FIVE STEPS TO SECURE MOBILE DATA

Mobile and wireless technology is revolutionizing how businesses use and profit from information. Employees outfitted with mobile devices, such as laptops and PDAs, can access valuable enterprise information when they're away from the office, which improves productivity, streamlines operations, and creates new revenue sources. But security is lacking.

While mobility is a competitive advantage, it means your data can travel beyond your secure LAN firewall and over public networks. Your security strategy needs to address the managing and securing of pervasive mobile data from end to end: whether it's stored on a mobile device, traveling over a wired or wireless network, or being sent back to the enterprise.
Organizations need to carefully consider mobile data security as a part of their mobile application development plans and work carefully with technology vendors that offer a complete security infrastructure for protecting mobile data, wherever that data may be. You should consider these five mobile security issues when developing and implementing mobile business solutions:

1. Protect against unauthorized users:

The cornerstone of any security strategy, mobile or not, is user authentication. Any device attempting to exchange information with your corporate systems needs to have its identity verified. Each time the user goes deeper into a new area of sensitivity or functionality, your application and middleware infrastructure should know who they are, and whether they should be there.

Only the chosen may enter:

A password should be required before a mobile user can synchronize with a back-end database or browse information stored on a company server--no exceptions. Use mobile device management software to ensure that users have not circumvented security measures or stored their password in a file on their device.

Rights and privileges:

Define what clients can and cannot do. Depending on the application, specific rights and permissions are configured on a per-user basis. For example, a sales force automation application might allow a sales representative to submit orders, but not approve them. A sales manager's password would carry with it the authorization to view orders and approve or deny them.

2. Protect data transmissions

You might not be paranoid, but they are out to get you. Mobile applications require an exchange of information across a public network that is full of potential predators. When transmitting data, you need to ensure that it is secure from end-to-end. Any mobile middleware solution should operate on a secure connection for both data synchronization and client/server communications. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols allow a client application to verify the identity of a server, and ensure that they communicate only with servers they trust.

Tales from the encrypt:

One of the simplest ways for someone to gain access to your data is to simply read the data stream between the mobile device and your server. Leverage strong 128-bit communications encryption to protect the confidentiality, integrity, and authentication of data packets as they pass between the client device and the server. This way, an identity thief who is reading a mobile banking customer's communications will hear only noise, not her bank balance, address, and PIN.

Know who you're talking to:

How do you know that it's your bank on the other end, and not a server set up by a 16 year-old? Be certain that only authorized clients can connect to your server and that clients are connected to the correct server. During synchronization, or client/server connection through a browser, a password entered by the user indicates to the back-end system that they are an authorized user. A certificate on the internal database server tells the user's device that it is connected to the correct bank or hospital system. If your middleware doesn't provide this sort of functionality, it's like broadcasting your credit card information over the radio.

3. Protect data on lost devices

Mobile devices are small and expensive, so they are easily lost or left in taxis, and are a favorite target for thieves. If you don't want the new owner to have access to your corporate systems or view sensitive data, precautions must be taken.

Persistent data needs persistent protection:

There are two precautions that you can take to prevent disclosure of the data stored on a mobile device: encrypting sensitive data, and encrypting the entire file system (this may be useful when using data outside of a database, such as in a spreadsheet). Protect data that is stored on hard disks, in persistent memory, or on removable flash cards (whether they are in or out of the device).

Always on duty:

Even if the data store is protected, you risk exposing the information to unauthorized users if the application has cached data. Data that is stored in an application's memory is more difficult to access, but may also be exposed. Further, if your application sends updates that appear on-screen, the data contained in them may be available to anyone who turns on the device. Include a password-protected timeout in your applications but do not store it on the device; otherwise, anyone who has access to the device may be able to access your data.

4. Protect mobile assets

Safeguard your mobile assets such as your machines, devices, and data through centralized management. From a central location, you can simplify the enforcement of your security policy on devices that are beyond the reach of traditional wired LAN management techniques.

The enemy within:

Often the biggest threat to the security of your corporate systems and data are your own users, who disable security mechanisms and configurations in order to save a few seconds when logging in or synchronizing data. Protect and enforce system configurations by automatically identifying and correcting devices where users have defeated password protection by storing the password on the device, or changing security configuration options.

Stay up-to-date:

Mobile devices that send and receive data such as e-mail are just as susceptible to destructive viruses as desktop machines. However, it's difficult to get busy mobile workers to stop working long enough to download virus updates and security patches, especially on a slow connection. You require a management tool that will push out virus updates and security upgrades, and automate their installation without the need for user intervention.

