The CEO of Senforce Technologies, Inc., a Draper, Utah-based company focused on endpoint security, says to keep road warriors and teleworkers safe, IT administrators need to set up strict policies. And then automate them.
In a one-on-one interview with Datamation, Mike Hall, CEO of Senforce, talks about the wireless market, security's fear of the coffee shop, and the balance between productivity and security.
Q: Wireless was the hot topic for a few years but it seems to be
quieting down now. Do you see the market loosing some speed?
We still see it expanding. Intel's drive from Centrino is helping profliferation. According to the TIA (Telecommunications Industry Association), the number of hotspots has gone from 32,000 in 2004 to 64,800 in 2008. The market for wi-fi hardware and software will go from $4.35 billion to $7 billion in the same timeframe... What's happening is that CSOs and CTOs have to secure the wireless that's out there. Access points, evil twins... those threats will continue until the industry as a whole addresses the security issues.
Say you go to a Starbucks and you sit down and log in to a T-Mobile hotspot. A hacker could be sitting near you and they could create a Web site that looks like the T-Mobile hotspot. You access it and the hacker can take your credit card information and he can hack your system. It looks like the login screen of a provider, yet it's a hacker. For the enterprise, we see the need to eliminate those rogue access points. And when someone goes out on the road, you want to make sure they don't associate with an access point that's not secure.
Q: How is that done when you're dealing with any number of hackers and
any number of hotspots and access points?
You need to automate and enforce the behavior of the employee. There's a CIO or CSO who sets policy... What they have to do is be able to establish a policy that follows users in the office, in an airport or at home. It is a technology. The policy is set up in a software agent that will set your access rights and privileges at the client. Given that notebooks are outpacing desktop purchases and wireless comes with the notebooks... you have to automate your software. Have a written policy and then automate that through software.
Q: Shouldn't companies set up policies on whether or not employees can
even use hotspots?
Yes, it needs to say if they can use hotspots. But if they can, what are the things that need to happen first? They need to establish a VPN connection and then they can use that hotspot. CIOs have to find solutions that will enforce that behavior and not allow the employee to use that hotpsot until they log in to the VPN first. What's happening is that for years, CIOs and CSOs have secured the perimeter. They've created a castle where they're safe but the perimeter keeps changing. People are taking critical and fresh data on their notebooks and they take it outside the four walls of the organization. You need to make sure that information is secure.
Q: A recent Gartner Inc. report says fears over hotspots is one of the
Top Five over-hyped IT security issues. Are you simply worrying a little
Absolutely not. I heard a story yesterday in New York. This man's friend was at a hotspot at a Starbucks and he was duped by an evil twin. That hacker had his credit card, and was able to use it. The hacker was using it and giving it to other people to use. He had to go and shut down his credit card. Those stories are happening all over the globe.
Q: When you talk to CIOs, what are the wireless issues that worry
Can I secure wireless? How can I avoid rogue access points? When people go on the road, how do I secure the data on those notebooks -- whether it's on the road or at their home? You have to be able to enforce those policies on those notebooks... They also talk to us about when someone has wireless and they connect through a wired connection. They want to disable wi-fi when wired. It's very easy to do. It's done through a management console. You have to establish that automated policy.
Q: What is the key to securing wireless?
There's a balance between productivity and security... You must be able to set different policies for different users, so IT can take control. You may do something different for the engineering side than you would for a salesperson, who would not have all of your critical and proprietary information on their notebook. You might be lenient with them. You need to set policy-by-person, by group and by your entire organization.