Suppose I were to say to you that there's really no such thing as wireless security. That would sound pretty silly, especially since (a) data is clearly flying through the air, in range of anyone nearby with the right equipment, and (b) wireless security has historically been the number one concern of IT managers and often a roadblock to the deployment of mobile and wireless computing solutions. Silly, indeed.
And yet, when we look at wireless security as part of the overall value chain between client and server, the wireless part suddenly seems small and insignificant. This is because wireless deals only with that portion of the chain known as the airlink – the connection between a wireless client and (typically, in the case of wide-area mobility) a cellular base station. But consider all of the other connections between the cellular base station and your server -- a collection of equipment within the cellular network and the Internet or other wide-area connectivity -- and you'll see many points of vulnerability that far outweigh those of the airlink.
I am a big believer in end-to-end security. This means that, subject to a given enterprise's security policy, sensitive data is always stored securely and appears in the clear only to authorized users. And this doesn't just mean end-to-end over the airlink but rather end-to-end between the client device and the server that stores the data.
This further implies two key requirements:
- : This means that all sensitive data is encoded while stored and during transmission, so it cannot be read by unauthorized users, legitimate or not.
- Authentication: This means that users must identify themselves to their devices and the network before any access is allowed. Ideally, authentication is mutual, so a user cannot be fooled into sending sensitive data to a spoofed server.
If we put this together, the core requirements are that all sensitive data must be stored encrypted on the server and the mobile client device (notebook computer, smartphone, memory key, etc.). It also means that authorized users must authenticate with the server before any data can be obtained. I recommend "two-factor authentication" using (typically) a hardware key and a password. That way, if one is lost or stolen, the data is still secure.
Now comes the hard part.
I also recommend that authorized users authenticate with their mobile device. This means at a minimum having to log in to one's notebook and use a PIN or similar mechanism on smartphones. Lots of users just hate this, but they need to understand enterprise security policies and also develop what we call a "culture of security" -- just as those "loose lips sink ships" posters used to remind everyone of the need for security during World War II.
As it turns out, modern digital cellular networks include basic data security, and user traffic is by default encrypted over the air. I recommend, however, that enterprises use their own virtual private network (VPN) techniques on all wireless links; security really should be under the control of the enterprise, not the carrier.
Basic security really isn't all that hard to plan, implement and manage. But again, it's not a matter of wireless security alone. Rather, it's end-to-end security across the entire network. Secure the whole value chain, and wireless security almost comes for free.
Maybe there really is no such thing as wireless security after all.
This was first published in April 2006