Under Lock & Key

With the increasing interest in wireless data, many carriers believe that because their systems are digital, they do not have to worry about data encryption. They assume that because their digital systems include forms of encryption that are sufficient for voice, they should be sufficient for data. The problem with this assumption is that corporate IT managers tend to be more skeptical than the wireless community.

>From mainframes to PCs and LANs, IT managers have been charged with keeping this information private while making it available to the company's own employees.

Wireless access to the corporate "jewels" will be the next step in the evolution of remote access. On the CDMA side, both Air- Touch and GTE have unveiled information-access services using digital phones as modems for laptops, and GSM carriers already support dial-up, circuit-switched data access. From the IT managers' perspective, the idea of throwing company confidential information into the ether goes against everything they have been taught about keeping a tight rein on corporate data.

How should wireless carriers react to these concerns, and how should they help businesses protect their data?

SECURING DATAThe first level of data security is the digital network itself. For casual users who will access their e-mail and calendars, the encryption built into the digital network probably is sufficient. However, building paranoia from stories about how insecure the Internet is causes these folks to be more aware of the potential risks. They may begin searching for solutions to help keep their data secure.

Companies that plan to use digital wireless networks for sensitive data transactions should do more than rely on the measures provided by the digital networks. This is where deploying encryption technologies can become complicated. What type of encryption will be used? Will it be public key/private key? Should it be a system that makes use of industry standards such as data encryption standard (DES)? How will using encryption affect the system's performance? There are general guidelines that you can follow, but there is no pat answer when it comes to security.

The first set of issues has to do with the two end-points for the data. Will they always be people or places that are under the company's control? Are they employees, vendors or others whom the company can identify ahead of time? Can their computers be equipped with a data-encryption solution that is compatible with the one the company has chosen?

If all of the locations are within the company's control, the decision is easier to make. There are many products available today that are designed to encrypt data at the application layer rather than at the transport layer. Anyone who is concerned with data security should understand that regardless of the level of security offered by a network, application-level security that is directly under their control will be the most effective and the best measure.

If the company does not control all of the data-transmission and data-reception locations or cannot pre-identify these locations, it will need to make use of public key/private key encryption. With this type of encryption, each person has his own private key, but data sent using the public key can be unencrypted by anyone authorized to do so.

ENCRYPTION & THROUGHPUTThe downside to adding another level of encryption is that it affects network performance. Data encryption can affect data throughput depending upon the data-encryption scheme, and your network data speeds can suffer. For example, CDPD systems start out with a raw data rate of 19.2kb/s. By the time you add in the overhead for TCP or UDP for transport and your own data encryption, the data throughput is about 10kb/s -- a loss of about 50%. If you add application-level data encryption, the throughput could fall even further.

It is important to verify exactly how much overhead a given encryption scheme carries. Some data-encryption packages work with data compression and some include data compression. Data compression adds yet another level of security because compressed data requires special software on the receiving end to decode it.

The Research In Motion Black- Berry wireless messaging device uses a combination of Triple DES data encryption and 2:1 data compression. This results in a secure and efficient way to move data over a network.

WORKING WITH MIDDLEWARECarriers need to work with corporations to determine which data-security software program affords maximum security and efficiency. It also might be prudent for wireless carriers to work with middleware companies to provide more robust transport layers instead of relying solely on TCP/IP technologies. TCP is not a wireless-friendly transport, and adding security software on top of TCP can result in throughputs as low as 50% of a network's data speed.

Nettech's Smart IP reduces this overhead to less than 20%, and when data-security software is added, data can be transmitted at about 60% of the raw throughput of the network. Many carriers believe that this type of overhead savings will not be important because data speeds will increase over all of the digital technologies. However, the customer perceives any degradation in a network's performance in the data mode as less than acceptable.

WHAT IS GOOD ENOUGH?Being able to protect voice calls by using digital technologies or the addition of voice-encryption technologies may not be sufficient to give IT managers a good feeling about using these digital networks for data transmission. It is important that carriers take all possible precautions to ensure that the data transmitted over their networks is secure.

In most cases, it is smart to encourage corporate clients that want the use of wireless networks to install end-to-end security programs at the applications layer. The digital network, with its built-in security, will be able to protect most data users to a high degree. When a corporation adds security software at the applications level, it provides another layer of encryption.

Although most data encryption companies will disagree, if someone wants to get information badly enough, he will find a way to do so. One example is through a standalone computer. All PCs generate RF signals that can be decoded from a car or van sitting in a parking lot with the proper equipment. The solution, then, is to make it as difficult as possible for unauthorized people to access data. The more time and effort it will take, the less likely hackers are to pursue it.