End-to-end wireless security: Integrated solutions that protect your business and your customers

IBM — End-to-end wireless security, December 2001

Authors: The Wireless Security Acceleration Team


New wireless technology = new vulnerabilities = new risks

“The growing corporate appetite for remote LAN, Internet, extranet/intranet and wireless access services will drive the need for advanced information security services as technologies for circumventing network security systems continue to keep pace with the technologies designed to defend against them. The growth in this market will come from clients who recognise the value of engaging third-party service providers skilled at developing customised security strategies that solve real business problems. By implementing a best-in-class security architecture coupled with continuous monitoring and management of the infrastructure, security service firms enable clients to mitigate the risks associated with their business.”

Allan Carey, IDC Senior Analyst

Mobile e-business is here. Employees are bringing their personal devices into the working environment; new technologies are enabling on-the-move e-business transactions and access to information; and corporations have an increasing interest in the massive opportunities presented by wireless access service.

Airlines are piloting programmes where passengers can check up-to-date flight details and even check-in using their mobile phone. Businesses are equipping their workers with a variety of mobile devices used for an infinite number of purposes: hot desking, selling and other e-business transactions. Users’ expectations are increasing — they want to receive work emails on their PDAs; they want to purchase items using their mobile phones; they want to be able to use their laptops to access a network from anywhere. The possibilities are as endless as the expectations.

Contents

2 New wireless technology = new vulnerabilities = new risks
8 End-to-end wireless security — the IBM value proposition
11 Software for wireless security
17 Hardware solutions
24 Conclusion
26 About the Authors


Wireless technology is growing at an exponential rate. Companies that want to lead in their market have already deployed mobile solutions. But doing so is pointless unless you understand one vital concept: Wireless e-business creates a whole new set of security risks and challenges. Wireless expands the boundaries of your current IT infrastructure and comes with an unprecedented degree of complexity — including the need to manage the sheer range of devices and technologies and the array of potential threats to your business.

Wireless e-business raises a new set of security implications that need to be understood and addressed. Success in the mobile environment is dependent on the development and deployment of an end-to-end security solution that protects your wireless network, devices, applications and data — continuously. If you can protect your business and build trust with customers, wireless e-business offers endless benefits — increased productivity, improved customer service, streamlined communication with customers, employees and suppliers. Fail to do this and your business will pay the consequences.

It’s not enough to merely decide that you’re going to equip your employees with PDAs. How are you going to ensure that customer information sent over a wireless network is secure and won’t expose your company to a consumer backlash? Will your efforts to provide ‘always on’ connectivity leave your customer information vulnerable? These and a thousand other questions need to be addressed to ensure a viable, sustainable business model for wireless e-business.

You know how your office is affected when your IT server goes down for even a few hours. Imagine the consequences of a breach or failure in your wireless solution. You need to know where your solution is vulnerable and then know how to fill in those gaps. You need to ensure that every conceivable security issue is covered without sacrificing ease-of-use or customer access to your business.

Key Topics

• Explores the security benefits of wireless e-business.
• Outlines key challenges and developments in wireless security and how to best address them.
• Discusses the consequences of failed security practices.
• Details IBM’s end-to-end wireless security solution, encompassing hardware, software and services.
• Describes tangible scenarios for IBM’s solution and illustrates how the offering can integrate with your existing business practices and infrastructure.


Understanding the risks in wireless security

To address the potential risks in wireless security, you need to understand them. Here are just a few risk-points in typical wireless e-business infrastructures:

Weaknesses in WAP

Wireless Application Protocol (WAP) was the first technology that enabled mobile e-business. But WAP received endless bad press because of bandwidth and device limitations. Unfortunately, because of its slow take-up, little attention has been paid to security. Because WAP does not provide end-to-end encryption, data can be exposed, unprotected, at the WAP gateway.
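The gateway gap just described can be made concrete with a small model. This is an added illustration, not code from the IBM paper: a toy stream cipher stands in for the WTLS and TLS record layers, and the application-layer wrapping in `send_end_to_end` is an assumed mitigation that shows what the missing end-to-end layer would change.

```python
"""Toy model of the WAP gateway gap.

WTLS protects the link from the handset to the WAP gateway and TLS protects
the link from the gateway to the origin server, but the gateway decrypts one
and re-encrypts for the other, so it holds every message in the clear.
Constructed illustration: the keystream cipher below stands in for the
WTLS/TLS record layers and is NOT suitable for real use.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher (SHA-256 keystream XOR data).
    Symmetric: the same call decrypts. Stand-in for a record-layer cipher."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class WapGateway:
    """Hop-by-hop relay: terminates the WTLS session, re-originates TLS.
    Everything it relays is recorded so the exposure can be inspected."""

    def __init__(self, wtls_key: bytes, tls_key: bytes) -> None:
        self.wtls_key = wtls_key
        self.tls_key = tls_key
        self.observed = []  # plaintext exactly as the gateway saw it

    def relay(self, nonce: bytes, wtls_record: bytes) -> bytes:
        cleartext = keystream_xor(self.wtls_key, nonce, wtls_record)  # WTLS ends here
        self.observed.append(cleartext)
        return keystream_xor(self.tls_key, nonce, cleartext)  # TLS starts here


def send_hop_by_hop(message: bytes, gateway: WapGateway) -> tuple:
    """Handset -> gateway (WTLS) -> origin server (TLS). Returns what the
    origin recovers and what the gateway was able to read in transit."""
    nonce = os.urandom(8)
    wtls_record = keystream_xor(gateway.wtls_key, nonce, message)
    tls_record = gateway.relay(nonce, wtls_record)
    at_origin = keystream_xor(gateway.tls_key, nonce, tls_record)
    return at_origin, gateway.observed[-1]


def send_end_to_end(message: bytes, gateway: WapGateway, app_key: bytes) -> tuple:
    """Same path, but the handset first wraps the message with an
    application-layer key shared only with the origin server (assumed
    mitigation). The gateway still relays successfully, yet it now only
    ever sees the inner ciphertext."""
    app_nonce = os.urandom(8)
    inner = app_nonce + keystream_xor(app_key, app_nonce, message)
    relayed, seen_by_gateway = send_hop_by_hop(inner, gateway)
    at_origin = keystream_xor(app_key, relayed[:8], relayed[8:])
    return at_origin, seen_by_gateway


def gateway_can_read(message: bytes, seen_by_gateway: bytes) -> bool:
    """Did the relay expose the message? Constant-time comparison."""
    return hmac.compare_digest(message, seen_by_gateway)


if __name__ == "__main__":
    gw = WapGateway(wtls_key=os.urandom(32), tls_key=os.urandom(32))
    order = b"consignment=12345;insured_value=250"  # constructed sample
    got, seen = send_hop_by_hop(order, gw)
    print("hop-by-hop: origin ok =", got == order,
          "| gateway read plaintext =", gateway_can_read(order, seen))
    got, seen = send_end_to_end(order, gw, app_key=os.urandom(32))
    print("end-to-end: origin ok =", got == order,
          "| gateway read plaintext =", gateway_can_read(order, seen))
```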

Weaknesses in GSM/GPRS networks

GSM and GPRS wireless wide area network protocols contain cryptographic weaknesses that could allow data to be disclosed by eavesdroppers.

Weaknesses in wLAN (802.11) and wPAN (Bluetooth) networks

Wireless Local Area Networks (wLAN) have already been deployed by a number of companies to support hot desking, at-home working and flexible provisioning of mobile services. However, by default, wLANs offer no security and unless additional security measures are deployed, networks are wide-open to outside intervention, or ‘drive-by hacking,’ potentially exposing personal, corporate and business-critical data. Bluetooth Wireless Personal Area Networks (wPAN) are also an efficient, cost-effective way of connecting mobile devices and intelligent appliances, but without adequate security measures in place, this too could provide an opportunity for unauthorised access to data.

Meeting the Challenge of Wireless Security

Are you confident your organisation is prepared for the security challenge of wireless e-business? These are just a few of the critical issues companies now face:

• How can you ensure uninterrupted access to your business?
• How can you be sure that your existing security controls will hold up to your long-term business plans?
• What security controls do you need to implement?
• How can you leverage new methods and technologies while maintaining a high level of security?
• How can you prepare for an industry-recognised security certification?


Limited security built into mobile devices

Most mobile devices have little or no built-in security functions. Even something simple like a password can have endless security implications — users who chose to deactivate their passwords could inadvertently allow unauthorised access to applications and data should the device be lost, stolen or tampered with. Additionally, wireless devices may have Over The Air (OTA) remote configuration facilities that could be exposed and abused. They are also susceptible to viruses and ‘Trojan horse’ malicious codes.

‘Always-on’ connectivity increases the window of opportunity for hackers

While ‘always on’ connectivity is perhaps one of the more attractive features of wireless technology, it is also one of the most dangerous with regards to security. Not only does it increase the window of opportunity for hackers to access your system, ‘always on’ means that this can be done often without the user knowing it — if a device is in a purse, a pocket or a briefcase, the user will not be able to detect that something has gone amiss.

Privacy issues with location-based services

Privacy is not the same as security, but the two are inextricably linked: you cannot manage privacy without sound security. Security relates to the protection of the organisation’s assets. Privacy relates to the way organisations handle personal information, such as customer names, addresses, credit card numbers and spending habits. Location-based services will enable businesses to provide relevant information to users, be that retail, food, entertainment, telematics and more. But the very nature of location-based services means that users’ movements must be tracked in order to provide timely, appropriate information. However, consumers are justifiably concerned about how this will impact their privacy, as well as the confidentiality of their information. Companies will need to win their customers’ trust by developing systems that offer the highest levels of security and privacy.


Rapidly developing technologies, increased complexity and immature standards

Mobile technologies are evolving at a rapid rate, with new products and services sometimes being offered on a daily basis. You want to stay ahead of the game, but implementing a new service isn’t as simple as it sounds — new technologies often don’t have full or suitably tested and verified security measures in place. Immature standards for user and device authentication, executable content security and stored data security also create vulnerabilities. Additionally, you are often dependent on third-party providers to exchange your data through multiple networks, making it difficult for you to assure that all transactions and data transfers are secure.

Existing ‘wired’ controls will be pushed to their limits

While a wireless application needs certain hardware, software and services to run properly, these services may also be reliant on existing ‘wired’ controls that may not have been initially designed to support wireless security services. It is not enough to simply attach wireless hardware and software to your existing infrastructure — while many of your current e-business investments can be leveraged for use in your mobile network, you need a strategy for how all of these components are going to link together.


Implementing wireless security — partnering with a trusted provider

The key to tackling these challenges is to work with a trusted partner whose understanding of wireless security comes from developing pioneering solutions and tackling real security problems for a range of global businesses. Security is about trust — your customers trust you to protect their confidential information, your employees, customers and business partners trust you to provide uninterrupted, quality service as promised by your brand. Any breach or glitch in security will affect the perception of your brand, therefore you need to trust that your provider has covered all the bases.

A truly effective, future-proofed wireless security system is an end-to-end solution that offers integrated security technology (hardware and software), processes and organisational solutions. Your partner also needs to be able to manage your security over time. Changes in the business and political environment as well as new technologies and developments, come with new security implications and your partner needs to be able to address these quickly, while ensuring that your business service is uninterrupted. You also want a partner who is able to provide you with pioneering research, enabling you to implement new services ahead of your competitors, and counter security issues before they’re even raised.

Read on to discover how IBM’s innovation, research and global expertise and experience can meet all of the challenges presented by wireless security.

Covering all the issues

Knowing that you can provide end-to-end wireless security is knowing that you can cover all of these issues:

Authentication: Ensuring that users, clients and servers establish their identity.

Confidentiality: Preventing eavesdropping during data communication or disclosure from applications or storage media.

Authorisation: Prohibiting the improper use of data and services by allowing only authorised users to have access to information.

Data Integrity: Verifying that data has not been altered in transit by a third party, preventing forgery, tampering and unauthorised alteration.

Non-repudiation: Preventing parties from falsely denying data transactions after they were supposedly done, enforcing accountability for electronic transactions.

Privacy: Providing methods that allow users to control what personal information is provided to applications and other parties and how it is used.

Trust: Ensuring that your solution partner and third-party providers can be relied upon.


End-to-end wireless security — the IBM value proposition

“[IBM’s offering is] a pretty complete solution for mobilisation. It’s indicative of the complete package people are looking for.”

Mark Plakias, Kelsey Group Analyst

As we have established, an effective security strategy is crucial for organisations that wish to exploit the opportunities of wireless e-business. You need to protect your business and your brand, by ensuring that all customer and business-critical information is protected. You also need to ensure that all information is used in such a way that it provides superior service without compromising the trust of your customers, partners or employees. You need an integrated, end-to-end solution that leaves no stone unturned, which also leverages your existing IT investments.

IBM is responding to customer demand for an end-to-end package that allows security policies already in place for wired networks to be extended to wireless networks. Using a strategic approach to ensure all security issues are covered and applying a range of industry-leading products, methodologies and services, IBM can now offer an integrated, comprehensive solution that meets the security needs of all companies entering the wireless domain.

Defining the challenge of end-to-end security

For IBM, end-to-end means exactly what it implies: seek out the problem, devise a solution by integrating the best combination of products and services, implement that solution, then manage it continuously to ensure that as the market and technologies change, the solution holds strong.

IBM has identified a number of key dimensions that need to be considered in designing end-to-end security solutions for wireless e-business:

The technology span

An end-to-end security strategy needs to encompass an increasingly complex technology chain, including mobile phones, laptops and PDAs from multiple vendors, multiple operating systems, various network standards, wireless e-business applications, and IT management frameworks. Naturally, all these components need to be addressed by a coherent, integrated solution.

Field Force Automation

Challenge

A large, online courier company wanted to improve its services in the competitive delivery marketplace. Other companies were simply able to deliver faster and provide greater security for high-value items.

Solution

When a customer places an order online for a package to be collected and delivered, a consignment number is given. The courier picks up the item, which the customer signs for electronically on a WAP-enabled PDA supported by WebSphere Everyplace Server.

Through the WAP browser, the courier accepts and transmits details to a central processor, alerting them of the existence of the package so they can start arranging for further movements. This process seamlessly tracks the package’s movement and improves delivery efficiency. All data is encrypted, ensuring that all content and insurance details, addresses and personal information are safe.


People, processes, culture and organisation

Security is also not just about technology — it’s also about people. Often, the bigger security breaches are just as much the result of human error as they are about technical vulnerability. The question is, how can you minimise the security risks associated with human oversight? IBM can address the technical and cultural aspects of security in wireless e-business, helping your company to manage changes within work culture, organisational transformation and corporate policies.

Managing change, minimising disruption

The pace of change is also a key consideration when planning security solutions for wireless e-business. As new technologies arrive, new vulnerabilities and risks will inevitably need to be addressed. IBM’s global team of IT and business experts can help ensure your security systems and policies keep pace with change and that your day-to-day business goes uninterrupted as you anticipate and manage new threats to your security.

Your security systems and processes are only as strong as the weakest link in the chain. That means an end-to-end approach is the only way to protect your business and safeguard relationships built on trust with your customers.

Leveraging world-wide expertise, cutting-edge innovation and an array of world-renowned business partners, IBM’s end-to-end offering covers all wireless security needs, including software, hardware, services and maintenance.


A company-wide initiative

Given the scope and scale of the security challenges associated with wireless e-business, organisations need to tap into a vast breadth and depth of expertise encompassing a range of IT and business disciplines. IBM’s wireless solution offering represents a major company-wide initiative to help businesses identify mobile and wireless vulnerabilities, and to develop robust end-to-end solutions with the highest levels of in-built security.

IBM is already working with leading organisations around the world on wireless security engagements to plan, develop, implement and manage secure wireless e-business applications in the field. As a result of this pioneering work, the end-to-end wireless security offering leverages IBM’s global assets and intellectual capital, including:

• Pioneering research that includes the development of the industry’s first wireless LAN security auditing tool, Wireless Security Auditor*
• Intellectual capital — expertise and experience captured from the world’s largest IT services company, with a global representation
• New wireless e-business security service offerings from IBM Security and Privacy Services, extending its expertise in security to specific business issues, risks and opportunities in the wireless environment
• A suite of security-optimised software for wireless e-business, including WebSphere* Everyplace Server, Domino* Everyplace Access Server and Tivoli* wireless e-business management solutions
• Security-enabled hardware for wireless e-business, including embedded security subsystems for ThinkPads* and NetVista* PCs
• Valuable support and expertise in specific regions, markets and technologies from IBM’s unrivalled community of business partners

IBM’s extensive expertise and work processes, innovative wireless security software and hardware are combined to offer the most comprehensive, end-to-end wireless security solution on the market. Let’s now look at these essential components in greater detail.

Sales Force Automation

Challenge

A large insurance company wanted to utilise technology to enable its salesforce to process customer orders in the field. It had the back-end system to support these transactions, but the system needed to be optimised to ensure security in the transactions. The company also needed to provide its sales professionals with secure devices.

Solution

WebSphere Everyplace Server enabled the company to take existing sales applications and make them available on a mobile platform. Salespeople are now able to securely connect to every sales resource within the company from any device over a virtual private network. The devices used in the field are equipped with Embedded Security System (ESS) and all customer data (billing address, credit card information) is encrypted when sent over the network. Transaction authorisation is processed through Tivoli Policy Director, while potential security breaches are monitored using Tivoli Risk Manager.


Software for wireless security

“IDC, 2001 rate IBM as the broadest scope vendor with the highest market share.”

Ongoing security management

The complex mix of technologies and processes that need to be constantly monitored, plus the range of new threats that arise in wireless e-business, create a massive challenge. You need automated systems and policies for managing authorisation, subscription services, and detecting threats and system abuses — systems that can be easily managed from a central point of control.

IBM has developed an integrated solution that provides centralised security management through a strategic combination of products offered by its software divisions, Tivoli, WebSphere and Domino: security management, including intrusion detection and identity management, is provided by Tivoli Risk Manager and Tivoli Identity Director; wireless gateway, authentication and encryption functionality is provided by WebSphere Everyplace Server and Domino Everyplace Access Server; authorisation is provided by Tivoli Policy Director.

Covering all the issues

IBM’s end-to-end wireless security offering is made available through IBM Global Services. The company is also tapping into technology, products and services from multiple business units: IBM Research, IBM Software Group and IBM’s Personal Computing Division. This company-wide initiative aims to help companies identify mobile and wireless vulnerabilities, establish security policies, provide secure authentication and authorisation of users, protect the integrity and confidentiality of business transactions from origin to destination and provide security management of the technology and organisation.


This software combination is also the first to include security authentication and authorisation capabilities for both Wireless Application Protocol (WAP) and iMode devices in one solution. Tivoli, WebSphere and Domino provide specialised security functions — a company’s need for these functions will vary based on unique business requirements and the results of IBM’s wireless security assessment.

Tivoli Risk Manager

Part of IBM’s overall wireless security framework, Tivoli Risk Manager is an enterprise-wide solution enabling organisations to centrally manage attacks, threats and exposures by correlating security information from multiple, heterogeneous firewalls, intrusion detection sensors, vulnerability scanning tools and other security measures. One of the sensors provided for Risk Manager also includes the IBM Wireless Security Auditor (WSA), which audits wireless LAN networks for proper security configuration.

Security benefits of Tivoli Risk Manager:

• Centralised, automated risk detection and management
• Intelligent correlation engine prioritises alerts, enabling rapid response
• Adaptors available for integration with Wireless Security Auditor
• Ease-of-use for both problem identification and resolution.
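As an added illustration of the correlation-and-prioritisation idea above (not Tivoli Risk Manager’s own code or event format), the following normalises constructed firewall, intrusion-detection and wireless-audit lines into one schema and ranks subjects that several sensor types report on above a single noisy source; the line formats, weights and thresholds are assumptions of this example.

```python
"""Toy correlation engine: heterogeneous sensor lines -> one schema ->
grouped per subject -> prioritised alerts. Constructed sample data; the
formats below imitate no real product's log syntax."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed: two firewalls denies and one IDS signature for the
# same host, plus a wireless-audit finding about an access point.
SAMPLE_LOG = """\
FW deny src=10.0.5.7 dst=10.0.1.20 dport=445
FW deny src=10.0.5.7 dst=10.0.1.21 dport=445
IDS alert sig="SMB brute force" src=10.0.5.7 dst=10.0.1.20
WSA ap=00:11:22:33:44:55 ssid="default" wep=off default_ssid=yes
FW deny src=10.0.9.3 dst=10.0.1.20 dport=80
"""

FIREWALL_RE = re.compile(r'^FW deny src=(\S+) dst=(\S+) dport=(\d+)$')
IDS_RE = re.compile(r'^IDS alert sig="([^"]+)" src=(\S+) dst=(\S+)$')
WSA_RE = re.compile(r'^WSA ap=(\S+) ssid="([^"]*)" wep=(on|off) default_ssid=(yes|no)$')


@dataclass
class Event:
    source: str   # which kind of sensor produced it
    subject: str  # host or access point the event is about
    kind: str     # human-readable finding
    weight: int   # assumed severity weight for this example


def normalise(line: str) -> list:
    """Map one raw sensor line onto the common Event schema.
    Unknown lines yield an empty list rather than raising."""
    m = FIREWALL_RE.match(line)
    if m:
        return [Event("firewall", m.group(1), f"denied to {m.group(2)}:{m.group(3)}", 1)]
    m = IDS_RE.match(line)
    if m:
        return [Event("ids", m.group(2), f"signature {m.group(1)}", 4)]
    m = WSA_RE.match(line)
    if m:
        ap, wep, default_ssid = m.group(1), m.group(3), m.group(4)
        found = []
        if wep == "off":
            found.append(Event("wsa", ap, "access point without link encryption", 3))
        if default_ssid == "yes":
            found.append(Event("wsa", ap, "access point still on default SSID", 2))
        return found
    return []


def correlate(lines) -> list:
    """Group events by subject and score each group. A subject reported by
    more than one sensor type gets a corroboration bonus, so it outranks a
    single source producing the same raw count of events."""
    groups = defaultdict(list)
    for line in lines:
        for ev in normalise(line.strip()):
            groups[ev.subject].append(ev)
    alerts = []
    for subject, evs in groups.items():
        sensors = sorted({e.source for e in evs})
        score = sum(e.weight for e in evs) + (3 if len(sensors) > 1 else 0)
        priority = "high" if score >= 8 else "medium" if score >= 4 else "low"
        alerts.append({"subject": subject, "priority": priority, "score": score,
                       "sensors": sensors, "findings": sorted({e.kind for e in evs})})
    alerts.sort(key=lambda a: -a["score"])
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(f"{alert['priority']:6} {alert['score']:2} {alert['subject']:18} "
              f"{','.join(alert['sensors'])}: {'; '.join(alert['findings'])}")
```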

Tivoli Policy Director

IBM is delivering secure access management (authentication and authorisation) software for the delivery of secure mobile transactions and access to e-business applications over wireless network channels. The latest version of Tivoli Policy Director is the industry’s first software that enables organisations to provide Web single sign-on and authorisation to mobile transactions and applications accessed through both WAP and iMode devices. As part of IBM’s end-to-end wireless security solution, Policy Director enables organisations to deliver a consistent security policy and secure end-user experience extending across both their wired and wireless enterprise applications and portals.


Policy Director provides fine-grained access control for Web applications and resources without requiring any modifications to a customer’s existing Web-based applications. It also enables organisations to authorise and secure the IBM messaging system MQSeries by providing protection for both messages and the message queues.

In addition, Tivoli Policy Director helps companies protect Web resources including URLs, scripts and data that can be accessed by traditional Web browsers or WAP-enabled devices. Giving companies the power to control access to e-business applications and data accessed through WAP devices reduces the cost and complexity of extending e-business to Web phones and other WAP devices.

Tivoli Policy Director for WebSphere

Policy Director’s authorisation service can also be integrated into IBM’s WebSphere Application Server environment, providing access control to WebSphere-based resources. Policy Director is compatible with WebSphere Transcoding Publisher and is a leading solution for secure access to e-business applications from a broad range of pervasive devices.

Security Benefits of Policy Director:

• Web single sign-on and authorisation to mobile transactions and applications accessed through WAP and iMode
• Access control management centralises network and application security
• Compatibility with other platforms, including WebSphere
• Delivers secure remote access and personalised access.


Tivoli Identity Director

Tivoli Identity Director provides policy-based identity management across legacy and e-business environments. Intuitive Web administrative and self-service interfaces integrate with existing business processes to help simplify and automate managing identities, while improving administrator productivity. It incorporates a workflow engine and leverages identity data for activities such as audit and reporting.

As your organisation moves forward with e-business initiatives and continues to grow due to mergers, acquisitions and partnering, there is a need to increase the efficiency and reduce the cost of managing user information and provisioning of user services. Employee turnover and fluctuating user populations only make user lifecycle management more costly and complex. In these dynamic and diverse environments, ensuring that only the right people have access to the right data and applications within your organisation can become a security nightmare.

Tivoli Identity Director addresses these business issues by providing a single point for managing users and a consistent access control policy that integrates with existing environments. Tivoli Identity Director provides self-service interfaces that integrate with the processes for managing individuals and their interaction with your business, while the embedded workflow engine automates the approval and submission processes.

Security benefits of Tivoli Identity Director:

• Reduces costs: enables efficient management of users and their access to resources
• Increases productivity: provides automated workflow and delegated administration
• Quickly realise ROI: brings users, systems and applications online faster.

IBM has leveraged Tivoli Risk Manager’s, Tivoli Policy Director’s and Tivoli Identity Director’s strengths in Web-based security monitoring, securing transactions and user authentication, authorisation and management in the wireless security space. By implementing Tivoli as part of their wireless solutions, organisations can be confident that their wireless environments are proactively monitored and managed to the highest security standards.


WebSphere Everyplace Server Security

WebSphere Everyplace Server is a comprehensive solution that provides tools and middleware infrastructures to enable customers to rapidly deploy and manage mobile e-business services.

The solution has been designed to enable customers with existing e-business infrastructures to capitalise on the wireless Web by reaching out to new customers via mobile phones, handheld computers and other wireless appliances.

Security software enables secure connections between pervasive devices and applications across mobile and land line networks. It provides authentication and single sign-on for users of all functions within the WebSphere Everyplace domain, including Domino applications. It can also be integrated with Policy Director to provide authorisation and fine-grained access control, limiting application access by limiting user access.

Security Benefits of WebSphere Everyplace Server:

• Support for multiple authentication methods, including basic Web authentication, forms-based authentication and certificates, as well as support for Tivoli Policy Director
• Encryption of data transmission across wireless and land-line networks
• Support of authentication by other vendor gateways (e.g. Nokia)
• Client software available for laptop and PDA clients to protect the confidentiality and integrity of data across wireless networks using IBM’s two party key distribution protocol (TPKDP).

Domino Everyplace Access

Domino Everyplace Access provides wireless access to corporate email, calendars, directories and WAP-enabled Domino applications. With Mobile Notes and Domino Everyplace Access you can move beyond wireless e-mail and into full service Personal Information Management (PIM) capabilities and access to business applications such as sales force automation, field service and customer relationship management. Now you can rapidly enable Domino collaborative applications for wireless access.


With Domino Everyplace Access server you can associate an authorised user with each mobile device, track what network a device is used on, encrypt data in transmission and more. Familiar, robust Domino security features control who gets into your network and what gets out over it. Domino Everyplace Access builds on this secure environment with standards such as SSL and WTLS.

Security Benefits of Domino:

• Enhances wireless access to Domino, providing Mobile Notes access from a WAP phone to critical business information
• Single-point access to e-mail, PIM and applications
• Customisable Mobile Notes homepage for a single point of access to vital information and Domino applications
• Central administration through tight integration with Domino administration and directory services, letting you configure and manage all your wireless services and devices from a central location
• Leverages Domino security features for user authorisation and encryption of data over wireless networks.


Hardware solutions

IBM provides a number of hardware options for wireless security. Combining these with IBM wireless security software, and extending IBM’s embedded security subsystem to encompass the NetVista desktop and ThinkPad notebook computer lines, IBM ensures that devices, wireless e-business applications and data are safeguarded against security breaches.

Embedded Security Subsystem (ESS)

The IBM Embedded Security Subsystem (ESS) provides hardware-based protection of critical security information, including passwords, encryption keys and electronic credentials, protecting information and PCs from ‘sniffers’, Trojan horses and other potential invaders. Embedded into both the IBM ThinkPad and the NetVista desktop, ESS helps identify computer users involved in transactions, and ensures that data transmissions are authentic, confidential and intact.

ESS consists of a cryptographic microprocessor designed to interface with common security protocols. Built into the system board of an IBM NetVista desktop or ThinkPad notebook, the cryptographic microprocessor is an advanced chip that employs encryption keys and processes to help secure data, communications and identity. The chip stores a user’s encrypted keys and supports Public Key Infrastructure (PKI) operations, such as encryption for privacy and digital signatures for authentication, within the protected environment of the chip.

Unlike software-only solutions, ESS is physically located on the motherboard and performs PKI operations and other functions within a secure and separate hardware environment. The encryption functions are more secure because the operations are not performed in main memory and the keys are not stored on the hard disk drive.

ESS can also be used in combination with embedded wireless LAN interfaces, providing protection against potential wireless LAN security issues. Select IBM ThinkPads with built-in WLAN capability are now equipped with ESS.

Wireless Micro Payments

Challenge

A parking facilities management company wants to offer its customers the option of paying for parking via a WAP-enabled application.

Solution

Customers can now reserve or pay for parking using a WAP-enabled device, accessing the parking company’s WAP site via WebSphere Application Server. As in all wireless payment scenarios, authentication is an important issue. IBM therefore worked with a telecom supplier to develop software that can authenticate customers accurately using their SIM/WIM card. WebSphere Payment Manager then handles the transfer of funds in a totally secure environment.


IBM 4758 PCI Cryptographic Coprocessor

The IBM 4758 PCI Cryptographic Coprocessor is a hardware solution for providing accelerated cryptographic operations on IT servers. It incorporates specialised electronics to relieve a server of time-consuming cryptographic functions while providing a tamper-responding, secure computing environment for the storage of keys and the performance of sensitive processing. It is available for all IBM server platforms and many personal computers, providing high-security cryptography and secure computing.

Only digitally signed software that is validated by the Coprocessor will be accepted for download. Sophisticated code-loading controls enable companies to employ signed software from IBM, from other vendors, or code created using toolkits available from IBM. It also detects physical attacks (probe, voltage, temperature, radiation). IBM supplies two cryptographic-system implementations and toolkits for custom application development.
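The code-loading control described above, in which only digitally signed code that the Coprocessor can validate is accepted, is illustrated below as an added example. This is not IBM’s 4758 loader or any of its code: it is a Go sketch in which a loader holds the public keys of its authorised signers and accepts an image only if a detached signature over the image verifies under one of them. The Ed25519 algorithm, the signer names, the image contents and the SHA-256 pre-hash are all assumptions made for the example; the signing step runs off the device, so the private key is never present where code is loaded, which mirrors the page’s point that keys should stay inside protected hardware rather than on the host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CodeImage is a hypothetical code image as presented to the loader: the
// code bytes plus a detached signature produced by an authorised signer.
type CodeImage struct {
	Name      string
	Code      []byte
	Signature []byte
}

// Loader models the code-loading control: it trusts only the signer public
// keys installed in it and accepts an image only if its signature verifies
// under one of them.
type Loader struct {
	trusted map[string]ed25519.PublicKey // signer name -> public key
}

var ErrUntrustedImage = errors.New("image rejected: signature does not verify under any trusted key")

func NewLoader(trusted map[string]ed25519.PublicKey) *Loader {
	return &Loader{trusted: trusted}
}

// imageDigest is what actually gets signed: a SHA-256 hash of the image bytes.
func imageDigest(code []byte) []byte {
	d := sha256.Sum256(code)
	return d[:]
}

// Verify returns the name of the trusted signer whose key validates the image,
// or ErrUntrustedImage. A missing, malformed or tampered signature fails closed.
func (l *Loader) Verify(img CodeImage) (string, error) {
	if len(img.Signature) != ed25519.SignatureSize {
		return "", ErrUntrustedImage
	}
	digest := imageDigest(img.Code)
	for name, pub := range l.trusted {
		if ed25519.Verify(pub, digest, img.Signature) {
			return name, nil
		}
	}
	return "", ErrUntrustedImage
}

// SignImage is the signer's side, run off the device: the private key never
// has to be present where the code is loaded.
func SignImage(priv ed25519.PrivateKey, name string, code []byte) CodeImage {
	return CodeImage{Name: name, Code: code, Signature: ed25519.Sign(priv, imageDigest(code))}
}

// Demo builds a loader that trusts two signers and exercises it with constructed
// images. It returns, per image name, whether the loader accepted the image.
func Demo() (map[string]bool, error) {
	ibmPub, ibmPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // a key the loader was never told about
	if err != nil {
		return nil, err
	}
	loader := NewLoader(map[string]ed25519.PublicKey{"ibm": ibmPub, "vendor": vendorPub})

	genuine := SignImage(ibmPriv, "signed-by-ibm", []byte("constructed firmware image"))
	vendorImg := SignImage(vendorPriv, "signed-by-vendor", []byte("constructed vendor application"))
	tampered := SignImage(ibmPriv, "tampered-after-signing", []byte("constructed firmware image"))
	tampered.Code[0] ^= 0xff // one byte changed after the signature was made
	rogue := SignImage(roguePriv, "signed-by-unknown-key", []byte("constructed unauthorised build"))
	unsigned := CodeImage{Name: "unsigned", Code: []byte("constructed image with no signature")}

	accepted := map[string]bool{}
	for _, img := range []CodeImage{genuine, vendorImg, tampered, rogue, unsigned} {
		_, err := loader.Verify(img)
		accepted[img.Name] = err == nil
	}
	return accepted, nil
}

func main() {
	accepted, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, ok := range accepted {
		fmt.Printf("%-24s accepted=%v\n", name, ok)
	}
}
```

The loader never consults anything but its installed trust list, so an image signed with a key it does not know is rejected exactly like an unsigned or altered one; a real coprocessor adds to this the tamper-responding enclosure that stops the trust list itself from being replaced.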

Bluetooth-enabled solutions

IBM is already developing Bluetooth applications that enable people to work flexibly in mobile environments, while also minimising the risk of security breaches caused by human error. For instance, IBM has developed a solution that uses a Bluetooth ID proximity badge designed for low-cost, low-power-consumption, short-range radio links between mobile PCs, mobile phones and other portable devices. This technology operates in a range of one to 30 feet (up to 10m) and supports both voice and data services. Bluetooth technology simplifies short-range connectivity by doing away with the need for proprietary cables that connect one device to another (hands-free headsets, printer cables, keyboard and mouse cables, etc). Additionally, no ‘line-of-sight’ is needed between devices, as is required with Infrared/IrDA.

IBM is implementing Bluetooth to enable improved security in everyday business processes. For example, using IBM’s proximity badge, hospital workers who need to access a patient file can walk up to any computer and be automatically logged in once they are within proximity. Bluetooth saves users from having to remember or type a password, and it automatically logs the user off when the badge is out of proximity to the device.
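The log-in-on-approach, log-off-on-departure behaviour described above is shown below as an added example; it is not IBM’s proximity badge software. It is a Go state machine for one workstation that consumes constructed badge readings (time, whether the badge was heard, signal strength in dBm) and emits login and logout events. The thresholds, grace period and trace values are assumptions; the two points the example adds are that two separate thresholds (hysteresis) stop a badge at the edge of range from flapping the session, and that a grace period stops a single missed packet from logging the user off mid-task. Signal strength alone does not prove identity, so a deployment would still authenticate the badge itself before trusting a reading.

```go
package main

import "fmt"

// Reading is one constructed observation from a hypothetical badge receiver at
// a workstation: time in seconds, whether the badge was heard at all, and its
// received signal strength in dBm when it was.
type Reading struct {
	T    int
	Seen bool
	RSSI int
}

// ProximityPolicy uses two thresholds (hysteresis) so a badge hovering at the
// edge of range does not log the user in and out repeatedly, and a grace period
// so a single missed packet does not end the session.
type ProximityPolicy struct {
	LoginRSSI   int // badge must be at least this strong to log in
	LogoutRSSI  int // readings weaker than this count as "not near"
	AbsentGrace int // seconds with no "near" reading before logout
}

// DefaultPolicy holds assumed values for the example, not IBM's settings.
func DefaultPolicy() ProximityPolicy {
	return ProximityPolicy{LoginRSSI: -60, LogoutRSSI: -75, AbsentGrace: 5}
}

type SessionEvent struct {
	T     int
	Event string // "login" or "logout"
}

// Session is the per-workstation state machine.
type Session struct {
	policy   ProximityPolicy
	loggedIn bool
	lastNear int // time of the last reading that kept the session alive
}

func NewSession(p ProximityPolicy) *Session { return &Session{policy: p} }

// Observe feeds one reading and returns an event only when the state changes.
func (s *Session) Observe(r Reading) *SessionEvent {
	if !s.loggedIn {
		if r.Seen && r.RSSI >= s.policy.LoginRSSI {
			s.loggedIn, s.lastNear = true, r.T
			return &SessionEvent{T: r.T, Event: "login"}
		}
		return nil
	}
	if r.Seen && r.RSSI > s.policy.LogoutRSSI {
		s.lastNear = r.T // still near: keep the session alive
		return nil
	}
	if r.T-s.lastNear >= s.policy.AbsentGrace {
		s.loggedIn = false
		return &SessionEvent{T: r.T, Event: "logout"}
	}
	return nil
}

// Simulate runs a whole trace through a fresh session and collects the events.
func Simulate(p ProximityPolicy, trace []Reading) []SessionEvent {
	s := NewSession(p)
	var events []SessionEvent
	for _, r := range trace {
		if ev := s.Observe(r); ev != nil {
			events = append(events, *ev)
		}
	}
	return events
}

// SampleTrace is a constructed walk-up / sit / walk-away sequence, including one
// dropped packet (t=4) that must not end the session.
func SampleTrace() []Reading {
	return []Reading{
		{T: 0, Seen: true, RSSI: -85}, {T: 1, Seen: true, RSSI: -70},
		{T: 2, Seen: true, RSSI: -55}, {T: 3, Seen: true, RSSI: -50},
		{T: 4, Seen: false}, {T: 5, Seen: true, RSSI: -52},
		{T: 6, Seen: true, RSSI: -65}, {T: 7, Seen: true, RSSI: -72},
		{T: 8, Seen: true, RSSI: -80}, {T: 9, Seen: true, RSSI: -85},
		{T: 10, Seen: false}, {T: 11, Seen: false}, {T: 12, Seen: false},
	}
}

func main() {
	for _, ev := range Simulate(DefaultPolicy(), SampleTrace()) {
		fmt.Printf("t=%2d %s\n", ev.T, ev.Event)
	}
}
```

On the sample trace the session opens at t=2, survives the dropped packet at t=4 and the weak readings at t=6 and t=7, and closes at t=12, five seconds after the last reading strong enough to count as "near".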


Harnessing global expertise

IBM’s wireless security offerings aim to help companies identify and address mobile and wireless vulnerabilities, establish security policies, authenticate and authorise users, and protect the confidentiality, integrity and availability of corporate information within a wireless environment. IBM achieves this through comprehensive implementation of hardware, software and services.

Implementing and managing an end-to-end security solution requires careful planning and execution. IBM’s global team of wireless security experts collaborates to provide businesses with the most relevant set of products and services:

• Tried-and-tested methodologies for assessing risk, designing appropriate security solutions and managing the environment against ongoing threats
• Expertise from the world’s largest IT services provider, IBM Global Services, plus the latest innovation from IBM Research
• IBM’s global expertise and solutions, providing an end-to-end solution encompassing all areas of risk in wireless security.


IBM’s structured approach to devising a security solution in the wireless domain is to:

1. Conduct a security assessment

Organisations need to understand the risks in order to implement the appropriate security controls. The first step in determining any kind of wireless security solution is to assess the current security level and understand the kinds of risks to which a company could potentially be exposed. This can be achieved through security assessments that combine business and IT issues, including ‘ethical hacking’ to pinpoint possible points of weakness. All of these findings feed into devising the security solution and define the security and privacy requirements in the context of a company’s current and future business plans.

IBM’s Wireless Risk Assessment is designed to help companies understand the information risks introduced by wireless e-business infrastructures and how to effectively manage them. Threats and vulnerabilities can be identified by assessing your wireless e-business architectures, implementation plans and infrastructure. IBM can also assess and validate the strength of an infrastructure using advanced penetration testing techniques.

An integral part of IBM’s wireless security assessment is the Wireless Security Auditor (WSA). WSA identifies all wireless access points across the extended organisation and detects and analyses possible breaches. WSA is the industry’s first automated auditing tool that can monitor WLAN 802.11 to collect security-related information, allowing system administrators to take proper actions to improve network security.
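The kind of check an 802.11 auditing tool performs, identifying every access point it hears and comparing that against what the organisation actually deployed, is sketched below as an added example. It is not the Wireless Security Auditor or any IBM code: a Go program that parses constructed scan records (BSSID, advertised SSID, channel, and whether the privacy capability bit that signals link-layer encryption is set), checks them against an assumed inventory of authorised access points, and reports three conditions an administrator would act on: an access point not in the inventory, an unknown access point advertising a corporate SSID, and an access point running without encryption. The record format, the inventory and the scan data are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AccessPoint is one observed 802.11 access point as an auditing tool would
// record it from beacon frames.
type AccessPoint struct {
	BSSID   string
	SSID    string
	Channel int
	Privacy bool // privacy capability bit: link-layer encryption in use
}

// ParseScan reads constructed "key=value" records, one access point per line.
func ParseScan(lines []string) ([]AccessPoint, error) {
	var aps []AccessPoint
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var ap AccessPoint
		for _, field := range strings.Fields(line) {
			kv := strings.SplitN(field, "=", 2)
			if len(kv) != 2 {
				return nil, fmt.Errorf("malformed field %q in %q", field, line)
			}
			switch kv[0] {
			case "bssid":
				ap.BSSID = strings.ToLower(kv[1]) // normalise so inventory lookups match
			case "ssid":
				ap.SSID = kv[1]
			case "channel":
				n, err := strconv.Atoi(kv[1])
				if err != nil {
					return nil, fmt.Errorf("bad channel in %q: %v", line, err)
				}
				ap.Channel = n
			case "privacy":
				ap.Privacy = kv[1] == "1"
			}
		}
		if ap.BSSID == "" {
			return nil, fmt.Errorf("record without bssid: %q", line)
		}
		aps = append(aps, ap)
	}
	return aps, nil
}

type Finding struct {
	BSSID string
	Issue string
}

// Audit compares observed access points with the authorised inventory
// (BSSID -> expected SSID) and the set of SSIDs the organisation owns.
func Audit(aps []AccessPoint, inventory map[string]string, corporateSSIDs map[string]bool) []Finding {
	var findings []Finding
	for _, ap := range aps {
		expected, known := inventory[ap.BSSID]
		switch {
		case !known && corporateSSIDs[ap.SSID]: // the case that most needs attention
			findings = append(findings, Finding{ap.BSSID, "unknown AP advertising corporate SSID " + ap.SSID})
		case !known:
			findings = append(findings, Finding{ap.BSSID, "unknown AP not in inventory, SSID " + ap.SSID})
		case expected != ap.SSID:
			findings = append(findings, Finding{ap.BSSID, "inventory AP advertising unexpected SSID " + ap.SSID})
		}
		if !ap.Privacy {
			findings = append(findings, Finding{ap.BSSID, "no link-layer encryption (privacy bit clear)"})
		}
	}
	return findings
}

// SampleScan is constructed scan output, not data from any real network.
var SampleScan = []string{
	"# constructed scan output",
	"bssid=00:11:22:33:44:01 ssid=CORP channel=1 privacy=1",
	"bssid=00:11:22:33:44:02 ssid=CORP channel=6 privacy=1",
	"bssid=00:11:22:33:44:03 ssid=GUEST channel=11 privacy=0",
	"bssid=AA:BB:CC:DD:EE:01 ssid=CORP channel=6 privacy=1",
	"bssid=AA:BB:CC:DD:EE:02 ssid=linksys channel=6 privacy=0",
}

// RunSampleAudit audits the constructed scan against a constructed inventory.
func RunSampleAudit() ([]Finding, error) {
	aps, err := ParseScan(SampleScan)
	if err != nil {
		return nil, err
	}
	inventory := map[string]string{
		"00:11:22:33:44:01": "CORP",
		"00:11:22:33:44:02": "CORP",
		"00:11:22:33:44:03": "GUEST",
	}
	return Audit(aps, inventory, map[string]bool{"CORP": true}), nil
}

func main() {
	findings, err := RunSampleAudit()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  %s\n", f.BSSID, f.Issue)
	}
}
```

The inventory comparison is keyed on BSSID rather than SSID because an SSID is just a string any access point can advertise; an unknown BSSID broadcasting the corporate name is therefore reported separately from an unknown access point with some other name.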

IBM has the depth of knowledge to cover multiple pervasive device types (telephones, PDAs, laptops, embedded devices), operating systems (Linux, EPOC, PalmOS, Microsoft** CE) as well as different application environments (messaging, transactions, location-based services, infomedia, telemetry). It also covers wireless networking technologies and protocols including wireless LANs (802.11), wireless PANs (Bluetooth) and wireless WANs (GSM, GPRS, CDMA). IBM will also develop an understanding of your business model, objectives, organisation and processes. This enables IBM to assess the alignment of wireless technology to your business goals as well as the impact on the business of the threats and vulnerabilities. This will allow your current information risk position to be accurately reported in terms you will understand.


IBM’s Wireless Risk Assessment encompasses:

• A review of your wireless e-business strategies, plans and architectures
• A review of the security management controls for the wireless e-business solution, covering policy, organisation, personnel, asset classification and control, physical security, access control, network and computer management, business continuity, system development and maintenance, and compliance
• A penetration test that attempts to gain unauthorised access to the infrastructure supporting your wireless e-business solution, including networks, systems, applications and data, in order to validate the strength of your security infrastructure implementation
• An information risk analysis that assesses the impact of identified threats and vulnerabilities on your business objectives and requirements
• A report that details the strengths and weaknesses of security within the wireless e-business solution, along with recommendations for short-term and long-term improvement.

IBM also offers a one-to-three day Wireless Security Workshop, designed to help organisations understand the new security challenges created by wireless technology and to enable a quick-start approach to new secure wireless e-business initiatives.


2. Implement security solutions

Based on the output of the security assessment, IBM can define security policies and architecture principles and identify appropriate security controls, covering organisation, process and technology. From here, IBM can assist in the implementation of these policies and standards by defining formal security processes and designing specific security solutions. This assists in selecting the security products and services that best fit your business needs. IBM will also ensure compliance with corporate security policies or international security standards. This end-to-end approach saves companies from having to rely on multiple standards to link together the various pieces of a patchwork wireless-security architecture.

IBM has developed a Wireless Solution Design service to help companies plan and implement security strategies and end-to-end solutions for mitigating security risks. IBM has aligned its expertise in wireless security to specific industry business problems and opportunities in the wireless environment. The company can help organisations plan, architect, design and build wireless e-business solutions that meet their unique security and privacy requirements.

IBM helps companies build a security strategy and define the security requirements, functions and components required to ensure that your wireless e-business solution satisfies the business requirements and acceptable levels of risk. Using the proven IBM method for architecting secure solutions, the security functions and components are built into a secure solution design that is fully aligned with a company’s existing IT strategies and architectures. IBM has the depth of knowledge required for building secure end-to-end solutions that cover wireless devices, operating systems, middleware, applications, networks and development environments. IBM also helps companies to build the necessary security and risk management processes to ensure that the wireless security solution remains secure over time.


The Wireless Solution Design service covers:

• The development of a strategy for implementing a corporate-wide approach for meeting your security requirements and enabling consistent security across a company’s wireless e-business initiatives
• The development of security and privacy requirements and policies to effectively align the wireless infrastructure to a company’s business objectives
• The development of a secure and resilient solution design that meets the business’ security and privacy requirements
• The integration of proven security functions and components into a company’s new or existing wireless e-business solution
• The development of security processes required for successful wireless e-business operations and risk management
• A customised set of documentation that details security and privacy requirements, security policies, processes, and the security architecture and design required to implement and manage a company’s wireless e-business solution.

3. Manage the solutions over time

Companies need to be kept abreast of current and future risks in order to react efficiently and effectively with minimal disruption to service and quality. Through industry-leading tools and people, IBM will provide resources for ongoing management of your IT operation and long-term security protection for your business-critical assets, enabling business continuity and seamless service. IBM Managed Security ensures that the right people are in the right place at the right time to manage all security issues within your organisation.


Conclusion

Organisations across every industry sector are keen to exploit the vast opportunities and benefits of wireless e-business. But as they enter this new arena, companies need to fully address a range of new security risks to ensure they can adequately protect their businesses and build relationships of trust with their customers.

Wireless e-business introduces increased complexity and vulnerability into today’s enterprise IT environments. Any gap in your defences could be exploited to the detriment of your company, so organisations urgently need an end-to-end security strategy for wireless e-business.

Few companies have the in-house expertise to identify and manage all the risks. Furthermore, while there is a plethora of security tools on the market, until now no one has offered an end-to-end security solution tailored to the specific demands of wireless environments.

With these crucial challenges and opportunities in mind, IBM has now developed a comprehensive wireless security offering. Combining industry-leading, complementary technologies with service expertise provided by IBM Security and Privacy Services, IBM can help organisations plan, implement and evolve the robust security solutions they need to succeed in the age of wireless e-business.


For more information

To learn more about IBM Global Services, contact your IBM Sales Representative (or Business Partner if applicable) or visit:

• IBM Security and Privacy Services: ibm.com/services/security
• Tivoli security management software: tivoli.com/products/solutions/security
• IBM Client security solutions: pc.ibm.com/ww/security
• IBM Pervasive computing and WebSphere solutions: ibm.com/pvc
• Lotus Domino wireless solutions: lotus.com/home/nsf/welcome/mobile
• IBM Security Research: ibm.com/security/research


About the Authors

The Wireless Security Acceleration Team is a global team of specialists focused on leveraging IBM’s end-to-end wireless security capability by providing thought leadership and supporting the delivery of industry-leading solutions. The team’s responsibilities include the evaluation of new technologies and techniques, the identification of new threats and vulnerabilities, and the design and integration of innovative wireless security solutions. Using its Wireless Security Acceleration Centres in France, the U.K. and the U.S., the team also specialises in building customer Proof of Concept solutions by leveraging skills from the IBM Global Services Security and Privacy Practice and IBM Security Research, as well as products from Tivoli, Lotus, IBM and IBM’s wireless business partners.


WeWUK004 (12-01) RB

IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire, PO6 3AU
Tel: 0870 010 2503, ibm.com/services/uk

IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4
Tel: 1890 200 392, ibm.com/services/ie

IBM Nederland N.V., Postbus 9999, 1006 CE Amsterdam
Tel: 020 513 5151, ibm.com/services/nl

IBM South Africa Limited, Private Bag X9907, Sandhurst, 2196, South Africa
Tel: 0800 130 130, ibm.com/services/za

UK company-wide registration to ISO9001. Certificate number 92089.

The IBM home page can be found on the Internet at ibm.com

IBM is a registered trademark of International Business Machines Corporation.

* The e-business logo, WebSphere, Domino, Tivoli, ThinkPad, NetVista and MQ Series are trademarks of International Business Machines Corporation.

** Microsoft is a trademark of Microsoft Corporation in the United States, other countries or both.

** UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product and service names may be trademarks, or service marks of others.

References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to imply that only IBM’s product, program or service may be used. Any functionally equivalent product, program or service may be used instead.

This publication is for general guidance only.

© Copyright IBM Corporation 2001