Wireless Security: What's Good Enough?
Despite strong advances in WLAN security, a survey found that many organizations don't take even basic precautions. Here are some wireless security best practices to allay your concerns.
September 26, 2005
Without a doubt, wireless LANs have had a black eye when it comes to security. Early missteps with static keys in Wired Equivalent Privacy (WEP) encryption have been repaired, and today's WLANs can be deployed with Advanced Encryption Standard (AES), the strongest encryption available in the U.S. Even so, reports of RF jamming and wireless service theft still have many organizations unwilling to deploy wireless service beyond lobbies, conference rooms, and other convenience areas.
But with the encryption problem essentially solved, what are the key concerns about security today? Just how much security is enough? And is yesterday's bad reputation still stopping organizations from deploying WLANs? These are just some of the questions the editors of MobilizedSoftware.com set out to answer in a survey on wireless security that targeted readers of MobilizedSoftware.com, MobilePipeline.com and other CMP technology web sites. The survey, which was conducted in August 2005, had 217 valid responses.
Fear of hacking, as it turns out, is the most cited concern among organizations that have not deployed WLANs; however, organizations that have already deployed mobile solutions understand that the greater risk lies in the loss or theft of mobile devices. And while the vast majority of organizations use VPNs to ensure the privacy and security of their wireless communications—and increasingly are adopting industry-standard 802.1X and AES encryption—a significant number of companies are taking a big risk and deploying mobile solutions without even the barest of precautions.
The Top Line
The first discovery of the MobilizedSoftware security survey was that security concerns appear to be on the rise. More than half (59 percent) of the 217 respondents' organizations use mobile software solutions today. Of those respondents whose companies hadn't yet deployed wireless, concern over security was the most frequently mentioned deterrent (43 percent), followed by no clear return on investment (37 percent).
Regardless of whether or not wireless was currently deployed, leakage or theft of confidential and private information was the most frequently cited concern. The second greatest concern was loss or theft of the mobile devices, although this was cited much more among those with deployed wireless (64 percent) than those without (39 percent).
The source of the greatest security risk to mobile solutions differs between those with wireless deployed and those who have not yet taken the plunge. One-third of respondents without wireless deployed in their organization envision hackers as being the greatest security risk, while one quarter of respondents with wireless deployed feel that employees who lose their devices—along with the business-critical information they contain—pose the greatest security risk.
Yet despite the fears, half of the respondents say that no security breach has occurred because of mobile and wireless solutions. And only 11 percent of the respondents' organizations admit to actually experiencing a security breach that can be attributed to a wireless network.
Best Practices from the Field
Companies that have mobile software solutions deployed were asked to rate their company's process and practices for mobile security. The majority (84.5 percent) rated their company as good or better. Close to one-third feel their company is above average, but only 9 percent would say their company's process and practices are world class.
Respondents were asked how their organization assessed the business value of the mobile data to ensure the right level of security. Most relied on only one assessment method. Close to half (47 percent) of respondents performed internal risk analysis, and only 15 percent hired consultants to perform a risk analysis.
When asked how they will know they have attained their mobile security goals, the most frequently cited gauge was meeting corporate security policies (48 percent). Over one-third said they would have to pass an external audit and/or comply with industry and governmental regulations.
Authentication and Encryption
Authentication and encryption are essential to ensuring the privacy of wireless communications. Two-thirds of organizations used IPSec or SSL VPNs for authentication. About a third used IEEE 802.1X, which is the gold standard for authentication on 802.11 WLANs and is part of the WPA 1.0 and WPA 2.0 specifications. Only 8 percent are using biometrics.
Most respondents' organizations (57 percent) relied on IPSec or SSL VPNs for encryption, followed by one third adopting AES encryption as part of WPA 2.0. Surprisingly, 16 percent use static WEP for encryption, which is the weak encryption method that gave WLANs a bad reputation. And 11 percent don't use any encryption at all, which is virtually inviting an information breach.
Despite the somewhat bleak outlook in terms of implementing strong security for wireless networks, the survey seems to suggest that at least people are aware of the issues and technologies involved. It may take upper management buy-in, or overcoming other obstacles, before enterprise wireless networks become airtight against the threats that loom.