Security - The Necessary Evil
By: Bob Pinna
May. 1, 2001 03:22 PM
Handset and PDA manufacturers love me. That's because in any given year, I'm likely to lose, and therefore buy, at least three cell phones and two PDAs. I really don't know where they go. I suspect they get left behind in rental cars, airport lounges, and hotel rooms. Once I even found a cell phone that my one-year-old son had dropped in the john.
My CIO hates me. He's the one that has to worry about security breaches that result from my lost PDAs and handsets. He's not much different from other IT professionals. Web seminars conducted by Mobilize found theft and employee termination to be the security issues that most concerned IT workers.
Think about this scenario. Public company CEO loses laptop with this quarter's sales data. Sales data gets published on the Internet. Internet surfers think company is behind on revenue targets. Stock price free-falls. Shareholders sue. SEC investigates.
So what security issues need to be considered when launching a mobile enterprise application? That's the focus of this month's article. In particular, we'll look at five key security issues:
Security is not free. It puts an administrative burden on end users that they dislike intensely. It increases the costs of application deployment, and it creates long-term cost-of-ownership issues, as IT must maintain complex security rules.
Security may not be optional. If information is sensitive in nature, such as the health records of customers, it must be protected. If transactions such as stock trades, which may have significant consequences, can be entered, they must be tightly controlled. So the first order of business is to assess the level of desired security, from low to high. The following questions are critical:
Theft and Employee Termination
IT professionals have a range of options available to address employee termination and theft, including the following:
Access control is closely related to personalization. It turns out that most end users don't want to be distracted by information that isn't relevant to them. For example, the government systems' sales representative in New Jersey cares only about a small section of the company intranet - the part that keeps information on his or her territory, accounts, and product line.
To address access-control issues, look for mobile applications that have strong personalization support, specifically:
Authentication refers to validating the identity of the end user. In low-security environments this is accomplished with a simple user ID and password. In a more secure environment, a Secure ID can be used.
Secure ID is a technology that changes passwords every minute. End users carry a keychain or other device that displays the current password. The same password algorithm also runs on a back-end server in synchronization with the end-user device. Secure ID provides both authentication and theft control. It also has the advantage of being multi-device in nature, since the same password can be used for laptop, PDA, and phone.
Higher-protection authentication mechanisms require end users to carry some type of physical key. This could be an actual physical key, a smart card, or ultimately a biometric key, such as a fingerprint. While biometric solutions are advancing and provide the ultimate authentication solution, at this time they're limited to laptop devices. In general, end users dislike physical or smart card key approaches, so expect some impact on application acceptance and usage.
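To show what "the same password algorithm also runs on a back-end server in synchronization with the end-user device" looks like in practice, here is an added example; it is not code from the article or from the Secure ID product, whose own algorithm is proprietary. It uses the open HMAC-based construction of RFC 4226 / RFC 6238 as a stand-in, with a 60-second step to match the every-minute behaviour described above. The Verifier type, its one-step drift window, its replay check and its Revoke method are assumptions of this example; Revoke is the theft and termination control from the earlier section, since once a device is reported lost the seed is marked revoked and no code derived from it is accepted again.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed parameters (assumptions, not the real product's settings): a
// 60-second step to match "changes passwords every minute", six-digit codes,
// and one step of clock drift tolerated in either direction.
const (
	stepSeconds = 60
	modulus     = 1000000 // six-digit codes
	driftSteps  = 1
)

// tokenCode is what the keychain device displays for a given time counter:
// HMAC-SHA1 over the big-endian counter, then dynamic truncation (RFC 4226).
func tokenCode(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%modulus)
}

// counterAt maps wall-clock time to the step counter both sides agree on.
func counterAt(t time.Time) uint64 { return uint64(t.Unix()) / stepSeconds }

// Verifier is the back-end side: per-user seed, a revocation flag (set when a
// device is reported lost or the employee leaves), and the last accepted
// counter so a code that was already used cannot be replayed inside the window.
type Verifier struct {
	seeds   map[string][]byte
	revoked map[string]bool
	lastOK  map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{
		seeds:   map[string][]byte{},
		revoked: map[string]bool{},
		lastOK:  map[string]uint64{},
	}
}

func (v *Verifier) Enroll(user string, seed []byte) { v.seeds[user] = seed }

// Revoke is the theft / termination control: the seed stays on file for
// audit purposes, but no code derived from it is accepted again.
func (v *Verifier) Revoke(user string) { v.revoked[user] = true }

// Verify accepts a code if the user is active, the code matches the current
// step or one step either side (clock drift), and it has not been used before.
func (v *Verifier) Verify(user, code string, now time.Time) bool {
	seed, ok := v.seeds[user]
	if !ok || v.revoked[user] {
		return false
	}
	c := counterAt(now)
	for d := -driftSteps; d <= driftSteps; d++ {
		cand := uint64(int64(c) + int64(d))
		if last, used := v.lastOK[user]; used && cand <= last {
			continue // already consumed, or older than a consumed code
		}
		if hmac.Equal([]byte(code), []byte(tokenCode(seed, cand))) {
			v.lastOK[user] = cand
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226 test seed; constructed demo
	v := NewVerifier()
	v.Enroll("alice", seed)
	now := time.Now()
	code := tokenCode(seed, counterAt(now))
	fmt.Println("device shows:      ", code)
	fmt.Println("first use accepted:", v.Verify("alice", code, now))
	fmt.Println("replay accepted:   ", v.Verify("alice", code, now))
	v.Revoke("alice")
	fmt.Println("after revoke:      ", v.Verify("alice", tokenCode(seed, counterAt(now)+1), now))
}
```

With the RFC 4226 test seed, tokenCode returns 755224 for counter 0 and 287082 for counter 1, which is a quick way to confirm the truncation step is right before trusting the verifier. The drift window is what keeps a slightly slow token usable; the lastOK record is what keeps that window from becoming a replay window.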
When encryption is necessary, the key question is whether it is end-to-end in nature or whether it relies on the native encryption of the transport mechanism. Consider the different "segments" of the network that data must traverse. Data may begin on a corporate information system, travel via virtual private network to a hosting center, be stored on a server at the hosting center, and then be sent out via a particular cellular carrier's wireless network.
In this example, IT can rely on the encryption technology of each segment or can "overlay" an "end-to-end" solution that encrypts data before it ever leaves the corporate information system, and does not decrypt it until it reaches the mobile device. The end-to-end solution is a stronger approach that gives the IT professional more control over bandwidth versus protection tradeoffs. All of the wireless infrastructure service providers have integrated good end-to-end encryption solutions into their offerings.
One problem with end-to-end encryption is that today's cell phone handsets do not have sufficient local processing to support encryption and decryption on the handset. This means that the link from cell phone to carrier must rely on native encryption technologies. In very secure environments, it means the device should not be used.
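To make the segment-versus-overlay distinction concrete, here is an added example modelling the path described above (corporate system, VPN, hosting center, carrier network, device); it is not code from the article or from any infrastructure vendor it refers to. AES-256-GCM stands in for whatever cipher each segment or overlay actually uses, and the segmentKeys type and the hostRelay, hopByHop and endToEnd functions are constructed for this illustration. In the hop-by-hop case the hosting center must decrypt the VPN leg and re-encrypt for the carrier leg, so it holds the record in the clear; with the overlay it stores and forwards only the inner ciphertext, and the 28 bytes the overlay adds per message (12-byte nonce plus 16-byte tag) are the bandwidth side of the tradeoff the article mentions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcm builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and prepends a fresh random nonce; open reverses it and
// fails on any modification, because GCM authenticates the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func open(key, msg []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(msg) < ns {
		return nil, errors.New("message shorter than nonce")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], nil)
}

// newKey returns a random 256-bit key; it stands in for whatever key
// agreement each segment or the overlay really uses (assumption of the demo).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// segmentKeys: one key per leg. The VPN key is shared by the corporate system
// and the hosting center; the carrier key by the hosting center and the handset.
type segmentKeys struct{ vpn, carrier []byte }

// hostRelay models the hosting center: it terminates the inbound segment and
// originates the outbound one. Whatever it holds in between is seenAtHost.
func hostRelay(sk segmentKeys, inbound []byte) (seenAtHost, outbound []byte, err error) {
	if seenAtHost, err = open(sk.vpn, inbound); err != nil {
		return
	}
	outbound, err = seal(sk.carrier, seenAtHost)
	return
}

// hopByHop relies only on each segment's native encryption. Returns what the
// device received and what the hosting center saw on the way.
func hopByHop(sk segmentKeys, record []byte) (device, seenAtHost []byte, err error) {
	inbound, err := seal(sk.vpn, record)
	if err != nil {
		return
	}
	seenAtHost, outbound, err := hostRelay(sk, inbound)
	if err != nil {
		return
	}
	device, err = open(sk.carrier, outbound)
	return
}

// endToEnd overlays a key shared only by the corporate system and the device.
// The inner ciphertext rides the same segments; the host sees only that.
func endToEnd(sk segmentKeys, e2eKey, record []byte) (device, seenAtHost []byte, err error) {
	inner, err := seal(e2eKey, record)
	if err != nil {
		return
	}
	if device, seenAtHost, err = hopByHop(sk, inner); err != nil {
		return
	}
	device, err = open(e2eKey, device) // only the handset holds e2eKey
	return
}

func main() {
	record := []byte("constructed sample: quarter-to-date sales figures")
	sk := segmentKeys{vpn: newKey(), carrier: newKey()}
	_, seen, _ := hopByHop(sk, record)
	fmt.Println("hop-by-hop: host sees plaintext:", bytes.Equal(seen, record))
	dev, seen, _ := endToEnd(sk, newKey(), record)
	fmt.Println("end-to-end: device got record:", bytes.Equal(dev, record),
		"host sees plaintext:", bytes.Equal(seen, record), "overhead bytes:", len(seen)-len(record))
}
```

The last point the article makes follows directly from the code: the device-side open with the end-to-end key is work the handset has to do itself, which is exactly what a handset without enough local processing cannot take on, leaving only the carrier segment's native encryption on that leg.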
Wrapping It Up