Introduction
If you go into a meeting these days, the chances are you will see people using, not just one, but several wireless mobile devices such as smartphones, tablets or laptops. Employees are increasingly using wireless devices in their daily business life. It’s part of an unstoppable wave of change, which is radically affecting the structure of our IT networks and taking us into a new wireless world of rapid and unpredictable developments, with ongoing operational and security challenges.
This won’t be a gradual evolution. It is being driven by users and will be a fundamental change, similar to some of the other seismic shifts in computing such as the arrival of PCs, which freed users from the dominance of mainframes
A key driver behind these developments has been the imminent introduction of the new wireless standard 802.11ac, followed in the next couple of years by 802.11ad. These standards will fuel the increase in mobile devices and BYOD, leading to wireless becoming the status quo instead of wired.
There are many elements supporting this change. 4G with faster and bigger data-handling capabilities will drive expectations in the office. Many home networks already have greater mobility capabilities than lots of offices. The growing deployment of mobile IPV6, with its significantly enhanced capabilities, enables better roaming. Cloud and virtualisation shift both the perception and the very nature of company boundaries, making mobility even more relevant.
The real dilemma is how do you secure, implement and manage what you don’t know? Already developments such as learning apps, Google Glass, payments from mobiles, Tizen 2.1 (multi-device operating system) and Cloud on (which “allows” users to run business apps on their mobile in the cloud) are all throwing up new areas to be defined and incorporated into security policies. Over the next few years, there will be many more innovations that will directly impact organisational structures and security.
Challenges
One major challenge for IT managers is how to navigate their way through a fluid and fast-evolving situation where network infrastructures are changing rapidly and where it’s very hard to predict what the changes will be.
Questions arising include how to develop the network so users can get the best productivity and other benefits from existing and new mobile devices. No business wants to be left behind and become uncompetitive. How do you go about moving to wireless in a cost-effective way that will mean least disruption to the business and minimise access point cabling changes? How do you track and manage the growing number of mobile devices? How do you maintain control of the network? And how do you keep the network secure in this rapidly changing environment?
The move to wireless
The new wireless standard 802.11ac provides initial WLAN throughput of at least 1Gbps and up to 7Gbps in the future. 802.11ad, with multi Gbps throughput, will provide up to 7Gbps, when it is ratified and introduced. And 4G, will provide up to 100 Mbps mobile. This gives the potential for radically improved wi-fi performance over what is available in the workplace today.
Many wireless deployments to date have been tactical, with more access points added, often unstructured, to meet increasing user demand or deal with cold spots. Usually, they haven’t been either fully pervasive or capable of handling multi-media, high volume and high density traffic. Of course, they are based on the higher range of the old 2.4 GHz access points.
802.11ac will deliver the unfulfilled promise of 802.11n, but with a focus on 5GHz rather than 2.4GHz. With 5GHz providing shorter range, but higher throughput, existing access point (AP) based systems will be inadequate for the new requirements.
To migrate to 802.11ac will require entirely new APs, new antennas, upgraded or replaced controllers, and new switches or PoE injectors. Similar to the evolution of 802.11n, there will be multiple versions and phases of 802.11ac. For some organisations, this will mean a rolling deployment, with the associated configuration and security risks.
An increasingly popular alternative to the AP approach is the modular array approach. With this method, an array can hold multiple directionally tuneable APs. Unlike traditional broadcasting, directional focus minimises interference and enables clear control over geo overspill.
This is particularly relevant given the challenges that 5GHz and beyond will create for the old AP-based approach to coverage. With 2.4GHz, providing more coverage typically involves adding more APs. However, that has been shown to be increasingly self-limiting because interference between APs reduces coverage, rather than increasing it.
A major benefit of an array-based or directional-based approach is that it can be easier to upgrade as traffic usage and capacity evolve, allowing companies to react swiftly to changing circumstances. Key to success in adopting or extending wireless networks will be deployment pre-planning, risk assessment and determining the policies to apply.
