One of the things we do here at Shoreline Research is talk to a lot of IT managers and enterprise executives about their concerns, issues, plans and general mobile and wireless paranoia. We've learned that many still resist significant wireless activities and deployments due to concerns about security, management and control. These executives report that pressures are increasing from the administrative side to launch new wireless projects, or expand those that have been started as small pilot projects. The reason is that some budget money is slowly becoming available, and the people on the business end of things have long recognized to potential and strategic importance of mobile and wireless deployments.
Also, these execs have also been playing around with such things as Research in Motion's Blackberry, and even using the occasional airport or coffee shop wireless hotspot to retrieve email. They figure that if quick and easy access to email can make them that much more productive and information savvy, why not launch similar efforts throughout the organization? Damn the torpedoes, and wireless access points for everyone!
The problem is that while wireless access both inside and outside the corporate firewall is an effective means of tapping into your email and zapping quick messages to your colleagues, the practice becomes a bit more serious when you are dealing with mission critical corporate information, which can be anything from the latest pricing for fresh fish to the proprietary contracts and negotiations that are exchanged within the corporate legal department.
Since those in the IT department are usually saddled with the responsibilities of control and management and security of all this transmitted information, as well as for the wireless infrastructure, they are understandably careful about jumping enthusiastically from the company airplane and then checking to see if you have a parachute securely strapped on as you plummet to the ground.
Sometimes, these wireless demands are fairly unique, so concerns for security and management are obviously a bit different than your typical company installation. For example, one of the executives we talked to is involved in engineering and construction, and has been asked to consider establishing portable wireless networks directly at a job site so that his company and other companies can easily exchange data within the construction 'trailer park' and with workers in the field.
While this is theoretically possible, he is concerned about compatibility, security and management of such a mobile system. For this reason, he has decided to resist wireless until he is emphatically told to install a system by a client or his superiors. While the ROI potential for such a setup is clear, the security risks are enormous.
In talking with a sampling of IT managers from a wide cross section of industry segments, we discovered the following:
Most companies seem to be satisfied with current security tools and techniques, many of which are primarily designed for intrusion detection. That is, these systems will let you know when somebody has set up an unauthorized wireless access point, or perhaps is trying to tap into your wireless system with a rogue client device outside or inside the company's wireless perimeter. This is fine as a first level of protection, but what is really disturbing is that these intrusion reports are not generated in real time, and they are usually only checked once a week or in some cases once a month! This means that by the time you have discovered that a breach has occurred, the wireless perpetrator has packed up his equipment and fled the scene.
The companies that do actively scout around for rogue wireless signals and access, usually do so by using portable sniffers and sensors that can zero in on these signals. However, not a lot of this is going on, since the reason why companies do it in the first place is not to manage security, but perhaps to check fro the performance of a wireless signal, or reasons why you just can't seem to get a strong signal in the RF-saturated copy room.
There is very little integration happening between management in the wireless world and management on the wired networking side. That is, while security and control are great concerns among those involved in the telecommunications side, there is not a great deal of effort being made to integrate wireless management and security systems with established wired network management systems. Right now, most efforts are independent of each other, with very little linking between the wired and wireless management worlds.
A large number of IT managers and network honchos do not understand wireless management technologies and techniques, or realize that is available beyond their respective primary vendors. For instance, the Cisco users tend to look at Cisco for solutions, while those in the Symbol camp investigate solutions offered by that vendor. This is okay, say most of these IT managers, because these big companies do offer a wide range of solutions and alternatives, even though many of these are locked into their own private world of compatibility. But, there are a number of good and solid third-party solutions from such companies as XcelleNet, Inc., Mobile Automation, Inc., and others that provide strong management and control of mobile systems and systems as well.
Surprisingly, a fair number of companies have resigned themselves to the fact that there will always be unauthorized access attempts, hackers, and rogue clients lurking about your average wireless network. While WEP, or wired security protection is a pretty good deterrent in terms of letting these unauthorized users know they are stepping into restricted territory, and the coming wireless encryption protocols (currently being defined and developed by IEEE committees) will afford even stronger protective measures, these companies believe that unauthorized use or attempts will always be a way of life in wireless.
As such, many companies have established what we like to call wireless "mud rooms." That is, they operate non-mission-critical basic level wireless networks -- usually 802.11b -- that have standard security and can usually be accessed by those outside the company's protected sphere. Since these systems are not linked to the corporate information resource, they are limited basic Web access and do not offer a threat to the company's data.
We don't know about you, but this last alternative sounds more like placing a lot of diversionary cheese around the mousetrap, when it would be far better to focus on building a better mousetrap to identify, catch and punish unauthorized users. Alternatives like these also suggest that there is a fair amount of misconception and ignorance on the IT side in terms of what can and should be done to effectively lock down and secure wireless systems.
This, of course, means that vendors, systems integrators and solutions providers have an opportunity and responsibility to educate their enterprise clients in terms of what solutions are available and what exactly should be done to increase wireless security and peace of mind.
The end result of this would be more deployments and business in the wireless sector as IT managers drop their resistance to wireless projects as their concerns for security and management are lessened. More business means more sales, more development and more productivity as companies channel more mission-critical information over these wireless networks. In short, everybody wins.
Tim Scannell is the president and chief analyst with Shoreline Research, a Quincy, Mass.-based consulting company specializing in mobile and wireless technology and initiatives. Shoreline works with end users, looking to implement mobile solutions, and vendors, developing new products and seeking business and customer opportunities. The company also specializes in training and strategic planning projects. For more information on Shoreline Research and the company's strategic services please go to http://www.shorelineresearch.com.