CIPS CONNECTIONS INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., ITCP, MVP, DF/NPA, CNP
Sumit Deshpande: Top ranking Authority in Mobile/Wireless Technology
This week, Stephen Ibaraki has an exclusive interview with Sumit Deshpande.
Sumit is vice president of the Wireless Solutions group in the Office of the CTO. He is involved in defining and communicating CA’s global strategy for wireless technology, as well as the research and development of new solutions. Sumit has a broad range of technical expertise and experience in varying aspects of information technology, including networking, application development, technology consulting, market analysis, and others.
His articles and interviews on wireless and other topics have been published in several technical publications. Sumit is a much sought after speaker at several trade shows and has presented at CA World, CeBIT America, Wi-Fi Planet, CTIA, e-GOV, Wireless and Mobile Forum, and many more venues.
Sumit holds a bachelor’s degree in Computer Science from Pune University, and master’s degree in Computer Science and Information Systems from Marist.
Q: Sumit, with your distinguished background and very busy schedule, we are very fortunate to have you with us sharing your deep insights. Thank you.
A: It’s my pleasure, Stephen.
Q: You have a remarkable history and you are very well respected in the industry. Share the many milestones throughout your life that led to your current position.
A: I’ve had the privilege of being involved in several aspects of technology through my career. I remember the first job I had, right out of college in the early nineties, working for an IT infrastructure company. This was when Novell Networks were hot, and distributed computing was becoming the norm. It gave me a good foundation of how companies utilize IT networks to help facilitate business growth.
I then moved into software development for a company in Hong Kong – Trinity Services - that customized financial accounting software. It was a startup, and as one can imagine, everyone had to do a little bit of everything, in addition to doing all of one thing! So, besides writing C/C++ code and Xtrieve scripts, I was helping with accounts payable, developing training courses, and then going to customer sites and conducting the training. That was a great experience.
Conducting market research on the software industry with IDC Asia/Pac gave me an in-depth analysis of the different software companies world-wide and also exposed me to various technologies that were being leveraged. My team was the first to develop such a detailed report on the Asia/Pac software market.
After my stint at software industry analysis, I took a year off to work for a not-for-profit organization as a field volunteer at a drug rehab center. That certainly brought a lot of things into perspective for me. Needless to say, I was still involved in IT operations and conducted some database management projects.
Shortly thereafter, I came to the USA as a graduate student at Marist College in Poughkeepsie, NY. There I ran a division of the Academic Technologies department, conducting short-term software projects for IBM and other companies in the Hudson Valley region. My graduate thesis was on intelligent software agents and the use of neural networks in business intelligence. I was hired by Computer Associates a semester before I graduated, and joined the company in the summer of 1999.
My background in networking, neural networks, and software development, as well as my experience with project management was ideal for me to lead a team of experts responsible for deploying cutting-edge technologies at select customer sites. Eventually I was appointed to work with the Office of the CTO where I was involved in incubating research on wireless technologies. My group recently released CA Wireless Site Management, a solution to secure and manage Wi-Fi networks. I now run R&D for all wireless projects in the Office of the CTO.
Q: Can you share with us three case studies about the key success factors and best practices for enterprises contemplating a wireless implementation?
A: 1) A university is deploying a converged IP network – data, voice, and multi-media – all on one network, all on Wi-Fi. Not only are they able to control expenses, but they even recover several costs by effective management and control. Since they had good measures in place to manage their wired network, they simply had to extend that to the wireless environment. Some measures they took included:
2) A hospital has deployed Wi-Fi to enable doctors and nurses to access patient information on their PDAs, Tablet PCs, and wireless COWs (computers on wheels). They estimate a 40% increase in productivity as a result. However, authentication, encryption, and access control are paramount concerns.
Using an enterprise-wide approach, the customer did the following:
3) A large retailer is in the process of converting its existing mobile devices to a newer model. With thousands of stores and warehouses nation-wide, store workers use mobile devices to update inventory information. They also have plans to integrate RFID and WLANs. There is a lot of sensitive information (customer info, credit card numbers, item prices, and others) that must be protected during transmission. Access control and device management are key issues. Using an enterprise-wide approach, this customer centrally manages the WLAN network across multiple stores, enforcing wireless security policy at each store and uses a store-wide device management solution to inventory and audit mobile devices.
