Wireless broadband, from wi-fi to 3G and now even 4G network availability, has mobilized more than just communication. Mobile phones are equipped for more than phone calls. Many mobile devices today are powerful and useful hand-held computers. But the question is: are they secured like one?
First, let's begin by understanding the risk. A few months ago, I downloaded an inexpensive app to my iPhone called "FTP On The Go." Within minutes, I had bookmarked my company's FTP server, complete with a saved username and password. Moreover, I have been using QuickOffice to access my company docs, emails, spreadsheets, quotes, etc. while traveling or just stuck in traffic. So, what happens when my iPhone gets stolen or lost? Sure, a thug on the subway probably has little interest in our company data, but what if I accidentally left this tiny little data gateway lying on a table at an industry conference?
Of course, even acknowledging the risk, most of us aren't stricken with fear because we've been down this road before. When laptops entered the scene, IT departments everywhere were in a fit to figure out how to secure the devices. Fortunately, Microsoft's user-level security features were actually quite useful. Laptops were password protected and everyone rested easy. So, can't these mobile devils be controlled with the same means?
Let's take the iPhone, and its cousin the iPad, as examples. The PCI-DSS demands password security with a minimum of 6 characters. Ever type in the password on an iPhone? It's 4 characters max and numerical only. That is assuming, of course, that users have activated the password security on their iPhones. Mine, for example, is privately owned and my IT staff has never even seen it, let alone mandated its secure use. With nothing more than the usernames and passwords that I have been granted for access to my company's systems, I have downloaded the applications I need to create a mobile workplace for myself--or perhaps a mobile security breach for my company.
And, physical security aside, what level of data security can mobile devices ensure? Whereas Accel Networks' fixed wireless broadband can be provisioned with Layer 2 security, what of the mobile broadband devices?
Here are some policies to consider as the number of mobile broadband users in your company will, undoubtedly, continue to grow:
If any company data is to be retrieved, including simple POP3 email, the phone's password security--albeit falling short of PCI-DSS requirements--should be employed.
Saving of passwords on the phone's applications for accessing any secure sites, including FTP, remote desktop, or similar applications should be prohibited.
When accessing secure data, 3G networks or security-enabled wi-fi should be required.
What are some other policies your company has instituted in order to protect itself from the unmitigated risk of mobile broadband?
The FCC opened a formal notice of inquiry (NOI), a not-so-popular decision, looking to reestablish its authority over broadband rules and policies. The FCC has outlined three initial possibilities: retain broadband's current Title I classification as an information service; reclassify it under Title II (telecommunications) status; or possibly create a hybrid status for broadband that takes a Title II flavor but softens certain aspects of that classification. Verizon's sentiments (summarized in the video below) echo a general and growing industry-wide distaste for what appears to be encroaching regulation.
At its core, the debate is over whether broadband is an information service--a mode of communication such as telephone--or a broadcast medium warranting similar regulation as television and radio. Title I classification is a less strict classification which currently encompasses broadband, telephone, and some short-range radio communication devices. Title II enforces much more stringent requirements on the use of broadcast frequencies.
So, the question is: should the dissemination which broadband accommodates (websites, email, streaming video, etc.) be treated as broadcast?
Do you remember when that jumbo postcard came in the mail from your local Time-Warner Cable affiliate and it had all those impressive sounding numbers on the front? Do you know what they were? Some figure of mbps or kbps or something like that, right? Or, when you signed your service level agreement (SLA) with your current broadband provider, do you have any idea what speeds you're contractually guaranteed? Moreover, are you getting what you paid for?
The FCC thinks not. Or, at least, they think the consumer public needs to know for sure. We commented last week on a push by the FCC to label broadband speeds. Since then, the FCC has upped their push even more. Yesterday, they asked 10,000 Americans to participate in a nation-wide study of broadband speeds (see www.testmyisp.com for details).
