Securing the Network’s Portable Edge

Even as we speak, the mobile edge of your network is getting more mobile: multi-Gig thumb drives, iPods and other MP3 players, smart-phones, Treos, Blackberry’s, laptops, CDs, floppies (yes they’re still around) hard drives that fit into a pocket or purse, tablet PCs, etc., etc.

Of course, to your network administrator these devices are nothing new, but as they become more widespread and powerful, they also become more able to carry away sensitive data from your organization.

And with so many devices now accessing the network from so many different places (geographically via WiFi and 3G) and from so many different connections (WiFi, Bluetooth, USB, Ethernet, phone line, VPN, etc.) most IT folks really don’t have a good idea of just how many devices or of what type are actually connecting to their networks.

“The problem is, for IT administrators, is the network perimeter has increased …. and now you have all kinds of devices floating around with different access mechanisms,” said Sunil Jain, a senior consultant with Sprint Enterprise Mobility (SEM).

At some point, securing all these devices has to become a matter of high-priority. As luck would have it (well, not really luck since technology spawns yet more technology), securing mobile/portable devices is getting easier.

The best place to start is with centrally-managed policies thus avoiding the kind of hodge-podge development of security practices that marked the rise of mobility in the first place, said SEM’s Gareth Matthews, vice president of Marketing. Using a bunch of point-solutions that don’t interact or overlap well is not the way to ensure your network is safe.

“An important first step is really establishing a policy,” he said. “Most of the security issues that I think are outstanding are essentially inadvertent security lapses where people don’t know any better.”

On the network side, there are many ways to ensure your network is safe: policy managers that only allow certain types and brands of devices to access the network; data encryption; two-factor authentication; and thin-client solutions that do not allow data (outside of localized screen scraping) to be downloaded to the access device.

On the device side, there are “kill pills” that wipe device data if it is lost or stolen (of course, your network admin has to know that the device is missing for this to be effective) and Lo-Jack for laptops and other devices to help locate them after the fact. Also, laptop makers like Lenovo, for example, have incorporated biometrics into some of their laptops so two-factor authentication is built right in.

Ideally, said Nick Selby, an analyst with The 451 Group, you want to use multiple layers of these technologies working in concert for the best results.
But policy and encryption are the places to start.

“The answer is there isn’t any one thing you can do,” he said. “The real issue is coming up with a centrally-managed system that can understand what devices are being attached to network assets and making intelligent decisions about how to cope with them once they’re attached. If somebody brings in an iPod, does your IT guy know that an iPod is essentially an USB mass-storage device?”

This is the approach Mark McGill takes at Ellis Hospital in Schenectady, NY.

Dictating the access privileges of doctors can be a daunting challenge, so instead of just restricting access in an authoritarian way as McGill, Ellis’ network engineer, would have preferred to do, he decided on end-point security from SecureWave, which allows him to place restrictions on what types of devices can access and download data from his network.

“You really have to safeguard against the worst-case scenario: the doctor that’s not going to necessary listen to how you said to do it because it’s easier to do it his way or her way,” he said.

Ultimately, McGill is working towards thin-client approach that will keep all his data inside the firewall and give him the ability to manage every connected device in a way that suits his security needs and the flexibility needed by care-givers. This will hopefully give everyone the best of both worlds.

But, no matter what McGill and those in his position do, there will always be a new technology just around the corner that negates what they’ve done in the past and are doing today, said 451’s Selby. It’s just a matter of keeping a finger in the dike and hoping for the best.

“It’s a big headache for IT and will continue to be a big headache but it is not unmanageable and ignoring it doesn’t make it get any better,” he said.