PAPER: Privacy Issues in Mobile Data Communication By David Barth, Intel Corporation, May, 1998
With the rise in popularity of business communication over the Internet and wireless cellular networks, issues of privacy have been the topics of increasing concern among information technology managers. The public nature of these networks means that malicious parties can intercept communication signals and, if the signals were sent as unencrypted plain-text, read whatever confidential information they desire. In response to this problem, data encryption techniques have been developed and deployed that enable users to send even the most confidential information over private networks. The use of encryption has brought the privacy level of digital wireless communication up to that of the wired telephone network, but in some cases this may not offer enough security. For stronger privacy, encryption can be deployed over an entire remote connection with the use of a Virtual Private Network (VPN), which can provide a single high-security solution for all mobile users. Data encryption is now a necessary addition to any mobile communications technology, but the available solutions and options can be confusing. The purpose of this document is to explain how encryption fits into the mobile data model, and what one should consider when choosing an encryption solution for mobile business communication.
How much "Privacy" do you need?
Communications security is based on the premise that all confidential information has a value attached to it. It is this value that provides an incentive for others to try to steal information. The goal of any security solution is to take away this value by making it difficult for malicious attackers to read private data. A sufficient level of security is reached when the effort and expense it takes for attackers to breach privacy is no longer worth the value of the confidential data. As an analogous example, consider that most people would comfortably leave two dollars on a table in their house; it wouldn't be worth the effort or risk for a thief to break into the house to steal the money. On the other hand, if the amount were two thousand dollars, then the owner may think twice about leaving it on the table; the required level of security increases as the value to a thief increases. Hence, before choosing a security solution one must first consider the value of the information that is to be kept private. This will provide a benchmark for the minimum level of security that is required.
The baseline requirement: Digital wireless encryption
In its infancy, wireless cellular communication used unencrypted analog signals. Since the signals were sent over the open air, all that was needed for one to breach privacy was a receiver that could intercept a specific signal. Such systems provided very little security, and were obviously not fit for the needs of businesses to transmit confidential information. Modern digital wireless systems have been designed with these needs in mind, and have fixed the security weaknesses of the earlier solutions. Today, all digital cellular systems provide encryption as part of their standard service. Before a signal leaves the wireless transmitter, it is mathematically manipulated ("encrypted") to make it unreadable to anybody but the person that is intended to receive the signal. Once the signal is encrypted, it doesn't matter if a thief intercepts the signal, because they cannot understand the data. It is possible for a thief to use computers to try to read an encrypted signal, but such an endeavor would be too expensive and would take too much time to be worth the value of the intercepted information. When a connection is made over a cellular network, the network only provides a wireless link to the Public Switched Telephone Network (PSTN), the regular land-based phone system. All digital wireless solutions aim to provide enough encryption so that the level of privacy meets or exceeds the level of security provided by the PSTN. With modern encryption systems, the wireless link is no longer the weak point in a communication link -- the level of privacy provided by a cellular communication session is at least as great as that provided by any PSTN-based session. This use of digital wireless encryption enables one to seamlessly move between PSTN-based mobile connections using wire-based land-lines to a mobile wireless solution that is just as secure.
This is the baseline case for the use of mobile wireless communications: anything that a company can safely send over landlines can be sent over a cellular link with no modifications to the basic wireless service.
The next step: Building a complete data-based mobile solution
Standard encryption over the wireless link may still be inadequate for a complete mobile solution. The biggest potential problem with relying on standard wireless security for all mobile needs is the fact that encryption is only provided up to the PSTN. Beyond that point, the user has no control over the level of security protecting his communication. This problem may limit the type of information that the mobile user is allowed to send or retrieve; many information technology managers would be wary of allowing their users to transmit highly confidential information over a connection offering only PSTN-level security. The problem becomes more urgent when one considers that the user may want to dial into an Internet Service Provider. In this case, unencrypted data would be sent over the Internet, which offers virtually no privacy protection. The point to remember is that the chain of security in a mobile communication session is only as strong as its weakest link. For example, it doesn't help much to encrypt wireless data if the data is then sent unencrypted over the insecure Internet. In the past, most organizations have dealt with this issue by implementing different security policies for different types of connections, such as allowing some confidential information to be sent over phone lines but only non-confidential information over the Internet. With an increasing number of connection options becoming available, the task of implementing and enforcing multiple security policies would become complex for the administrator and more inconvenient for the user. To simplify and resolve problems such as these, many organizations are choosing to expand the use of encryption in their mobile communications as part of an effort to implement one strong security policy over their entire organization. This has resulted in a new class of products and services called the Virtual Private Network (VPN).
