Monday, May 5, 2008

Wi-Fi security for the road warrior; revisited

Defining public Wi-Fi

To make sure we’re all on the same page, let’s first define public Wi-Fi networks as those that allow unrestricted access. That’s a simplistic definition, but it’s what’s typically available at venues like airports, hotels, and hotspots. Since unrestricted access eliminates the ability to encrypt Wi-Fi traffic, it also means there’s no real security.

Is there more risk at airports?

So, is there more risk to using public Wi-Fi access at an airport lounge when compared to an upscale hotel? I would say yes, but not for technical reasons. People who steal information and identities want to do so using the least amount of effort. That means airports, simply because there are more targets of opportunity. I certainly see this whenever I’m traveling. At any given airport, it’s very easy to capture copious amounts of unencrypted digital traffic.

I hope that explanation made sense, but I’m concerned that many people share DonnaKline’s viewpoint. With that in mind I would like to discuss some high-level Wi-Fi security concepts. Theoretically, achieving information security and lowering risk is simple. If the information is undecipherable to everyone except the intended viewer, it’s secure. In real life, information security is anything but simple. That’s why an informed Wi-Fi user is the most powerful security tool available.

Three distinct security zones

I find it helps to divide the path that digital traffic travels along into distinct security zones. By doing so, attention is focused on the entire connection, not just the initial Wi-Fi portion. To keep it simple, I use the three following zones:

Wi-Fi security zone: This zone is the one most people are aware of, as it is the first step to gain access to the Internet.

Wired security zone: This zone is the in-house infrastructure that acts as a go-between for the Wi-Fi network and the Internet.

Internet security zone: This zone is the conglomeration of linked networks that can traverse significant geographical areas. OK, I should just say the Internet.

To many, realizing that all three zones are important for secure transmission of their information is a new concept. The following example clearly points this out. My financial adviser, who is near and dear to me, argues that Internet access at her favorite coffee shop is secure since she has to enter a new WPA passcode each time she visits. Using my security zone concept, we can see that the Wi-Fi security zone is covered, but how secure is my adviser’s information as it traverses the wired and Internet security zones?

To explain, that particular coffee shop could be capturing customers’ personal information as it passes through the wired security zone. I’m not saying that it’s being done, but it could be. It’s also possible for people who steal information and identities to set up capture equipment in the coffee shop without the owner’s permission. Now that my financial adviser understands that there are different security zones, it’s easier for her to make an informed decision about what security measures to use.

Proper tool for the job

The good news for road warriors is the availability of security tools that will protect information traveling across all three security zones or any combination thereof. From a security expert’s viewpoint, utopia would be everyone using an IPsec VPN at all times. Nice, but let’s get back to the real world. Security does not come free and it’s the user that carries the additional burden created by increased security. Let’s continue using my financial adviser in the two following examples, which depict situations where both security and convenience are considered:

Highly sensitive traffic: My adviser needs to access the office database from the coffee shop. Since the data is very sensitive, the security tool used should produce the maximum amount of security. That would be some sort of VPN application. So she enables the computer’s VPN client, creating a digital tunnel that traverses all three security zones connecting to the VPN server at the office. Once the VPN tunnel is set up, digital traffic is encrypted and sent through the tunnel. If any of this traffic were captured by an attacker it would be complete gibberish and virtually impossible to decipher. That’s about as good as it gets and most security experts would be happy.

Anonymity and local security: Next, my adviser wants to surf the Internet, checking out some vacation spots now that April 15 has passed. She’d rather not use the VPN, since it’s piped through the office’s Internet access and may create an unnecessary bottleneck. Only thing, there’s this rather odd-looking guy using a notebook with a strange antenna attached to it sitting in the next booth. What if he’s snooping? Does he know the encryption pass-code? Wait a minute, I convinced her to get an “IronKey” for safe portable file storage. Luckily, it’s configured to connect to an SSL proxy server. Using that to access the Internet, my adviser has the Wi-Fi, wired, and a portion of the Internet security zones covered. No worries about that guy snooping and it’s simpler than a VPN connection to use.
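The zone reasoning in the coffee shop example and the two tool scenarios above can be worked through as a small model. This is an added example, not part of the original post; the node names, sample paths and the `build_path` and `exposed` helpers are constructed for illustration. Each tool is treated as an encrypted layer between two nodes, and the function reports the segments where traffic is still readable.

```python
# Added illustration, not code from the original post. Node names and the
# sample paths are constructed for this example.

def build_path(hops):
    """hops: [(node, zone of the link to the next node), ...]; the last
    node's zone is None. Returns [(src, dst, zone), ...] in travel order."""
    return [(a, b, zone) for (a, zone), (b, _) in zip(hops, hops[1:])]

def exposed(path, layers):
    """Segments that carry readable traffic.

    Each layer is (start_node, end_node): traffic is encrypted on every
    segment between the two nodes and readable everywhere outside them.
    """
    nodes = [path[0][0]] + [dst for _, dst, _ in path]
    covered = set()
    for start, end in layers:
        i, j = nodes.index(start), nodes.index(end)
        if i >= j:
            raise ValueError(f"layer {start}->{end} runs backwards")
        covered.update(range(i, j))      # segment k joins nodes[k], nodes[k+1]
    return [seg for k, seg in enumerate(path) if k not in covered]

# Coffee shop laptop browsing a website directly.
DIRECT = build_path([("laptop", "Wi-Fi"), ("access-point", "wired"),
                     ("venue-router", "Internet"), ("website", None)])
# Same browsing, relayed through an SSL proxy out on the Internet.
VIA_PROXY = build_path([("laptop", "Wi-Fi"), ("access-point", "wired"),
                        ("venue-router", "Internet"), ("ssl-proxy", "Internet"),
                        ("website", None)])
# Reaching the office through its VPN server.
TO_OFFICE = build_path([("laptop", "Wi-Fi"), ("access-point", "wired"),
                        ("venue-router", "Internet"), ("office-vpn", None)])

WPA = ("laptop", "access-point")         # Wi-Fi encryption ends at the AP

if __name__ == "__main__":
    cases = {
        "open Wi-Fi, no tool": (DIRECT, []),
        "WPA passcode only": (DIRECT, [WPA]),
        "WPA + SSL proxy": (VIA_PROXY, [WPA, ("laptop", "ssl-proxy")]),
        "WPA + VPN to office": (TO_OFFICE, [WPA, ("laptop", "office-vpn")]),
    }
    for name, (path, layers) in cases.items():
        zones = [f"{z} ({a}->{b})" for a, b, z in exposed(path, layers)]
        print(f"{name:22} readable in: {', '.join(zones) or 'nowhere on this path'}")
```

The proxy case leaves only the last Internet segment, from the proxy to the website, readable, which is the "portion of the Internet security zone" the second scenario leaves uncovered.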

Final thoughts

The two examples are only meant to show what’s possible, not to advocate specific devices or methodology. That’s unrealistic, since each encountered situation is unique. It is my goal to help enlighten and make it easier for road warriors to determine the best security option for a given situation. I hope that this post and the information in “10 Wi-Fi security tips for the road warrior” will be good additions to the road warrior’s security tool kit.

Treating users equally, but differently

I try to treat all my users with equality, but sometimes equal doesn’t exactly mean equal. What I mean is that I treat them all equally depending on the level of support required. One type of person, for example, might approach me and describe a problem or issue, and I can simply tell them what I think and what I might try. Another person with exactly the same issue, however, might require more personal attention, where I would actually go and do it myself. It’s the same problem, but different users with different needs, and both requiring a different approach.

The first one I described might actually prefer to do it himself, but the second one might not. So in this case, equal means to give them what they require. The challenge lies in determining exactly what kind of attention is both necessary and appropriate. Another challenge is keeping my personal frustration level in check. I can’t get frustrated because User-A can’t understand something the same way User-B does. I simply have to be more patient and empathetic with some people.

I find that the timid user actually presents the greatest challenge. This is a person who does her job quite well and is very proficient with an application, but if just one little thing goes awry, she doesn’t know what to do; she’s totally lost. This is also the type of user who has a hard time understanding things over and above that norm. I might try to explain certain things, but some users just can’t seem to get it. Even more dangerous is when they might appear to get it, but they really don’t.

Then I might have the real hands-on user, one who would rather dig in and do it himself, even though he might not be the best one suited to do it. I might have to find a non-offensive way to tell someone to move over to the co-pilot’s seat (or out of the cockpit altogether), and that I need to have my own hands on the controls.

Another type of user is one who might automatically tell me the solution instead of articulating the problem. It might take a bit of finesse to take that bit of information, work backwards, and try to pull out the real underlying problem. Oftentimes that proposed solution isn’t the real solution at all. In this case, I have to resist the urge to simply tell them they’re wrong, but rather lead them into another way of thinking.

I’m here to try and provide what they might need, but people’s needs are all different. I have to adapt my style to their needs and personality, not the other way around. At least I try.

What are some of your biggest challenges in this regard? What kinds of users do you support? What kinds of approaches have you found successful?

Don’t waste your time supporting problems that don’t exist

We’re moving some staff into a new suite of offices, which means that we’re shopping for new furniture. This is also a great opportunity for us to choose some new workstation equipment to standardize on, and I’ve been talking with a very competent sales rep who has been helping us pick out new keyboard trays and task seating.

I ran into a problem with the demo keyboard tray that our sales rep, Kurt, left for me to evaluate. I decided to leave him an email, even though I knew that he was going to be on vacation. Kurt’s really customer-focused, and even though he was out of the office, he saw my email and asked his OEM contact to give me a call.

The OEM’s rep, Jim, came out and replaced a worn part on the key tray that Kurt had left with me, and he must have smelled an opportunity. After getting some background on what our plans were for our new offices, Jim started up-selling me.

His company makes articulating display arms as well as keyboard decks and chairs, and Jim came on really strong about the ergonomic advantages of getting the computer’s display off of the desk. I told him that all of the LCDs that we have in our department already offer significant adjustability: height, tilt, pan — they’ll even rotate from a landscape orientation to operate in portrait mode. So, I told Jim that I think the equipment we have has been fitting my users pretty well. In response, Jim broke out one of his brochures. It showed how a display arm can let users reclaim their work surfaces for other purposes…laying out papers, and things like that. Well, Jim made a persuasive case, and I let him leave me a display arm to try out around the office.

Once I’d installed the display arm, I started inviting people into my office to try it out. I was expecting that a lot of my users would respond favorably to the setup, you know, because of all that space on my desk surface I had reclaimed. Quite the opposite occurred, surprisingly. Everyone was completely underwhelmed by the ‘advantages’ the display arm provided. After inquiring why they weren’t more excited by the demonstration, I realized that articulating display arms solve a problem that we don’t have.

No one has ever complained to me about their display cluttering their desk too much. In fact, my users seem to welcome even more clutter, as long as there’s a reason for it; to benefit from the increased productivity that comes with having a second display, for instance. I had bought into Jim’s hype, and thought that he could provide a solution to an actual problem, one that I was afraid I had missed. I’m glad I actually looked beyond the pitch and asked for feedback from my users. I was saved a lot of expense and installation headaches that would have come from an over-engineered solution to a non-existent problem.

It’s good to be out in front of things, and to try and anticipate your clients’ needs. Take a moment, though, and talk to a focus group of your users. This will help you make sure that you’re on target with your assessment of their situation, and keep you from buying a white elephant.