Corporations should think of wireless security as an add-on to their existing security architecture, not as a separate entity, according to analysts and vendors at the Wireless Security Conference & Expo. IT managers should either integrate the new wireless piece into the overall company security policy, if one already exists, or take the opportunity to create a plan for the entire IT infrastructure, security experts urged Wednesday at the event, being held in Cambridge, Massachusetts.
Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats that emanate from the wireless world, said Craig Mathias, principal at advisory and systems integration company Farpoint Group.
It used to be the case that corporations weren't embracing wireless technology because of security concerns. Now, however, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence.
Farpoint's Mathias agreed. "Most security solutions are much too difficult for most people to use and understand," he said. "Too often end users are required to be their own security systems integrators," buying a firewall from one vendor, a VPN (virtual private network) from another and trying to make all the products interoperate.
The situation is beginning to change, as vendors build more functionality into wireless LAN switches. Additionally, some companies are working on the ease-of-use issue. Mathias singled out Ann Arbor, Michigan-based Interlink Networks Inc.'s LucidLink, an enterprise-level wireless security application designed to be easily deployed by small business and home office users. "It's a step in the right direction," he said. "Down the road, the industrial-strength security products will also go this route."
Mathias stressed that wireless will likely form only a small piece of a company's security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards. Companies need to keep updating their security policy and verify that the solutions they have in place to counter attacks are doing their job.
In a large company, IT managers can establish a security operations center (SOC) where people watch out for any violations and attacks. Over time, Mathias expects to see automated tools aimed at smaller companies fulfilling the same functions as a staffed SOC.
How a company thinks about security changes over time. Rob Kermode, general manager, managed wireless services at Sprint Business Solutions, pointed to his own company's experience. Eight months ago, the mobile communications firm considered wireless e-mail to be "very benign," he said, but all that changed with the December 2004 announcement of a planned merger with Nextel Communications.
Suddenly, wireless e-mail became a cause for concern, given the potential for leaks of sensitive financial information relating to the planned tie-up with Nextel. Thus far, Sprint hasn't done anything specifically to address the issue, according to Kermode. Like any large company, "we're slow to move," he said. "We're trying to place one bet in security and live with it. We'll research it fully and then do something."
Ultimately, any company needs to be aware that there's no such thing as absolute security and there never will be, in part due to the human element.
"We have a saying (here) that if you could just get rid of the end users, you could have perfect security," quipped Jim Burns, senior software developer at Portsmouth, New Hampshire-based network authentication software developer Meetinghouse Inc.
What's needed is for companies to establish a "culture of security," according to Farpoint's Mathias, and to provide training and support to their users so that employees understand how to use wireless technologies safely.