Mission Possible



THERE'S A BIG BUZZ about wireless security and the inherent risks of deploying mobility initiatives across both the enterprise and SMBs. But what does wireless security really mean? Why is wireless security a critical issue to businesses? How can channel partners help SMBs understand how to implement a solid wireless security strategy for their networks?

The transformation of wireless networks from tightly controlled voice platforms using the PSTN at the core to IP networks that are faster, more efficient and reliable has introduced many more ways in and out of a mobile network and, thus, many more points of vulnerability. Furthermore, the transition to 3G, which delivers high-speed data to increasingly sophisticated equipment, makes security hazards such as distributed denial of service (DDoS) attacks, viruses and worm outbreaks a real concern for mobile platforms. When you think about it, smartphones essentially are small form factor PCs, and with their interconnections to the network comes a new set of security risks, both as a target and as a source of potential hacks, worms or viruses. Even without fancy gadgets, just the use of wireless modem cards in laptops for peer-to-peer applications presents a threat.

Taking all of these changes in the mobile network together with the changes in how businesses use and access that network, it is clear that wireless dealers and their customers must understand how to take precautions to ensure their data integrity. A secure mobile business strategy requires a layered approach. Wireless security impacts a company's IT infrastructure in several ways, from managing the applications (e-mail or GPS, for example) that reside on a mobile device or laptop, to the management of the devices themselves, including policies to handle theft or loss, to the network links that allow for the transmission of data between nodes on the network wirelessly.

Gaining control over the security risks of deploying mobile initiatives is a high priority for enterprises and SMBs, according to a survey of 1,500 telecom decision makers conducted by Forrester Research Inc. According to Info-Tech, small and medium businesses spent close to one-third more on mobile voice and data in 2006 than 2005. There was a simultaneous increase in spending on VoIP, mobility and security, the research showed. This article will focus on the SMB space as the segment where channel partners have the most influence, traction and success to date.

Applications.

Wireless e-mail is still the most widely adopted wireless application. It is the gateway wireless app that opens up the need for security policies, as corporate information is now accessible on small, very powerful smartphones. In 2006, the wireless e-mail adoption rate was at 28 percent with calendaring at 25 percent, according to Info-Tech. E-mail and calendaring apps are predominantly found on smartphones, which are simply phones with a highly sophisticated operating system, such as the BlackBerry or Treo models. Research In Motion, the company behind the BlackBerry, has its own proprietary e-mail platform and servers offering government-approved levels of security, while Palm Inc. manufactures Treos, which typically are coupled with Good as an e-mail middleware to deliver e-mail and calendaring functionality. Smartphones represent an undeniable business advantage by providing anywhere, anytime access to information, but they also create a risk factor for companies, as they are vulnerable to loss, theft or malicious attacks that could compromise sensitive corporate data. These micro-computers now hold gigabytes of data, which makes security policies and compliance at the user level paramount for maintaining corporate security.

Devices.

Some 250,000 devices are left at U.S. airports every year, according to Business Management Magazine. This opens up security risks by rendering these devices vulnerable to unauthorized viewing of user IDs and passwords to corporate servers and applications. According to the RSA Security Password Management Survey conducted in September 2005, 22 percent of users keep a list of passwords on their devices. As a result, research firm IDC predicts mobile device security software spending in 2008 will reach $993 million. At the same time, IDC expects a surge in both the sophistication and the number of attacks on mobile devices.

Links.

Wireless network infrastructure and the network links used to access corporate information round out the last major component of security concern. These network links can be wireless local area networks (WLANs), wireless access points (one or more wireless radios that allow any user with a wireless computing device to access the Internet), mobile broadband routers or any type of method of remote access to corporate data utilizing a wireless network to send and receive information.

A malicious attack sent to the smartphone can go on to infect the corporate LAN.

WLANs use radio frequency and the IEEE 802.11 specification (known as Wi-Fi) to wirelessly network any type of wireless client such as a mobile device, laptop or computer over the air to a base station or access point. The access point can be broadcasting off a wireline data connection or from a cellular connection such as a wireless modem card. WLANs represent freedom and flexibility for the user to access corporate tools and information anywhere the signal is broadcast.

Mobile broadband routers, in comparison, can create wireless WANs by connecting to the cell towers for Internet connectivity via a wireless modem card that is inserted into a PCMCIA slot or via an embedded cellular module. A few router manufacturers embed Wi-Fi in the mobile broadband router to create a mobile hotspot. Other uses for Wi-Fi can include the wireless networking of multiple terminals to access the mobile broadband router or allowing Wi-Fi-enabled devices, such as surveillance cameras, to connect to the router without being tethered. The use of Wi-Fi, however, is the area of the highest security concern in a wireless network.

Although WEP is a security algorithm that can be enabled to secure the Wi-Fi network, it is susceptible to hacking. WEP is Wired Equivalent Privacy and is based on a 64-bit or 128-bit shared key algorithm. In comparison, WPA, Wi-Fi Protected Access, is an enhanced wireless encryption mechanism. However, even WPA can be hacked, although it is much more difficult to crack than WEP. The danger is that if an AP is hacked, an evil twin scenario can take place. The counterfeit AP pretends to be the authentic AP and begins to intercept all the packets that may contain sensitive information, such as credit card numbers. There are a number of methods that can be utilized for both WEP and WPA to raise the barriers to hacking, such as making sure you choose a pass phrase that isn't composed of common words, as a brute-force dictionary program will run all the common English words. If the hacker retrieves your pass phrase, the WPA security is rendered useless or at least very vulnerable.
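The pass phrase advice above can be turned into a check run before a pass phrase is deployed. This is an added example, not part of the original article: a Python audit that rejects pass phrases built from common words, including concatenated words and simple character substitutions. The word list, substitution table and function names are constructed for illustration; the 8 to 63 character limit is the WPA pre-shared key pass phrase range.

```python
import re

# Constructed sample word list; a real audit would load a full dictionary file.
COMMON_WORDS = {"password", "wireless", "network", "office", "secure", "admin",
                "guest", "home", "wifi", "summer", "welcome", "company", "access"}
# Character substitutions undone before the dictionary check (illustrative).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def is_all_dictionary_words(text, words=COMMON_WORDS):
    """True if text splits entirely into dictionary words (word-break DP)."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in words
                             for start in range(end))
    return bool(text) and reachable[-1]

def normalized_forms(passphrase):
    """Lower-cased variants with edge digits, separators and substitutions removed."""
    lowered = passphrase.lower()
    forms = set()
    for form in (lowered, lowered.translate(LEET)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", form)  # "welcome2007!" -> "welcome"
        forms.add(re.sub(r"[^a-z]", "", core))         # "office-guest" -> "officeguest"
    return forms

def audit_passphrase(passphrase, ssid=""):
    """Return the reasons a pass phrase is weak; an empty list means it passed."""
    problems = []
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and printable):
        problems.append("length/charset")   # WPA pass phrase: 8-63 printable ASCII
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains-ssid")
    if any(is_all_dictionary_words(f) for f in normalized_forms(passphrase)):
        problems.append("dictionary-words")
    return problems

if __name__ == "__main__":
    for candidate in ("wirelessnetwork", "P4ssw0rd!", "OfficeGuest2007",
                      "t7#Qm!zR2v-Lp9xK"):
        print(candidate, audit_passphrase(candidate, ssid="office") or "ok")
```
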

In a wireless WAN environment, once the information hits the wireless router, a VPN tunnel can be launched via a carrier-managed solution, such as Sprint's Datalink, which is a private IP VPN without external Internet access, and can terminate to a private IP or MPLS port. Another flavor is using the mobile broadband router to initiate an IP VPN tunnel using IPsec, encrypt the data packets via 3DES (128-bit) or AES (256-bit) and terminate to the host VPN concentrator on an IP connection. This portion of the WWAN is business as usual in the wireline networking world and can pass some of the most stringent security-compliance mandates, such as HIPAA regulation, typically required of the financial and medical industries when handling sensitive patient/client information.

Wi-Fi Security Breach

Channel partners have many areas of wireless security to focus on in multiple industry verticals and target markets. The key is to understand how your client is handling its wireless security policymaking and how it is ensuring compliance both company-wide and at the individual user level. A company-wide policy in the event of device loss, for example, might be that the employee must notify his or her IT department immediately. IT, then, might have policies such as locking the phone within one hour after the loss is reported, changing the handheld password two hours after the loss and a complete kill pill or wipe four hours after the loss. Each firm should, with the help of its channel partner/security expert, define similar policies for the organization. Training individuals to comply with the policy is crucial, so they recognize when security has been compromised and what roles they play in minimizing the fallout.

If you are a legacy wireline partner, you can opt to team up with a security-focused wireless channel partner like MobileStrat without compromising your wireless activations revenue or residual income stream from the carriers. Master agents also are teaming up with security experts to allow channel partners to deliver end-to-end solutions outside of their telecom expertise.

Wireless security does not have to be your niche or area of expertise, but as a trusted adviser to your customer, you can identify the holes and gaps in your customer's security infrastructure and can partner up with the right organization to deliver a comprehensive telecommunications package including wireless security.

Natasha Royer Coons is the founder and managing director of TeraNova Consulting Group, a new firm providing fully managed mobility solutions and wireless WAN products, services and expertise to channel partners nationwide. She brings a decade of experience as a former Solutions Consultant and SC manager advising partners on wireless and wireline products for Sprint Nextel Corp. Reach her at natasha@teranovaglobal.com.

Links

Business Management Magazine www.busmanagement.com
Forrester Research Inc. www.forrester.com
IDC www.idc.com
Info-Tech www.infotech.com
MobileStrat Inc. www.mobilestrat.com
NetMotion Wireless www.netmotionwireless.com
Palm Inc. www.palm.com
Research In Motion www.rim.net
RSA Security Inc. www.rsa.com
Sprint Nextel Corp. www.sprint.com
TeraNova Consulting Group www.teranovaglobal.com
