If wireless were simply a matter of business expedience, and we ignored security concerns, it would be as ubiquitous today as laptops and cell phones – especially for the growing number of workers who depend on mobility to do their jobs and can’t afford to be tethered to a desk, office or single location.
But guess again. Most companies are holding back on deploying wireless because they're not convinced wireless can be made secure, or be made secure at a cost they can afford.
Are the holdouts right, or are they sticking their heads in the sand while competitors deploy wireless and gain an edge? After all, the benefits of wireless are fairly obvious – faster cycle times, greatly improved employee productivity and enhanced customer satisfaction. The question is whether these undeniable benefits are outweighed by added security risks, complexity and costs. In more competitive terms, what do the early wireless adopters know about security and cost control that everyone else needs to know?
First, they know that wireless is an extension of the company's existing IT infrastructure, and not a standalone feature. While wireless adds risks of its own, it follows the same basic security architecture of the enterprise. Most important, the enterprise needs the same kind of access control system in place that identifies users and devices; controls access to specific systems, applications and data; and is flexible and broad enough to cover all identity needs. And all of these security controls need to apply as much to wireless users as they do to wired users.
Second, savvy wired enterprises recognize that they must have a security policy in place that discriminates between different levels of security for different kinds of applications and user needs. Higher level applications like financial, human resource and ERP systems require end-to-end encryption and airtight security. Wireless LANs, like Wi-Fi, which are now built on IEEE industry standards, can be used for these kinds of applications, but need to be part of a separate network segment that allows for wireless authentication and identity management, similar to requirements for wired users.
Without this level of internal control, wireless would be highly vulnerable to leaks. For example, anyone in a company parking lot could gain access to the internal network and roam undetected. Simply put, all wireless access points involving critical company applications and data need to be carefully authenticated and controlled, based on the company's security policy. Industry standards like IEEE 802.1x and LEAP make this quite possible.
Third, the wireless enterprise needs to leverage existing public wireless networks where they make sense – from a business and security standpoint. This includes Wi-Fi networks in airports, hotels and convenient locations like Starbucks. In this way, users can gain access to pertinent internal applications, but on a controlled basis. As wide area public wireless networks evolve to next-generation platforms, they will be substantially more secure. However, since that kind of wireless network is still years away; we need providers like Blackberry, which are offering excellent value for limited wireless applications, like email and short messaging.
A key question companies need to recognize is that wireless public networks do not provide unbreakable security. But do companies need end-to-end security for every enterprise application, including simple transactions like email? The answer is no. Perfect security would be desirable in a perfect world, but we don't live in that kind of world. IT administrators need to weigh the advantages of using less than perfect security for limited applications that appeal to most users – like email and short messaging.
While public wireless networks are clearly breakable, the advantages of using them for simple applications like email and order fulfillment outweigh their security risks. A mobile sales force, for example, should be able to access internal product data to serve customers easily and conveniently, but perhaps not sales and inventory systems. They should be able to complete customer orders without having to return to a secure location, even though such moderate-risk transactions are not encrypted end-to-end.
It follows that simple applications shouldn't require the same level of security as complex ones – like downloading customer account or inventory files. Typically, a sales rep should be able to do routine tasks over the pubic wireless network, and complete more complex tasks at a secure location.
Finally, the savvy wireless enterprise should look for wireless partners who can provide enhanced security and packaged services at reasonable cost.
Clearly, the future belongs to wireless, given the big advantages. The question for those who are still on the sidelines is how to build out enterprise IT to include wireless in ways that benefit different types of users and don't add undue risk and cost to the business. We would assert that since not all applications or users have the same needs or security requirements, the savvy IT executive will apportion wireless resources in a way that empowers users to do the things they need to, and that still provides affordable internal controls. This may not be easy, but it's quite doable.
Dr. Arvind Krishna is vice president of security products for IBM Tivoli Software (www.tivoli.com).