Data in motion means sensitive data traveling over private networks or the Internet, whether wired or wireless. There are multiple threats of disclosure of sensitive information on computer networks. We have outlined some of the common technologies used to transmit data and potential vulnerabilities.
Data in motion security must comply with NIST Special Publications 800-52, "Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations"; 800-77, "Guide to IPsec VPNs"; 800-113, "Guide to SSL VPNs"; or others that are Federal Information Processing Standards (FIPS) 140-2 validated.
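To show what the TLS side of that compliance requirement looks like in a running program, here is an added example (written for this page; it is not ExperiorData's product and not text from the NIST documents). It builds a Python client `SSLContext` that refuses to negotiate below TLS 1.2 and always verifies the server certificate, then audits any context against that policy. The `ALLOWED_PROTOCOLS` set and the three audit checks are this example's own summary of the SP 800-52 Rev. 2 minimums (TLS 1.2 or 1.3 only, certificate and hostname verification on), stated here as an assumption rather than quoted from the page; the deliberately weak context exists only so the audit has something to flag.

```python
import ssl

# Assumed summary of NIST SP 800-52 Rev. 2 for this example: TLS 1.2 is the lowest
# version a compliant endpoint may negotiate, TLS 1.3 is permitted, and every earlier
# SSL/TLS version is out of policy. (Policy summary, not the page's text.)
ALLOWED_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})


def tls_version_allowed(negotiated: str) -> bool:
    """Check a negotiated protocol name (the string ssl.SSLSocket.version() returns)."""
    return negotiated in ALLOWED_PROTOCOLS


def make_compliant_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate below TLS 1.2 and always verifies the server."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    # Forward-secret AEAD suites only for TLS 1.2; anonymous and MD5-based suites excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """Contrasting misconfiguration: server verification switched off (built only to be caught)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("compliant", make_compliant_client_context()),
                      ("weak", make_weak_client_context())):
        print(name, audit_context(ctx) or "passes policy")
```

The audit reads the context's own attributes, so it can be run against a context handed in by any library that exposes one (for example an HTTP client's `ssl_context` parameter) before the first connection is made, and `tls_version_allowed` can be applied to `sock.version()` after a handshake to confirm what was actually negotiated.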
Threats on Wireless Networks
Wireless LAN (wlan) – 802.11 a/b/c/n
Wireless LANs provide the flexibility of connecting to local area networks without requiring a wired connection at a fixed location. However, they present a serious threat not only to endpoint devices like laptops, PDAs, and smartphones but also to your local area network. Poorly secured wlan equipment can allow intruders access to your private network. Securing wlan devices and ensuring proper wlan encryption and access control is critical to securing wlan technology (both are required for maximum security). In addition, when users travel outside of the corporate network it's critical to ensure their device endpoints, such as laptop computers, are secured and firewalled. Endpoint security is critical to ensuring that protected health information is protected from intrusion while wlan devices are connected to public networks.
Wireless WAN (wwan) – Cellular carrier Internet
Wireless WAN is a service provided by cellular carriers. An end user connects to the wwan using a cellular carrier data card. These are typically built into laptop computers, sold as USB devices by cellular carriers, or take the form of a mobile phone tethered to a computer using a wire or Bluetooth. These devices carry monthly Internet access charges and allow people to connect to the Internet in more places because the access is provided through the cellular network. Endpoint security and precautions similar to those for wlan apply.
Personal Area Network (pan) – Bluetooth/IrDA
Devices with pan capabilities are typically mobile phones and laptops. Due to the pairing nature of pan devices it is possible to transfer data between them (for example, a mobile phone transferring data files to a laptop, and vice versa). Transferred files could then be placed on a device that is prone to loss or theft. Considerations need to be made for allowing Bluetooth functionality, especially in laptops. Endpoint security should be extended to Bluetooth devices. Although IrDA (infrared data transfer) is a legacy technology, there are many older laptops and mobile phones that still use it to transfer data.
ExperiorData Solution: Endpoint security products, wireless device configuration review and audit.
Threats on Wired Networks
Local Area Networks (LAN)
LANs are used to connect computers together on wired networks within the 328 ft limit of Ethernet. Generally, these networks are inherently secure as they are behind a firewall. Assuming that the firewall is properly configured and customary malware protection has been implemented, the risks of intrusion from the outside and theft of data are minimal. However, LANs can be complex when technologies such as virtual LANs and DMZs are used. The common denominator is the actual data traffic on a LAN, no matter how it is routed.
Threats to protected health information on LANs are generally internal, such as rogue employees having unauthorized access to data files through servers or data sniffers. Mitigating these types of threats requires encryption to be installed on servers, and even on e-mail systems if protected health information is able to be e-mailed.
Wide Area Networks (WAN)
Wide area networks connect remote offices together. WAN technology has evolved from point-to-point connections to virtual private networks (VPN), and more recently private virtual networks like MPLS. Protected health information traveling on these types of networks should be encrypted between endpoint devices, typically data routers. Employees utilizing remote access virtual private networks are also a threat if the endpoints that they use to connect to the VPN are not secured, especially if protected health information is transferred to these endpoints.
ExperiorData Solution: Network architecture review to identify points where protected health information is transmitted and determine where additional layers of security are necessary. File level and endpoint security products could be recommended to mitigate risks. In cases where protected health information would be transmitted using e-mail we would recommend implementing an e-mail encryption product.