As the debate continues over whether security in a wireless environment is
overhyped or grounded in logic, Akhilesh Tuteja, executive director, KPMG, gives
Dataquest an insight into the real security issues at hand for a mobile
enterprise and how they need to be addressed.

In your interaction with CIOs and IT heads, what do you think is
their perception of security in the wireless environment?
We have generally come across two sets of reactions and mindsets. There is a
set of clients who think that anything in the air is insecure. They are aware of
the wireless technology at the macro level but don't know much about it at the
micro level. And, there is yet another set of clients who don't go by the
over-hype around security issues in the wireless domain and truly get into the
details of workability and un-workability. Even though the growth in the second
category of CIOs and IT heads has picked up in the last three years, the first
category still accounts for the majority.

But do you think they are justified in this extreme perception
of wireless security?
This perception is more hype than reality. However, at the same time it will
not be completely right to say that security in the wireless domain is as robust
as in the wired. Wireless is certainly less secure because the boundaries are
unknown. Security was not thoroughly addressed in the original IEEE 802.11
standard. When Wired Equivalent Privacy (WEP), which was the basis of privacy
for wireless, got hacked, people lost some confidence in it.

What are some of the basic risks and security issues in
enterprise mobility?
Compromise of authentication vectors, physical security, eavesdropping, user
and network impersonation, and malicious attacks are the key security issues
arising in the enterprise environment. Some of the very basic risk factors can
be mobile devices misplaced, left unattended, or stolen, resulting in loss of
confidential information; unauthorized access to data in transit caused by
transit information being unencrypted or encrypted with a weak protocol;
unauthorized access to the mobile network due to a weak user authentication
mechanism; and unauthorized access to the mobile network and the communication
link with the user, leading to loss of users' confidential data.

What are the guidelines you suggest for effective security in an
enterprise mobility environment?
Device security, communication security, and system access and
authentication are the three pillars of security for enterprise mobility. The
keys to device security include device authentication; data, file system or
complete hard disk encryption; and protection against viruses, malware and Trojans.
The keys to communication security include access control, user authentication,
encryption and VPN tunnels and message authentication. The keys to system access
and authentication are predetermining and authenticating the users, applications
and network components accessing the corporate network.
The basic and fundamental guideline is to include the
wireless/mobile platform as part of the overall security program and to formulate
a security policy to address the risks associated with mobile computing. The
framework needs to span application, network, device, and user aspects.

How critical is user awareness?
All said and done, user education and awareness are very critical for secure
enterprise mobility. There are Bluetooth-enabled phones, and with more and more
corporate information lying in these phones, they pose a threat to enterprise
security. The end users need to be made aware of things like the need for
physical security, a strong password, what kind of information needs to be
stored on the device, the procedure to be followed if the device is lost or
stolen, and maintaining records.
Shipra Malhotra
shipram@cybermedia.co.in