Gone, but not forgotten:

Data encryption is not the only safeguard against unauthorized data access on lost devices. Fight back with your centralized management software by enabling a self-destruct policy that destroys confidential data on a lost device.

5. Protect your existing security investment

Whether you are creating new mobile applications or extending the reach of existing systems, your mobile deployment should be as secure as applications running on your corporate LAN. Integrate your mobile applications with existing security infrastructures through open standards and flexible architecture.

Another brick in the firewall:

Any mobile application should work with your current firewall, virtual private network (VPN), and PKI technology to integrate user authentication and permission functions with your existing systems. Browser-based communications between handheld devices and corporate systems should be encrypted using wireless transport layer security.

Regardless of protocol:

Your wireless application server technology should enable secure synchronization, encryption, and server-side authentication over whichever wireless protocol you choose.

The e-mail of the species:

E-mail is one of the most frequent points of entry for potential security threats, whether inside or outside the office. As you do with desktop e-mail systems, encrypt all incoming and outgoing messages between your corporate e-mail server and mobile devices that are outside your company's firewall. Your mobile mail application should also enforce password entry, and harmonize security configurations with LAN e-mail systems.

SECURITY FOR WIRELESS DEVICES AND WIRELESS NETWORKS

Many organizations and users have found that wireless communications and devices are convenient, flexible, and easy to use. Users of wireless local area network (WLAN) devices have flexibility to move their laptop computers from one place to another within their offices while maintaining connectivity with the network. Wireless personal networks allow users to share data and applications with network systems and other users with compatible devices, without being tied to printer cables and other peripheral device connections. Users of handheld devices such as personal digital assistants (PDAs) and cell phones can synchronize data between PDAs and personal computers and can use network services such as wireless email, web browsing, and Internet access. Further, wireless communications can help organizations cut their wiring costs.

While wireless networks are exposed to many of the same risks as wired networks, they are vulnerable to additional risks as well. Wireless networks transmit data through radio frequencies, and are open to intruders unless protected. Intruders have exploited this openness to access systems, destroy or steal data, and launch attacks that tie up network bandwidth and deny service to authorized users. Another risk is the theft of the small and portable devices themselves.

NIST Guidance on Security of Wireless Networks and Devices

The National Institute of Standards and Technology, Information Technology Laboratory, has published recommendations to improve the security of wireless networks in NIST Special Publication (SP) 800-48, Wireless Network Security, 802.11, Bluetooth, and Handheld Devices. Written by Tom Karygiannis and Les Owens, NIST SP 800-48 discusses three aspects of wireless security:
security issues associated with wireless local area networks (WLANs) that are based on Institute of Electrical and Electronics Engineers (IEEE) standards 802.11;
security issues related to wireless personal area networks based on the Bluetooth specifications, which were developed by an industry consortium; and
security of wireless handheld devices.

The Risk Environment

Wireless networks and handheld devices are vulnerable to many of the same threats as conventional wired networks. Intruders who gain access to information systems via wireless communications can bypass firewall protection. Once they have accessed systems, intruders can launch denial of service attacks, steal identities, violate the privacy of legitimate users, insert viruses or malicious code, and disable operations. Sensitive information that is transmitted between two wireless devices can be intercepted and disclosed if not protected by strong encryption. Handheld devices, which are easily stolen, can reveal sensitive information.

Before establishing wireless networks and using handheld devices, organizations should use risk management processes to assess the risks involved, to take steps to reduce the risks to an acceptable level, and to maintain that acceptable level of risk. Using risk management processes, managers can protect systems and information in a cost-effective manner by balancing the operational and economic costs of needed protective measures with the gains in mission capability to be achieved through the application of new technology.

Wireless Technology and Standards

Wireless devices communicate through radio transmissions, without physical connections and without network or peripheral cabling. Wireless systems include local area networks, personal networks, cell phones, and devices such as wireless headphones, microphones, and other devices that do not process or store information. Other wireless devices being widely used include infrared (IR) devices such as remote controls, cordless computer keyboards, mouse devices, and wireless hi-fi stereo headsets, all of which require a direct line of sight between the transmitter and the receiver.

Two standards for wireless technologies are discussed in NIST SP 800-48. One is the IEEE 802.11 group of standards for WLANs, which were developed by a voluntary industry standards committee. The IEEE 802.11 standards provide specifications for high-speed networks that support most of today’s applications. The Bluetooth standard, which was developed by a computer and communications industry consortium, specifies how mobile phones, computers, and PDAs interconnect with each other, with home and business phones, and with computers using short-range wireless connections.

