Securing Mobile Workers

The wireless debate has moved from demonstrating that wireless is a viable technology to solving the associated management issues. New software and upgrades may hold the answer.

Many companies have extensive policies regarding which online resources employees can (and cannot) access. For many, productivity is also an issue: from the employer's point of view, work-issued computers should be used for work matters, at least during business hours. Whether or not that happens, however, many companies tell workers that the e-mails they write and Web sites they visit may be monitored.

Enter wireless. According to Jupiter Research, today more than half of U.S. companies actively support at least one wireless network, and 22 percent plan to implement wireless technology by the end of the year. As companies continue to upgrade employee laptops with built-in wireless technology, the desire to connect wirelessly in hotel rooms and conferences—if not the workplace itself—is increasing.

Mobile technology continues to proliferate, and security managers are paying closer attention to wireless security issues and actively managing rollouts, but content filtering and monitoring just haven’t kept up. When workers log onto hotspots, corporate policy can’t, technologically speaking, be enforced; they’re off the grid.

The information security implications are clear: mobile workers are a weak link in network defenses. Users can download from sites security administrators might otherwise block with extreme prejudice—say, music download sites offering software known to harbor spyware—and as a result, bad software can potentially worm its way through the enterprise.

“Wireless hotspots are the new danger zones for corporate Internet policy management,” says Jim Murphy, Web filtering product manager for SurfControl, a Web and e-mail filtering company.

Iain Gillott, head of wireless and mobile research firm iGillottResearch, notes that “Network managers are demanding ways to control the security of wireless devices, just as they do their wired networks.” It goes beyond just ensuring network encryption is on.

More software now has the ability to block mobile users from sites or restrict what they see. Novell, for example, released a new version of its remote access security VPN software, BorderManager 3.8. In addition to providing role-based access to enterprise applications, the software can limit users’ Internet activities, restricting their access to sites and also using other companies’ content filtering tools to limit what they see. The software also integrates with Novell’s Nsure Audit software for logging; security administrators can review sites employees visit.

Another option should be available soon from SurfControl. Dubbed Project Nomad, it’s thin-client software for mobile user Web and e-mail filtering. Its goal is to allow a company to restrict access to, and monitor access attempts of, employees even when they’re mobile.

“Until now, the wireless debate has centered around infrastructure issues—making the technology work, and demonstrating to the enterprise that wireless is a viable technology to solve business requirements,” says Murphy. Now, however, companies are buying in and management issues come to the fore, especially in regulated industries. Companies don’t want social security numbers getting sent through e-mails, for example.

Murphy says most companies share four initial questions when it comes to wireless rollouts: “Is this stuff enterprise ready, can I administer it, are there real benefits to it, and is it secure?” Not long after, he says, organizations seek to extend “acceptable usage policies for not only the people inside your organization, but to all workers in the field.” Wireless networks introduce new security concerns, especially if rollout isn’t actively managed.

Protecting wireless workers from the same Internet content risks that are filtered from those inside the corporate network is especially important in regulated industries, which don’t want to ever see, say, social security numbers going out through e-mail. Even “an honest mistake” isn't acceptable—regulations make no such distinction.

SurfControl thinks it has the answer. The company is currently soliciting beta users for Nomad from its current customers (which can contact their account representatives to volunteer). The product monitors workers even when they’re mobile—a server watches Nomad client software on a user’s computer to filter and monitor all access, and also block users from accessing the Internet in unapproved ways—a third-party browser, for example. “SurfControl's philosophy is it doesn't matter how the user gets to the content; the organization needs to … [be] able to manage the access to all content,” says Murphy.

As with SurfControl’s other products, Nomad checks all content requests—e-mail and Web sites—against policies. Those policies can block specific Web sites, or filter Web sites or spam e-mail messages by referencing keywords in dictionaries maintained by SurfControl or in custom dictionaries specific to the client company. If the request doesn’t violate a policy, the check is transparent to the user. If it does, a message says the site is blocked. Organizations can set policies tied to groups of users or to individuals. Behind the scenes, databases track users’ activities.

“Our customers are concerned about … things going on in the field,” Murphy notes. Mobile workers have “all the same risks, but with fewer protective layers” than people not on wireless networks.

Another risk also drives the need for logging all activities. “If employees violate the corporate [access] policy, the implications are much larger outside the corporate wall,” he says. For example, “if you're a consultant and someone potentially sees that you've got pornographic material on your machine, that could have a different effect if you’re outside the company, at a customer site—even worse than if you were inside your own company.” Hence the push by companies to close the current mobile worker content filtering gap.

SurfControl hopes to release Nomad by summer 2004 for Windows 2000 and XP laptops.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.