By Alan Radding

"We wanted to give physicians timely, accurate information right at the patient's bedside," says Robert Sills, Scripps information security officer.

But just popping in some wireless access points to create a wireless LAN (WLAN) wouldn't do the job.
This is now the age of HIPAA (Health Insurance Portability and Accountability Act) in the healthcare industry, making security paramount. "We needed to ensure privacy," Sills continues. At the same time, the physicians didn't want to go through cumbersome log-in and authentication procedures every time they moved about the hospital or visited another patient. Scripps turned to a small consulting firm, The Wireless Guys, and Bluesocket, a WLAN gateway provider, to create a WLAN that lets physicians securely roam throughout the 15-story facility.

It's not just the healthcare industry that wants to free its workers from the tether of wired systems. Having the right information at the right time and place can make a critical difference in a wide range of business activities, from field sales to customer service. Companies in every industry want to increase the productivity and effectiveness of their employees — wherever they are. To that end, they are deploying mobile applications for sales, field service, and executive productivity.
As a result, enterprise mobility promises to be a major opportunity for consulting firms and technology vendors alike. In survey after survey, industry researchers are turning up evidence that identifies mobility — wireless applications — as a growing enterprise focus.

Sizing Up the Wireless Opportunity

An IDC survey of more than 450 senior decision-makers and -influencers across North America identified improved operational efficiency and productivity as key factors in driving corporate investments in wireless and mobile solutions. The researchers found that nearly three quarters of the respondents invested in mobile applications to achieve improvements within a specific internal business process, such as manufacturing or inventory control.
PMP Research reports that 90 percent of financial services companies in the U.S. and Canada intend to increase their investments in wireless technology. Within a few short years, the researchers expect 100 percent participation in wireless implementation.

Getting to the 100 percent level, however, will not be easy. "Significant hurdles remain to be overcome in the short to medium term," according to the PMP study. These hurdles revolve "around the twin pillars of technology immaturity, including security, and business case development."
Security may prove to be a particularly serious obstacle. To date, organizations have focused their security primarily on the perimeter — implementing firewalls to prevent bad guys from getting into corporate networks. With enterprise mobility, the focus must shift to the mobile applications themselves. Typically, the users of these applications — outside sales representatives, field service technicians, and executives on the road — are beyond whatever protection the firewall and corporate perimeter can provide.

Enterprise mobility consists of wireless applications that enable the organization's workers to conduct business from wherever they are. Enterprise mobility applications encompass everything from mobile dispatch systems that direct and support field technicians to general productivity applications, mainly e-mail, for executives on the road. Whether the user is a field service technician running a Java application on a programmable smart cell phone, a doctor accessing patient records over a WLAN, or an executive responding to e-mail through his laptop over a WiFi network in an airport waiting lounge, security has emerged as a primary concern.

Untethered Brains

"When it comes to mobile applications, security is the first thing on everybody's mind," says Karen Panet, network system engineer at The Wireless Guys, Simi Valley, CA, a consulting firm that specializes in mobile applications. And for good reason: Wireless, it turns out, complicates security. "Wireless security is much harder than wired security," she continues. For example, it is much easier to capture packets passing through the air than over a wire. Someone intent on eavesdropping can simply sit in a Starbucks or in a car parked outside and view confidential e-mail sent by an executive working on his laptop at a nearby table while sipping a mocha latte. Relaxing? Yes. Secure? Not unless you make it so.
To solve the security concerns at Scripps Healthcare, The Wireless Guys put together a WLAN mobile system using Bluesocket WLAN technology to control 200 wireless access points and IPSec to enable Scripps workers to connect securely through a virtual private network (VPN). The Bluesocket technology also allows wireless users to roam around the facility, moving in and out of the zones created around the different access points without having to re-authenticate themselves each time. "It was really important that the doctors be able to move around without having to keep logging on," Panet explains.

In addition, the Scripps wireless application environment had to allow different levels of access for different people. Not everyone using it would be a physician. Guests, for example, are able to gain general Web access via the WLAN but cannot access any of the healthcare provider's medical data or applications.
Travel Inc., a corporate travel management company based in Duluth, GA, faced a different wireless security problem. It teamed with Adapt Technologies Systems, also of Duluth, to create a mobile travel alert application for the company's clients. The security challenge here was to make sure that the right information gets matched up with the right user. This begins with a unique profile for each individual, but that is just part of the solution.
Since the company couldn't control the kind of wireless access device an individual might use — any of various cell phones, pagers, laptops — it turned to Air2Web to provide middleware that would let a user connect regardless of the specific device. "The security risks associated with wireless devices are difficult to assess, because each device — PDA, WAP phone, cell phone, pager, or combination unit — has its own attendant set of risks, and each network supporting these devices has its own protocols and security limitations. The total risk produced by allowing wireless access to corporate networks is a combination of the security limitations of the devices and the security of the network that the devices use," explains Dale Gonzalez, CTO, Air2Web, Atlanta.

