Corporations should think of wireless security as an add-on to their existing security architecture, not as a separate entity. That means either integrating the new wireless piece into the overall company security policy, if one already exists, or taking the opportunity to create a plan for the entire IT infrastructure.
Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats that emanate from the wireless world, Craig Mathias, principal at advisory and systems integration company Farpoint Group, said at the recent Wireless Security Expo in Cambridge, Massachusetts.
It used to be the case that corporations weren't embracing wireless technology because of security concerns. Now, however, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence Inc. in Chester Springs, Pennsylvania.
Security is too complex
Farpoint's Mathias agreed. "Most security solutions are much too difficult for most people to use and understand," he said. "Too often end users are required to be their own security systems integrators," buying a firewall from one vendor, a VPN (virtual private network) from another and trying to make all the products interoperate.
The situation is beginning to change, as vendors build more functionality into wireless LAN switches. Additionally, some companies are working on the ease-of-use issue. Mathias singled out Interlink Networks' LucidLink, an enterprise-level wireless security application designed to be easily deployed by small business and home office users. "It's a step in the right direction," he said. "Down the road, the industrial-strength security products will also go this route."
Tools stand in for full-time staff
Mathias stressed that wireless will likely form only a small piece of a company's security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards. Companies need to keep updating their security policy and verify that the solutions they have in place to counter attacks are doing their job.
In a large company, IT managers can establish a security operations center (SOC) where people watch out for any violations and attacks. Over time, Mathias expects to see automated tools aimed at smaller companies fulfilling the same functions as a staffed SOC.
Users fear mobile email leaks
How a company thinks about security alters over time. Rob Kermode, general manager, managed wireless services at Sprint Business Solutions, based in Kansas City, Kansas, pointed to his own company's experience. Eight months ago, the mobile communications firm considered wireless e-mail to be "very benign," he said, but all that changed with the December 2004 announcement of a planned merger with Nextel Communications.
Suddenly, wireless e-mail became a cause for concern, given the potential for leaks of sensitive financial information relating to the planned tie-up with Nextel. Thus far, Sprint hasn't done anything specifically to address the issue, according to Kermode. Like any large company, "we're slow to move," he said. "We're trying to place one bet in security and live with it. We'll research it fully and then do something."
No such thing as absolute security
Ultimately, any company needs to be aware that there's no such thing as absolute security and there never will be, in part due to the human element.
"We have a saying (here) that if you could just get rid of the end users, you could have perfect security," quipped Jim Burns, senior software developer at Portsmouth, New Hampshire-based network authentication software developer Meetinghouse.
What's needed is for companies to establish a "culture of security," according to Mathias, and to provide training and support to their users so that employees understand how to use wireless technologies safely.