That's why you must think "big picture" when devising a security strategy and implementation. That was the topic of my recent keynote address at the Wireless Security Conference in Cambridge, Mass. Although there is no such thing as absolute security, IT professionals can do a lot to improve their overall security plans -- wired and wireless -- to an acceptable level. During the presentation, my message was clear: CIOs must do the following to reach that level:
- Establish a culture of security within the enterprise. Every user of IT resources needs to understand the value and importance of secure corporate information on every device.
- Understand the threats. Professional information thieves are the ones who cause all the problems, and they do not use wireless for their nefarious activities; there are better means, mostly related to defeating physical security, such as stealing notebooks. All of your mobile devices must have authenticated logins and encrypted storage -- no exceptions!
- Have a written security policy in place. This defines what is to be protected, and who should have access to what and under what circumstances. This document drives the selection of particular solutions, not the other way around (as is all too often the case).
- Remember the end-to-end mantra. Most wireless security solutions focus on the airlink (the connection between the client and the base station or access point), but do not ignore the rest of the value chain, all the way to servers and databases. It's end-to-end, not only the airlink. The good news is that common techniques like virtual private networks and authentication (like 802.1X) work equally well on wireless links as they do on wire.
- Realize security implementations are too complex for most users to understand. This situation is slowly improving as vendors produce products that mere mortals can install and administer.
- Establish an auditable and verifiable security plan. CIOs must resort to being their own hackers in order to really find out just how good their security solution is. I recommend that larger firms have a chief security officer or equivalent.
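The two points above that translate most directly into something checkable are the device rule (authenticated login and encrypted storage on every mobile device, no exceptions) and the demand for an auditable, verifiable plan. The script below is an added example, not code from the column or from Farpoint Group: it runs a written policy over a device inventory and produces a per-device list of violations that can be attached to an audit record. The inventory, the field names and the policy rules (all devices need an authenticated login; notebooks, phones and tablets additionally need encrypted storage) are constructed assumptions for illustration.

```python
"""Audit a device inventory against a written security policy.

Added example; the inventory, field names and rules are constructed
assumptions, not taken from the column.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    kind: str              # "notebook", "phone", "tablet" or "desktop"
    login_auth: bool       # authenticated login (password/PIN/biometric) enforced
    storage_encrypted: bool  # full-disk or device encryption enabled


# Assumed policy: which device kinds count as mobile, and therefore must
# also have encrypted storage (the "no exceptions" rule in the text).
MOBILE_KINDS = {"notebook", "phone", "tablet"}


def policy_violations(device):
    """Return the list of policy rules a single device fails, in a fixed order."""
    violations = []
    # Rule 1 (assumed): every device needs an authenticated login.
    if not device.login_auth:
        violations.append("no authenticated login")
    # Rule 2 (from the text, applied to the assumed mobile kinds):
    # mobile devices must have encrypted storage.
    if device.kind in MOBILE_KINDS and not device.storage_encrypted:
        violations.append("storage not encrypted")
    return violations


def audit(devices):
    """Split an inventory into compliant device names and a
    name -> violations map for the rest. Order follows the inventory."""
    result = {"compliant": [], "noncompliant": {}}
    for device in devices:
        violations = policy_violations(device)
        if violations:
            result["noncompliant"][device.name] = violations
        else:
            result["compliant"].append(device.name)
    return result


def report(result):
    """Render the audit result as plain text for the audit record."""
    lines = [f"compliant: {len(result['compliant'])}",
             f"noncompliant: {len(result['noncompliant'])}"]
    for name, violations in result["noncompliant"].items():
        lines.append(f"  {name}: {', '.join(violations)}")
    return "\n".join(lines)


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("sales-nb-01", "notebook", True, True),
    Device("sales-nb-02", "notebook", True, False),
    Device("exec-phone-03", "phone", False, False),
    Device("lab-desktop-04", "desktop", False, True),
    Device("eng-desktop-05", "desktop", True, False),
]

if __name__ == "__main__":
    print(report(audit(INVENTORY)))
```

The point of keeping the rules in code rather than in a spreadsheet is the one the text makes: the written policy drives the check, and the check is repeatable, so the same audit can be rerun after every change and compared with the last run.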
Security will always be a cycle of policy-setting, threat analysis, solution definition, implementation, verification and, ultimately, back to square one with new requirements and defined threats. No matter how good we get, the bad guys are always out there looking to cause damage. Ultimately, access to enterprise IT resources via a broad range of wired and wireless links will become the norm, and, indeed, essential to success. It's vital to look at security solutions that cover the entire value chain between client and server, no matter the nature of the various links in between.
Craig J. Mathias is founder of Farpoint Group, an advisory firm specializing in wireless communications and mobile computing.