Regulations such as the Health Insurance Portability and Accountability Act of 1996 and Sarbanes-Oxley Act of 2002 (SOX) have put the spotlight on IT organizations to up the ante in terms of security and documentation. The good news for wireless LAN (WLAN) users is that taking a few steps will ease the path toward compliance.
WLAN got a bad name for security out of the gate, thanks to Mack truck-sized vulnerabilities in the Wired Equivalent Privacy (WEP) encryption protocol. But the industry has come a long way since then, putting products built on much stronger security standards on the market.
Nonetheless, it still takes some work to assure businesses under the regulatory looking glass that these systems are secure and can comply with regulations, said Graham Melville, director of product marketing in the wireless infrastructure division of Holtsville, N.Y.-based Symbol Technologies Inc., a leading vendor of wireless LAN systems.
"The industry had bad news on WEP, and it's always hard to shake off bad news," Melville said. He said he still needs to educate organizations about the quality of security available for WLANs.
Today, WLAN security is much improved, and businesses should not fret over a properly secured wireless network any more than over any other part of their network, said William Terrill, senior analyst with Midvale, Utah-based research firm Burton Group.
"When wireless LAN security is implemented, it's as good or better than security on the wired side," Terrill said.
To comply with regulations like HIPAA, which requires that health care organizations take reasonable steps to secure confidential patient data, businesses should encrypt the air link of their WLAN, said Frank Hanzlik, managing director of the Wi-Fi Alliance, a trade group that certifies interoperability between standardized WLAN devices. Wi-Fi Protected Access (WPA) and WPA2 both ensure a high level of security for the air link, he said.
For older systems that have not been upgraded to WPA, Terrill recommends implementing key rotation for WEP, which helps make those systems more secure.
Businesses should also implement some level of authentication for access to the WLAN, Terrill said. Using the 802.1X standard, businesses have several authentication approaches to choose from.
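To make the three recommendations above concrete, here is an access point configuration in the hostapd.conf format. It is an added example, not from the article or from any of the vendors or analysts quoted, and it assumes a Linux access point running hostapd; the interface name, SSID, RADIUS server addresses and shared secret are placeholders. Option A is the legacy stopgap Terrill describes (802.1X handing out and rotating WEP keys) and is left commented out; Option B is the WPA2 with 802.1X/EAP setup that encrypts the air link and authenticates every client.

```ini
# hostapd.conf: added example, not from the original article.
# Interface, SSID, RADIUS addresses and shared secret are placeholders.
interface=wlan0
driver=nl80211
ssid=corp-wlan
hw_mode=g
channel=6

# RADIUS server that performs the 802.1X/EAP authentication (placeholders).
# 192.0.2.0/24 is a documentation-only range.
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret

# Require IEEE 802.1X authentication for every client that associates.
ieee8021x=1

# --- Option A: legacy stopgap, weak. Dynamic ("rotating") WEP keys. ---
# 802.1X delivers a per-station unicast WEP key and re-keys the broadcast
# key every wep_rekey_period seconds. This is the WEP key rotation described
# in the text. WEP itself remains broken (RC4 keystream reuse, forgeable
# frames), and recent hostapd builds compile WEP support out entirely.
#wep_key_len_broadcast=13
#wep_key_len_unicast=13
#wep_rekey_period=300

# --- Option B: recommended. WPA2 (RSN) with 802.1X/EAP and AES-CCMP. ---
# wpa=2 selects WPA2 only (no WPA1/TKIP fallback); WPA-EAP means clients are
# authenticated by the RADIUS server above rather than a shared passphrase.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Re-key the group (broadcast/multicast) key periodically, in seconds.
wpa_group_rekey=600
```

Only one option should be active at a time; the file above enables Option B. Moving from Option A to Option B changes nothing on the RADIUS side, which is why an 802.1X deployment built for dynamic WEP can be upgraded to WPA2-Enterprise without re-provisioning user credentials.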
Businesses should also put security policies in place, said Craig Mathias, founder of Ashland, Mass.-based research firm Farpoint Group. That way, organizations are forced to determine who should have access to which data and applications.
To ensure compliance with SOX, businesses need to implement the same kind of documentation of system changes with their WLANs as they have with their wired LAN, Hanzlik said.
Perhaps the biggest risk with a WLAN has nothing to do with the wireless air link at all but with the device itself, Terrill said. Most employees who use a WLAN do so with their laptops or PDAs. Those devices may well hold the kinds of confidential data covered by HIPAA.
Thus, businesses need to make sure that the data stored on those devices is encrypted as well.
Even with every technical precaution in place, technology is often not the biggest risk. "The human factor is often a bigger risk than equipment," Terrill said.