I remember a time when access to the internet from the workplace was only available from a couple of “Internet Stations” and when the internal company network was just that: internal, with no external links! At that time, to get around those controls, one could set up dial-up/ADSL lines under one’s desk, and this was deemed a risk to the internal network’s integrity from within the company’s premises. This was not widespread and required a specific intent to bypass the company’s network policy.
Then came Wi-Fi, and hotspots started to flourish everywhere. Basic security measures were often forgotten, such as keeping the hotspot from being bridged to the internal network or enforcing adequate access controls. It was, and still is, deemed a risk to the company’s network integrity. Although this is a more widespread practice, there are controls and detection mechanisms in place to remediate the related security risks.
Both are examples of uncontrolled access to company resources leading to Network Integrity risks.
Today with 3G, and tomorrow with 4G, most employees and third parties on the premises have a new, uncontrolled, ADSL-equivalent access through their newest smartphones and portable computers. This is a new risk which is being overlooked by many companies because the rise in those devices’ functionality and connectivity is still not fully appreciated, and the device is often considered as “just a phone”.
However, today, it provides uncontrolled internet access at the workplace for anybody with a 3G+ compatible device. More importantly, there are not many controls that can be put in place to prevent this from happening, unless you ask your staff and visitors to leave such devices at reception.
The main security control that is lacking is one that can enforce the company’s network policy on its premises. As you can only enforce such a policy on the wired and wireless networks, you cannot guarantee that an employee or visitor will not access prohibited material on the internet from the company’s premises using their own 3G+ connection.
So far, there is no obvious or easy technical solution. More work with mobile providers should be taking place, to at least enforce some web usage policy on corporate-provided networks (through mobile phones, tablets, 3G plans, etc.). This would, however, have no effect on personal staff devices and third parties. One thing I heard at a recent conference was for the company to operate and control its own cell tower.
Although this may sound a bit extreme, the upcoming issue is that we are losing corporate control of internet access from within the company premises. As technology evolves and provides such “nomad” devices with improved bandwidth and functionality, this uncontrolled internet access channel may become more of an issue.