Security
Of course, a major consideration for IT managers is how to secure, control and manage a rapidly evolving wireless network, with a steadily growing number of mobile devices. And how do you protect the growing volume of data, which is a company’s most valuable asset?
There are some security problems on a wireless network which are not generally well known, such as issues around IPv6 mobility and 4G.
IPV6 will bring many benefits (and security challenges), but IPV6 mobility operates with location independent routing, i.e. a home address and a forwarding address. For organisations allowing BYOD, an interesting question is “Where is/who owns the ‘home’ address?”
4G isn’t just 3G with go faster stripes. It will drive change with its major speed enhancements, but this will bring a range of additional management and security threats, both around communications (video, etc.) and around the carrier networks.
Although the network scenario is changing rapidly, the approach to security is not new. Security history is littered with the challenges of trying to deal with the corporate response of ‘Draw, fire and aim’ to the business deployment of technology. It can be hard in many organisations to get risk assessment and security deployment built-in at the beginning of projects, rather than back-fitted two years later.
Security should involve -
* Risk analysis and acceptance of the level of risk
* Planning
* Embedding security
* Policies
* Processes
* Education and staff involvement
* Deployment
* Monitoring and feedback loop
* Analysis
* Forensics
* Containment
We can all write security policies. Many of them will be behind the curve and seen as well intentioned, hampering business and imposed from above. The real experts in this scenario are the techies, power users and the younger members of staff. They are often the ones using the latest apps and technologies. They are the ones finding ways around limitations, so it’s a good idea to co-opt them onto your policy-making team.
Multiple mobile devices necessitate multiple security solutions. These should include mobile device management (MDM), tracking and RF management, encryption, authentication, and behaviour management, as well as basic security measures on mobile devices. These basic measures would include running anti-virus on smartphones and treating them as if they were PCs, using the same level of data leakage protection, but with stronger controls over lost or compromised devices.
Mobile device management
Managing mobile devices is an absolutely critical security measure for wireless networks. A range of end point types, coupled with mobility, certainly ups the security challenges, Solutions can provide features such as ensuring device usage complies with company security policies, allocating access rights, managing configuration, updating policies, dealing with data leakage issues, and dealing with lost or stolen devices.
A range of solutions is available in this area (something in the region of 130+) so the challenge isn’t in finding a solution, it’s finding one that can grow with your requirements, as they inevitably increase. Solutions include Zenprise, Airwatch and Kaspersky End Point security.
However, one thing is clear. MDM is only one component of security, which will eventually be subsumed into broader security solutions.
Encryption and authentication
Amazingly mobility is still underserved by two basic and critical security solutions. Encryption and authentication are absolutely essential in the changing network infrastructure.
Encryption should be used for data stored on the network, data stored on mobile devices and data in transit. There are many useful solutions in this area ranging from the “PC on a secure stick” encrypted flash drives (particularly relevant for Microsoft users), encrypted external hard drives and encrypted optical discs, as well as encrypting data on SAN devices
A range of solutions is available in this area from suppliers such as Imation, Becrypt, Check Point, HP and Cisco.
The first essential authentication method for smartphones is that employees use PIN or pass-codes instead of the default factory settings. Secondly, two factor authentication is essential and should be used rather than insecure passwords.
Two factor authentication can involve hardware tokens, SMS and, increasingly relevant for mobility, mobile phone soft tokens. A further consideration is, with increased use of multiple cloud apps, alongside legacy applications, there is a need for single sign-on authentication. Solutions are available from suppliers such as SafeNet, RSA and VASCO.
Conclusion
Mobility brings a multitude of challenges, but it also brings great advantages. There is such a groundswell of demand for mobility, that it will be unstoppable. Securing data is key to benefitting from this change, with device security being a major element. However, perhaps more importantly, there is the need, as well as the opportunity, to change staff’s behaviour towards mobile security and protecting data.
With many organisations providing little or no personal security training for staff, and little evidence of it being applied at home, it is no wonder mobile device users have a low awareness of the risks of mobility. Educating staff on the risks and protection needed for personal devices, and the data on them, will help businesses to go forward and enjoy the considerable benefits of mobility.