Archive for June, 2010

This week, VPN Haus talks to Peter Brockmann, tech analyst and president of Brockmann & Company. In the first in this two-part series, Brockmann weighs in on the security of mobile devices.

VPN Haus: How are connectivity security issues different for iPhone OS mobile devices vs. the Blackberry or Palm devices?

Peter Brockmann: Modern smartphones are really pocket computers. As such, they exhibit each of the same security risks as their larger computing relatives. They have passwords, sensitive emails, files and critical business applications in their multi-gigabyte on-board flash storage. They can be easily lost; easily stolen. They support WiFi and, as such, can be vulnerable to eavesdropping and Access Point spoofing attacks. Vendors of the leading devices – BlackBerry, iPhone, Windows Mobile, Symbian, Palm (3rd parties offer it for Android devices) – offer products and services to overcome these security risks and enable the device to be a solid platform for mobile business computing and communications.

Devices need to be able to be remotely wiped clean including lock out secrets, passwords and public key infrastructure credentials. Devices need to support encrypted data transmissions over WiFi and over 3G/4G/LTE wireless services. Enterprises need to be able to support rollouts of hundreds or thousands of devices at a time and need to update software remotely and implement corporate-wide security policies.

Unfortunately, each of the manufacturers has implemented different server software to achieve the same result. This is unfortunate because the remote access administrator has to use different apps that do the same thing to support these leading devices, which can introduce process errors and slow support responses, not to mention be the cause for administrator error.

VPN Haus: Do you think any mobile device is more secure than the others?

Brockmann: We have no evidence that one is more secure than the other. These three vendors offer back-office management applications effective for large scale enterprise management of mobile devices. They all support encryption for data in transit, local data protection through passwords, remote wipe and data and directory backup services.

VPN Haus: People are now connecting to their corporate networks from hotels, airports, coffee shops, fast food chains, at bars, and even from the mall. What does the proliferation of remote access locations mean for organizations’ network security. Should they limit where their employees can log-in from and is that really enforceable?

Brockmann: Business needs to happen wherever and whenever business can happen. Only the most paranoid of organizations, where the risks to national security or billion dollar transactions are very large and very real, need to be overwhelmingly sensitive to where users do business. For the rest of us, it would be silly to prevent employees from doing business in some public areas versus others, provided that best practices for privacy, eavesdropping and remote wiping can be maintained. Good security policies always have to balance convenience and security.

Stayed tuned to VPN Haus for more from Brockmann on the proliferation of mobile devices, as well as Mac security.

[tweetmeme source=”vpnhaus” only_single=false]

[tweetmeme source=”vpnhaus” only_single=false]

First, we want to congratulate Information Week’s Marianne Kolbasuk McGee on what Haus thinks is the finest coverage of the EMR technology issue of the major IT weeklies. Job well done! For those of our readers who aren’t familiar with the meaningful use stipulation, here is a rundown culled from McGee’s reporting.

The healthcare industry is scurrying to implement electronic health record (EHR) systems with the hopes of taking advantage of the government’s $20 billion-plus meaningful use incentive program.  But what remains questionable is – what exactly is “meaningful use”?  Although this hasn’t been finalized by the government, the proposed definition includes movement towards using certified EHR technology to improve healthcare quality, efficiency and patient safety.  However, the ambiguity of the working definition has delayed the industry to move forward with implementation.  More details on the proposed definition can be found on the Centers for Medicare & Medicaid Services’ (CMS) website.

Dr. David Blumenthal, national coordinator for health IT, explains the privacy and security issues commonly associated with digitizing health records in a recent June 15 interview with McGee.  He explains that the HITECH act enacted a whole series of provisions to tighten the privacy and security laws under HIPAA, and the Office of Civil Rights has already issued an interim final rule on breach notification that requires the notification of patients or other individuals whose data is exposed.  Dr. Blumenthal also explains that healthcare IT departments are concerned about the technical challenge of putting EHRs into practice and possible lost of initial productivity.

If we could make one suggestion, it would be that McGee explore what meaningful use has to say about secure transfer of data from point-to-point, i.e., what’s the scoop on VPN here?  Will the requirement be simply that encryption is required? What about endpoint security, etc? Healthcare tech is increasingly going wireless and thus a hot topic.

[tweetmeme source=”vpnhaus” only_single=false]

[tweetmeme source=”vpnhaus” only_single=false]

Ben Ruset is systems administrator at Princeton University. He speaks to VPN Haus about how graduation and new school seasons can disrupt provisioning. See Part 1 of the Q&A here.

VPN Haus: Does the size of the university matters in how to deal with provisioning?

Ruset: I think that the size of the university may present some logistical challenges, but this is where having set policies and well-documented workflows are crucial. Basically, it boils down to managing expectations. You have the expectations of the students (that they will get an account), the expectations of the people in IT (that they will have the information they need to create the account), and the expectations of the registrar’s office (that the students will be taken care of.) The only way that this will happen is with clear communication.

So to turn this back into the corporate world, when a new employee is hired it’s important to make a good impression. So things like having an account provisioned for them, a PC on their desk, etc. is absolutely crucial. If they walk in and they don’t have a place to sit, don’t have a way to receive emails, etc. it doesn’t paint the organization as a whole in any good light. By having a policy in place that says “when a new employee is hired, IT should be notified at least X days prior to the employee start date, and IT should confirm with HR that the account has been created”–  it sets the level of expectation. Now, if the workflow isn’t followed, it becomes a human problem (oversight, laziness, being overworked, etc.) and not a technological problem. Ideally then the organization can then address the issue with the person and prevent the issue from happening again.

You can essentially reverse all of that for account de-provisioning.

VPN Haus: Are the influx of mobile devices on campus impacting network connectivity issues (bandwidth, provisioning, network access, security)?

Ruset: I’d say that wireless networking is probably the biggest thorn in the network group’s side right now, but is also the area where the campus really has to invest in. I think that now there’s an expectation that WiFi will be ubiquitous throughout campus, and that involves a heck of a lot of infrastructure to make that happen. Just by walking through Frist Campus Center at lunch (if you watch House MD, it’s the building they use to show Princeton Plainsboro Hospital), you’ll see dozens of students with their laptops open, working or relaxing. Add phones that have WiFi built in (eg: iPhone, Android, etc.), and things like iPads it’s not going to be uncommon for students to have two or three wireless devices on the network at any one time.

One of the really big challenges is IP space. Princeton uses routable IPs for all of their devices, and they’re in short supply. That’s one of the reasons why the network team is so proactive at looking at traffic and blocking devices that misbehave.

Ben Ruset is systems administrator at Princeton University

Related Reading:

Q&A with Ben Ruset, Princeton University PART 1

De-provisioning is Just for Former Employees, Right? Wrong!

IT departments should make the case for corporate resources

Combating Data Breaches with Provisioning

[tweetmeme source=”vpnhaus” only_single=false]