Q: What are the ten most critical security areas concerning wireless networks including little known ones? How can they be resolved? What about 802.11i, the Wi-Fi standard that provides enhanced security, superior encryption, and uses Extensible Authentication Protocol (EAP), and measures such as using VPN and 802.1x authentications processes? Share with us recent statistics in this area. [Ed. Note from best to worst: AES = Advanced Encryption Standard; WPA = Wi-Fi Protected Access; WEP = Wired Equivalent Privacy]
A: This question would probably be answered best with questions….
1) Who gets access? Even if they are legitimate employees, do they really need wireless access?
2) Where can they access the wireless network from? Is it safe for them to access the wireless network from the parking lot or the garden café outside the office campus? Where do you draw the boundary?
3) How will they access the network? What devices are appropriate? Is it OK for them to use personal devices?
4) Encryption of wireless data is a must. In a private survey conducted by us, 46% of enterprises use WEP today. Over 10% use WPA and many are considering 802.11i. While it is better to use some encryption than none, if using WEP, the appropriate management structure must be in place to dynamically rotate the keys. Using newer encryption like AES is a good idea, but then you need proper policies in place to deploy this.
5) What is the best way to authenticate the users? 802.11i promises encryption and authentication – but do I have to buy new hardware? (Most likely – especially since the AES encryption supported by 802.11i requires a hardware upgrade).
6) Do I have to change existing security procedures in order to accommodate 802.11i? (Chances are that if you are not using 802.1x to authenticate your end-users, utilizing 802.11i may be a lot harder than most people make it out to be).
7) Rogue access points create major security risks. You need to detect these devices and automatically deny them access to the network. Your employees need to have access to policies and guidelines for acceptable wireless usage.
8) Wireless laptops in ad hoc mode can be open doors for hackers to steal information not just from the laptop, but possibly also from the network. This is a hidden risk and not many IT departments are aware of this.
9) Remote users that access public hotspots are at more risk than they think. A recently publicized risk known as the “evil twin” or “wireless phishing” is something that one should be aware of. This is when a hacker names his network the same as a legitimate public hotspot and steals information from unsuspecting users that log on to his network thinking that it is a legitimate hotspot. Most hotspots do not, and may never, provide security. Even if the end-user is careful to use VPN, the risk is present way before they get to that stage.
10) Lost or stolen mobile devices pose a serious risk, especially if the data isn’t protected. We’ve all heard of the former executive selling his Blackberry on eBay with all his information still in it. We’ve also heard of tens of thousands of cell phones being left behind in New York City taxicabs. The information on the device has a lot more value than the device itself. IT administrators should be able to set policies for automatic password protection, and perhaps should have the means to perform more aggressive measures such as device lockdown and wiping out all the information remotely.
Q: Encryption systems used in wireless connections such as WPA (Wi-Fi Protected Access) and WEP (Wired Equivalent Privacy) have challenges. What are the current issues and where do you see this evolving beyond 802.11i?
A: It’s interesting to see how security and convenience are almost always inversely proportional. For any kind of security, there has to be a trustworthy relationship established first. It doesn’t matter that your data is encrypted if the receiving party is malicious.
With WEP, the issue is that the keys are shared (everyone on the network has the same key) and static (the keys need to be changed manually).
With WPA, the keys dynamically rotate, but the pre-shared key still needs to be manually deployed. 802.11i combines authentication using EAP and encryption using WPA and TKIP (temporal key interchange protocol). However, this requires the right kind of client on the end-device in order to work.
One strange thing about standards is that there are so many of them. If the end-device has a certain kind of EAP client, and the authentication server does not support it, then you can forget about making a connection. Basically, a closed wireless network works only when the end-users are part of a trusted group, and their hardware and software are approved.
