Security, like other bastions of business, prefers conflict to conformance when first faced with a new technology. Wi-Fi is no exception. In fact, wireless devices have received a corporate welcome every bit as warm as the one I reserve for the long-distance companies that interrupt my dinner to save me a nickel. However, like it or not, remote access technologies are infiltrating the enterprise and will change the direction of corporate security.
Technology adoption as discussed by CIOs and CFOs can sound methodical and leisurely, like a foursome chipping and putting their way through a deserted back nine on a late August afternoon. CSOs know better. Trendy electronic gizmos are the ready golfers of the workplace, driving their way through the corporation and sinking IT procedures in their wake — executive gifts the first year, management perks the next and the subject of Dilbert cartoons thereafter. This is the point where smart CSOs choose to remain noncombatants. They know assimilation is inevitable, especially as the devices devolve into features integrated into other products such as Intel's Centrino chip with built-in Wi-Fi. Another embedded remote technology is RFID chips, which will almost certainly replace bar codes for inventory control — providing a new headache for information security.
Protecting network space, where information is distributed across multiple machines, is a mammoth task. Comprehensive protection requires validation of every action and recurring authentication of each participant. Network space will never be safe because there are too many points of access. Locking up a few tapes or bolting down a computer room is a manageable process, but validating every piece of executing code on a network is not. Especially when much of it is provided by vendors and unaccompanied by source code. Sure, applications provide authentication mechanisms, but they will never be foolproof. Like the antiviral programs, they will always be reacting to the last exploit, not anticipating the next.
Wi-Fi makes it harder to constrain intranet access because physical proximity is all that it takes to circumvent a firewall. "War-chalks" on sidewalks and buildings showing the overlap area of someone's network access point have become common sights. RFID tags may not jeopardise assets, but they do provide insight into inventory if someone gets close enough to scan them. The presence of some tags can give away a secret ingredient for an industrial formula; an unexpected quantity of others may indicate expansion plans. Even the absence of some items may be noteworthy.
It may not take 10 years for this technology to reach critical mass; I'd guess it's more like two to three. Unfortunately, the security mind-set shift from physical prohibition to information control will take longer than that.
Here are some attitude changes for the evolving CSO to consider.
Presence is not permission. Don't assume someone on a network is a legitimate user any more than you would believe that walking through a hotel lobby certifies a person as a guest.
The smaller the granularity, the better the security. Packet and transaction authentication is effective; stream and session is not. Be aware of every device in an organisation that can transmit data, and know what could be done with that information if it's divulged to a knowledgeable person.
Packet-pickers aren't thieves. Bandwidth is often seen as a public resource, and people who would blanch at the thought of breaking into a computer room wouldn't think twice about jacking into wireless networks. Recognise that the motivation is not the same as hackers. Companies shouldn't condone the practice but don't need to be overzealous about stopping it either.
Be thoughtful, not combative when confronted with the rapid dissemination of wireless technologies—it's like quicksand, struggling will only drag you down deeper.
David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the US Navy and an intelligence analyst at DEFSMAC.