Does Wi-Fi Network Compliance Equal Corporate Data Security?
If a network is compliant with regulations, does that mean it's secure? Unfortunately for both IT professionals and businesses, no, it doesn't. Why? Compliance is not security, but security can be compliant: it can satisfy a set of requirements and guidelines that ensure data is confidential (accessible only to authorized users), has integrity (has not been changed or modified), and is available on demand.
Compliance is about making choices to implement security controls in your organization aimed at keeping data safe and secure, but available. After all, critical data like customer lists and corporate secrets would be useless if it were not available to your employees.
Using Threat Models to Prepare for the "Worst Case Scenario"
To make data available is to necessarily put it at risk of being stolen, compromised, or even destroyed. To protect it, first put on your Hollywood screenwriter's hat and think of all the bad things that could happen to the data, the devices it's carried in, and the networks that carry the devices. This process, captured in a threat model, is designed to identify risk and build a set of requirements that will mitigate it.
Threat modeling identifies resources of interest to hackers and thieves and brainstorms the feasible threats, vulnerabilities, and available security controls. The model includes the likelihood of an attack or series of attacks on resources and the impact on an organization when an attack is successful. Yes, assume there will be attacks, because you need to make data available for use, and assume that one or more of them will be successful.
If you look at security as a process, it becomes a series of battles where you will win some, lose some, and hope you don't lose a lot. Otherwise, you will be out of data and out of business in a short period of time. Let's look at some guidelines for managing and securing mobile devices in the enterprise.
For any mobile device on your company's site, enterprise IT should:
- Restrict access to hardware and software.
- Manage wireless interfaces.
- Monitor and report exceptions.
- Require authentication to access company resources.
- Restrict app installation.
To meet the above goals, first identify the devices that you intend to support in terms of their features, e.g., network services such as cellular, wireless, Bluetooth and Near Field Communication; built-in (non-removable) storage. Also consider external, removable storage (Flash memory, USB) and one or more digital cameras. Then build a threat model for the mobile services. To simplify, let's take one aspect of a threat model, Wi-Fi, and ask what happens in each of these cases:
- Use of untrusted networks.
- Interaction with untrusted systems.
- Use of untrusted content over the network.
- Use of Global Positioning System and Location services.
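The likelihood-times-impact scoring described above, applied to the four Wi-Fi threats and the five enterprise IT controls from this post, can be written down as a small risk register. The following is an added example and is not code from the original post; the 1-to-5 scoring scale, the likelihood and impact values, the control keys and the "gap" threshold are constructed assumptions chosen for illustration, not figures from the post.

```python
"""Minimal Wi-Fi threat register for a mobile-device threat model.

Added example, not from the original post. Threat names and control
names come from the post; the 1-5 scale, the scores assigned to each
threat and the gap threshold are constructed assumptions.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumption: 1 = rare/negligible .. 5 = expected/severe

# Control keys mapped to the five enterprise IT goals listed in the post.
CONTROLS = {
    "restrict-hw-sw": "Restrict access to hardware and software",
    "manage-wireless": "Manage wireless interfaces",
    "monitor-exceptions": "Monitor and report exceptions",
    "require-auth": "Require authentication to access company resources",
    "restrict-apps": "Restrict app installation",
}


@dataclass
class Threat:
    name: str
    likelihood: int                      # 1..5, how likely the attack is
    impact: int                          # 1..5, damage if the attack succeeds
    controls: list = field(default_factory=list)  # keys into CONTROLS

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently skew ranking.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: scores must be within {list(SCALE)}")
        unknown = [c for c in self.controls if c not in CONTROLS]
        if unknown:
            raise ValueError(f"{self.name}: unknown controls {unknown}")

    def risk(self) -> int:
        """Risk score as likelihood multiplied by impact."""
        return self.likelihood * self.impact


def build_wifi_register() -> list:
    """The post's four Wi-Fi threats with constructed (assumed) scores."""
    return [
        Threat("Use of untrusted networks", 5, 4,
               ["manage-wireless", "require-auth"]),
        Threat("Interaction with untrusted systems", 4, 4,
               ["require-auth", "monitor-exceptions"]),
        Threat("Use of untrusted content over the network", 4, 3,
               ["restrict-apps", "monitor-exceptions"]),
        # Left without a control on purpose to show how gaps are surfaced.
        Threat("Use of Global Positioning System and Location services", 3, 2),
    ]


def rank(register: list) -> list:
    """Threats ordered from highest to lowest risk score."""
    return sorted(register, key=lambda t: t.risk(), reverse=True)


def gaps(register: list, threshold: int = 6) -> list:
    """Names of threats at or above the threshold that have no control.

    The threshold of 6 is an assumption; an organization sets its own
    risk-acceptance level.
    """
    return [t.name for t in register if t.risk() >= threshold and not t.controls]


def coverage(register: list) -> dict:
    """How many threats each control mitigates, to spot unused controls."""
    counts = {key: 0 for key in CONTROLS}
    for threat in register:
        for key in threat.controls:
            counts[key] += 1
    return counts


if __name__ == "__main__":
    register = build_wifi_register()
    for t in rank(register):
        names = ", ".join(CONTROLS[c] for c in t.controls) or "NONE"
        print(f"{t.risk():>2}  {t.name}  [{names}]")
    print("Unmitigated above threshold:", gaps(register))
    print("Control coverage:", coverage(register))
```

Running the script ranks "Use of untrusted networks" first and flags the location-services threat as an unmitigated gap, while the coverage count shows that "Restrict access to hardware and software" is assigned to nothing, which is exactly the kind of inconsistency a compliance policy review should catch before the model is turned into requirements.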
Now you see how difficult it is to begin to develop a compliance policy (and this one is just for mobile devices and, within that, Wi-Fi security!). Look out for my next post where I will address security technologies available for each of the above threats in mobile device management as well as intrusion detection and protection systems.