M-commerce security a moving target

18 January 2001 09:14 AM
Tags: m-commerce, mobile, security, wireless, wap, pdas, davis, wireless devices

WLANs, too

Even enterprises that haven't started giving outside customers wireless access to their networks are developing wireless security strategies. VF, the US$6 billion manufacturer of such apparel as Lee and Wrangler jeans, isn't selling pants online, but it has rolled out a WLAN. Machine operators on VF's manufacturing floor use handheld devices from Symbol Technologies to access the company's SAP AG enterprise resource planning applications.

To keep the whole thing secure, Mel Cartwright, VF's project leader for radio frequency scanning, uses a combination of tried-and-true password management techniques, and he keeps a tight lid on where and by whom wireless devices are used. The company's handhelds never leave the premises. Every operator has his or her own machine and is required to scan in a personal bar code just to get a user ID prompt. The security doesn't stop there. Each user ID is associated with a password that has to be changed every 30 days and must contain a specific number of capital letters and numbers. Then, to get into VF's SAP application, the user must enter a different user ID and password combination.

Users are reminded every 14 days to change passwords before the 30-day deadline. And, as with any password, whether it's for wireless devices or not, Cartwright and VF's security managers enforce rules that prohibit users from writing down passwords. VF also conducts routine internal security audits to make sure everything's secure.

The system, of course, is a recipe for forgotten passwords. But, Cartwright said, it's worth it. "The No. 1 problem our help desk deals with is forgotten passwords," he said. "But it's justifiable because this ensures that proprietary information remains in-house."

Faced with the complex task of tracking rapidly changing wireless standards and providing security for a profusion of wireless devices, some enterprises are opting to hand the problem to a service provider. John Shields, vice president of wireless initiatives at Patelco, for example, recently chose to outsource his company's wireless implementation and security to MShift. With $1.9 billion in assets, San Francisco-based Patelco is California's fourth-largest credit union. Patelco launched its wireless banking application in November and recorded more than 1,000 log-ons that month.

While Patelco has internal expertise in HTML and online content delivery, Shields said, it lacked WAP expertise. Shields told his managers he feared that, as wireless devices proliferated, he'd eventually have to support multiple protocols. He also worried that as an increasing number of applications were wireless-enabled, Patelco would run into trouble guaranteeing security on all of them. In the end, Shields persuaded his managers to buy rather than build a secure mobile infrastructure.

"WAP protocol is relatively new to us, and there are so many wireless devices you have to keep on top of," Shields said. "Partly because of security concerns, our executives understood why outsourcing was right for us."

MShift's wireless implementation for Patelco uses WTLS, SSL and digital certificates to protect sensitive data. Patelco, on its end, secures every transaction internally with 128-bit encryption behind a corporate firewall. Patelco also controls what its wireless users can and cannot do. For instance, while users can check their balances, they are not allowed to pay loans and can only transfer money between their own accounts.

Experts predict that many enterprises will choose to outsource, at least initially, to get a jump on security. "This is definitely a buy-vs.-build type of proposition," said Lonadier of Hurwitz Group. "The wireless market is fairly new, and IT managers should figure out early on if they have the expertise to secure transactions on their own."

Nor is it a mistake for e-businesses to limit m-commerce bells and whistles until they are sure they can guarantee a level of security that is acceptable to users and business managers. As many organizations learned the hard way during the first phase of e-business, it doesn't matter if the site uses the coolest technology; if it's not secure, it's a failure.

"It doesn't matter if an application is mobile or not," said Edmunds.com's LaMuraglia. "It has to be secure, no matter what."
