FCW Wireless Security/RFID Conference Roundup


Once or twice a year, I get a chance to look at wireless issues in the federal sector and to hear and talk to CIOs and executives of various government agencies such as DHS, DOD, GSA, etc. It provides a unique view into a different world that is both impressive and befuddling at the same time. Though there are similarities to the Enterprise Mobility segment, it is a different universe where things are driven by mandates and missions, directives and discourses. While there is a sense of urgency, there is also stifling bureaucracy and ineptitude.

I made my annual pilgrimage to Federal Computer Weekly’s (FCW) Wireless Security and RFID Conference in Washington DC earlier this week (courtesy of Compubahn). I also spent some time at an event on Capitol Hill hearing some of the CIOs and their underlings on their future IT plans. At the conference, I got an opportunity to moderate a very knowledgeable panel on wireless security matters. We will get to the panel discussion a bit later.

I think it is quite relevant to discuss federal wireless issues within the enterprise context, as there are several lessons to be drawn that can help organizations going through similar challenges or that are simply unaware of the problems they have. The most fundamental problem that most agencies (and by the same token most companies) have is the lack of a coherent and detailed wireless security policy that considers “all” wireless devices: a device operating within a WLAN controlled by the entity, a device using a foreign network to access internal resources, and a device that is not connected yet but has significant and sensitive information stored on it. How do you manage these devices? What if a device gets lost or hacked? Is the data encrypted? Is the data that gets copied to the SD card encrypted? How is the policy enforced? Can you use the same policy enforcer that you use for the LAN on a wide range of devices: PDAs, Symbian phones, BREW devices, etc.? What’s the policy on Bluetooth? Do you permit Bluetooth devices in your enterprise? (In some agencies, Bluetooth-enabled devices are not procured at all.) Are you aware that there is no encryption? Which ports get disabled, and when? There are plenty of questions but no clear answers. For government, a good starting point is the DOD wireless security policy (8100.2). Any enterprise that hasn’t really laid out its wireless policy could benefit from the same as well.

However, the policy needs to be laid out with plans that take into account scenarios 2-5 years from now. Today’s reality will get outdated really fast, and certainly before your current implementation gets done. Once you have the policy, then what? Well, audit and enforce it.

One of the keynotes was given by Ron McKenzie, who is the point person for American Red Cross IT and wireless implementation (disaster and rescue response units deal with wireless technology and related applications all the time) and reports to SVP and CIO Steve Cooper. He discussed the challenges that Katrina posed to operations, logistics and IT. The main technologies used are satellite, two-way radios, and cellular. The main applications are registration, family linking, bringing shelters online, and connecting with financial institutions to issue cards. One of the biggest challenges is scaling operations up and down. As we are painfully aware, Katrina was a shameful disaster of significant magnitude. One of the basic problems was that communication (ok, so it is not that basic) was woefully lacking. The wireless industry clearly responded well, but we could do more. The initiative really needs to come from the Red Cross. Ron was looking for feedback from the industry as to how they can improve their solutions and processes to better address emergency needs and minimize discomfort and chaos. I bet there are a number of people reading this who have great ideas or experiences that can help in pushing the dialog further. The Red Cross is planning to finalize its “lessons learned” booklet by July 06 and thus prepare a process plan that can be replicated in the event of similar or worse disasters in the future. You can help. If you have ideas on emergency preparedness and execution, please send them along and I will compile and pass them on to Ron, who has promised to give good consideration to all proposals. A few months back, the tsunami in SE Asia created damage and destruction of epic proportions. I always wonder how technology can be applied to reduce the impact of natural disasters or make rescue and recovery operations more tenable. But it is clearly not the technology that is the challenge but the people who use (or don’t use) it to streamline the processes.
With satellite, WWAN, WLAN and WPAN technologies, there isn’t a place on earth that can’t have connectivity for communication or data exchange.

One of the more telling problems (and I see this echoed in the commercial world as well) is the lack of user input into solutions or product roadmaps. There are plenty of vendors touting cutting-edge solutions to various agencies, but they are selling to buyers and not to the users, who are typically busy doing the real work.

