Defensive Measures
Posted: 10.01.05 - By Teresa von Fuchs

Between homeland security, identity theft and the continual assault by worms, viruses and Trojans on our PCs, security is the hot word in the enterprise today. I don’t have to go into the all the dangers—lost devices, easily hacked data and wide-open networks—mobility brings with its added productivity gains. Just mention security and CIOs cringe.

In order to simplify the overwhelming subject of enterprise security technologies, we’ve broken the idea into two parts: securing the device and the data on it and securing the connection. Many technologies, as well as solution providers, invariably cross and blur those lines, but we’ll try to make clear how some major solutions throw themselves at these tasks.

Securing the Device

Biometrics is no longer the stuff of spy movies and sci-fi stories, according to Matthew J. Wagner, senior manager of product marketing for security and wireless with HP. Biometrics is still an emerging technology, but “we’ve seen fingerprint authentication technology evolve to the point where it is ready for much broader deployment and adoption in the industry.” As part of HP’s Protect Tools, a biometric fingerprint reader was integrated into the nx6125 notebook in June of this year. Users can configure the fingerprint reader to access Windows, the network, a specific application or as a key to unlock other usernames and passwords. Some iPAQs also include fingerprint sensors. IBM’s PC Division, now Lenovo, also offers integrated biometric fingerprint readers.

Other PC vendors are also beefing up device-level security measures with device tracking systems. Gateway announced a partnership with Absolute Software, integrating its CompuTrace technology into the PC’s firmware. CompuTrace works like LoJack for notebooks, locating lost or stolen
computers and enabling sensitive data to be discretely deleted from a missing PC. After the customer activates Absolute’s CompuTrace Complete service, in the event a computer is stolen, Absolute guarantees recovery of the computer within 60 days, or, after that, compensation.
There are many other add-on security products aimed at securing the data on your device through encryption. One product, DESlock+ from Data Encryption Systems (DES), uses a USB key and software that encrypts individual files, folders, e-mails or whatever you choose using AES, 3DES and Blowfish encryption algorithms. The key controls login and user-rights and manages passwords and authentication.

Securing the Connection

Mobile devices are often only as good as their ability to record, send and receive field data. Between your device and the e-mail server is a network-operating center, or NOC, which authenticates the device before passing on info to or from the server.

For other applications there are virtual private networks (VPNs). IPSec VPNs predate mobility and began as a less expensive option for secure branch-to-branch communication. A client, loaded on every device, speaks directly to a backend server sending encrypted data through a secure tunnel. IPSec VPNs have not made a seamless transition into the mobile space because of the need for a client—something else to load, keep track of, update, manage—which can be seen as a hassle for a mostly mobile workforce; so, the SSL VPN was created.

SSL stands for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL VPNs work much like traditional IPSec VPNs, only instead of loading a client onto each device, network access is browser-based. SSL VPNs do work to solve other mobility issues; most desktop applications, for example, are designed for constant connectivity, which just isn’t a reality out in the world. Most SSL VPNs understand this and work to keep the VPN acting like it’s connected, even when a connection has temporarily been dropped.

Of course, IPSec vendors such as NetMotion Wireless also understand this issue and built session persistence; updated clients that are easier to manage and install; and IT-friendly configurability into its secure mobility solution.

Even device-clients have changed. Once thought of as a drawback, there are some added security perks to today’s clients. Ian Williams, technology analyst with Datamonitor, explains, “First is a perceived benefit; the fact that you have an application gives a feeling of greater security. It’s also a form of host authentication right on the device. With an SSL VPN you could be connecting from any device at all.” Checking the status of policy enforcement on a device is a trend that blurs technology and solution boundaries. But in the case of VPNs, when a network talks to a client, it can scan the PC and make sure the antivirus software is up to date and ensure the computer isn’t infected before it connects. “The SSL VPN vendors have countered by doing integrity scanning,” says Williams. This essentially means the same thing, only the device scan is Internet-based.