The Air2Web technology acts as a gateway, inserting an extra layer of security into the process. It identifies the particular device coming into the system and handles it appropriately. It would, for example, secure a Java-based cell phone differently than it would a text pager. It also performs access control chores.
This approach simplified the security problem. "With Air2Web, all the security is tied to the individual cell phone or device. By combining our profiles with the device, we can be 99.9 percent certain that we have the right person," explains Eric Almond, the consultant who set up the system. To get the remaining certainty, the system also uses password identification; users will not be able to access information unless they also have the unique personal identification number (PIN) associated with their profile.

Policy: The First Line of Defense

With the identification and authentication problem under control, the last problem was what information to send out over the air. "One of the most critical decisions was what information to provide and what not to give out," Almond continues. Given the range of devices it had to support, encryption was not a practical option. Instead, the developers set up policies to keep confidential information off the system altogether. "We will send basic itinerary information or delay alerts, but we never send credit card information or financial data," he says.
Due to the complexity and importance of wireless security, it is not surprising that major consulting firms are tackling the issue as an integral part of every engagement. "Wireless must be managed like every other information system from a security standpoint," says Pierre Pureur, director of architecture and strategy at BearingPoint. For enterprise mobility, Pureur identifies WLANs as the biggest threat.

The WLAN opens a door into the enterprise network, a door that must be carefully guarded. For example, a manager can install an access point on his own for about $50 and inadvertently open up the entire network. The very portability of mobile devices presents other security challenges. The devices, along with the data they contain, can be easily lost or stolen. "Although most of the smallest devices don't store a lot of information, losing a laptop can represent a serious data loss," says Pureur.
The large consulting firms tend to approach wireless security holistically, addressing everything from security policy to architecture and design to the actual implementation, often working in conjunction with wireless vendors like Bluesocket and specialists like The Wireless Guys.

AMS, for example, takes an inside-out approach to security, focusing first on the application, the inside, rather than the perimeter, the outside. "Securing your high-risk applications and data will give you the greatest impact," says Matthew Caston, director of commercial, state, and local consulting for the AMS enterprise security group. Its inside-out approach encompasses a broad set of security principles for applications, development, governance, monitoring, and remediation. Applications security, he continues, must address the entire application lifecycle.
Cap Gemini Ernst & Young (CGEY) calls its approach Adaptive Security, which starts with the overall security model itself, says Barry Beal, alliance manager at CGEY's global security practice. By contrast, others might approach security with a tactical view, throwing bits of technology at various problems in reaction to immediate needs.
CGEY's Adaptive Security model breaks down the mobile security challenge into three areas: content protection, user-oriented security, and event-driven security. To protect content, it looks at perimeter security and technologies like encryption to guard content as it is transmitted. User-oriented security controls what a user can do once he or she gains access. It can be as fine-grained as needed. The event-driven piece watches what is happening, detects problems and exceptions, and responds accordingly.

EDS applies the same security principles to wireless, in terms of access control and confidentiality, as it does to conventional applications. "We approach mobile security as a key enabler that has to be solved before you can deploy the application," says Alex Froede, senior security specialist at EDS. "The difference [with mobility] is the tools. The mobile environment is less mature. Also, you have less processing power and bandwidth." These limitations constrain what you can do in terms of encryption, a key technology for protecting data from eavesdropping.

A Maturing Toolset

The tools and techniques for mobile security are steadily improving. The mobile devices themselves are gaining more capabilities, allowing them to more fully participate in security. In addition, the various players in the mobile process — the carriers, gateway providers, vendors, application developers — are becoming increasingly sensitive to the security risk and are taking the necessary steps to address it. As a result, security should not be a showstopper when it comes to deploying mobile applications.
"Security should be a concern, but it shouldn't be the number one concern. It shouldn't stop anybody," says Gonzalez.
What is needed now is for consultants to perform the same risk-benefit security assessments for mobile applications as they do for other enterprise systems. This entails comparing the value of what you are protecting with the risk it faces and the cost of protecting it against that risk. Security certainly adds to the cost of deploying mobile enterprise applications, says Caston, but the cost is manageable, maybe 10 percent, he loosely estimates.

Offsetting the cost is the considerable value of mobile applications. How important is it that your physician has instant access to critical medical information at the bedside while he or she is treating you? Well, it could save your life.