My wireless security panel “Technology Fundamentals for End-to-End Security” consisted of Sumit Deshpande, VP, Wireless, CA (Computer Associates), Dean Knuth, National Manager, Northrop Grumman, and Jeff Watts, Sr. Engineer, Smartronix. These guys have dealt with very strict security requirements for most of the major agencies, especially DOD. I asked the panel “Is security a technology issue?” The answer was an emphatic NO. Security is a process in which technology plays an important role. Education, training, awareness, audit, and enforcement are as critical as, or more critical than, the technology implementation of whatever solution you might have. Bruce Schneier explains this in his books and articles better than anyone else.

There has been a lot of talk about the 802.11i (WPA2) standard, which is supposed to be a lot more secure than current WPA/TKIP implementations. Device management and device security are important issues that are mostly overlooked. The other aspect that is hardly considered is that there is more to security than just LAN/WLAN: WWAN- and WPAN-powered devices all need to be managed if security is a concern. Though it hasn’t been a big issue yet, wireless security issues will become important for Sarbanes-Oxley compliance as well. How does a company keep track of corporate SMS/IM/data on wireless devices? Can it be audited? What are the risks? What controls are in place? Another point to remember: though FIPS 140-2 is becoming the norm for encryption, the certification process is arduous, so plan accordingly.

Amid the discussion about security, one can also go overboard in cases where the information being transmitted or stored isn’t sensitive; there, security provisions only help in alienating users, who get fed up with the steps required and the reduced speeds, and the investment goes by the wayside. Security, to some extent, is also a balancing act between user convenience and corporate priorities.

There seems to be a trend of CIOs of various agencies coming from industry these days. I think this is a great trend, but there are many agencies that lack leadership and initiative and still rely on the big consulting companies to run their shop.

RFID: a good overview report can be downloaded free of cost here.

Though there are a lot of privacy and security concerns (just like for Bluetooth), consider the following:

                                     2005          2010          2015
RFID Tag Pricing                     $0.23         $0.06         $0.01
Number of RFID Tags in Use           6.3 million   80 billion    10 trillion
Growth of overall RFID market        $3 billion    $10 billion   $25 billion

Source: IDTechEx (2005)

RFID (and similar WPAN technologies) are going to be pervasive. Applications range from logistics to defense. Though I have been skeptical, human implants are also showing up. Recently a senior executive at one of the biggest software companies I was working with told me that I am underestimating the growth in RFID implants in mobile workers in the next 5-10 years. Maybe there is a point; time will tell.

I also ran into the Iridium booth. I thought the company evaporated after their spectacular flameout, but they are still hanging their hat and focusing on government, public safety, and workers that require remote coverage.

My colleague and friend Sunil Jain raised a few interesting questions recently. Right now there are vendors like Symantec who license and manage security and policy on desktops and laptops, and then you have vendors such as Pointsec, Mobile Armor, Credant and a host of others who focus solely on the wireless device space. With the two worlds converging rapidly, how soon before an enterprise asks Symantec to add a few hundred licenses to their agreement to cover mobile devices as well? Do the (now) niche players get gobbled up by the big boys, or would the reverse be true? Likewise, how do you extend your HP OpenView, CA Unicenter, BMC Patrol, or IBM Tivoli to do wireless device management as well? Also, whose responsibility is security anyway? The OS vendor, the handset guys, the network or carrier, the enterprise (the consumer?) And along the same lines, should security be handled at the network or at the device level? Gartner advocates network-level protection. They contemplate that the mobile world shouldn’t follow the PC deployments of anti-virus and other risk mitigation tools; rather, the network should have these services and only go to devices as a last resort. I think both are required, because there is so much that can happen in a disconnected (from the enterprise, but still connected) mode.

For most new technologies or products, security is generally an afterthought. We as an industry need to get better at designing systems, protocols, and technologies with security built in rather than going through the alphabet soup of new versions to patch up the mess.

Another area that is gaining traction is the concept of Managed Security. Security is getting complicated, and so companies, rather than deploying staff, are interested in outsourcing device management and security of their mobile assets. Would you do it?

Finally, there are several other interesting federal initiatives, like Location Specific Digital Signature (LSDS) and WiMax development work with Intel, integration of RFID with WLAN, biometrics, and locating users using WLAN/WPAN. These will trickle into the commercial sectors in the next 2-3 years.

Your comments are always welcome.