Beyond this, we get into the growth of biometrics as a viable authentication mechanism. While this is a growing field, it still has some hurdles to overcome. There are ergonomic issues as well as technological limitations. Most biometric technology that is accurate is quite expensive. We’re seeing fingerprint scanners being embedded in PDAs – which is a very good extension to password protection. Voice scanning is also becoming popular, although that has severe limitations – especially when your voice changes due to any number of reasons (sickness, weather conditions, acoustics, etc.). Retinal scans are pretty accurate, but getting it down to a small enough form-factor is still challenging. But would you be comfortable having your PDA zap your eye with a beam of light whenever you want to access its contents?
Q: Controlled authorization, time and location boundaries/restrictions are administration challenges with wireless networks. Can you detail these and other issues around secure access?
A: Secure access is one of the top issues with wireless security… and security in general. Only trusted employees should have access to the network, and only to those areas pertinent to their role and responsibilities. Two-way authentication is really important here. Not only should the user be authenticated, but the users should know that they are connecting to a trusted network.
In many cases the boundaries of access go beyond just identity. For example, in businesses where there are a lot of shift workers, such as hospitals and warehouses, it is imperative to restrict access to employees only during their approved shift hours. In fact, access policy should be tied in to the overall security policies so that you are alerted to abnormal activity. For example, why is a nurse whose shift hours are from 8 AM to 5 PM still on the network at 7 PM?
Another dimension is physical location. In many instances, employees’ access to information is physically restricted as part of the security policies. This becomes more important with wireless networks since wireless waves eventually overstretch the desired boundaries. You can adjust the power levels or use directional antennae, but short of putting lead in your walls and ceilings, it is difficult to accurately control the range of wireless coverage. Going back to our hospital example, wireless data access is allowed to doctors and nurses as long as they are within the hospital facilities. If they step out of the building or try to access the network from the parking lot, they are denied access.
Q: Using more than four channels presents problems with interference and channel management -- as does the misconception that the same SSID [Service Set Identifier] requires the same channel for access points. What are your recommendations and how will this evolve in the future? And what about load balancing?
A: I think this misconception is a carry-over from home wireless networking. If you configure all your access points to the same channel, all the traffic from all your mobile devices goes through all the access points. This duplication of traffic will slow down the network and disrupt services. Also, if the access points are on the same channel, or if the channel numbers are close to each other, they experience signal interference that can disrupt wireless transmissions.
In order to resolve this, care must be taken to assign channel numbers that are furthest apart from each other to access points that are in close proximity. In 802.11b and 802.11g, you have 11 channels, but you can practically use only 3 or 4. Think of it as a 3 color map problem. No two neighboring countries can have the same color, and you only have 3 colors to use.
Many forget that a wireless connection is like a shared pipe. The more users you have on a wireless network, the slower the connection. Therefore, load balancing is a critical issue. This can be done in several ways – you could balance the number of connections on each access point so as to distribute the load; you could adjust the power-levels to increase or decrease coverage areas, or you can activate/deactivate access points in the vicinity depending on traffic. Either way, you will need to monitor your wireless activity to understand patterns and take proactive measures to meet service levels.
Q: You predicted in 2002 a growing market for embedded machine-to-machine communications in equipment and appliances. Where is this market today and how will it evolve into the future? [Ed. Note: RFID = Radio Frequency Identification; ZigBee = low data rate, low-power, wireless network, two-way standard for automation]
A: This is definitely a growing market. We are seeing some initial evolutions with RFID tags and the emergence of ZigBee technologies. ZigBee is interesting because it enables information to be relayed from sensor to sensor until it reaches a central location. This has tremendous scope in climate control, security systems, defense, and other industries. RFID is also going through its growth pains and we will continue to see more and more industries using this in some form. Wi-Fi based RFID is also becoming popular.
Another phenomenon that has caught a lot of interest is wireless mesh networks. These are peer-to-peer networks that dynamically grow or reduce in size, depending on how many nodes are part of the network.
Q: Describe the state of the major wireless standards today and into the future. Which ones must be adopted by enterprises for competitive advantage? And what about the future such as with 802.11n and 802.16?
A: The IEEE will keep releasing newer specifications to improve on what is currently available. 802.11g and 802.11a will continue to be preferred Wi-Fi standards for at least a couple more years. 802.11n is in the process of being ratified, but given the indecision over setting a standard, this might take a couple of years to get resolved. Wi-Max or 802.16 is something we’ll hear of more and more.
