This article originally appeared in the March issue of INTERNET TELEPHONY magazine.
Bruce Schneier tells us that notions of security are meaningless unless linked to specific threats. He also points out that security policies are tradeoffs: increases in security are often at the expense of usefulness or usability. This also holds in the opposite direction.
Mobility is so useful as to be indispensable, but introducing mobility adds several categories of vulnerability to enterprise networks. Smartphones and laptops taken off the company premises can be lost or stolen; when a device is lost or stolen, the data on it can be stolen; and if the device is connected to a network other than the corporate network, its traffic can be observed, and the device is more vulnerable to being hacked, since it is outside the corporate firewall. When you add Wi-Fi to the mix, additional threats appear; for example, even on-premises traffic can be vulnerable to interception by somebody parked outside, and hackers have demonstrated that a malicious transmitter can gain control of computers with vulnerable Wi-Fi device drivers.
Compounding these vulnerabilities, an increasing number of organizations have thrown in the towel on smartphones and iPads, and now allow users to bring their own devices to work. This means a vastly increased variety of devices with company secrets flowing through them.
Mobility doesn't change the greatest security vulnerability: people. Again, Bruce Schneier gives the uncomfortable truth: “Amateurs hack systems, professionals hack people.” The disquieting consequence is that if your network isn't already compromised, then it is likely to be, regardless of your countermeasures.
So you need measures to mitigate the damage when the inevitable happens. Much worse than getting hacked is getting hacked and remaining unaware of it. Fortunately, there is something you can do about this: intrusion detection systems monitor your network traffic and issue alerts when they encounter suspicious behavior.
To be adequate, your mobile security plan must include not only conventional measures like firewalls, AAA, VPNs, storage encryption and remote wiping, but also explicit user training and intrusion detection.
Edited by Jennifer Russell