Companies need to build it into their existing security architecture

Corporations should think of wireless security as an add-on to their existing security architecture, not as a separate entity, according to analysts and vendors at the Wireless Security Conference & Expo. IT managers should either integrate the new wireless piece into the overall company security policy, if one already exists, or create a plan for the entire IT infrastructure, security experts urged yesterday at the event held in Cambridge, Mass.

Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats from the wireless world, said Craig Mathias, principal at advisory and systems integration company Farpoint Group, based in Ashland, Mass.

It used to be that corporations didn't embrace wireless technology because of security concerns. Now, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence Inc. in Chester Springs, Pa.

Mathias agreed. "Most security solutions are much too difficult for most people to use and understand," he said. "Too often, end users are required to be their own security systems integrators," buying a firewall from one vendor and a [virtual private network] from another, and trying to make all the products interoperate.

But the situation is beginning to change as vendors build more functionality into wireless LAN switches. Additionally, some companies are working on the ease-of-use issue. Mathias singled out Ann Arbor, Mich.-based Interlink Networks Inc.'s LucidLink, an enterprise-level wireless security application designed to be easily deployed by small-business and home office users. "It's a step in the right direction," he said. "Down the road, the industrial-strength security products will also go this route.

Mathias stressed that wireless will likely form only a small piece of a company's security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards. Companies need to keep updating their security policy and verify that the solutions they have in place to counter attacks are doing their job.

In a large company, IT managers can establish a security operations center where people watch out for any violations and attacks. Over time, Mathias expects to see automated tools aimed at smaller companies fulfilling the same functions as a staffed security operations center.

How a company thinks about security changes over time. Rob Kermode, general manager for managed wireless services at Sprint Business Solutions in Kansas City, Kan., pointed to his own company's experience. Eight months ago, the mobile communications firm considered wireless e-mail to be "very benign," he said. But all that changed with the December 2004 announcement of a planned merger with Nextel Communications Inc.

Suddenly, wireless e-mail became a cause for concern, given the potential for possible leaks of sensitive financial information relating to the planned tie-up with Nextel. Thus far, Sprint hasn't done anything specifically to address the issue, according to Kermode. Like any large company, "we're slow to move," he said. "We're trying to place one bet in security and live with it. We'll research it fully and then do something."

Ultimately, all companies need to be aware that there's no such thing as absolute security, and there never will be.

"We have a saying [here] that if you could just get rid of the end users, you could have perfect security," quipped Jim Burns, senior software developer at Portsmouth, N.H.-based network authentication software developer Meetinghouse Inc.

What's needed is for companies to establish a "culture of security," according to Mathias, and to provide training and support to their users so that employees understand how to use wireless technologies safely.

<< Back