Ralph R. Stahl, Jr.
Information Technology Professionals today are unsure of themselves in a strange new environment. However, end users are telling security practitioners that they can no longer perform optimally and beat the competition if their access to information and processing power is restricted by the mainframes in the corporate data center.
The days when security practitioners arrived at the office to find a stack of computer printouts on their desks are gone. Paper has been replaced by computers on the desktop in the environmentally correct and secure office. In addition, users today expect to be able to connect their notebooks by modem from any location to the server at headquarters. Tomorrow, mobile users may expect connectivity for their notebooks in the air as they fly and on the ground as they drive to their next destination. The business traveler may anticipate that all applications will behave in exactly the same manner on the road as in the office.
Large companies like AT&T are encouraging employees to telecommute for three major reasons:
LINK Resources Corp., a New York City consulting firm, reports that Americans bought for home use a record 5.85 million microcomputers last year. One out of three American households already has a microcomputer. BIS Strategic Decisions estimates that 45 million workers in the United States are considered part of the mobile work force. Other surveys estimate that, in addition to the time spent in the office, the average white-collar worker spends six hours a week working at home.
Against this backdrop, the challenge for the application developer is to develop systems that may be used in any environment. The information architecture for the enterprise must also accommodate many methods of remote connectivity (i.e., dial-up, Integrated Services Digital Network [ISDN], Cellular Digital Packet Data [CDPD], Internet, wireless, video, and image transmission) in addition to the traditional local area network and wide area network connectivity.
Exhibit 1. Model of Security Services.
This chapter is divided into four major sections: availability and continuity; integrity; confidentiality; and new technology considerations, which briefly reviews the security implications for some of the emerging technologies. The architectural model of the security services in Exhibit 1 provides a high-level view of the interdependence of identification and authentication, authorized privileges, availability, continuity, integrity, and confidentiality in providing a trustworthy environment that supports non-repudiation and mobile power user security.
In this chapter, availability is defined as the assurance that an authorized user's access to an organization's resources will not be improperly impaired. Achieving such assurance involves properly categorizing information privilege keys and ensuring that the mobile user's authorized privileges are properly associated with these privilege keys. Availability also involves physical considerations (e.g., theft prevention, device identification, mobile uninterrupted power supply), notebook connectivity (e.g., a power source, telephone communications tools), and miscellaneous toolkit necessities.
Information availability is an operations scheduling issue, although some organizations believe that all availability needs are covered by their business resumption practices. Security practitioners must be aware of the need to maintain operational schedules. If the backup and batch processing is scheduled to end at a precise time so that the online or remote transaction processing may start, then the credibility of the central staff to meet their commitments to the field is tested every day. Although capacity planning is not a security issue, the complete information protection plan will make sure that the topic is adequately addressed by the appropriate operational staff members.
Concerns associated with the desktop microcomputers in the corporate office also apply to notebooks for the mobile user. However, with respect to mobile computing, security practitioners may need to be more creative to achieve the desired results.
Theft-Prevention Devices. Such theft-prevention devices as cabling and bolting plates can be used to minimize the potential of notebook theft by opportunity. The cables are designed so that they may be looped through an opening in a stationary object to tie the laptop down while the user is traveling. Resistance to these devices exists because many users feel that having these devices gives the impression of not trusting coworkers or business associates. However, security administrators who use theft-prevention devices in their companies indicate that they have experienced a significant decrease in loss. Although the products are effective, corporate procedures with strong enforcement practices are usually required before these products are put into use.
Device Identification. Device identification is critical to the ability to identify a misplaced or stolen notebook. In addition to traditional identification methods (e.g., serial number registers, tags, labels, and engraving), microcomputers can be marked by using invisible ink to record the company's name and the notebook's serial number on the inside of the lid just under the monitor display area. The invisibly inked number must match the serial number recorded in the corporation's asset inventory register. This practice can also be used to resolve disputes associated with ownership of the microcomputer.
Mobile Uninterrupted Power Supply. Mobile uninterrupted power supply implies that each mobile user should have a portable surge protector with sufficient electrical outlets for each device that is connected to the microcomputer or notebook. Electricity follows the path of least resistance, and it will reach the microcomputer through any device cable if the power source for the device is not protected. Surge protector plugs are available at most hardware and electronics retailers. It is also recommended that the user carry a fully charged spare battery pack for the notebook. Usually the battery can be purchased from the dealer that sells the notebook.