August 7, 2000
Wireless Overcomes Security Woes
continued...page 2 of 2
Wachovia's initial wireless applications, due for a fourth-quarter rollout, will let a company's financial officers track and transfer funds for improved cash management. Consumers can manage their Wachovia accounts wirelessly in early 2001. Costs weren't disclosed for the system, which is implemented by wireless integrator 7/24 Solutions Inc. Eventually, both Suretrade and Wachovia envision giving free wireless devices to high-value account holders.
At Wachovia, data is transferred to and from wireless devices much as it is in the Suretrade implementation. Data from cell phones enabled with WAP 1.0 is encrypted with Wireless Transport Layer Security, a wireless derivative of Secure Sockets Layer, the protocol Web browsers use to engage in secure sessions with servers. Encryption on PDAs is handled through a public key infrastructure cryptographic framework. PKI is based on a pair of keys generated by a single algorithm: one public, and one private that is known only to the individual. The private key, which is never shared or transmitted, is used to decrypt information that's been encrypted by a company using the public key.
"There's always a theoretical possibility of security problems, but this implementation reduces the risk to a level that's acceptable to a financial institution whose reputation rides on every transaction," Baxter says.
Yet even this level of security can be improved. Ideally, Baxter would prefer a dual system of security, where, for example, a smart card or other identity device is swiped through a cell phone. Eventually, experts predict, biometrics will be incorporated into wireless devices to verify identity through thumbprints or other personal characteristics.
Wireless-industry implementations are moving closer to the smart-card level of security, primarily to address the well-publicized security hole in WAP 1.0. That security hole made it possible for decrypted traffic to be intercepted as it passed from wired to wireless networks. This threat was downplayed in the security community because the vulnerable transfer point was under the security umbrella provided by carriers. Still, the breach was addressed in WAP 1.2, which requires a Wireless Identity Module, essentially a tamper-resistant smart card that uses PKI certificates to ensure continuous encryption throughout the connection.
"WIM cards using PKI ensure end-to-end security for wireless devices," says Skip Bryan, director of technology market development at Ericsson Cellular. Wireless Identity Modules that meet the WAP 1.2 specification should generally be incorporated into wireless phones available early next year.
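The WAP 1.0 gap described above, modelled as an added example that is not part of the original article: a gateway that ends the wireless-side session and opens a new wired-side one holds the cleartext in between, while a payload encrypted between handset and server stays opaque to it. The toy cipher stands in for WTLS and SSL, and `Gateway`, `send`, `demo`, the keys and the sample message are assumptions made for illustration.

```python
import hashlib, hmac, os

MSG = b"TRANSFER 2500.00 FROM acct-A TO acct-B"  # constructed sample message

def _xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode). It stands in for WTLS/SSL
    # record encryption, gives confidentiality only, and is not for real use.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(12)
    return nonce + _xor_stream(key, nonce, plaintext)

def unseal(key, sealed):
    return _xor_stream(key, sealed[:12], sealed[12:])

class Gateway:
    """Hypothetical carrier gateway bridging the wireless and wired sessions."""
    def __init__(self, wtls_key, ssl_key):
        self.wtls_key, self.ssl_key = wtls_key, ssl_key
        self.seen = []  # bytes held in gateway memory between the two sessions

    def relay(self, from_phone):
        inner = unseal(self.wtls_key, from_phone)  # wireless session ends here
        self.seen.append(inner)
        return seal(self.ssl_key, inner)           # new wired session starts here

def send(message, gateway, e2e_key=None):
    # With e2e_key (assumed to be agreed between handset and server, for
    # example via PKI keys held on a WIM) the payload is sealed before the
    # wireless hop and opened only at the server.
    payload = seal(e2e_key, message) if e2e_key else message
    at_server = unseal(gateway.ssl_key, gateway.relay(seal(gateway.wtls_key, payload)))
    return unseal(e2e_key, at_server) if e2e_key else at_server

def demo():
    hop = Gateway(os.urandom(32), os.urandom(32))
    e2e = Gateway(os.urandom(32), os.urandom(32))
    return {
        "hop_delivered": send(MSG, hop),
        "e2e_delivered": send(MSG, e2e, e2e_key=os.urandom(32)),
        "hop_gateway_saw": hop.seen[0],  # cleartext at the transfer point
        "e2e_gateway_saw": e2e.seen[0],  # nonce plus ciphertext only
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```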
Businesses in other industries are also interested in wireless security so that they can enable wireless remote access to E-mail as well as ERP and other back-office applications. Pacific Coast Building Products Inc., a private manufacturer of blocks, bricks, and other building materials based in Sacramento, Calif., turned to a server from Wireless Knowledge Inc. that lets employees in nine states access E-mail, calendars, and other information on a Microsoft Exchange Server via the AT&T wireless network. Pacific Coast investigated alternatives, including an outside Post Office Protocol 3 server, but rejected them either for security or convenience reasons.
The Wireless Knowledge server, which sits behind the firewall, routes communications to and from the Exchange Server. Access is verified by user IDs, passwords, and phone-specific IP addresses from WAP-enabled Ericsson R280LX cell phones. "Security has been tested, and it hasn't been an issue at all," says David Matteoli, Pacific Coast's NT administrator, who says that many concerns were addressed because data was encrypted over the AT&T network. After a successful 60-phone pilot, Pacific Coast is testing wireless-enabled Windows CE devices. Matteoli soon hopes to provide access to the company's SAP applications, which will, for instance, let remote sales representatives check order status from the field.
As wireless applications become more common and proven implementations meet the high security standards of financial institutions, the overarching issue is the integration of wireless into IT environments. There are several points to address within the next six to nine months, says Ericsson's Bryan. One is the impact that wireless may have on existing environments. Wachovia's Baxter says that with wireless, the nature of some online transactions changes from batch to near real time. This could mean hardware upgrades and other steps to ensure the necessary responsiveness.
Other day-to-day challenges involve asset management for tracking a multitude of handheld devices, and privilege management for different levels of access for different users and devices. The other issue is whether to handle wireless access internally, as Pacific Coast does, or to outsource it, as Suretrade does, to companies such as Mobile Logic Inc.
Gartner's Pescatore says companies can choose a middle ground--outsourcing to manage a secure wireless connection, but keeping privilege and asset management in-house. That's because secure connectivity is outsourced to carriers and others, while privilege and asset management involve access to corporate data.
IT managers may also be stymied by a personnel headache when developing wireless apps. MasterCard's Jarman says there are only 300 to 400 WAP developers in the world.
Illustration by Richard Borge