The long view of security strategies for your network.
Gordon Merrill, MSIA, continues his series on security aspects of operating systems, mobility and the cloud. Everything that follows is Mr. Merrill's own work with minor edits.
* * *
Here are a couple of anecdotes to get us thinking about the shift from company-issued computers to personally-owned mobile computing:
• I had a class of students one day time their smartphones to determine the time from when they pressed the icon for Facebook until login occurred. They averaged less than two seconds, and not all of them have 4G service yet. When, not if, your company moves to the mobile device over the traditional client-server model, you will have to compete with the less-than-two-second connectivity the mobile generation has become accustomed to.
• At a coffee shop, I had to smile as I looked at a customer who was working on his company-issued laptop with a boldly displayed label on the lid warning that no other applications were allowed on the device but those installed by the company. What I chuckled about was that
1. Companies are already losing control over which devices are connecting to their business to do business; and
2. Companies will not be able to control what is on these personally owned devices.
So how do you move away from the old corporate lock-down security approach, in which only devices owned and issued by the company may connect, and only software and applications installed by the company may run on them?
The model we have grown accustomed to has three levels. The network:
• verifies the user,
• verifies the device, and
• verifies that the device is free of known malware and vulnerabilities.
The new model now has to perform these steps at the speed of 4G, and at the swipe of a finger. Since all phones are now app-friendly, what app will your company require to be installed on any mobile device to check and verify all three levels of verification before connection? Will the app need to connect regularly behind the scenes to remain current? Will the app need to update its pre-screening algorithms so it can scan the device for any new malware prior to the swipe of a finger and the expected two-second connection? Will this need to be pre-authenticated every time the user picks up the phone or turns it on? Does this system require the user to log in every time they open the phone?
Everybody wants the latest new device and technological toy. Everyone wants to be able to use that toy to connect for work, for fun and for personal reasons, either now or soon. But can they connect securely under our current business and security models? And are we educating our users to understand the importance of extending security to their personal mobile devices?
I know of a regional hospital where the medical director of a certain department has a new iPhone and wanted his hospital e-mail and medical charts to be available on his phone. The hospital allowed him to do so, but on every connection it scanned his device for malware. On his phone was a video of a grandchild sent to him by his son. However, his son had picked up some malware on one of his systems and the video the doctor received contained a virus. Understandably, the hospital security software removed his grandchild’s video. To the amazement of the IT staff, the doctor was irate: he said that IT had ruined his phone and lost his video!
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Professor of Information Assurance & Statistics in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.