Information security can enable mobile working

Adrian Davis

Help is on hand to protect corporate information and assist in the adoption of mobile devices and technologies.

Infosecurity Today, July/August 2006, column

In response to increasing demand and the pursuit of greater flexibility and productivity, businesses are providing staff with devices that enable them to work anytime, anywhere. Mobile devices and networks are now essential components of business life.

In combination, devices and networks give users remote access to corporate resources, applications and information from home, hotels, airport lounges, trains and even coffee shops.

Providing ubiquitous remote access and allowing employees to communicate with each other, customers, suppliers and business partners may yield both quantitative and qualitative benefits. But it also means that sensitive information is often handled and stored outside the control of the organization, which adds to the risks to which the company is already exposed.

Many readers will already have one or more mobile devices, such as a laptop, PDA, smartphone or BlackBerry, that provide fast, simple access to the internet and hence to corporate networks. Many are already feature-rich, with support for business applications, and new, more capable models continue to emerge.

Securing these devices and the data stored on them can be a major problem, made worse by weak security controls and inappropriate user behaviour. If personally owned devices are used for business purposes the problems are compounded, because the organization may be unable to impose even a minimal level of security on hardware it does not own.

The range of connection technologies is also growing. It includes wireless networking based on the IEEE 802 family of standards, such as WiFi (802.11), WiMAX (802.16) and Bluetooth (802.15.1), and mobile phone platforms such as GSM, CDMA and 3G. These underlying technologies, which are themselves moving targets, are subject to a range of security threats, including eavesdropping, jamming and denial of service.

Major challenge

The major information security challenges are to provide reliable connectivity, to meet legal, regulatory and business requirements to safeguard business information, and to prevent the disclosure of sensitive personal information. The information security professional needs to choose the most suitable approach for their organization, based on a thorough risk assessment not only of the devices but also of the corporate network and the method of connectivity.

To embrace mobile networking while addressing these challenges, organizations need to secure four levels: the user, the access device, the data (both in transit and in storage), and the access networks.

Users and their behaviour are paramount. Even the best security wizardry is worthless if employees leave devices or passwords lying around, so user education and discipline are vital to minimize the risk of security breaches.

Applied rigorously, a range of existing technologies will secure devices and the data on them: encryption of stored data, personal firewalls and anti-virus software, remote locking and remote wipe, and digital certificates for authentication. Data in transit can be protected with SSL/TLS or IPsec VPNs, or with other mature technologies such as PGP for protecting messages and files.

The same is true for protecting the corporate network. Logical segmentation, application security, and technologies such as RADIUS, 802.1X and Network Access Control and its variants are all effective weapons against attack. If an organization has wireless access points, these too can be made more secure by placing them in a DMZ, so that wireless clients are treated as untrusted until they have authenticated; by changing default settings (administrator passwords, SSIDs and management interfaces); and by using Wi-Fi Protected Access (WPA, and preferably WPA2 with AES-CCMP) rather than Wired Equivalent Privacy (WEP), whose key-recovery attacks make it unsuitable for protecting business traffic.

Anytime, anywhere access is not going away, and neither are the business drivers and requirements for it. Information security has to incorporate this reality. There is no panacea, but a layered approach, using a combination of existing technologies, can and already does provide security without compromising mobility.

About the author

Adrian Davis is a member of the Information Security Forum (ISF). www.securityforum.org
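The column's advice on wireless access points (change the defaults, use WPA rather than WEP, authenticate users with 802.1X against RADIUS) lists the controls without showing what they look like in a real configuration. The audit script below is an added example, not part of the original column or of the ISF's material. It assumes hostapd-style key=value files as the concrete access-point format; the two sample configurations, the RADIUS address 10.20.30.40 and the shared secret are constructed placeholders, the list of vendor-default SSIDs is an assumption, and the 20-character passphrase threshold is a chosen heuristic rather than a standard.

```python
"""Audit wireless access-point settings against the column's advice.

Added example (not from the original column). It treats hostapd-style
key=value files as the concrete configuration format; both sample
configurations below are constructed for illustration.
"""

# Constructed sample: a factory-default style access point still running WEP.
WEAK_CONFIG = """\
interface=wlan0
ssid=default
wep_default_key=0
wep_key0=1234567890
wps_state=2
"""

# Constructed sample: WPA2-Enterprise, AES-CCMP only, 802.1X against a RADIUS
# server (address and shared secret are placeholders, not real values).
HARDENED_CONFIG = """\
interface=wlan0
ssid=corp-mobile
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.20.30.40
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
wps_state=0
"""

# Vendor-default SSIDs that signal an unconfigured device (assumed list).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
MIN_PASSPHRASE = 20  # heuristic threshold for WPA-PSK, not a standard


def parse_hostapd(text):
    """Parse key=value lines into a dict, ignoring blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return (code, message) findings; an empty list means no weakness seen."""
    findings = []
    wpa = int(conf.get("wpa", "0") or 0)  # hostapd bitmask: 1 = WPA, 2 = WPA2/RSN
    mgmt = conf.get("wpa_key_mgmt", "").split()
    has_wep = any(k.startswith("wep_key") for k in conf)

    if has_wep:
        findings.append(("WEP", "WEP keys configured; WEP is broken, move to WPA2"))
    if wpa == 0 and not has_wep:
        findings.append(("OPEN", "no WPA/WPA2 and no WEP: the network is open"))
    if wpa & 1:
        findings.append(("WPA1", "original WPA enabled; use wpa=2 only"))
    if wpa & 2 and "TKIP" in conf.get("rsn_pairwise", "CCMP").split():
        findings.append(("TKIP", "TKIP allowed under WPA2; set rsn_pairwise=CCMP"))
    if wpa and "WPA-PSK" in mgmt:
        # wpa_psk is a 64-hex-digit raw key, so it never trips the length check.
        secret = conf.get("wpa_passphrase") or conf.get("wpa_psk", "")
        if len(secret) < MIN_PASSPHRASE:
            findings.append(("PSK_SHORT", "pre-shared key shorter than %d chars" % MIN_PASSPHRASE))
        findings.append(("PSK", "one shared secret for all users; prefer WPA-EAP with 802.1X/RADIUS"))
    if wpa and "WPA-EAP" in mgmt:
        if conf.get("ieee8021x") != "1":
            findings.append(("NO_8021X", "WPA-EAP selected but ieee8021x=1 is missing"))
        if not conf.get("auth_server_addr"):
            findings.append(("NO_RADIUS", "WPA-EAP selected but no RADIUS server configured"))
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("DEFAULT_SSID", "default SSID left unchanged"))
    if conf.get("wps_state", "0") != "0":
        findings.append(("WPS", "WPS enabled; disable it with wps_state=0"))
    return findings


def audit_text(text):
    """Parse and audit a configuration, returning only the finding codes."""
    return [code for code, _ in audit(parse_hostapd(text))]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(text) or "no findings")
```

Run against the two samples, the WEP/default-SSID/WPS configuration produces three findings and the WPA2-Enterprise one produces none. The checks mirror the column's layers: the WEP, TKIP and WPA1 rules cover data in transit over the air, the 802.1X and RADIUS rules cover the access network, and the default-SSID and WPS rules cover the "change default settings" advice.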