A VPN enables an organization to send confidential data over the Internet by first encrypting the data so that it can be kept private from snoopers. The use of encryption means that VPN security is not dependent on the type of connection used or on the intermediate links, and can provide the same level of security for all users. This gives users the freedom to connect to the network however they choose without having to worry about what kind of information they can send. The result is a flexible, all-encompassing solution suitable for all mobile users.
VPN products and services are poised to become the remote access solution of choice for both large and small business for three primary reasons:
VPN solutions can save a lot of money over traditional dial-in services. Since VPNs can send all of their data over the Internet, there is no need to dial directly into the corporation. Instead, the user needs only to connect to the Internet, no matter where in the world he or she is. In most cases this will mean connecting through an Internet Service Provider. With ISP roaming services that are widely available today, connecting to the Internet through an ISP often requires no more than a local call within any major city in the world. This translates to direct savings in phone charges. Rather than paying long-distance charges for every minute that a remote employee is connected, the corporation pays a small monthly fee to the ISP and the only phone charges are for local calls. Additionally, since a VPN offloads to the ISP the responsibility of providing a reliable dial-up Internet connection, more money is saved when the corporation no longer needs to administer and maintain pools of modems for dial-in users. VPNs can also be relatively inexpensive to deploy. The VPN service can be incrementally phased into a corporation and can coexist with current mobile access solutions.
A second advantage of VPNs is that they can offer a great amount of policy control to the security administrator. Most VPN solutions give the administrator some degree of control over the strength of encryption used by the VPN, and some products allow detailed control over a variety of security preferences from user authentication requirements to access rights, often on a user-by-user basis. Combined with sophisticated user tracking software, these products allow full monitoring and policy enforcement to be accomplished easily for all users. If the administrator finds it necessary to implement slightly different policies for different users or different types of information, then this centralized control can be very useful.
For mobile users, the biggest advantage of VPNs is their flexibility. Since the level of encryption provided by the VPN is unaffected by the communication technology used, a remote employee can use any type of connection that is desired. Whether the user connects to the Internet directly, through an ISP over a land-line, or through an ISP over a wireless line, the level of privacy achieved is consistent. This provides the freedom to use whatever connection is most convenient, without having to worry about a different security policy for each type of connection.
From the administrator's standpoint, there is a wide spectrum of VPN products and services available so that the administrator can find a solution that matches their organization's needs for policy control, deployment, and maintenance. At first glance, the great number of different VPN solutions can seem confusing, but this variety ensures that a company will be able to find the right combination of features to match their needs.
When looking at possible VPN solutions for an organization, one must weigh the three major factors discussed above: cost, security policy control, and flexibility. The costs of various VPN solutions can vary widely. While in the long run most VPNs will save money over traditional remote access solutions, deployment and maintenance costs may be a concern. Many VPN products grow more complex as features are added to increase security and policy control, and this will affect the deployment and especially maintenance costs accordingly. It is important to consider the type of information that users will want to send over the VPN, what level of control needs to be exercised over security policy, and how much knowledge exists in the organization for maintenance of the VPN system. These considerations may help narrow the choices of VPNs that match an organization's cost needs. Many companies choose to save money by incrementally deploying a new VPN. The existing remote access solution may be maintained or slowly phased out as the new VPN is deployed or initially outsourced to an ISP.
Security policy control can include everything from the level of encryption and what authentication mechanism is to be used, to the level of granularity that can be applied to user profiles, to the amount of monitoring and logging that can be done on user sessions. Greater policy control will often result in a more flexible solution, but will also add cost due to the increased complexity of the VPN. Many organizations prefer to have a greater amount of control over their solution, either because they are unwilling to trust their security to an outside company (if the VPN is outsourced to an ISP for instance) or because they want greater freedom to let their VPN policies evolve in the future. However, this additional control comes at a cost, and if all that is needed is a basic VPN that will provide standard service, such solutions are available at relatively inexpensive prices.
