypted end to end? Ultimately, this will make a difference in whether or not your data is secure. Some strategies secure wireless data transmission using an SSL connection, but data files themselves remain unencrypted. This means the data files are sent out across a secure network but data stored on the device is left unprotected.
Alternate security precautions encrypt files during transmission and also when stored on the device. This is the optimal, desired method for all enterprise mobile wireless data solutions. The RSA public keys use an FIPS (Federal Information Processing Standard)-level security model, in which data encrypted by the server’s public key can only be decrypted with the server’s private key. Data is thus secured end to end.
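The property described above (data sealed with the server's public key stays unreadable in transit and on the device, and opens only with the server's private key) is shown in this added example, which is not from the original article. It assumes Node.js's built-in crypto module and a hybrid scheme (RSA-OAEP wrapping a one-time AES-256-GCM key), which the article does not specify; all function names and the sample record are hypothetical.

```javascript
// Added example, not from the article. All names and the record are constructed.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Stand-in for the server's RSA key pair; only the public half goes to devices.
function makeServerKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Device side: seal a record under the server's public key. The returned
// blob is what gets stored on the handheld and later sent to the server.
function sealForServer(serverPublicKey, plaintext) {
  const dataKey = nodeCrypto.randomBytes(32); // one-time AES-256 key
  const iv = nodeCrypto.randomBytes(12);      // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const body = Buffer.concat([cipher.update(Buffer.from(plaintext, 'utf8')), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// Server side: unwrap the AES key with the private key, then decrypt and
// authenticate the record. Throws on a wrong key or a modified blob.
function openOnServer(serverPrivateKey, sealed) {
  const dataKey = nodeCrypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, sealed.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dataKey, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  return Buffer.concat([decipher.update(sealed.body), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when the blob cannot be opened.
function tryOpen(privateKey, sealed) {
  try { return openOnServer(privateKey, sealed); } catch (err) { return null; }
}

// Demo: the stored blob opens with the server key and with no other key.
const server = makeServerKeys();
const stored = sealForServer(server.publicKey, 'constructed customer record');
console.log('readable on server:', tryOpen(server.privateKey, stored) !== null);
console.log('readable with another key:', tryOpen(makeServerKeys().privateKey, stored) !== null);
```

Because the device holds only the public key, a lost or stolen handheld exposes sealed blobs but nothing that can open them.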
Security category No. 3: IT policy enforcement
Protecting an enterprise wireless network is not an easy task, but IT security policies mean little if they are not being properly controlled and enforced by the IT department. It’s not uncommon for those removed from IT at a company to believe that the IT department always has the knowledge and ability to enforce policies and maintain the necessary level of security in an enterprise wireless network. Unfortunately, this is not the case. There are many companies, large and small, set up for serious security risks, regardless of how strong their IT departments are.
There is a formidable list of considerations involved in managing IT policy. The first challenge, of course, is establishing a security policy that is both effective and accommodating to the needs of users. This in itself is difficult, but to make matters worse, IT departments are expected to keep up with and enforce the policy’s nuances, such as network access control, vulnerability assessment, patches, execution controls and configuration. IT departments are expected to do all this usually while wearing a number of other hats. As a result, policies often become outdated or ignored.
The truth is that it’s not always possible for an IT department to properly enforce IT policy. In the average company, there are few IT professionals on staff, and chances are they do not have the time or targeted expertise to ensure that policies are up-to-date and correctly put into place. In this situation, it is not a luxury for an IT manager to invest in outside help from a wireless support provider; it’s essential. A partner company can act as a wireless security consultant to ensure that IT policy is on the mark, while the IT department can go about its day-to-day tasks.
Dan Croft is founder and CEO of Mission Critical Wireless. Dan has been a leader in the wireless telecommunications industry for more than 25 years. Prior to founding Mission Critical Wireless, he was senior vice president of Marketing and Business Development at Motient, where he oversaw the company’s rollout of the BlackBerry and eLink service. He has also held senior positions in marketing and general management for Motorola, U.S. Cellular and Centel.
Dan holds an M.B.A. from Northwestern University in Evanston, Ill., and a B.S. in Business Administration from the University of Illinois at Urbana-Champaign. He can be reached at Dan.Croft@missioncriticalwireless.com.