Trends for 2004: Managing and securing your mobile workforce

We are quickly morphing into a mobile workforce. Users perform day-to-day business from places we never thought possible. Airports, coffee shops, hotels, convention centers and commuter trains have become extensions of the office. Even airplanes are beginning to offer connectivity to passengers, something unheard of only a few months ago.

In short, the Internet and wireless mobile networks have made information access available to users from nearly anywhere.

Mobility can offer huge gains in productivity, so we must embrace and manage it. A study on wireless LAN benefits conducted by NOP World Technology for Cisco Systems and published last month, for example, showed a 27% increase in productivity and an annual savings of almost $14,000 per mobile employee. Moreover, Gartner Inc. predicts that the number of North Americans using WLANs on a frequent basis will grow from 4.2 million in 2003 to more than 31 million in 2007.

Enterprises must be prepared. Wireless networks create another avenue for unwanted parties to access your network. To optimize the value of a mobile workforce, you must mitigate the associated risks.

To accomplish this, there are two key areas to focus on: tracking and managing a broad and growing mix of mobile assets, and protecting data stored on both mobile devices and in the corporate network.

Know your vulnerabilities

We deal with security risks every day. The effects of viruses, worms, Trojan horses and denial-of-service attacks, which can degrade or halt network performance by overwhelming the resources of a host or network device, are well known, and the risk of loss through data theft is very real.

Intrusions come from a variety of sources: internal or external, intentional or accidental, known or unknown. A 2003 security study conducted jointly by the Computer Security Institute and the FBI concluded that 78% of network attacks come through the Internet -- the remote mobile worker's primary method of network entry.

The risk of network infections introduced by nonstandard applications, by misconfiguring standard applications or by not staying up to date with the latest versions on mobile computing devices can't be overstated. With the explosion of mobile devices, how do you avoid leaving large holes in an IT network that intruders can exploit?

Accept the fact that your employees will use the new tools on the market. Denial of this or reluctance by management to adapt to new technologies will only drive users underground to hide their rogue software applications, increasing your exposure rather than eliminating it.

Most company leaders I have spoken with agree that, except in the case of laptops, the business case for purchasing a mobile tool is an individual's decision. Few companies are issuing the tools centrally unless they're needed expressly for the job, such as tracking package delivery transactions with handheld devices. Each user will have different needs; products that best match those requirements are going to be purchased and used by the individuals.

Establish policies and support frameworks

From a corporate perspective, it's important to manage device configuration and mandate certain security rules and processes. Build processes to ensure that users are educated and trained on these policies. Register the mobile products and refresh them with the latest software versions and security updates, such as antivirus definitions, using automated update tools.

In short, building a manageable framework for mobility involves the following steps:

  • Impose a standard process of asset tracking and configuration management.
  • Standardize on software applications globally that can be managed centrally.
  • Establish a standard distribution tool for downloading and installing applications.
  • Mandate regular backups and restores via hot sync, docking or remote access to minimize data loss.

Safeguard against break-ins

When deploying wireless access, implementing a robust two-way authentication algorithm will authenticate users' identities and verify the legitimacy of the radio access point that connects a user to the wired corporate network. Mutual authentication disallows a connection to an unauthorized access point -- a potential launching pad for entry into the network.

When mobile users are off-site and using the Internet to access the corporate network, use encryption tools such as the IPsec protocol or SSL VPN technology. Data encrypted in the client device before traveling over the Internet access link (whether the link uses wireless, DSL, cable modem technology or something else) has a much lower chance of being intercepted.

On the mobile device side, consider software that encrypts all data on a device's hard drive, requiring users to log on with their credentials each time they reboot. You face trade-offs between usability and security here. So consider encrypting a subset of devices -- perhaps only those that hold highly confidential business information.

Filter 'bad' traffic

It's advisable to deploy traffic filtering at multiple points in the network using firewalls, network intrusion-detection systems and host-based behavior-anomaly-detection software. Firewalls at the perimeter of the network, where the LAN meets the WAN-access connection to the Internet, permit or deny access according to basic access-control lists.

Brad Boston is senior vice president and CIO at Cisco Systems Inc.

Filtering in several network segments can greatly reduce overall risk. Note, for example, that enterprise WLAN users are generally inside the firewall, though radio links can extend through a building's wall, floors and ceilings.

Network intrusion-detection systems monitor copies of packets in transit, searching for known malicious traffic patterns. Host-based filtering using anomaly-detection software adds another layer of protection by anticipating normal traffic patterns (provided you have mapped your network traffic and can identify a "normal" pattern) and flagging when something breaks the norm. Although these anomalies aren't always a problem, it's to your network's advantage to identify and check them.
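The host-based anomaly detection described above needs a mapped "normal" profile before it can flag departures from it. The following added example (not from the article or from Cisco) builds such a profile per source host from constructed flow records, then checks a later window for two kinds of deviation: a connection count far above the baseline and destination ports never seen during mapping. Record format, host addresses and the threshold factor `k` are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records "window src_host dst_port" (not from the article):
# BASELINE_LOG is the mapped normal period, INSPECT_LOG a later window to check.
BASELINE_LOG = """1 10.1.1.5 443
1 10.1.1.5 25
2 10.1.1.5 443
2 10.1.1.5 443
2 10.1.1.5 443
3 10.1.1.5 443"""
INSPECT_LOG = """4 10.1.1.5 443
4 10.1.1.5 445
4 10.1.1.5 445
4 10.1.1.5 445
4 10.1.1.5 445
4 10.1.1.5 445
4 10.1.1.7 22"""

def parse(log):
    return [(int(w), s, int(p)) for w, s, p in (l.split() for l in log.splitlines())]

def build_profile(records):
    """Per host: mean/stddev of connections per window, and ports ever used."""
    windows = {w for w, _, _ in records}
    counts, ports = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for w, src, port in records:
        counts[src][w] += 1
        ports[src].add(port)
    return {h: {"mean": mean([counts[h].get(w, 0) for w in windows]),
                "sd": pstdev([counts[h].get(w, 0) for w in windows]),
                "ports": ports[h]} for h in counts}

def flag_anomalies(profile, records, k=3.0):
    """Return (host, reason) pairs for review; a hit is a lead, not a verdict."""
    counts, seen = defaultdict(int), defaultdict(set)
    for _, src, port in records:
        counts[src] += 1
        seen[src].add(port)
    findings = []
    for host in sorted(counts):
        base = profile.get(host)
        if base is None:  # host never observed while mapping the network
            findings.append((host, "no baseline for host"))
            continue
        limit = base["mean"] + k * max(base["sd"], 1.0)  # floor avoids sd=0 noise
        if counts[host] > limit:
            findings.append((host, f"{counts[host]} connections exceeds {limit:.1f}"))
        new = seen[host] - base["ports"]
        if new:
            findings.append((host, f"new destination ports {sorted(new)}"))
    return findings
```

As the article notes, a flagged host is a candidate for investigation rather than a confirmed problem; a newly provisioned host with no baseline, for instance, shows up here until the profile is refreshed.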

The days when corporate IT departments managed only stationary desktops attached to fixed ports on wiring-closet switches are over. Enterprises are moving to a mobile model of ubiquitous connectivity. Over the next year, we will see many new client devices emerge designed with mobility in mind. Anticipating the ramifications is critical to successfully enabling your workforce and maintaining a secure network.

Mobile tools will proliferate among our workforce. Accept the inevitable and build a core architecture that will make it manageable. The job isn't going to be easy, but with a few effective processes in place, your employees will be mobile, connected and secure.

Copyright © 2003 IDG Communications, Inc.