Flexibility of the VPN solution is of particular concern to mobile users who want to log in to the corporate network from various locations using various connection technologies. One of the most important features in a VPN for mobile users is the ability to "roam", or use the VPN from any location (or at least any major location) in the world. Some VPN products do not provide this ability; for example, some services may require that the user be directly connected to a specific server to use the VPN. Users should also have the ability to use various connection technologies with the VPN. For example, it shouldn't make a difference if the user wants to connect through a direct Internet connection, a land-based phone call, or a wireless connection. Most VPNs that provide roaming will be connection-agnostic in this manner. For the administrator, flexibility may mean that the VPN should be able to evolve along with the needs of the organization and with changing ISP and Internet technologies. For example, the administrator may want a scalable VPN that can grow as the company grows, or a highly modular solution that can work in conjunction with a variety of ISP services.
The VPN market is still evolving, and vendors are continuing to look for the right combination of features that will broadly appeal to a large number of organizations. This can be good for an organization looking to implement a new VPN solution, because it means that there is a great variety of options to choose from that offer different combinations of features and different usage models. On the other hand, the great number of options can also quickly become confusing. Each VPN solution brings its own benefits with respect to cost, policy control, and flexibility, and there are often tradeoffs between each of these factors as different solutions are compared. For the mobile user, there is a spectrum of VPN solutions available that usually represent some combination of two broad models. At one end of the spectrum are VPN solutions that are self-deployed and maintained exclusively by the organization using the VPN. In this model, the ISP is used only for the purpose of connecting to the Internet. If an organization is not prepared to exclusively manage their own VPN, they may wish to outsource some of their VPN services to the ISP. As the amount of outsourcing increases, a second model emerges where all VPN services are handled by the ISP. In this model, the organization using the VPN may have little or no VPN maintenance responsibilities at all.
A self-deployed VPN solution would require that an organization purchase, deploy, and maintain their own VPN. In this model, VPN hardware or software products are purchased and installed at the home office of the organization and on each remote user's computer. Self-deployed solutions can offer all-encompassing security that is under the full control of the corporation. The biggest advantage of a self-deployed VPN is that it is very flexible. Since the VPN is only installed at the endpoints of the remote connection, any type of intermediate connection can be used. Whether the remote user connects via wireless, Internet, telephone, or any other technology makes no difference; the VPN provides the same level of end-to-end privacy. There are also obvious advantages in flexibility to keeping complete control over the maintenance of the VPN. This control allows the organization to modify the VPN as needed to adjust to changing user demands or security policies. It also frees the organization to outsource whatever maintenance duties it sees fit, and to keep control of duties it wants to keep in-house. A self-deployed VPN can also offer very good policy control features. An organization running its own VPN is free to choose whatever security policies it sees fit. This allows the organization to keep its security policies as simple or complex as it chooses, and frees it to change the policies as often as is needed. If precise policy control or session logging is desired, there are many products available that offer such features. The drawback to being responsible for all VPN policy control is that this can often become one of the most complex aspects of maintaining a VPN. In response to this concern, many VPN providers offer additional tools to aid in policy control duties. Usually, the biggest worry about implementing an in-house VPN is the cost.
A large and complex VPN solution can grow to be fairly expensive and, depending on the expertise available in an organization, there may be additional startup costs associated with training personnel for deployment and maintenance of the VPN system. For very small organizations, this expense may not justify a self-deployed VPN. However, most companies will find that over the long term this cost is worth having a flexible end-to-end security solution and keeping control of their important security duties, in addition to the savings that VPNs offer over traditional dial-in services.