The perks and drawbacks of each, however, are not really as important as understanding how it’s going to be used in the field and what types of applications, connections and devices your mobile workers will be using. Williams explains that many IPSec vendors are now also making SSL VPNs, essentially offering more flexible solutions, depending on what the enterprise’s needs are. He cites Juniper as an example in this space; originally NetScreen (an IPSec VPN and firewall vendor) acquired Neoteris for its SSL VPN technology, and now Juniper Networks can offer both solutions.

Securing the Endpoint

Philip Marshall, director of wireless mobile technologies with the Yankee Group, says, “The biggest issue around security is policy management and enforcement. There’s a lot of well-established protocols and technologies that are reasonably effective, [the issue is] how they are implemented and used. The most interesting thing I’ve seen is the ability to manage security across multiple environments from the endpoint.”

Endpoint Security is a buzzword, as well as an umbrella of security technologies covering the endpoint—essentially the device and the information on it. Unlike device-level solutions, endpoint security encompasses ideas of policy management.

“Making sure security policies and tools are being enforced and used properly may seem like common sense, but frequently companies don’t have a good way of enforcing security tools,” says Doug Neal, VP of endpoint policy management and security services with iPass. “Many companies we talk to are not sure if they even have the latest antivirus definitions on their computers, and they don’t have a way of making sure those are updated before the user connects to a VPN.”

iPass, historically a hotspot aggregator, has added a series of endpoint security services to its remote access toolkit. The bundle includes patch management tools, endpoint policy management and a device ID component. Before a user can connect to the network, wirelessly or wired, the iPass solution checks to make sure the appropriate patches, virus definitions and firewall tools are in place to prevent a user from connecting to the VPN until everything is updated. iPass also runs authentication on the device ensuring it’s a company-sanctioned tool. “Because we’re giving them the key to connect, customers are looking to us to make sure we’re helping enforce [security] policies that are dictated by the enterprise,” says Neal.

Pat Patterson, from Nortel’s enterprise security solutions, explains its perspective on the endpoint: “It doesn’t matter what type of device is trying to access the network; that device is interrogated to make sure that it is allowed to access the types of application content it’s trying to. And before they’re given access, the device is also interrogated to make sure it has compliance with the security policies that the enterprise has set in place.” Similar to iPass, Nortel scans devices to make sure security measures such as patches are up-to-date. But rather than a security add-on, Nortel also offers both types of VPNs as well as other security components.

“[Enterprises] really need to focus on total lifecycle security planning,” says Patterson. “It’s not good enough to look at security like a project, it’s a process, it’s continuous. You need to look further into the future than just the wireless part of your network. Threats continually evolve, so you have to continue to evolve your protection against those threats.”

Nortel also suggests multiple layers of security, which is a pervasive idea among security vendors. Credant has a three-part approach in its Mobile Guardian solution. According to Jason Jaynes, director of product management at Credant, three things make mobile security distinct: the first is a sometimes-connected environment; second is the heterogeneous nature of the environment; and third is a lack of central device control. Credant’s solution works to counter all these issues with an enterprise server that works as “the command and control center” for all devices, an endpoint policy management component and device-level encryption agent called the “shield” and the “gatekeeper,” which protect the network from unauthorized access and enforce security policies on any and all devices connecting to the network.

Continuity and Compromise

There are numerous products akin to those mentioned above. Datamonitor’s Williams recommends approaching security from a needs-based perspective: “It’s about understanding exactly what you need, thinking about what you may need in the future, looking at all the options, all the various threats, and then looking at solutions that can counter them.”
One way to avoid security issues is to deploy a solution with security already built in. Williams recommends, “Try to have levels built into the solution rather than trying to bolt it on afterward. Often, when [security] is built into the application it understands the threats associated with the application, whereas, you may find some gaps by applying a generic solution on top.”

And there are other issues around security besides just technology, such as business continuity. According to Yankee Group’s Marshal, one of the major concerns of today’s CIOs is business continuity. “You don’t want to disrupt people’s business processes in the mobile environment as a consequence of security mechanisms unless it’s necessary, and when it is necessary you need to minimize that disruption,” he advises. “It’s always a compromise.”•


Leisure Publications