According to Amit Sinha, fellow and chief technologist for Motorola AirDefense who recently helped write the new wireless security guidelines for the Payment Card Industrys Security Standards Council, mobile wireless devices are often the weakest link in the enterprise security infrastructure.
While this is an old, familiar refrain there are new challenging wrinkles. Tech-savvy employees often circumvent security measures. Employees are increasingly using their private devices rather than enterprise owned-devices. Hotspots are extending the edge of the network on an increasing scale; and, pervasive wireless networks such as municipal Wi-Fi are invading the enterprise perimeter.
All Together Now
Indeed, staffers and IT can find themselves very much at odds over mobile priorities. In the one corner is IT, focused on security and regulatory compliance. In the other corner is the rest of the team who is focused on speed, agility, revenues and quotas. Rather than duke it out (no matter who delivers the knockout punch the company loses) the better strategy is to plan security around real world use.
Companies should certainly explain the very real dangers to the company from just one person using an airport hotspot, said Rene Poot, international systems engineer at NCP Secure Communications but they need to also understand that locking down remote employees and imposing very stringent access restrictions will only frustrate end-users, which in turn may lead them to attempt to circumvent the policies.
This does not mean that traveling employees can hold IT hostage for watered down mobile security policies, however. Poot said enterprises can take a number of proactive steps including implementing security "pat-downs," or endpoint security compliance tests. By doing so companies can ensure traveling employees are connecting to known, friendly environments and the corporate security rules can then be applied. These pat-downs can be enforced centrally where different security components can be tested to see whether they're active or up-to-date prior to permitting full remote network access.
Moving beyond pre-connect measures, companies are advised to automate policies rather than depend solely on manual implementation by users. According to Douglas Brush, owner of The Digital Forensic Group, if a user views a security measure as something that they have to implement themselves they will almost always look for a way to circumvent it. Further, he said, if the measure fails to balance security with computer and network performance and the user's work flow is interrupted they will again look to get around it.