The CEO of Senforce Technologies, Inc., a Draper, Utah-based companyfocused on endpoint security, says to keep road warriors and teleworkerssafe, IT administrators need to set up strict policies. And then automatethem.
In a one-on-one interview with Datamation, Mike Hall, CEO ofSenforce, talks about the wireless market, security's fear of the coffeeshop, and the balance between productivity and security.
Q: Wireless was the hot topic for a few years but it seems to bequieting down now. Do you see the market loosing some speed?
We still see it expanding. Intel's drive from Centrinois helping profliferation. According to the TIA (TelecommunicationsIndustry Association), the number of hotspots has gone from 32,000 in2004 to 64,800 in 2008. The market for wi-fi hardware and software willgo from $4.35 billion to $7 billion in the same timeframe... What'shappening is that CSOs and CTOs have to secure the wireless that's outthere. Access points, evil twins... those threats will continue until theindustry as a whole addresses the security issues.
Say you go to a Starbucks and you sit down and log in to a T-Mobilehotspot. A hacker could be sitting near you and they could create a Website that looks like the T-Mobile hotspot. You access it and the hackercan take your credit card information and he can hack your system. Itlooks like the login screen of a provider, yet it's a hacker. For theenterprise, we see the need to eliminate those rogue access points. Andwhen someone goes out on the road, you want to make sure they don'tassociate with an access point that's not secure.
Q: How is that done when you're dealing with any number of hackers andany number of hotspots and access points?
You need to automate and enforce the behavior of the employee. There's aCIO or CSO who sets policy... What they have to do is be able toestablish a policy that follows users in the office, in an airport or athome. It is a technology. The policy is set up in a software agent thatwill set your access rights and privileges at the client. Given thatnotebooks are outpacing desktop purchases and wireless comes with thenotebooks... you have to automate your software. Have a written policyand then automate that through software.
Q: Shouldn't companies set up policies on whether or not employees caneven use hotspots?
Yes, it needs to say if they can use hotspots. But if they can, what arethe things that need to happen first? They need to establish a VPNconnection and then they can use that hotspot. CIOs have to findsolutions that will enforce that behavior and not allow the employee touse that hotpsot until they log in to the VPN first. What's happening isthat for years, CIOs and CSOs have secured the perimeter. They've createda castle where they're safe but the perimeter keeps changing. People aretaking critical and fresh data on their notebooks and they take itoutside the four walls of the organization. You need to make sure thatinformation is secure.
Q: A recent Gartner Inc. report says fears over hotspots is one of theTop Five over-hyped IT security issues. Are you simply worrying a littletoo much?
Absolutely not. I heard a story yesterday in New York. This man's friendwas at a hotspot at a Starbucks and he was duped by an evil twin. Thathacker had his credit card, and was able to use it. The hacker was usingit and giving it to other people to use. He had to go and shut down hiscredit card. Those stories are happening all over the globe.
Q: When you talk to CIOs, what are the wireless issues that worrythem?
Can I secure wireless? How can I avoid rogue access points? When peoplego on the road, how do I secure the data on those notebooks -- whetherit's on the road or at their home? You have to be able to enforce thosepolicies on those notebooks... They also talk to us about when someonehas wireless and they connect through a wired connection. They want todisable wi-fi when wired. It's very easy to do. It's done through amanagement console. You have to establish that automated policy.
Q: What is the key to securing wireless?
There's a balance between productivity and security... You must be ableto set different policies for different users, so IT can take control.You may do something different for the engineering side than you wouldfor a salesperson, who would not have all of your critical andproprietary information on their notebook. You might be lenient withthem. You need to set policy-by-person, by group and by your entireorganization.