More than Meets the Eye
Today’s mobile workforce creates more than just physical security threats
- By Tim Cranny, Ph.D., CISSP
- Apr 04, 2007
PHYSICAL security is an essential part of protecting a company’s mission-critical assets and information. Fortunately, it is a mature industry sector, and many understand the value of locked doors, cameras, alarms and security guards. However, physical security becomes more complicated when you look at how modern technology has changed the computer industry.
Once the perimeter of an enterprise has been secured with appropriate physical security measures, what happens when an employee takes a laptop outside the office, or connects invisibly and silently to a wireless network across the road? Users are now taking critical data far beyond the physical perimeter, and no number of cameras or locks can help because these physical security issues have quietly evolved into logical security threats.
Balancing Mobile Security
Critical intellectual property is quickly becoming more mobile, and most corporate data resides on endpoints such as notebooks, PDAs and smart phones. This increases the risks of theft and unauthorized access.
Protecting data in motion on endpoints and networks as it moves through and out of the corporate environment is critical to successfully operating any business. Organizations must continuously look at innovations in mobile security approaches and decide how they can be customized to fit their own operations and policies.
A mobile workforce gives a compelling opportunity for companies to reduce operational costs and move data out to customer interactions. But protecting data in and away from offices presents a unique set of challenges and risks.
Theft of intellectual property is a larger threat and concern for IT personnel as they work against wardrivers, spammers, hackers, pirates, spoofers, freeloaders and others who spend countless hours trying to gain access to records, files, documents and other related sources of confidential data.
If a laptop is stolen but is unusable to the attacker, it’s little more than an inconvenience. The owner has to replace the physical device and deal with some transient lost productivity. More often than not, the laptop will be covered by insurance and can be replaced.
But what if a laptop gets stolen and the thief has access to the data? What are the implications of an unauthorized user having access to confidential information such as Social Security numbers, birthdates, phone numbers and addresses? A single data security breach can easily cost a company millions of dollars—far more than the value of the devices themselves.
Staying Ahead of the Game
Company security policies cannot be applied once and then forgotten. Security needs to be an ongoing process, incorporating new technologies to build upon and fortify existing solutions. When implementing a security policy, don’t try to reinvent the wheel—harvest other people’s clever ideas. It’s not necessary to be blindingly original, just thoughtful and diligent.
The challenge with physical and logical security is that most people put up one line of defense designed to keep unauthorized users away from a keyboard by physically preventing access to a building or room. But companies sometimes fail to take into account a scenario that includes a bad guy getting past that initial barrier. An ideal situation includes multiple levels of countermeasures in the security framework, making it more difficult for unauthorized users to create havoc.
Customized Security Policies
A layered security approach makes it more difficult for unauthorized users to gain access to intellectual property. There are different types of security that, when implemented together, can create a wall of defense around a network—network access control (NAC), endpoint security and automatic data encryption.
NAC focuses on people gaining access to a network. This access can be gained from the parking lot via a wireless connection, or by people who manage to get on the network by physically connecting a PC inside the building. NAC prevents unauthorized users from gaining network access through either route.
Endpoint security focuses on securing devices, such as laptops and tablet PCs, by giving IT and security administrators the ability to secure and control data in motion as it moves into and out of an organization. Different levels of access can be established based on user rights and location. For example, if an employee is traveling, access to the network can be shut off completely at the airport, limited at a coffee house and completely open at a remote office or client’s office.
The last line of defense is to protect the data itself via encryption. These measures pre-emptively take sensitive data and scramble it before it is saved to network or individual drives. Unscrambling an encrypted document without the key would be so costly and labor intensive that it would not be worth the effort.
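The following is an added example, not code from the article or from Senforce: it shows what "scrambling the data before saving it" looks like in practice, using AES-256-GCM from Go's standard library so that a record taken from a stolen drive is unusable without the key, and so that any tampering with the stored blob is detected on decryption. The record content and the keys are constructed sample values; in a real deployment the key would come from a hardware-protected or centrally managed key store, never from the same disk as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under key, which must be 32 bytes.
// A fresh random 12-byte nonce is generated per call and prepended to the
// output so that Decrypt can recover it; the GCM tag covers both nonce use
// and content, so a modified blob fails authentication instead of decrypting
// to garbage.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error for a wrong key, a truncated
// blob, or any modification of the stored bytes.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	// Constructed sample: the kind of record the article warns about.
	record := []byte("name=Sample Person;ssn=000-00-0000;dob=1970-01-01")

	key := make([]byte, 32) // in practice, fetched from a key store, not the laptop disk
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what a thief sees on the drive: %x\n", blob)

	// Without the key, the stored bytes are useless.
	wrongKey := make([]byte, 32)
	if _, err := Decrypt(wrongKey, blob); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}

	// With the key, the authorized user gets the record back intact.
	pt, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with correct key:", string(pt))
}
```

The design point worth noticing is that the encryption is authenticated: a laptop thief who cannot read the data also cannot silently alter it, because `Decrypt` refuses any blob whose tag does not verify. What the example does not solve is key management; if the key sits next to the data, the "last line of defense" is gone, which is why endpoint products pair disk encryption with a separately protected key.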
Ultimately, every member of the organization has an important role to play in safeguarding intellectual property, especially those processes that are particularly sensitive and critical.
Security should be integral to any business plan, not just a reaction after an event.
About the Author
Dr. Tim Cranny, Ph.D., CISSP, is the senior security architect at Senforce Technologies.