Welcome to my blog

Welcome and thank you for visiting my blog....

This is where I will pen my thoughts on Enterprise Mobility and other wireless technologies based on my learning’s/ experience over the course of my IT career.

The wireless world has been a very exciting place to be over the last few years. We have seen the introduction of ground breaking products and technologies have reached a never-before-seen level of maturity. The rate of enterprise adaptation to wireless technology is only accelerating day by day.

This is a personal blog and will focus on my thoughts and perspectives on wireless technology. Please feel free to share your opinions and viewpoints so that it can be discussed and debated. Though I would like to, I won't be able to post to this blog each day. Will try my best to write whenever I get time.

I hope that you will return often to this blog. Thanks again.

Wednesday, August 13, 2008

Evolving security needs for Enterprise Mobility

Enterprise Mobility Solution– How secure are they?

by Purushottam Darshankar

In today’s marketplace, enterprise mobile solutions have become necessary for businesses as competitive advantage and as a productivity improvement tool. With traditional low end monochrome devices giving way to sleeker high resolution handset packed with high processing power and high memory, the enterprises have started using these devices beyond voice calls and SMS and focus on delivering the critical front-end application for mobile workers.

Safety and security are of paramount concern for any enterprise in an increasingly uncertain and unsafe world, and have both a financial return in terms of cost of avoidance towards lost time, litigation and compensation, regulatory compliance, repair cost etc. as safety improves and intangible benefits related to improved working conditions for the workforce.

The wireless medium through cellular network has certain limitation over the wired medium such as open access, limited bandwidth and system complexity. These limitations make it difficult although possible to provide security features such as authentication, encryption, integrity and confidentiality. Since the communication is on the wireless channel, there is no physical barrier that can separate the attacker from the network. The principal sources of attack could be either end terminals or operator’s own backbone network. Issues may arise in mobile device OS which might open security holes that can be exploited. If a device is stolen or lost, it needs to be protected from unauthorized access to confidential and sensitive information such as enterprise data, e-mails, contacts etc.

Due to open access to cellular network and in turn to enterprise IT system, there are variety of attacks the infrastructure is open to. Denial of Service (DOS) is most potent attack that can bring down the infrastructure network, caused by sending excessive data to network, more than the network can handle, resulting in users being unable to access the network resources. Unauthorized access, if proper method of authentication is not implemented, provides free access to attacker to enterprise IT system and can use it for services that he might not be authorized for.

If data communication between handheld device and backend server is not encrypted then the attacker can eavesdrop and intercept sensitive communication such as e-mails, documents, other critical enterprise data etc. The attacker can sit in between the handheld device and access station of cellular network to intercept the message in between and change them. Going further, the attacker can hijack an already established session, and can act as legitimate user to gain the access to enterprise IT system.

While there are several security mechanisms available in Wireless network, continued research is going on to provide new and even more secure mechanism for cellular security as we look forward to 4G next generation services.

Enterprise Security Strategies

Every enterprise should have a security strategy to protect the availability, integrity and confidentiality of data in an enterprise’s IT system. Organization needs to decide on how much time, money and efforts need to be spent in order to develop appropriate security policies and control. Listing the threats helps the security team to identify the various methods, tools, and techniques that are used in an attack and can then develop proactive as well as reactive strategy.

The proactive or pre-attack strategy is a set of steps taken to minimize existing security policy vulnerabilities and develop contingency plans. Determining the amount of damage that an attack will cause on an IT system and the weaknesses and vulnerabilities exploited during this attack helps in developing the proactive strategy.

The reactive strategy or post-attack strategy helps security team to assess the damage caused by the attack, repair the damage or implement the contingency plan developed in the proactive strategy, document and learn from the experience, and get business functions running as soon as possible.

Enterprise Security Goals

The enterprise mobile solutions that run on the handheld devices are developed by independent software vendors that distribute these as freeware or license ware. The IP address of the servers which hosts these applications, for user download, are advertised so that they can be accessed by the intended users. However, it can be downloaded by any consumer over-the-air on the device without any control by operator. This may become a launching pad for attack on operator network as well as enterprise’s IT system.

Every enterprise mobile solution must provide a bundle of security functions that assure the security of system and can be referred as the goals of security system.

  • Authentication - Before the data is being exchanged between the receiver and sender, their identity must be verified.
  • Secrecy or Confidentiality-Only authenticated users based on their privileges should be able to access and interpret the data.
  • Integrity - Data being communicated is assured to be free from any type of modification between the end points (sender and receiver).
  • Non-repudiation- will ensure that neither the sender nor the receiver can falsely deny that they have sent certain data.
  • Service Reliability- Since the systems usually get attacked by intruder, which may affect it availability. The IT system should be robust enough to provide a way to grant their users the quality of service they expect.

Most of the mobile middleware’s available in the market provides the secure connectivity between handheld and backend server that supports HTTPS connection. The OMA device management specification suggests the use of client credentials (ID, Password and nonce) and server credential to confirm the authenticity and integrity of data being exchanged. Additional encryption algorithms (DES, AES or RC4) could be used to secure the data between sender and receiver by using either symmetric or asymmetric encryption. However these techniques slow down the enterprise application performance and balance has to be struck between security and usability.

The enterprise should ensure the proper end user registration and enrollment procedure to allow access to enterprise services. The end-users need to initially authenticate through a self-service registration web portal using their username and password credentials. Once authenticated, users are provisioned for enterprise application and are provided with a pin code that is used during the download of the enterprise application from the device browser. In addition, the firewall and IDP (intrusion detection and prevention) system can be used to tackle the security threats.

Enterprises must develop a security strategy and build policy that reflects this strategy. Security must be the responsibility of the entire user community and appropriate communication needs to be put in place to emphasize its importance. The expansion of mobile devices such as PDA’s, phones, and converged devices into the enterprise present several challenges to IT managers regarding security and manageability. A balance of security and usability must be reached considering the limited processing power of handheld devices.