Wireless struggles with security
What employees see as simple wireless conveniences can cause security nightmares.
Agency officials in charge of setting policies for wireless use and related technologies such as radio frequency identification (RFID) still have a difficult job. Technologies are evolving, as are the security standards that they use, and employees are not always judicious about using their own wireless devices on an agency network.
What employees see as simple conveniences -- such as using a handheld device to send and receive e-mail -- can cause nightmares for security officials, according to panelists speaking today at the E-Gov Institute's Wireless/RFID conference in Washington, D.C.
"Even a simple thing like putting a password on a cell phone is hard to sell" to employees, said Jaren Doherty, director of information security and awareness at the National Institutes of Health. "But it's important if the phone is also enabled to get your e-mail or log on to the Internet."
Security policies also have to mesh with the agency's mission, he added. "The mission of the NIH is science," he said. "By definition, scientists use the best technology they can."
Technology policies at NIH, therefore, should not hinder the researchers, Doherty said. However, that means that security sometimes has to come before convenience. Wireless systems at NIH are considered expendable, meaning that if a wireless access point or another element of the wireless network is compromised, it will be shut down immediately.
If a particular communications connection "is critical to the mission, you should be able to do it with wire," he said. "If you use wireless, it's [considered to be] a backup system."
Setting policies becomes harder when agency officials don't control the organizations implementing the policies, said Paul Rudolf, a private consultant who served as a senior policy adviser at the Food and Drug Administration until earlier this year. He was a crucial figure in the FDA's efforts to develop RFID policies that would be used not by the agency, but by the drug manufacturers and suppliers the FDA regulates.
Agency officials had to go through basic steps, including assessing the current state of RFID technology and the needs of the various groups that would use it, in order to begin approaching the task. The work is still ongoing, he said.
"It's just a huge mess," Rudolf said of the landscape. FDA officials have to work closely alongside standards-setting groups, state regulators, drug developers and other organizations, each with unique needs.
NEXT STORY: Smart-card policy approved