Corporations should think of wireless security as an add-on to their existing security architecture, not as a separate entity, according to analysts and vendors at the Wireless Security Conference and Expo. IT managers should either integrate the new wireless piece into the overall company security policy, if one already exists, or take the opportunity to create a plan for the entire IT infrastructure, security experts urged Wednesday at the event, being held in Cambridge, Massachusetts.
Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats that emanate from the wireless world, said Craig Mathias, principal at advisory and systems integration company Farpoint Group, based in Ashland, Massachusetts.
It used to be the case that corporations weren't embracing wireless technology because of security concerns. Now, however, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence Inc. in Chester Springs, Pennsylvania.
Farpoint's Mathias agreed. "Most security solutions are much too difficult for most people to use and understand," he said. "Too often end users are required to be their own security systems integrators," buying a firewall from one vendor, a VPN (virtual private network) from another and trying to make all the products interoperate.
The situation is beginning to change, as vendors build more functionality into wireless LAN switches. Additionally, some companies are working on the ease of use issue. Mathias singled out Ann Arbor, Michigan-based Interlink Networks Inc.'s LucidLink, an enterprise-level wireless security application designed to be easily deployed by small business and home office users. "It's a step in the right direction," he said. "Down the road, the industrial-strength security products will also go this route."
Mathias stressed that wireless will likely form only a small piece of a company's security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards. Companies need to keep updating their security policy and verify the solutions they have in place to counter attacks are doing their job.
In a large company, IT managers can establish a security operations center (SOC) where people watch out for any violations and attacks. Over time, Mathias expects to see automated tools aimed at smaller companies fulfilling the same functions as a staffed SOC.
How a company thinks about security alters over time. Rob Kermode, general manager, managed wireless services at Sprint Business Solutions, based in Kansas City, Kansas, pointed to his own company's experience. Eight months ago, the mobile communications firm considered wireless e-mail to be "very benign," he said, but all that changed with the December 2004 announcement of a planned merger with Nextel Communications Inc.
Suddenly, wireless e-mail became a cause for concern, given the potential for possible leaks of sensitive financial information relating to the planned tie-up with Nextel. Thus far, Sprint hasn