
83-02-16 Virtual Office (Mobile User) Security
Ralph R. Stahl, Jr.

Payoff
When attempting to ensure virtual office integrity, confidentiality, and availability for its mobile users, each organization's business and technology requirements may be different. Therefore, this article suggests a framework for achieving these objectives rather than a single approach. It addresses what must be considered and provides information about solutions and options.

Introduction
Information technology professionals today are unsure of themselves in a strange new environment. However, end users are telling security practitioners that they can no longer perform optimally and beat the competition if their access to information and processing power is restricted by the mainframes in the corporate data center. The days when security practitioners arrived at the office to find a stack of computer printouts on their desks are gone. Paper has been replaced by computers on the desktop in the environmentally correct and secure office. In addition, users today expect to be able to connect their notebooks by modem from any location to the server at headquarters. Tomorrow, mobile users may expect connectivity for their notebooks in the air as they fly and on the ground as they drive to their next destination. The business traveler may anticipate that all applications will behave in exactly the same manner on the road as in the office.

Large companies like AT&T are encouraging employees to telecommute for three major reasons:
· State and local governments are requiring companies to take action to reduce air pollution and traffic congestion.
· Office sharing allows companies to reduce their real estate expenses.
· Telecommuting benefits employees by allowing them more flexibility in managing their professional and personal lives.

LINK Resources Corp., a New York City consulting firm, reports that Americans bought for home use a record 5.85 million microcomputers last year.
One out of three American households already has a microcomputer. BIS Strategic Decisions estimates that 45 million workers in the United States are considered part of the mobile work force. Other surveys estimate that, in addition to the time spent in the office, the average white collar worker spends six hours a week working at home.

Against this backdrop, the challenge for the application developer is to develop systems that may be used in any environment. The information architecture for the enterprise must also accommodate many methods of remote connectivity (i.e., dial-up, Integrated Services Digital Network [ISDN], Cellular Digital Packet Data [CDPD], Internet, wireless, video, and image transmission) in addition to the traditional local area network and Wide Area Network connectivity.

This article is divided into four major sections: availability and continuity; integrity; confidentiality; and new technology considerations, which briefly reviews the security implications for some of the emerging technologies. The architectural model of the security services in Exhibit 1 provides a high-level view of the interdependence of identification and authentication, authorized privileges, availability, continuity, integrity, and confidentiality in providing a trustworthy environment that supports nonrepudiation and mobile power user security.

Exhibit 1. Model of Security Services

Availability
In this article, availability is defined as the assurance that an authorized user's access to an organization's resources will not be improperly impaired. Achieving such assurance involves properly categorizing information privilege keys and ensuring that the mobile user's authorized privileges are properly associated with these privilege keys.
Availability also involves physical considerations (e.g., theft prevention, device identification, mobile uninterrupted power supply), notebook connectivity (e.g., a power source, telephone communications tools), and miscellaneous toolkit necessities.

Scheduling Considerations
Information availability is an operations scheduling issue, although some organizations believe that all availability needs are covered by their business resumption practices. Security practitioners must be aware of the need to maintain operational schedules. If the backup and batch processing is scheduled to end at a precise time so that the online or remote Transaction Processing may start, then the credibility of the central staff to meet their commitments to the field is tested every day. Although capacity planning is not a security issue, the complete information protection plan will make sure that the topic is adequately addressed by the appropriate operational staff members.

Physical Considerations
Concerns associated with the desktop microcomputers in the corporate office also apply to notebooks for the mobile user. However, with respect to mobile computing, security practitioners may need to be more creative to achieve the desired results.

Theft-Prevention Devices. Such theft-prevention devices as cabling and bolting plates can be used to minimize the potential of notebook theft by opportunity. The cables are designed so that they may be looped through an opening in a stationary object to tie the laptop down while the user is traveling. Resistance to these devices exists because many users feel that having these devices gives the impression of not trusting coworkers or business associates. However, security administrators who use theft-prevention devices in their companies indicate that they have experienced a significant decrease in loss.
Although the products are effective, corporate procedures with strong enforcement practices are usually required before these products are put into use.

Device Identification. Device identification is critical to the ability to identify a misplaced or stolen notebook. In addition to traditional identification methods (e.g., serial number registers, tags, labels, and engraving), microcomputers can be marked by using invisible ink to record the company's name and the notebook's serial number on the inside of the lid just under the monitor display area. The invisibly inked number must match the serial number recorded in the corporation's asset inventory register. This practice can also be used to resolve disputes associated with ownership of the microcomputer.

Mobile Uninterrupted Power Supply. Mobile uninterrupted power supply implies that each mobile user should have a portable surge protector with sufficient electrical outlets for each device that is connected to the microcomputer or notebook. Electricity follows the path of least resistance, and it will reach the microcomputer through any device cable if the power source for the device is not protected. Surge protector plugs are available at most hardware and electronics retailers. It is also recommended that the user carry a fully charged spare battery pack for the notebook. Usually the battery can be purchased from the dealer that sells the notebook.

Notebook Connectivity
To ensure the notebook's power source, the electrical wall connection should be used so that the notebook's battery can be conserved or recharged. For proper grounding, the electrical code requires that all computer male plugs be three-pronged. In some facilities, the female electrical wall receptacles may accept only two-pronged male plugs.
In such cases, the problem can be averted by carrying a female/male converter plug that converts three-pronged plugs to two-pronged plugs and has a grounding wire that may be attached to the wall receptacle's holding screw. This type of converter is available in hardware stores. If the user travels internationally, the toolkit must also include an international voltage adapter that eliminates the need to carry different converter plugs.

Telephone Communications Tools
Offices and hotels are updating their telephone Private Branch eXchange to digital service, but modems and the majority of the PBXs are still analog systems. To ensure connectivity in either environment, a converter should be purchased that can convert the phone line to analog at the modem connection. The complete converter kit should include alligator clips for phones that do not have RJ-11 jacks. The phone line converter requires an Alternating Current adapter as the power source; the full-functioning kit will have the capability to use a 9-volt battery when an electrical wall outlet is not available.

Data transmission may be interrupted if a phone system with call-waiting capability is used. The feature can be suspended during the data transmission call by adding *70 (occasionally #70) at the beginning of the dial string. As a general rule, this is probably not required. However, if a transmission session is interrupted for an unknown reason, call waiting may be responsible.

A miscellaneous toolkit should include the following items:
· A small screwdriver with both a flat and a Phillips head.
· An extra-long telephone cord with male RJ-11 connectors on both ends.
· A connector with two female RJ-11 receptacles.

Continuity
Continuity is defined in this section as the processes of preventing, mitigating, and recovering from service disruption.
The terms business resumption planning, disaster recovery planning, and contingency planning may also be used in this context; they concentrate on the recovery aspects of continuity that ensure availability of the computing platform and information when needed. Recovery diskettes will reduce the user's lost time when access to information