Many ISPs are beginning to offer VPNs as a premium service. In this model, some of the difficult or expensive aspects of a VPN are outsourced to the ISP. ISPs offer varying levels of VPN service: some services will handle most aspects of VPN maintenance, while others may only handle certain parts while leaving other aspects, for example user authentication, up to the client. Use of the right service that matches an organization's needs can result in a low-cost solution that is easier to implement. The primary advantages of ISP VPN services are cost savings and simplicity. By outsourcing the VPN to an ISP, an organization can avoid having to train or hire employees to deploy and maintain the VPN system. These cost savings come in addition to the savings in long distance calls and dial-in maintenance that come with all VPN solutions. Depending on how much of the VPN is outsourced, leveraging the ISP can also make deployment and maintenance of the VPN much easier. Many ISP services don't require any software to be loaded onto the remote client, and they often will handle administrative duties such as security policy control. This added simplicity can be especially beneficial to small businesses that don't want to go through a lot of expense and trouble to deploy a VPN for a small number of employees. Outsourcing can also make it easy for an organization to incrementally deploy their VPN. For example, they can continue using their existing modem pools or current mobile access solution while slowly transitioning employees to the ISP VPN service, or can even use the ISP's VPN concurrently with an in-house VPN deployment. While maintenance of security policy can be made easier when outsourced to the ISP, this loss of control can be a disadvantage of this model. The ISP may not offer enough options to match the needs of the company, or the company may simply decide that security policy is too important to trust to external vendors.
There is also a risk to outsourcing encryption duties to the ISP. This would mean that, while data will be safely encrypted by the ISP when sent over the Internet, before reaching the ISP it is transmitted as clear text. In most cases the connection between the remote user and the ISP will be over a land-line or wireless phone connection. If strong encryption is used by the ISP, this connection may then become the weak link of the remote session. This situation may be unacceptable to some organizations if the VPN is to be used for the transmission of highly confidential information. Recognizing this problem, many ISPs offer customers the ability to extend encryption all the way to the client. However, this usually involves giving up some of the advantages in simplicity and ease of deployment that make outsourcing attractive. One factor in which some ISP VPNs may be lacking is flexibility. If critical VPN services are housed by the ISP, then it is important to check whether a direct connection to that specific ISP is required to ensure security. If the "base" ISP provides pieces of the VPN that cannot be substituted for by other ISPs, then mobile users on the road may not be able to use the VPN when roaming. ISPs have different ways of trying to solve this problem, from putting additional software on the remote clients to partnering with other ISPs to provide VPN roaming. In most cases, this will involve bringing some VPN duties in-house.
Choosing the best VPN for your organization can be a confusing process, given the many choices that are available on the market today. The two models discussed above are broad categories of VPN offerings that contain many different products. These products may overlap in functionality and features to varying degrees. The best solution for an organization's needs may lie in between these models, with some combination of ISP outsourcing and in-house deployment. A self-deployed VPN can provide maximum flexibility and control, but may not be fully worth the additional start-up cost and complexity for some small organizations. For larger organizations, an ISP-based VPN can be used as a pilot, or as a temporary solution to aid in the migration to an in-house system. The in-house solution will save more money in the long run, and will likely provide a more flexible solution that can cover all data privacy needs of the corporation. Once the decision is made that a VPN can offer privacy and convenience to your organization with cost savings over traditional dial-up, all that is left is to decide which factors best match your situation and the needs of your mobile users. It is likely that somewhere between a completely self-deployed product and a completely outsourced service there lies a VPN solution that will meet your needs.
Using encryption to solve your mobile privacy issues
Encryption has given organizations many new options for protecting the confidential data of their mobile users. The use of encryption in wireless communications has made wireless just as secure as land-line PSTN sessions. Organizations that want further security, or that want the freedom to send confidential data over the Internet or any other connection medium, can implement encryption across all mobile communication links by deploying a VPN. A VPN lets users securely send data over any type of connection, can greatly simplify security policy control, and can save the corporation money in mobile access costs. There are many VPN solutions available that lie on the line between fully self-deployed solutions and outsourced ISP offerings. Self-deployed VPNs offer a high level of flexibility and control, and can protect all confidential data as soon as it leaves the internal corporate network. However, a self-deployment may be too expensive for very small organizations. ISP VPNs are well suited for small implementations or as temporary solutions, but special attention must be paid that the needs of mobile users are satisfied. The right solution for your company will be one that best balances your needs for cost, policy control, and flexibility in a VPN.
Copyright © 1998 Intel Corporation.