IBM — End-to-end wireless security
December 2001
End-to-end wireless security: Integrated solutions that protect your business and your customers
Authors: The Wireless Security Acceleration Team
New wireless technology = new vulnerabilities = new risks
“The growing corporate appetite for remote LAN, Internet, extranet/intranet and wireless access services will drive the need for advanced information security services as technologies for circumventing network security systems continue to keep pace with the technologies designed to defend against them. The growth in this market will come from clients who recognise the value of engaging third-party service providers skilled at developing customised security strategies that solve real business problems. By implementing a best-in-class security architecture coupled with continuous monitoring and management of the infrastructure, security service firms enable clients to mitigate the risks associated with their business.”
Allan Carey, IDC Senior Analyst
Mobile e-business is here. Employees are bringing their personal
devices into the working environment; new technologies are enabling
on-the-move e-business transactions and access to information; and
corporations have an increasing interest in the massive opportunities
presented by wireless access service.
Airlines are piloting programmes where passengers can check up-to-
date flight details and even check-in using their mobile phone.
Businesses are equipping their workers with a variety of mobile devices
used for an infinite number of purposes: hot desking, selling and other
e-business transactions. Users’ expectations are increasing — they want
to receive work emails on their PDAs; they want to purchase items
using their mobile phones; they want to be able to use their laptops
to access a network from anywhere. The possibilities are as endless as
the expectations.
Contents
2 New wireless technology = new vulnerabilities = new risks
8 End-to-end wireless security — the IBM value proposition
11 Software for wireless security
17 Hardware solutions
24 Conclusion
26 About the Authors
Wireless technology is growing at an exponential rate. Companies that
want to lead in their market have already deployed mobile solutions. But
doing so is pointless unless you understand one vital concept: Wireless
e-business creates a whole new set of security risks and challenges.
Wireless expands the boundaries of your current IT infrastructure and
comes with an unprecedented degree of complexity — including the
need to manage the sheer range of devices and technologies and the
array of potential threats to your business.
Wireless e-business raises a new set of security implications that
need to be understood and addressed. Success in the mobile
environment is dependent on the development and deployment of
an end-to-end security solution that protects your wireless network,
devices, applications and data — continuously. If you can protect your
business and build trust with customers, wireless e-business offers
endless benefits — increased productivity, improved customer service,
streamlined communication with customers, employees and suppliers.
Fail to do this and your business will pay the consequences.
It’s not enough to merely decide that you’re going to equip your
employees with PDAs. How are you going to ensure that customer
information sent over a wireless network is secure and won’t expose your
company to a consumer backlash? Will your efforts to provide ‘always
on’ connectivity leave your customer information vulnerable? These
and a thousand other questions need to be addressed to ensure a viable,
sustainable business model for wireless e-business.
You know how your office is affected when your IT server goes down
for even a few hours. Imagine the consequences of a breach or failure
in your wireless solution. You need to know where your solution is
vulnerable and then know how to fill in those gaps. You need to ensure
that every conceivable security issue is covered without sacrificing
ease-of-use or customer access to your business.
Key Topics
• Explores the security benefits of wireless e-business.
• Outlines key challenges and developments in wireless security and how to best address them.
• Discusses the consequences of failed security practices.
• Details IBM’s end-to-end wireless security solution, encompassing hardware, software and services.
• Describes tangible scenarios for IBM’s solution and illustrates how the offering can integrate with your existing business practices and infrastructure.
Understanding the risks in wireless security
To address the potential risks in wireless security, you need to
understand them. Here are just a few risk-points in typical wireless
e-business infrastructures:
Weaknesses in WAP
Wireless Application Protocol (WAP) was the first technology that enabled mobile e-business, but it received endless bad press because of bandwidth and device limitations. Unfortunately, because of its slow take-up, little attention has been paid to security. WAP does not provide end-to-end encryption: the WTLS session from the handset terminates at the WAP gateway, which decrypts the traffic before re-encrypting it with SSL towards the origin server. Data therefore passes through the gateway in cleartext, and anyone who operates or compromises the gateway can read it.
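To make the gateway exposure concrete, here is an added example (not code from this paper or from IBM) that models the two encrypted legs with separate keys, so the gateway has to decrypt in order to re-encrypt. The toy HMAC-based keystream cipher, the key sizes and the application-layer key shared only between phone and origin server are assumptions for illustration; WAP and WTLS themselves provide no such application layer.

```python
"""Hop-by-hop versus end-to-end protection, modelled on the WAP gateway.

Constructed example: the 'WTLS' leg (phone <-> gateway) and the 'SSL' leg
(gateway <-> origin server) use separate keys, so the gateway must decrypt
before it re-encrypts. A toy keystream cipher built from HMAC-SHA256 in
counter mode stands in for the record protection; it is NOT a real cipher
and exists only to make the key boundaries visible.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC, then decrypt. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Gateway:
    """WAP gateway: terminates the WTLS leg and opens a new SSL leg.

    Everything it forwards passes through self.observed exactly as the
    gateway sees it. That list is the 'WAP gap'.
    """

    def __init__(self, wtls_key: bytes, ssl_key: bytes) -> None:
        self.wtls_key, self.ssl_key = wtls_key, ssl_key
        self.observed = []

    def forward(self, wtls_record: bytes) -> bytes:
        payload = open_sealed(self.wtls_key, wtls_record)
        self.observed.append(payload)
        return seal(self.ssl_key, payload)


def run_transaction(message: bytes, end_to_end: bool) -> dict:
    """Send `message` from phone to origin server via the gateway.

    end_to_end=False: link encryption only (WTLS, then SSL).
    end_to_end=True : the phone additionally seals the message with an
    assumed application-layer key shared only with the origin server,
    so the gateway relays an opaque blob.
    """
    wtls_key, ssl_key, app_key = os.urandom(32), os.urandom(32), os.urandom(32)
    gateway = Gateway(wtls_key, ssl_key)

    payload = seal(app_key, message) if end_to_end else message
    ssl_record = gateway.forward(seal(wtls_key, payload))   # phone -> gateway -> origin

    received = open_sealed(ssl_key, ssl_record)             # origin strips the SSL leg
    if end_to_end:
        received = open_sealed(app_key, received)           # ...and the application layer

    return {"gateway_saw": gateway.observed[0], "origin_got": received}


if __name__ == "__main__":
    msg = b"card=4111111111111111&amount=42.00"
    for mode in (False, True):
        r = run_transaction(msg, end_to_end=mode)
        print(f"end_to_end={mode}: gateway saw plaintext? {r['gateway_saw'] == msg}")
```

With link encryption only, the gateway's `observed` list holds the card number in the clear; with the application-layer key it holds an opaque blob, which is exactly the distinction the paragraph draws. The same structural point applies to any proxy or accelerator that terminates TLS on the server side.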
Weaknesses in GSM/GPRS networks
GSM and GPRS wireless wide area network protocols contain cryptographic weaknesses that could allow data to be disclosed by eavesdroppers. Their encryption also protects only the radio link into the operator’s network, not the path beyond it, so it cannot be relied upon as end-to-end protection for application data.
Weaknesses in wLAN (802.11) and wPAN (Bluetooth) networks
Wireless Local Area Networks (wLAN) have already been deployed by a number of companies to support hot desking, at-home working and flexible provisioning of mobile services. However, by default, wLANs offer no security: access points ship with encryption disabled, and the optional WEP encryption defined in 802.11 has known cryptographic weaknesses. Unless additional security measures are deployed, networks are wide open to outside intervention, or ‘drive-by hacking’, potentially exposing personal, corporate and business-critical data. Bluetooth Wireless Personal Area Networks (wPAN) are also an efficient, cost-effective way of connecting mobile devices and intelligent appliances, but without adequate security measures in place, this too could provide an opportunity for unauthorised access to data.
Meeting the Challenge of Wireless Security
Are you confident your organisation is
prepared for the security challenge of
wireless e-business?
These are just a few of the critical issues
companies now face:
• How can you ensure uninterrupted
access to your business?
• How can you be sure that your existing
security controls will hold up to your
long-term business plans?
• What security controls do you need to
implement?
• How can you leverage new methods
and technologies while maintaining a
high level of security?
• How can you prepare for an industry-
recognised security certification?
Limited security built into mobile devices
Most mobile devices have little or no built-in security functions. Even something as simple as a password has security implications: users who choose to deactivate their passwords could inadvertently allow unauthorised access to applications and data should the device be lost, stolen or tampered with. Additionally, wireless devices may have Over The Air (OTA) remote configuration facilities that could be exposed and abused. They are also susceptible to viruses and ‘Trojan horse’ malicious code.
‘Always-on’ connectivity increases the window of opportunity for hackers
While ‘always on’ connectivity is perhaps one of the more attractive features of wireless technology, it is also one of the most dangerous with regard to security. Not only does it increase the window of opportunity for hackers to access your system, ‘always on’ means that this can often be done without the user knowing it: if a device is in a purse, a pocket or a briefcase, the user will not be able to detect that something has gone amiss.
Privacy issues with location-based services
Privacy is not the same as security, but the two are inextricably linked:
you cannot manage privacy without sound security. Security relates to
the protection of the organisation’s assets. Privacy relates to the way
organisations handle personal information, such as customer names,
addresses, credit card numbers and spending habits. Location-based
services will enable businesses to provide relevant information to users,
be that retail, food, entertainment, telematics and more. But the very
nature of location-based services means that users’ movements must be
tracked in order to provide timely, appropriate information. However,
consumers are justifiably concerned about how this will impact their
privacy, as well as the confidentiality of their information. Companies
will need to win their customers’ trust by developing systems that offer
the highest levels of security and privacy.
Rapidly developing technologies, increased complexity and immature standards
Mobile technologies are evolving at a rapid rate, with new products and
services sometimes being offered on a daily basis. You want to stay ahead
of the game, but implementing a new service isn’t as simple as it sounds
— new technologies often don’t have full or suitably tested and verified
security measures in place. Immature standards for user and device
authentication, executable content security and stores data security
also create vulnerabilities. Additionally, you are often dependent on
third-party providers to exchange your data through multiple networks,
making it difficult for you to assure that all transactions and data
transfers are secure.
Existing ‘wired’ controls will be pushed to their limits
While a wireless application needs certain hardware, software and
services to run properly, these services may also be reliant on existing
‘wired’ controls that may not have been initially designed to support
wireless security services. It is not enough to simply attach wireless
hardware and software to your existing infrastructure — while many of
your current e-business investments can be leveraged for use in your
mobile network, you need a strategy for how all of these components are
going to link together.
Implementing wireless security — partnering with a trusted provider
The key to tackling these challenges is to work with a trusted partner
whose understanding of wireless security comes from developing
pioneering solutions and tackling real security problems for a range of
global businesses. Security is about trust — your customers trust you to
protect their confidential information, your employees, customers and
business partners trust you to provide uninterrupted, quality service as
promised by your brand. Any breach or glitch in security will affect the
perception of your brand, therefore you need to trust that your provider
has covered all the bases.
A truly effective, future-proofed wireless security system is an
end-to-end solution that offers integrated security technology
(hardware and software), processes and organisational solutions. Your
partner also needs to be able to manage your security over time.
Changes in the business and political environment as well as new
technologies and developments, come with new security implications
and your partner needs to be able to address these quickly, while
ensuring that your business service is uninterrupted. You also want a
partner who is able to provide you with pioneering research, enabling
you to implement new services ahead of your competitors, and counter
security issues before they’re even raised.
Read on to discover how IBM’s innovation, research and global expertise
and experience can meet all of the challenges presented by wireless
security.
Covering all the issues
Knowing that you can provide end-to-end wireless security is knowing that you can cover all of these issues:
Authentication
Ensuring that users, clients and servers prove their identity to each other.
Confidentiality
Preventing eavesdropping during data communication or disclosure from applications or storage media.
Authorisation
Prohibiting the improper use of data and services by allowing only authorised users to have access to information.
Data Integrity
Verifying that data has not been altered in transit by a third party, preventing forgery, tampering and unauthorised alteration.
Non-repudiation
Preventing parties from falsely denying data transactions after they have taken place, enforcing accountability for electronic transactions.
Privacy
Providing methods that allow users to control what personal information is provided to applications and other parties and how it is used.
Trust
Ensuring that your solution partner and third-party providers can be relied upon.
End-to-end wireless security — the IBM value proposition
“[IBM’s offering is] a pretty complete solution for mobilisation. It’s
indicative of the complete package people are looking for.”
Mark Plakias, Kelsey Group Analyst
As we have established, an effective security strategy is crucial
for organisations that wish to exploit the opportunities of wireless
e-business. You need to protect your business and your brand,
by ensuring that all customer and business-critical information is
protected. You also need to ensure that all information is used in
such a way that it provides superior service without compromising the
trust of your customers, partners or employees. You need an integrated,
end-to-end solution that leaves no stone unturned, which also leverages
your existing IT investments.
IBM is responding to customer demand for an end-to-end package
that allows security policies already in place for wired networks to be
extended to wireless networks. Using a strategic approach to ensure all
security issues are covered and applying a range of industry-leading
products, methodologies and services, IBM can now offer an integrated,
comprehensive solution that meets the security needs of all companies
entering the wireless domain.
Defining the challenge of end-to-end security
For IBM, end-to-end means exactly what it implies: seek out the problem, devise a solution by integrating the best combination of products and services, implement that solution, then manage it continuously so that as the market and technologies change, the solution holds strong.
IBM has identified a number of key dimensions that need to be
considered in designing end-to-end security solutions for wireless
e-business:
The technology span
An end-to-end security strategy needs to encompass an increasingly
complex technology chain, including mobile phones, laptops and
PDAs from multiple vendors, multiple operating systems, various
network standards, wireless e-business applications, and IT management
frameworks. Naturally, all these components need to be addressed by a
coherent, integrated solution.
Field Force Automation
Challenge
A large, online courier company wanted to improve its services in the competitive delivery marketplace. Other companies were simply able to deliver faster and provide greater security for high-value items.
Solution
When a customer places an order online for a package to be collected and delivered, a consignment number is given. The courier picks up the item, which the customer signs for electronically on a WAP-enabled PDA supported by WebSphere Everyplace Server.
Through the WAP browser, the courier accepts and transmits details to a central processor, alerting them of the existence of the package so they can start arranging for further movements. This process seamlessly tracks the package’s movement and improves delivery efficiency. All data is encrypted, ensuring that all content and insurance details, addresses and personal information are safe.
People, processes, culture and organisation
Security is not just about technology; it is also about people.
Often, the bigger security breaches are just as much the result of
human error as of technical vulnerability. The question
is, how can you minimise the security risks associated with human
oversight? IBM can address the technical and cultural aspects of security
in wireless e-business, helping your company to manage changes within
work culture, organisational transformation and corporate policies.
Managing change, minimising disruption
The pace of change is also a key consideration when planning security
solutions for wireless e-business. As new technologies arrive, new
vulnerabilities and risks will inevitably need to be addressed. IBM’s
global team of IT and business experts can help ensure your security
systems and policies keep pace with change and that your day-to-day
business goes uninterrupted as you anticipate and manage new threats
to your security.
Your security systems and processes are only as strong as the weakest
link in the chain. That means an end-to-end approach is the only way
to protect your business and safeguard relationships built on trust with
your customers.
Leveraging world-wide expertise, cutting-edge innovation and an array of world-renowned business partners, IBM’s end-to-end offering covers all wireless security needs, including software, hardware, services and maintenance.
A company-wide initiative
Given the scope and scale of the security challenges associated with
wireless e-business, organisations need to tap into a vast breadth and
depth of expertise encompassing a range of IT and business disciplines.
IBM’s wireless solution offering represents a major company-wide
initiative to help businesses identify mobile and wireless vulnerabilities,
and to develop robust end-to-end solutions with the highest levels of
in-built security.
IBM is already working with leading organisations around the world on
wireless security engagements to plan, develop, implement and manage
secure wireless e-business applications in the field. As a result of this
pioneering work, the end-to-end wireless security offering leverages
IBM’s global assets and intellectual capital, including:
• Pioneering research that includes the development of the industry’s
first wireless LAN security auditing tool, Wireless Security Auditor*
• Intellectual capital — expertise and experience captured from the
world’s largest IT services company, with a global representation
• New wireless e-business security service offerings from IBM Security
and Privacy Services, extending its expertise in security to specific
business issues, risks and opportunities in the wireless environment
• A suite of security-optimised software for wireless e-business,
including WebSphere* Everyplace Server, Domino* Everyplace
Access Server and Tivoli* wireless e-business management solutions
• Security-enabled hardware for wireless e-business, including
embedded security subsystems for ThinkPads* and NetVista* PCs
• Valuable support and expertise in specific regions, markets and
technologies from IBM’s unrivalled community of business partners
IBM’s extensive expertise and work processes, innovative wireless
security software and hardware are combined to offer the most
comprehensive, end-to-end wireless security solution on the market.
Let’s now look at these essential components in greater detail.
Sales Force Automation
Challenge
A large insurance company wanted to utilise technology to enable its salesforce to process customer orders in the field. It had the back-end system to support these transactions, but the system needed to be optimised to ensure security in the transactions. The company also needed to provide its sales professionals with secure devices.
Solution
WebSphere Everyplace Server enabled the company to take existing sales applications and make them available on a mobile platform. Salespeople are now able to securely connect to every sales resource within the company from any device over a virtual private network. The devices used in the field are equipped with Embedded Security System (ESS) and all customer data (billing address, credit card information) is encrypted when sent over the network. Transaction authorisation is processed through Tivoli Policy Director, while potential security breaches are monitored using Tivoli Risk Manager.
Software for wireless security
“IDC, 2001 rate IBM as the broadest scope vendor with the highest market share.”
Ongoing security management
The complex mix of technologies and processes that need to be constantly
monitored, plus the range of new threats that arise in wireless e-business,
create a massive challenge. You need automated systems and policies
for managing authorisation, subscription services, and detecting threats
and system abuses — systems that can be easily managed from a central
point of control.
IBM has developed an integrated solution that provides centralised
security management through a strategic combination of products offered
by its software divisions, Tivoli, WebSphere and Domino: security
management, including intrusion detection and identity management, is
provided by Tivoli Risk Manager and Tivoli Identity Director; wireless
gateway, authentication and encryption functionality is provided by
WebSphere Everyplace Server and Domino Everyplace Access Server;
authorisation is provided by Tivoli Policy Director.
Covering all the issues
IBM’s end-to-end wireless security
offering is made available through IBM
Global Services. The company is also
tapping into technology, products and
services from multiple business units:
IBM Research, IBM Software Group and
IBM’s Personal Computing Division.
This company-wide initiative aims to
help companies identify mobile and
wireless vulnerabilities, establish security
policies, provide secure authentication
and authorisation of users, protect the
integrity and confidentiality of business
transactions from origin to destination
and provide security management of the
technology and organisation.
This software combination is also the first to include security
authentication and authorisation capabilities for both Wireless
Application Protocol (WAP) and iMode devices in one solution.
Tivoli, WebSphere and Domino provide specialised security functions —
a company’s need for these functions will vary based on unique business
requirements and the results of IBM’s wireless security assessment.
Tivoli Risk Manager
Part of IBM’s overall wireless security framework, Tivoli Risk
Manager is an enterprise-wide solution enabling organisations to
centrally manage attacks, threats and exposures by correlating security
information from multiple, heterogeneous firewalls, intrusion detection
sensors, vulnerability scanning tools and other security measures. One
of the sensors provided for Risk Manager also includes the IBM Wireless
Security Auditor (WSA), which audits wireless LAN networks for proper
security configuration.
Security benefits of Tivoli Risk Manager:
• Centralised, automated risk detection and management
• Intelligent correlation engine prioritises alerts, enabling rapid
response
• Adaptors available for integration with Wireless Security Auditor
• Ease-of-use for both problem identification and resolution.
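As an added illustration of the correlation the passage describes (this is not Risk Manager code, nor its event format), the following Python takes constructed events from a firewall, an intrusion detection sensor and a wireless LAN auditor, groups network events per source address within a time window, and weights each cluster by how many independent sensors corroborate it. The sensor names, log layout, severity weights and the rule that an unprotected access point is always critical are assumptions.

```python
"""Cross-sensor alert correlation: constructed example, not Tivoli Risk Manager code.

Event line layout (assumed): sensor|timestamp|kind|key=value|key=value...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed from three sensors.
SAMPLE_EVENTS = """\
fw|2001-12-03T09:12:01|deny|src=10.1.5.7|dst=10.0.0.20|dport=445
ids|2001-12-03T09:12:03|alert|src=10.1.5.7|dst=10.0.0.20|sig=SMB share enumeration
ids|2001-12-03T09:12:08|alert|src=10.1.5.7|dst=10.0.0.21|sig=SMB share enumeration
wsa|2001-12-03T09:15:30|finding|ap=00:02:2d:11:22:33|ssid=corp-wlan|encryption=none|auth=open
fw|2001-12-03T10:40:00|deny|src=192.168.9.2|dst=10.0.0.5|dport=80
"""

# Assumed per-sensor weights: a signature match says more than one dropped packet.
SEVERITY = {"fw": 1, "ids": 3, "wsa": 4}
# Assumed policy: an access point with no encryption or open authentication
# extends the LAN past the building and is always rated critical.
OPEN_AP_SCORE = 10


def parse_event(line):
    """Split one feed line into a dict with parsed timestamp and key=value fields."""
    sensor, ts, kind, *pairs = line.strip().split("|")
    event = {"sensor": sensor, "time": datetime.fromisoformat(ts), "kind": kind}
    event.update(p.split("=", 1) for p in pairs)
    return event


def band(score):
    return "critical" if score >= 10 else "high" if score >= 5 else "low"


def correlate(text, window=timedelta(minutes=5)):
    """Return alerts sorted by descending score.

    Network events are grouped per source address into clusters spanning at
    most `window`. A cluster's score is the summed sensor severity multiplied
    by the number of distinct sensors that saw the source, so corroboration
    by two independent tools outranks many events from a single tool.
    """
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    alerts = []

    # Rule 1: WLAN auditor findings about unprotected access points.
    for e in events:
        if e["sensor"] == "wsa" and (e.get("encryption") == "none" or e.get("auth") == "open"):
            alerts.append({"score": OPEN_AP_SCORE, "band": band(OPEN_AP_SCORE),
                           "title": f"unprotected access point {e['ap']} ({e['ssid']})",
                           "evidence": [e]})

    # Rule 2: per-source clustering of firewall and IDS events.
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:
            by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        cluster = []
        for e in evs + [None]:                       # None flushes the final cluster
            if e is not None and (not cluster or e["time"] - cluster[0]["time"] <= window):
                cluster.append(e)
                continue
            sensors = {c["sensor"] for c in cluster}
            targets = {c["dst"] for c in cluster}
            score = sum(SEVERITY[c["sensor"]] for c in cluster) * len(sensors)
            alerts.append({"score": score, "band": band(score),
                           "title": f"{src} -> {len(targets)} host(s), seen by {', '.join(sorted(sensors))}",
                           "evidence": cluster})
            cluster = [e] if e is not None else []

    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['band']:8} {a['score']:3}  {a['title']}  ({len(a['evidence'])} events)")
```

On the sample feed the probe from 10.1.5.7 ranks first because the firewall and the IDS both saw it against two hosts, the open access point is critical on policy alone, and the single dropped packet from 192.168.9.2 stays low. Changing the window or the weights is the tuning a real console exposes; the structure (normalise, cluster, corroborate, rank) is what lets an operator act on a short list rather than the raw feed.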
Tivoli Policy Director
IBM is delivering secure access management (authentication and
authorisation) software for the delivery of secure mobile transactions
and access to e-business applications over wireless network channels.
The latest version of Tivoli Policy Director is the industry’s first
software that enables organisations to provide Web single sign-on and
authorisation to mobile transactions and applications accessed through
both WAP and iMode devices. As part of IBM’s end-to-end wireless
security solution, Policy Director enables organisations to deliver a
consistent security policy and secure end-user experience extending
across both their wired and wireless enterprise applications and portals.
Policy Director provides fine-grained access control for Web
applications and resources without requiring any modifications
to a customer’s existing Web-based applications. It also enables
organisations to authorise and secure the IBM messaging system
MQSeries by providing protection for both messages and the message
queues.
In addition, Tivoli Policy Director helps companies protect Web
resources including URLs, scripts and data that can be accessed by
traditional Web browsers or WAP-enabled devices. Giving companies
the power to control access to e-business applications and data accessed
through WAP devices reduces the cost and complexity of extending
e-business to Web phones and other WAP devices.
Tivoli Policy Director for WebSphere
Policy Director’s authorisation service can also be integrated into
IBM’s WebSphere Application Server environment, providing access
control to WebSphere-based resources. Policy Director is compatible
with WebSphere Transcoding Publisher and is a leading solution for
secure access to e-business applications from a broad range of pervasive
devices.
Security Benefits of Policy Director:
• Web single sign-on and authorisation to mobile transactions and
applications accessed through WAP and iMode
• Access control management centralises network and application
security
• Compatibility with other platforms, including WebSphere
• Delivers secure remote access and personalised access.
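The following added example (not Policy Director code) shows how one hierarchical protected-object space with inherited ACLs can answer a browser request and a WAP-gateway request with the same decision, and why the URL must be canonicalised before the lookup. The object paths, group names, permission letters and the rule that an attached ACL replaces its parent's are assumptions chosen for illustration.

```python
"""Hierarchical protected-object space with inherited ACLs.

Constructed example of policy-based Web access control; paths, groups and
permission letters are assumptions, not Policy Director's own.
"""
import posixpath


class ObjectSpace:
    def __init__(self):
        self.acls = {}  # object path -> {group: set of permission letters}

    def attach(self, path, acl):
        self.acls[posixpath.normpath(path)] = {g: set(p) for g, p in acl.items()}

    def effective_acl(self, path):
        """Nearest explicitly attached ACL at or above `path`.

        An attached ACL replaces its parent's rather than merging with it, so
        tightening a subtree cannot be undone by a permissive ancestor.
        """
        node = posixpath.normpath(path)
        while True:
            if node in self.acls:
                return node, self.acls[node]
            if node == "/":
                return "/", {}
            node = posixpath.dirname(node)

    def authorised(self, groups, path, perm):
        _, acl = self.effective_acl(path)
        return any(perm in acl.get(g, ()) for g in groups)


def canonical(url):
    """Reduce a request URL to the object path the policy is keyed on.

    Scheme, host and query are dropped and '..' segments collapsed, so
    /app/orders/../../public/x cannot be used to dodge the ACL on /app.
    """
    path = url.split("://", 1)[-1]
    path = path[path.find("/"):] if "/" in path else "/"
    path = path.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


class Session:
    """Established once (forms login in a browser, basic auth relayed by the
    WAP gateway); afterwards the channel is irrelevant to the decision."""

    def __init__(self, user, groups, channel):
        self.user, self.groups, self.channel = user, set(groups), channel


def authorise(space, session, url, perm):
    """Single decision point for every channel. `session` is None when unauthenticated."""
    path = canonical(url)
    groups = session.groups if session else {"unauthenticated"}
    return {"path": path,
            "acl_from": space.effective_acl(path)[0],
            "allowed": space.authorised(groups, path, perm)}


def build_policy():
    space = ObjectSpace()
    space.attach("/", {"unauthenticated": "r", "staff": "r", "sales": "r"})
    space.attach("/app", {"staff": "r", "sales": "r"})        # login required below here
    space.attach("/app/orders/submit", {"sales": "rx"})       # staff lose access at this node
    return space


if __name__ == "__main__":
    policy = build_policy()
    alice_wap = Session("alice", ["sales"], "wap")
    bob_web = Session("bob", ["staff"], "web")
    for who, url in ((alice_wap, "https://m.example.test/app/orders/submit?id=7"),
                     (bob_web, "/app/../app/orders/submit"),
                     (None, "/app/orders/../../public/index.wml")):
        print(getattr(who, "user", "anonymous"), authorise(policy, who, url, "x" if who else "r"))
```

Note that the decision depends only on the session's groups and the canonical object path: the WAP phone and the desktop browser hit the same node and get the same answer, which is what "consistent policy across wired and wireless" means in practice. The canonicalisation step is the part most often skipped in home-grown gateways, and it is where path-traversal bypasses of URL-based policy usually come from.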
Tivoli Identity Director
Tivoli Identity Director provides policy-based identity management
across legacy and e-business environments. Intuitive Web administrative
and self-service interfaces integrate with existing business processes
to help simplify and automate managing identities, while improving
administrator productivity. It incorporates a workflow engine and
leverages identity data for activities such as audit and reporting.
As your organisation moves forward with e-business initiatives and
continues to grow due to mergers, acquisitions and partnering, there
is a need to increase the efficiency and reduce the cost of managing
user information and provisioning of user services. Employee turnover
and fluctuating user populations only make user lifecycle management
more costly and complex. In these dynamic and diverse environments,
ensuring that only the right people have access to the right data and
applications within your organisation can become a security nightmare.
Tivoli Identity Director addresses these business issues by providing a
single point for managing users and a consistent access control policy that
integrates with existing environments. Tivoli Identity Director provides
self-service interfaces that integrate with the processes for managing
individuals and their interaction with your business, while the embedded
workflow engine automates the approval and submission processes.
Security benefits of Tivoli Identity Director:
• Reduces costs: enables efficient management of users and their
access to resources
• Increases productivity: provides automated workflow and
delegated administration
• Quickly realise ROI: brings users, systems and applications online
faster.
IBM has leveraged the strengths of Tivoli Risk Manager, Tivoli Policy Director
and Tivoli Identity Director in Web-based security monitoring,
securing transactions and user authentication, authorisation and
management in the wireless security space. By implementing Tivoli as
part of their wireless solutions, organisations can be confident that their
wireless environments are proactively monitored and managed to the
highest security standards.
WebSphere Everyplace Server Security
WebSphere Everyplace Server is a comprehensive solution that provides
tools and middleware infrastructures to enable customers to rapidly
deploy and manage mobile e-business services.
The solution has been designed to enable customers with existing
e-business infrastructures to capitalise on the wireless Web by reaching
out to new customers via mobile phones, handheld computers and other
wireless appliances.
Security software enables secure connections between pervasive
devices and applications across mobile and land line networks.
It provides authentication and single sign-on for users of all functions within the WebSphere Everyplace domain, including Domino applications. It can also be integrated with Policy Director to provide authorisation and fine-grained access control, limiting application access by limiting user access.
Security Benefits of WebSphere Everyplace Server:
• Support for multiple authentication methods, including basic Web authentication, forms-based authentication and certificates, as well as support for Tivoli Policy Director
• Encryption of data transmission across wireless and land-line
networks.
• Support of authentication by other vendor gateways (e.g. Nokia)
• Client software available for laptop and PDA clients to protect the
confidentiality and integrity of data across wireless networks using
IBM’s two party key distribution protocol (TPKDP).
Domino Everyplace Access
Domino Everyplace Access provides wireless access to corporate email,
calendars, directories and WAP-enabled Domino applications. With
Mobile Notes and Domino Everyplace Access you can move beyond
wireless e-mail and into full service Personal Information Management
(PIM) capabilities and access to business applications such as sales force
automation, field service and customer relationship management. Now
you can rapidly enable Domino collaborative applications for wireless
access.
With Domino Everyplace Access server you can associate an authorised
user with each mobile device, track what network a device is used
on, encrypt data in transmission and more. Familiar, robust Domino
security features control who gets into your network and what gets out
over it. Domino Everyplace Access builds on this secure environment
with standards such as SSL and WTLS.
Security Benefits of Domino:
• Enhances wireless access to Domino, providing Mobile Notes access
from a WAP phone to critical business information
• Single-point access to e-mail, PIM and applications
• Customisable Mobile Notes homepage for a single point of access to
vital information and Domino applications
• Central administration through tight integration with Domino
administration and directory services, letting you configure and
manage all your wireless services and devices from a central location
• Leverages Domino security features for user authorisation and
encryption of data over wireless networks.
Hardware solutions
IBM provides a number of hardware options for wireless security.
Combining these with IBM wireless security software, and extending
IBM’s embedded security subsystem to encompass the NetVista desktop
and ThinkPad Notebook computer lines, IBM ensures that devices,
wireless e-business applications and data are safeguarded against
security breaches.
Embedded Security Subsystem (ESS)
The IBM Embedded Security Subsystem (ESS) provides hardware-
based protection of critical security information, including passwords,
encryption keys, and electronic credentials, protecting information
and PCs from ‘sniffers’, Trojan horses, and other potential invaders.
Embedded into both the IBM ThinkPad and the NetVista desktop, ESS
helps identify computer users involved in transactions, and ensures that
data transmissions are authentic, confidential, and intact.
ESS consists of a cryptographic microprocessor designed to interface
with common security protocols. Built into the system board of
an IBM NetVista desktop or ThinkPad notebook, the cryptographic
microprocessor is an advanced chip that employs encryption keys and
processes to help secure data, communications and identity. The chip
stores a user’s encrypted keys and supports Public Key Infrastructure
(PKI) operations, such as encryption for privacy and digital signatures
for authentication, within the protected environment of the chip.
Unlike software-only solutions, ESS is physically located on the
motherboard and performs PKI operations and other functions within a
secure, separate hardware environment. The encryption functions are
harder to compromise because the operations are not performed in main
memory and the private keys are never stored on the hard disk drive,
where malware or a stolen drive could expose them.
ESS can also be used in combination with embedded wireless LAN
interfaces, helping to protect against wireless LAN security
issues. Select IBM ThinkPads with built-in WLAN capability are now
equipped with ESS.
Wireless Micro Payments
Challenge
A parking facilities management company wants to offer its customers the option of paying for parking via a WAP-enabled application.
Solution
Customers can now reserve or pay for parking using a WAP-enabled device, accessing the parking company’s WAP site via WebSphere Application Server. As in all wireless payment scenarios, authentication is an important issue. IBM therefore worked with a telecoms supplier to develop software that authenticates the customer using the SIM/WIM card in the handset. WebSphere Payment Manager then handles the transfer of funds in a secure environment.
IBM 4758 PCI Cryptographic Coprocessor
IBM 4758 PCI Cryptographic Coprocessor is a hardware solution
for providing accelerated cryptographic operations on IT servers.
It incorporates specialised electronics to relieve a server from
time-consuming cryptographic functions while providing a tamper-
responding, secure computing environment for the storage of keys
and performance of sensitive processing. It is available for all IBM
server platforms and many personal computers, providing high-security
cryptography and secure computing.
Only digitally signed software whose signature the Coprocessor validates
can be loaded into it. Code-loading controls let companies run signed
software from IBM, from other vendors, or code created using toolkits
available from IBM. The Coprocessor also detects physical attacks
(probing, voltage, temperature and radiation) and responds by erasing
the keys it holds. IBM supplies two cryptographic-system implementations
and toolkits for custom application development.
Bluetooth-enabled solutions
IBM is already developing Bluetooth applications that enable people to
work flexibly in mobile environments, while also minimising the risk
of security breaches caused by human error. For instance, IBM has
developed a solution that uses a Bluetooth ID proximity badge. Bluetooth
is designed for low-cost, low-power, short-range radio links between
mobile PCs, mobile phones and other portable devices. It operates over a
range of one to 30 feet (up to 10 m) and supports both voice and data
services. Bluetooth simplifies short-range connectivity by doing away
with the proprietary cables that connect one device to another
(hands-free headsets, printer cables, keyboard and mouse cables, etc).
Additionally, no line of sight is needed between devices, as it is with
infrared (IrDA).
IBM is implementing Bluetooth to enable improved security in everyday
business processes. For example, using IBM’s proximity badge, hospital
workers who need to access a patient file can walk up to any computer
and be automatically logged in once they are within range. Bluetooth
saves users from having to remember or type a password, and it
automatically logs the user off when the badge moves out of range of the
device, closing the common gap of a workstation left unlocked.
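The log-in/log-off behaviour described above is, at its core, a small state machine driven by whether the badge is seen on each scan. The following is an added illustration, not IBM's badge software: badge sightings are modelled as a sequence of sets returned by a hypothetical Bluetooth inquiry loop, and the thresholds (two consecutive sightings to unlock, three consecutive misses to lock) are assumptions chosen so that a single missed inquiry does not lock the session while a user is still at the keyboard.

```python
"""Added example: proximity-based session unlock/lock with hysteresis.

Illustrative logic only (not IBM's product code). The `trace` values are
constructed; each element is the set of badge IDs one Bluetooth inquiry
round is assumed to have returned.
"""
from enum import Enum


class Session(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"


class ProximitySession:
    """Track one workstation session bound to one authorised badge ID."""

    def __init__(self, badge_id, present_needed=2, absent_needed=3):
        self.badge_id = badge_id            # only this badge may unlock
        self.present_needed = present_needed  # consecutive sightings before unlock
        self.absent_needed = absent_needed    # consecutive misses before lock
        self.state = Session.LOCKED
        self._present_run = 0
        self._absent_run = 0
        self.events = []                    # audit trail of transitions

    def observe(self, badges_in_range):
        """Feed one inquiry result; return the session state after it."""
        if self.badge_id in badges_in_range:
            self._present_run += 1
            self._absent_run = 0
        else:
            # Any other badge, or no badge at all, counts as absent:
            # a colleague's badge must never unlock this user's session.
            self._absent_run += 1
            self._present_run = 0

        if self.state is Session.LOCKED and self._present_run >= self.present_needed:
            self.state = Session.UNLOCKED
            self.events.append("unlock")
        elif self.state is Session.UNLOCKED and self._absent_run >= self.absent_needed:
            self.state = Session.LOCKED
            self.events.append("lock")
        return self.state


def run_trace(badge_id, trace, **thresholds):
    """Replay a trace of inquiry results; return (states per step, transition events)."""
    session = ProximitySession(badge_id, **thresholds)
    states = [session.observe(seen) for seen in trace]
    return states, session.events


# Constructed trace: user A arrives, a colleague B walks past while A's
# badge drops out for two rounds, A is seen again, then A leaves.
SAMPLE_TRACE = [
    set(), {"badge-A"}, {"badge-A"},      # unlock after 2nd sighting
    {"badge-B"}, set(),                   # 2 misses: still unlocked
    {"badge-A"},                          # reset the miss counter
    set(), set(), set(),                  # 3 misses: lock
]

if __name__ == "__main__":
    states, events = run_trace("badge-A", SAMPLE_TRACE)
    for step, (seen, state) in enumerate(zip(SAMPLE_TRACE, states), 1):
        print(f"{step:2d} seen={sorted(seen) or '-'} -> {state.value}")
    print("events:", events)
```

The hysteresis is the practical point: a radio dropout of one or two inquiry rounds should not throw a clinician out of a patient record, but a sustained absence must lock the screen. Note also what proximity proves and does not prove: a badge in range shows the badge is present, not that its owner is. Where that distinction matters, the unlock step should be combined with a second factor such as a short PIN.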
Harnessing global expertise
IBM’s wireless security offerings aim to help companies identify and
address mobile and wireless vulnerabilities, establish security policies,
authenticate and authorise users and protect the confidentiality,
integrity and availability of corporate information within a
wireless environment. IBM achieves this through comprehensive
implementation of hardware, software and services.
Implementing and managing an end-to-end security solution requires
careful planning and execution. IBM’s global team of wireless security
experts collaborate to provide businesses with the most relevant set of
products and services:
• Tried-and-tested methodologies for assessing risk, designing
appropriate security solutions and managing the environment
against ongoing threats
• Expertise from the world’s largest IT Services Provider, IBM Global
Services, plus the latest innovation from IBM Research
• IBM’s global expertise and solutions, providing an end-to-end
solution encompassing all areas of risk in wireless security.
IBM’s structured approach to devising a security solution in the wireless
domain is to:
1. Conduct a security assessment
Organisations need to understand the risks in order to implement the
appropriate security controls. The first step in determining any kind
of wireless security solution is to assess the current security level and
understand the kinds of risks to which a company could potentially
be exposed. This can be achieved through security assessments that
combine business and IT issues, including ‘ethical hacking’ to pinpoint
possible points of weakness. All of these findings feed into devising the
security solution and define the security and privacy requirements in
the context of a company’s current and future business plans.
IBM’s Wireless Risk Assessment is designed to help companies
understand the information risks introduced by wireless e-business
infrastructures and how to effectively manage them. Threats and
vulnerabilities can be identified by assessing your wireless e-business
architectures, implementation plans and infrastructure. IBM can also
assess and validate the strength of an infrastructure using advanced
penetration testing techniques.
An integral part of IBM’s wireless security assessment is the Wireless
Security Auditor (WSA). WSA identifies all wireless access points across
the extended organisation and detects and analyses possible breaches.
WSA is the industry’s first automated auditing tool that monitors
802.11 WLANs to collect security-related information, allowing system
administrators to take proper actions to improve network security.
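To make concrete what an access-point audit of this kind checks, here is an added example in Python. It is not WSA's code and the record layout is an assumption: each entry models what a site-survey tool of the period would report per beacon (BSSID, SSID, channel, the 802.11 capability "Privacy" bit that indicates link-layer encryption, and signal strength). The scan data and the authorised-BSSID inventory are constructed for the illustration.

```python
"""Added example: audit a constructed 802.11 scan against an AP inventory.

Not WSA's code or output format. Flags unauthorised APs, APs spoofing a
corporate SSID, APs with no link-layer encryption, and factory-default
SSIDs, and reports authorised APs the survey did not see.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    bssid: str        # AP MAC address
    ssid: str
    channel: int
    privacy: bool     # 802.11 capability 'Privacy' bit (encryption enabled)
    rssi_dbm: int


# Constructed sample scan (assumed survey-tool output).
SAMPLE_SCAN = [
    ApRecord("00:40:96:5A:11:01", "corp-net", 1, True, -55),
    ApRecord("00:40:96:5a:11:02", "corp-net", 6, True, -61),
    ApRecord("00:02:2d:1e:aa:bb", "corp-net", 11, False, -70),  # not ours, spoofs our SSID
    ApRecord("00:60:1d:f0:01:02", "linksys", 6, False, -80),    # not ours, default SSID, open
    ApRecord("00:40:96:5a:11:03", "guest", 11, True, -65),      # ours, guest network
]

# Assumed asset inventory: BSSIDs the organisation has actually deployed.
AUTHORISED_BSSIDS = {
    "00:40:96:5a:11:01", "00:40:96:5a:11:02", "00:40:96:5a:11:03",
}
CORPORATE_SSIDS = {"corp-net"}
# Common factory-default SSIDs of the era; an assumed list.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}


def normalise_bssid(bssid: str) -> str:
    """Canonical lower-case, colon-separated form so inventory lookups are exact."""
    return bssid.strip().lower().replace("-", ":")


def audit(scan, authorised=AUTHORISED_BSSIDS, corp_ssids=CORPORATE_SSIDS):
    """Return a list of (bssid, finding) tuples; an empty list means nothing flagged."""
    findings = []
    seen = set()
    for ap in scan:
        bssid = normalise_bssid(ap.bssid)
        if bssid in seen:          # the same AP is often heard on several passes
            continue
        seen.add(bssid)
        if bssid not in authorised:
            if ap.ssid in corp_ssids:
                findings.append((bssid, "rogue AP advertising corporate SSID (possible evil twin)"))
            else:
                findings.append((bssid, "unauthorised AP"))
        if not ap.privacy:
            findings.append((bssid, "no link-layer encryption (privacy bit clear)"))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "factory-default SSID"))
    return findings


def missing_aps(scan, authorised=AUTHORISED_BSSIDS):
    """Authorised APs not heard: offline, or the survey did not cover their area."""
    observed = {normalise_bssid(ap.bssid) for ap in scan}
    return sorted(authorised - observed)


if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
    print("authorised but not observed:", missing_aps(SAMPLE_SCAN))
```

Two of the checks go beyond a plain "is this AP in the inventory" question. An AP that is not in the inventory but advertises the corporate SSID is the case to escalate first, since clients configured for that SSID will associate with it. And the `missing_aps` report matters as much as the findings: an inventory AP that is never heard may simply mean the survey did not walk past it, so coverage of the survey itself needs confirming before the audit is read as complete.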
IBM has the depth of knowledge to cover multiple pervasive device
types (telephones, PDAs, laptops, embedded devices), operating
systems (Linux, EPOC, PalmOS, Microsoft** CE) as well as different
application environments (messaging, transactions, location based
services, infomedia, telemetry). It also covers wireless networking
technologies and protocols including wireless LANs (802.11), wireless
PANs (Bluetooth) and wireless WANs (GSM, GPRS, CDMA). IBM will
also develop an understanding of your business model, objectives,
organisation and processes. This enables IBM to assess the alignment
of wireless technology to your business goals as well as the impact on
the business of the threats and vulnerabilities. This will allow your
current information risk position to be accurately reported in terms you
will understand.
IBM’s Wireless Risk Assessment encompasses:
• A review of your wireless e-business strategies, plans and
architectures
• A review of the security management controls for the wireless
e-business solution covering policy, organisation, personnel, asset
classification and control, physical security, access control, network
and computer management, business continuity, system development
and maintenance and compliance
• A penetration test that attempts to gain unauthorised access to
the infrastructure supporting your wireless e-business solution
including networks, systems, applications and data in order to
validate the strength of your security infrastructure implementation
• An information risk analysis that assesses the impact of identified
threats and vulnerabilities to your business objectives and
requirements
• A report that details the strengths and weaknesses of security within
the wireless e-business solution along with recommendations for
short-term and long-term improvement.
IBM also offers a one-to-three day Wireless Security Workshop,
designed to help organisations understand the new security challenges
created by wireless technology and enable a quick-start approach to new
secure wireless e-business initiatives.
2. Implement security solutions
Based on the output of the security assessment, IBM can define security
policies, architecture principles and identify appropriate security
controls, including organisation, process and technology. From here,
IBM can assist in the implementation of these policies and standards
by defining formal security processes and designing specific security
solutions. This assists in selecting security products and services that
best fit your business needs. IBM will also ensure compliance with
corporate security policies or international security standards. This
end-to-end approach saves companies from having to rely on multiple
standards to link together various pieces of a patchwork wireless-
security architecture.
IBM has developed a Wireless Solution Design service to help
companies plan and implement security strategies and end-to-end
solutions for mitigating security risks. IBM has aligned its expertise
in wireless security to specific industry business problems and
opportunities in the wireless environment. The company can help
organisations plan, architect, design and build wireless e-business
solutions that meet their unique security and privacy requirements.
IBM helps companies build a security strategy and define the
necessary security requirements, functions and components required
for ensuring that your wireless e-business solution satisfies the business
requirements and acceptable levels of risk. Using the proven IBM
method for architecting secure solutions, the security functions and
components are built into a secure solution design that is fully
aligned with a company’s existing IT strategies and architectures. IBM
has the depth of knowledge required for building secure end-to-end
solutions that cover wireless devices, operating systems, middleware,
applications, networks and development environments. IBM also helps
companies to build the necessary security and risk management
processes to ensure that the wireless security solution remains secure
over time.
The Wireless Solution Design service covers:
• The development of a strategy for implementing a corporate-wide
approach for meeting your security requirements and enabling
consistent security across a company’s wireless e-business initiatives
• The development of security and privacy requirements and policies
to effectively align the wireless infrastructure to a company’s
business objectives
• The development of a secure and resilient solution design that meets
the business’ security and privacy requirements
• The integration of proven security functions and components into a
company’s new or existing wireless e-business solution
• The development of security processes required for successful
wireless e-business operations and risk management
• A customised set of documentation that details security and
privacy requirements, security policies, processes and the security
architecture and design required to implement and manage a
company’s wireless e-business solution.
3. Manage the solutions over time
Companies need to be kept abreast of current and future risks in order to
react efficiently and effectively with minimal disruption to service and
quality. Through industry-leading tools and people, IBM will provide
resources for ongoing management of your IT operation and long-term
security protection for your business-critical assets, enabling business
continuity and seamless service. IBM Managed Security ensures that
the right people are in the right place at the right time to manage all
security issues within your organisation.
Conclusion
Organisations across every industry sector are keen to exploit the vast
opportunities and benefits of wireless e-business. But as they enter this
new arena, companies need to fully address a range of new security
risks to ensure they can adequately protect their businesses and build
relationships of trust with their customers.
Wireless e-business introduces increased complexity and vulnerability
into today’s enterprise IT environments. Any gap in your defences could
be exploited to the detriment of your company, so organisations urgently
need an end-to-end security strategy for wireless e-business.
Few companies have the in-house expertise to identify and manage
all the risks. Furthermore, while there are a plethora of security tools
on the markets, until now no-one has offered an end-to-end security
solution tailored to the specific demands of wireless environments.
With these crucial challenges and opportunities in mind, IBM has
now developed a comprehensive wireless security offering. Combining
industry-leading, complementary technologies with service expertise
provided by IBM Security and Privacy Services, IBM can help
organisations plan, implement and evolve the robust security solutions
they need to succeed in the age of wireless e-business.
For more information
To learn more about IBM Global Services, contact your IBM Sales
Representative (or Business Partner if applicable) or visit:
IBM Security and Privacy Services: ibm.com/services/security
Tivoli security management software: tivoli.com/products/solutions/security
IBM Client security solutions: pc.ibm.com/ww/security
IBM Pervasive computing and WebSphere solutions: ibm.com/pvc
Lotus Domino wireless solutions: lotus.com/home/nsf/welcome/mobile
IBM Security Research: ibm.com/security/research
About the Authors
The Wireless Security Acceleration Team is a global team of specialists
focused on leveraging IBM’s end-to-end wireless security capability by
providing thought leadership and supporting the delivery of industry
leading solutions. The team’s responsibilities include the evaluation
of new technologies and techniques, identification of new threats and
vulnerabilities and the design and integration of innovative wireless
security solutions. Using its Wireless Security Acceleration Centres in
France, U.K. and the U.S., the teams also specialise in building customer
Proof of Concept solutions by leveraging skills from IBM Global
Services Security and Privacy Practice and IBM Security Research as
well as products from Tivoli, Lotus, IBM and IBM’s wireless business
partners.
WeWUK004 (12-01) RB
IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU. Tel: 0870 010 2503, ibm.com/services/uk
IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4. Tel: 1890 200 392, ibm.com/services/ie
IBM Nederland N.V., Postbus 9999, 1006 CE Amsterdam. Tel: 020 513 5151, ibm.com/services/nl
IBM South Africa Limited, Private Bag X9907, Sandhurst 2196, South Africa. Tel: 0800 130 130, ibm.com/services/za
UK company-wide registration to ISO9001.Certificate number 92089.
The IBM home page can be found on the Internet at ibm.com
IBM is a registered trademark of International Business Machines Corporation.
* The e-business logo, WebSphere, Domino, Tivoli, ThinkPad, NetVista and MQ Series are trademarks of International Business Machines Corporation.
** Microsoft is a trademark of Microsoft Corporation in the United States, other countries or both.
** UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product and service names may be trademarks, or service marks of others.
References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to imply that only IBM’s product, program or service may be used. Any functionally equivalent product, program or service may be used instead.
This publication is for general guidance only.
© Copyright IBM Corporation 2001