New security threats from every which way
Security for the mobility (and portability) layer
SOA already is intersecting with mobile devices at such companies as Delaware Electric. With one field-automation application, for example, workers there can order materials for system designs from wherever they are using tablet PCs. Using these devices, electrical-systems design engineers do everything from laser-surveying GPS points to designing and laying out the wires and meters.
"Enabled through SOA, we're able to expose the tablets to an XML interface, and push that data to an accounting and business platform that takes care of materials reservations and supplies," says Gary Cripps, the utility's CFO.
Mobility should foremost be handled through encryption, says Mark Burnette, executive director of IT operations and security at Gaylord Hotels, a hotel chain in the US. One need only look at the number and types of privacy breaches posted on the Privacy Rights Clearinghouse Web site to realize mobile laptops will continue to be a leading vulnerability. They are "a huge risk exposure," he says.
As part of its compliance efforts, Gaylord Hotels last year deployed Credant Technologies' FIPS 140-2-validated Full Data Encryption2 technology. With it, the company has encrypted data on its 800 Windows laptops.
Protections for mobile devices -- at least laptops and BlackBerries -- are more mature than those for virtualization and SOA. This is particularly the case with network-access control (NAC)-based endpoint management coming of age, says Rob Israel, CIO at John C. Lincoln Hospitals in the US. Last year, Lincoln Hospitals allowed browser access to patient charts, reports and documentation for 800 clinicians and processing partners over their desktops, laptops, BlackBerries and other PDAs. The organization is using Lumension Security's PatchLink Update (in combination with other Lumension NAC-based application- and device-security products) to manage updates.
Encryption also will merge with endpoint security management; earlier this month, for example, Symantec added endpoint encryption to its endpoint security suite. Overall, Gartner estimates endpoint security platforms will become a US$3.6 billion market in 2009.
Mobile phones already are accessing their employer networks to get e-mail and other functions, experts say. At Mercy Medical, the technology team is studying unified messaging services to roll out to its mobile phone user base this year. The goal is to replace its e-mail-only application.
If these types of applications are going out to user-owned phones, they'll be increasingly difficult to protect, says consultant Janulaitis, who predicts that over the next few years, US network carriers will be forced to uncouple their networks from their phones and follow the model that's happened outside the United States. "Then users will be using voice over IP over the cellular network, picked up by Wi-Fi hot spots wherever they travel."
Oh yes, let's not forget that layer, with Wi-Fi Protected Access the prevailing encryption and security standard for Wi-Fi networks.
Retailer Circuit City uses Wi-Fi standards to segment networks at store locations as a security measure, says Steve Alexander, information security architect at the US-based retailer. One network is for sales assistants who use tablet PCs to access only the public Web site and answer customer questions (they do not take in customer information). The Repairs department gets its own wireless network, which especially must be kept separate because computers coming there usually are infected with some type of nasty. And cash registers, for now, are wired.
"It's not a matter of 'do this, fix that,' and you're secure," Alexander says. "It's a combination of many layers of security at many levels, across your infrastructure."
One critical but often overlooked management task in a virtual environment is how to raise a computer securely from suspend, or sleep, mode. The issue is making sure the machines that have been in a sleep state are updated and patched before allowing them to go live on the virtual network. This is handled differently depending on the virtualization management provider.
As part of its life-cycle program, for example, Novell keeps varying states of virtual servers in a controlled "warehouse." The system can be configured to send suspended virtual machines through the patch process before they can spin up on the virtual network.
Configuresoft's Enterprise Configuration Manager for virtualization, when integrated with its EDM Service Desk, can inform Service Desk of reactivation and compare the machine snapshot against a security checklist before reactivating.
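As an added illustration (not code from the article or from any of the Novell, Configuresoft or Fortisphere products it names), here is one way such a resume gate can be expressed: a suspended VM's snapshot is compared against a security checklist, and the gate separates patches released while the machine was asleep from ones it already lacked before suspension. All names, patch IDs and dates are constructed.

```python
"""Resume gate for suspended virtual machines (constructed example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Snapshot:
    """What the management layer knows about a VM that was put to sleep."""
    vm_name: str
    suspended_at: datetime
    installed_patches: set[str]
    av_signature_date: datetime


@dataclass
class Checklist:
    """Security baseline a VM must meet before it may go live."""
    required_patches: dict[str, datetime]   # patch id -> release date
    max_signature_age_days: int


def gate_resume(snap: Snapshot, check: Checklist, now: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, findings). The VM may rejoin the network only with no findings."""
    findings: list[str] = []
    for pid in sorted(set(check.required_patches) - snap.installed_patches):
        # A sleeping VM never saw patches released after it was suspended;
        # anything missing from before suspension is a separate hygiene gap.
        released = check.required_patches[pid]
        when = "released during suspension" if released > snap.suspended_at \
            else "missing before suspension"
        findings.append(f"patch {pid} {when}")
    sig_age = (now - snap.av_signature_date).days
    if sig_age > check.max_signature_age_days:
        findings.append(f"AV signatures {sig_age} days old")
    return (not findings, findings)


# Constructed sample data: a stale VM and a current one checked on 2008-12-01.
CHECKLIST = Checklist(
    required_patches={"KB-A": datetime(2008, 10, 1), "KB-B": datetime(2008, 11, 15)},
    max_signature_age_days=7,
)
STALE_VM = Snapshot("billing-01", datetime(2008, 11, 1), {"KB-A"}, datetime(2008, 10, 30))
FRESH_VM = Snapshot("web-02", datetime(2008, 11, 20), {"KB-A", "KB-B"}, datetime(2008, 11, 27))
NOW = datetime(2008, 12, 1)

if __name__ == "__main__":
    for vm in (STALE_VM, FRESH_VM):
        allowed, findings = gate_resume(vm, CHECKLIST, NOW)
        print(vm.vm_name, "go live" if allowed else "quarantine", findings)
```

A VM that fails the gate stays in the quarantined "warehouse" and is routed through the patch process, then re-checked, rather than being allowed onto the virtual network.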
And Fortisphere is planning a microkernelized driver for the guest that would be able to tell what is occurring on the virtual machine. This would include which processes and connections are active.
Radcliff is a freelance writer covering computer crime. She can be reached at deb@radcliff.com.