Wireless Compliance

By David Haskin

Locking down wireless LANs (WLANs) is hard enough for network managers, but regulatory compliance makes wireless security a dicey issue for CIOs.

That's because making enterprise applications and data available to mobile and wireless users is becoming a strategic initiative in an increasing number of enterprises. Such applications range from delivering e-mail in real time to BlackBerry devices to more complex uses, such as nurses wheeling wireless laptops into patient rooms to record healthcare data at the bedside.

However, wireless and mobile applications also open up a hive of security concerns that do not arise on traditional wired networks. These concerns could not only compromise enterprise data but also threaten compliance with regulations like HIPAA (Health Insurance Portability and Accountability Act), Sarbanes-Oxley and Gramm-Leach-Bliley.

"From a strategic point of view, wireless brings many rewards to an organization," said Jon Ramsey, vice president of Internet Security Services for SecureWorks, an Atlanta IT security firm. "So a CIO has to understand both the level of reward for wireless and the level of risk and make decisions to mitigate that risk."

"If CIOs aren't worried about wireless security, it will never filter its way down," added Mark Rasch, a senior vice president and chief security counsel for Solutionary, a vendor that provides security consulting and services.

Multiplying Risks

Wireless transmission is inherently less secure than transmission over a standard wired network because the data travels over the air, where anyone within radio range can receive it without needing physical access to a cable or a switch port. As a result, enterprises have been wrestling with WLAN security since the technology first emerged several years ago.

Solid, standardized security solutions, such as equipment that supports the recently approved 802.11i standard (which replaces the broken WEP scheme with AES-based encryption and 802.1X authentication), are just now becoming available. But that doesn't mean that enterprise wireless networks are uniformly secured.

"We've seen cases where a doctor will run to the store and install a wireless router in his office just so he can have wireless access," said Wayne Haber, also a vice president for SecureWorks. "That opens up the hospital's entire network." Haber recalled one case in which somebody walked into a hospital and surreptitiously installed a wireless access point and gained access to the network.

Both cases, of course, threaten protected health information (PHI) as specified by HIPAA. Superficially, these sorts of security breaches might seem easy to address by applying best practices, but cases such as these show that best practices alone may not be enough. "If you follow best practices, you're only getting rid of 95 percent of the risk," said Jeff Hall, a director in the Technology Risk Management Services group of RSM McGladrey. "If somebody really wants to come after you and sets your organization in his sights, there are hundreds of ways to get you."
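The two hospital cases Haber describes, a doctor's store-bought router and an access point planted by a visitor, are both rogue access points, and the routine check a network team runs for them is to compare what is actually on the air against an inventory of the radios the enterprise owns. The script below is an added example, not code from the article or from SecureWorks. The BSSIDs, SSIDs, authorized inventory, scan results and the -70 dBm "on premises" threshold are all constructed for illustration; a real run would feed in the output of a wireless scanner or a WLAN controller's neighbour report.

```python
"""Rogue access point check (added example; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One access point as seen by a wireless scan (hypothetical record format)."""
    bssid: str      # radio MAC address, lower-case, colon separated
    ssid: str       # advertised network name
    channel: int
    security: str   # simplified: "open", "wep", "wpa" or "wpa2"
    rssi: int       # received signal strength in dBm (closer to 0 is stronger)


# Hypothetical authorized inventory: BSSID -> the SSID that radio should advertise.
AUTHORIZED = {
    "00:11:22:aa:bb:01": "HOSP-STAFF",
    "00:11:22:aa:bb:02": "HOSP-STAFF",
    "00:11:22:aa:bb:03": "HOSP-GUEST",
}
CORPORATE_SSIDS = {"HOSP-STAFF", "HOSP-GUEST"}
WEAK_SECURITY = {"open", "wep"}
ON_PREMISES_RSSI = -70   # assumed threshold; tune it from a site survey


def classify(beacon, authorized=AUTHORIZED, corporate=CORPORATE_SSIDS):
    """Return a list of findings for one beacon; an empty list means it looks legitimate."""
    findings = []
    known = beacon.bssid in authorized
    if not known:
        if beacon.ssid in corporate:
            # Someone we do not own is advertising our network name: an evil twin
            # that harvests staff credentials, or an unregistered AP.
            findings.append("evil-twin: corporate SSID from unknown BSSID")
        elif beacon.rssi >= ON_PREMISES_RSSI:
            # Strong signal from an AP we do not own: the doctor's store-bought
            # router, or a device someone walked in and plugged in.
            findings.append("rogue: unknown AP with on-premises signal strength")
        else:
            findings.append("neighbour: weak unknown AP, record but do not alert")
    elif authorized[beacon.bssid] != beacon.ssid:
        findings.append("misconfigured: known BSSID advertising unexpected SSID")
    if beacon.security in WEAK_SECURITY and (known or beacon.ssid in corporate):
        # An authorized radio (or anything claiming to be ours) that runs open or
        # WEP exposes every frame to anyone within range.
        findings.append(f"weak-security: {beacon.security}")
    return findings


def audit(beacons, authorized=AUTHORIZED, corporate=CORPORATE_SSIDS):
    """Map each BSSID that has at least one finding to its list of findings."""
    report = {}
    for beacon in beacons:
        findings = classify(beacon, authorized, corporate)
        if findings:
            report[beacon.bssid] = findings
    return report


# Constructed scan results standing in for a walk-through of the building.
SAMPLE_SCAN = [
    Beacon("00:11:22:aa:bb:01", "HOSP-STAFF", 1, "wpa2", -45),   # legitimate
    Beacon("00:11:22:aa:bb:03", "HOSP-GUEST", 11, "wpa2", -50),  # legitimate
    Beacon("c0:ff:ee:00:00:07", "linksys", 6, "open", -52),      # doctor's own router
    Beacon("de:ad:be:ef:00:01", "HOSP-STAFF", 1, "wpa2", -60),   # evil twin
    Beacon("00:11:22:aa:bb:02", "HOSP-GUEST", 6, "wpa2", -55),   # known radio, wrong SSID
    Beacon("12:34:56:78:9a:bc", "CoffeeShop", 11, "wpa", -85),   # business across the street
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(findings))
```

Two caveats belong with any check like this. A scan only proves that a radio is on the air, not that it is bridged into the wired LAN, so a "rogue" finding should be correlated with the switch MAC address tables to see whether the device is actually plugged into a hospital port. And BSSIDs are trivially spoofed, so an attacker who clones an authorized BSSID will not be caught by inventory matching alone; the misconfigured-SSID and evil-twin rules catch the lazy cases, while a deliberate attacker needs a wireless intrusion detection system watching for duplicate BSSIDs on different channels.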

Rasch, however, believes this situation really is more of an opportunity rather than a threat.

"You can look at it as a problem, but it's really an opportunity," Rasch said. "It means that, if you spend a lot of money creating information assets, you're taking the effort to protect them."

What's a CIO to Do?

Lower-level IT managers, who traditionally focus on the nuts and bolts of issues such as wireless security, typically can't marshal the resources needed to handle the combination of strategic and compliance issues posed by wireless access to data.

"You need the resources to do it properly," Rasch said. "That has to come from management because the technical people will see this as a technical problem and it's not just a tech problem."

As a result, CIOs must be involved, for instance, in the risk analysis stage of compliance, a need that is magnified with wireless data applications. Plus, there are three other key things a CIO must do to make sure that strategic wireless initiatives don't threaten regulatory compliance.

First, CIOs must support and help enforce wireless security policies. That means, among other things, creating clear policies involving not just network architecture but also relating to end users, Rasch said. The case of the doctor installing his own access point is hardly a rarity, so users must understand how their actions can compromise security and compliance efforts.

Second, technology executives must make sure their company has the right skill sets available to ensure the security of wireless access to data. Finally, adequate financial resources must be made available to secure the enterprise's wireless infrastructure.

All these issues are on the table for virtually all technology initiatives, the experts agreed. However, they are particularly important when it comes to wireless access to enterprise data because of the potential risks both to that data's confidentiality and integrity and to your organization's compliance efforts.

However, with proper leadership from an organization's top technology executive, the strategic benefits of wireless access can be achieved without compromising compliance efforts, they agreed.