As wireless technology evolves, new devices are being developed to provide more features, functions, portability and ease of use. Mobile phones can provide multiple services including voice, email, text messaging, paging, web access, and voice recognition services. Newer mobile phones incorporate PDA, wireless Internet, email, and global positioning system (GPS) capabilities.

Recommendations for Secure Wireless Networks

The trends in use of information technology point to increased implementation of wireless communications networks and use of wireless devices. Each new development will present new security risks, which must be addressed to ensure that critical assets remain protected. Actions that organizations should take to protect the confidentiality, integrity, and availability of all systems and information include:

Assess risks, test and evaluate system security controls for wireless networks more frequently than for other networks and systems. Maintaining secure wireless networks is an ongoing process that requires greater effort than that required for other networks and systems.

Steps that can be taken to improve the management of wireless networks include:


Maintain a full understanding of the topology of the wireless network.
Label and keep inventories of the fielded wireless and handheld devices.
Create backups of data frequently.
Perform periodic security testing and assessment of the wireless network.
Perform ongoing, randomly timed security audits to monitor and track wireless and handheld devices.
Apply patches and security enhancements.
Monitor the wireless industry for changes to standards that enhance security features and for the release of new products.
Monitor wireless technology for new threats and vulnerabilities.

Perform a risk assessment, develop a security policy, and determine security requirements before purchasing wireless technologies.

The risks associated with the use of wireless technologies are considerable, and many products provide inadequate protection. Organizations should plan to protect their essential operations before they adopt wireless technologies. Common administration problems include installing equipment with “factory default” settings, failing to control or inventory access points, not implementing the security capabilities provided, and not developing or installing security architectures that are suitable to the wireless environment. The use of firewalls between wired and wireless systems should be considered. Other good practices are to block unneeded services and ports, and to use strong cryptography. Often the risks can be addressed, but the tradeoffs between technical solutions and costs must be considered as well. Organizations may want to postpone the installation of wireless networks until more robust, open, and secure products are available.

Organizations should perform security assessments prior to implementation of wireless technologies to determine the specific threats and vulnerabilities that wireless networks will introduce in their environments. In performing the assessment, they should consider existing security policies, known threats and vulnerabilities, legislation and regulations, safety, reliability, system performance, the life-cycle costs of security measures, and technical requirements. Once the risk assessment is complete, the organization can begin planning and implementing the measures that it will put in place to safeguard its systems and lower its security risks to a manageable level. The organization should periodically reassess the policies and measures that it puts in place because computer technologies and malicious threats are continually changing.

Apply security management practices and controls to maintain and operate secure wireless networks.

Organizations should identify their information system assets, and develop, document and implement policies, standards, procedures, and guidelines to ensure confidentiality, integrity, and availability of information system resources. NIST recommends the following steps:

The information system security policy should directly address the use of 802.11, Bluetooth, and other wireless technologies.
Configuration/change control and management practices should ensure that all equipment has the latest software release, including security feature enhancements and patches for discovered vulnerabilities.
Standardized configurations should be employed to reflect the security policy, and to ensure change of default values and consistency of operations.
Security training is essential to raise awareness about the threats and vulnerabilities inherent in the use of wireless technologies.
Robust cryptography is essential to protect data transmitted over the radio channel, and theft of equipment is a major concern.

Designing Next Generation Telecom Reform: ICT Convergence or Multisector Utility?

Continuously expanding applications of information and communication technologies (ICT) are transforming local, national, regional and international economies into network economies, the foundation for information societies. They are being built upon expanded and upgraded national telecom networks, the new information infrastructures. The point of entry to participation in these new economies and societies is through local communication networks, which determine the access possibilities and boundaries of opportunity for individuals, organisations and countries. The telecom reform process is directed to creating an environment to foster a massive expansion in the coverage and capabilities of the information infrastructure networks, with national telecom regulators as the key implementers of the policies of reform. The first phase of reform has focused on industry specific telecom policy and regulation, with mixed results and generally slower than expected progress. The second phase, now being formulated in most countries, is influenced primarily by experience to date and the rapid changes underway in technologies, markets and industry structures. This report examines the main alternatives being considered – ICT convergence regulation and multisector utility regulation.

Whatever structure of next generation telecom regulation is adopted, all countries will need to pay much greater attention to the need for increased coordination of policy directions and regulatory activities both across the industries and sectors examined here and with other countries. This report provides an assessment of evidence and a framework for analysis that will assist countries in examining the issues, options and implications, as they establish the policy objectives and design the structure of their particular next generation telecom regulation.