Actually, these tests (albeit slightly less sophisticated than what the FCC may offer) exist all over the Internet. So, if your curiosity has been stoked by the FCC's urging and you now want to know for certain, follow these steps:
Know what you're entitled to. When you signed up for broadband, you received a Service Level Agreement (SLA) from your vendor. If you did not keep it, or cannot find it, a copy can be provided to you upon request. Among other things, this agreement will let you know the level of service, i.e. the speed of broadband connection, you should receive.
Create a Comparison Chart. In Excel, create a spreadsheet with 8 columns and 5 rows. Your first 8 columns will be for storing two metrics--upload and download--from 3 different tests. Then, in the 7th column and 8th column, you will average the results from all three. The 5 rows will be for storing those metrics at 5 different times throughout the day.
Test From Three Sources. It is IMPORTANT that you test from multiple sources as the accuracy of free web-based testers may vary. A sampling of three different tests at 6 times throughout the day will be enough to tell you whether you have something to squawk about to your vendor. Here are three FREE tests you can run (note: be sure to convert results to a common unit in your spreadsheet. Some display kbps whereas others display mbps)
Test Throughout the Day. Unless you have an SLA that's different from most, your broadband provider probably promises an average speed above a certain mark, not a permanent speed above a certain mark. This means that if your speed drops slightly at 3pm when all the local kids get off the bus and get onto Facebook, that's outside the provider's control. So, to get a good sampling, I recommend testing at the following 5 times:
8:10 AM - when the usage spike from employee arrival & login is highest
10:00 AM - an average workload
12:30 PM - a below-average load over lunch break
3:00 PM - an average workload, but commonly compounded by residential users on the same network (note: this is irrelevant for dedicated T1 subscribers)
5:30 PM - a below-average load after hours
Get the overall average. Get the overall average for each time, across all 3 testers, and compare that number against what you expect from your provider.
Chances are, you're going to find that your speeds are up to par with what you purchased. In that event, there is still one more thing to consider: are you purchasing what you need? Many people are not in the correct solution for their needs simply because of an uninformed buying decision. If your speeds are still insufficient for your business despite meeting the SLA requirements, talk to Accel Networks about what sort of solution you should be looking for.
In the event you find that your numbers incriminate your provider, don't call the feds yet. Don't panic. Remember, this was an in-house test using free resources. First, check your math. Second, contact your provider with your findings and allow them to explain. Maybe they're aware of some service interruptions that day and ask you to test again tomorrow. Or, maybe... juuuust maybe, they'll send a tech out to your location with their equipment to perform a highly accurate test. Rest assured, if they value their license, they'll fix the problem.
We've all come to know and love the nutrition labels required by the FDA for any consumed food item, right? Or, what about the stickers on all new vehicles that designate an EPA and fuel mileage rating? These federally-mandated disclosures provide valuable information for consumers. So, why not disclose broadband speeds in the same way?
That's just what the FCC is proposing. As a part of the Broadband Plan (or, what some consider an addition to the plan), the FCC has proposed some form of required disclosure that would affect all broadband providers. The data would be presented in a series of common metrics to allow for reasonable comparisons among vendors.
But, is this really what our nation needs, or is the FCC nuts? Well, let's first ask ourselves what the desired result is. The FDA required food labeling to encourage smarter eating and a healthier culture. The EPA required MPG labeling to encourage more fuel-efficient cars and a cleaner environment. What pandemic social problem will the FCC be able to thwart? What's the deep, scarring impact on our economy when a business buys a slower internet connection than they should have? After the FCC's recent announcement of their intentions for such a labeling requirement, many in the telecom industry were simply wondering: WHY?
The biggest threat to our nation's economy related to broadband is the utter lack of availability for rural areas. Where no options exist, the addition of labeling is of little value. The FCC may offer rural businesses the ability to compare zero to zero, but what we need most is a plan to bring at least one broadband option to these areas.
If the nation were inundated with countless broadband options seemingly indistinguishable one from another, AND the impact of a poor buying decision had socio-economic impact on a grand scale, then I could see the need for such a labeling system. As it stands, however, I would encourage the FCC to put tighter regulation on hold while it implements a plan to bring broader service to unreached areas.