My concerns are more around the business model of deploying this rather than the technology itself. In many cases, telecoms see this as a major threat. Enterprises will most likely adopt a combination of wireless technologies, each best suited towards solving the business problem at hand. One company decided to use the existing low-bandwidth networks to transfer data to their mobile sales-forces’ pagers, while using WLANs to provide local wireless access when the salespeople were in the office. Another company may decide to standardize on a cellular voice+data system to transmit information to employees’ cell phones.
Companies that have deployed 802.11 networks will most definitely need to implement newer overlay specifications such as 802.11i (for encryption and authentication), 802.11e (for improved quality of service – due out later this year), and perhaps 802.11d (for improved roaming between access points).
Q: Where does the future lie: Code Division Multiple Access (CDMA) or Global System for Mobile (GSM)? Why?
A: We will probably see both standards for a while. CDMA phones are more expensive than GSM phones, but CDMA claims to offer more throughput, although not much more. What will be interesting is if (and how) these standards interoperate.
Q: Who are the key facilitators in the mobile and wireless environments and why did you select them? Who will be the winners and losers?
A: There are several players here. From the enterprise’s perspective, you have wireless operators trying to sell you more phones that handle data, and more email devices such as Blackberry. You then have mobile workers that are expecting to connect wirelessly to the enterprise network. You have the hardware manufacturers competing to sell you access points, switches, devices, and anything with a radio in it. And then software companies that specialize in mobile applications, security and management software. Let’s not forget the system integrators. I think this is a very hot market.
Wireless is here to stay and like it or not, we are going to get more and more wireless. So really, the winners are those that understand how to use wireless to meet their business objectives. The losers are those that rush into it without a plan, and those that don’t play at all.
Q: What are the issues with device convergence?
A: It is more about capability rather than convergence. Quality must not suffer as a result of overcrowding features. It’s a phone, a PDA, a camera, a computer!! The PDA of today has the same capability of a high-end computer 10 years ago. Perhaps more. That is just amazing!!
Q: Comment on the Wireless Ethernet Compatibility Alliance (WECA), Institute of Electrical and Electronic Engineers (IEEE), Bluetooth Special Interest Group (BSIG), Open Mobile Alliance (OMA), UCLA’s Wireless Internet for Mobile Enterprises Consortium (WINMEC), World Wide Web Consortium (W3C), and Wireless DSL Consortium.
A: These are all interesting associations, each involved in contributing to the efforts to make wireless more viable to the enterprise. Again, the danger is that we are creating so many standards for the same thing. Hopefully these organizations will also work with each other in the near future.
Q: Describe the latest research occurring at Stony Brook University’s Center of Excellence for Wireless and Internet Technology of which your company is a founding member. [Ed. Note: GPRS = General Packet Radio Service]
A: It is always interesting to work with education and research institutions. Fresh ideas and out-of-the-box thinking is what gets me going. We’ve sponsored a lot of research activity with Stony Brook’s CEWIT – especially in the area of wireless management and security. One project looked at seamless transfer of Web sessions when a user migrates from a GPRS environment to a WLAN. We even demonstrated the project at our annual user conference – CA World – and it was a huge success. Other projects involved the use of optimized algorithms for wireless mesh networks, and identity management of wireless users.
Q: Share your views on the Asian marketplace and specific areas we should be watching. Why?
A: The Asian marketplace is poised for significant growth in the wireless space. Already, several Asian countries are ahead of the US in terms of wireless infrastructure. Many organizations have embedded wireless as part of their normal business processes. A lot of it has to do with the fact that people in general have accepted wireless as an integral part of their lives. We see it happening in the West as well. Interestingly, cellular technologies grew a lot faster than WLAN technology. I think we will see significant growth in Wi-Fi networks in Asia in the next 18 to 24 months.
Q: Can you share your thoughts on the “information delivery maturity model” and why it’s relevant to business?
A: The “information delivery maturity model” is all about getting the right information to the right person at the right time, so that they can make the right decision in order to reach a desired outcome. The conversion of data to information, information to knowledge, and knowledge to intelligence is an important process. Access to pertinent information to make decisions is critical to business success. The amount and quality of information can make a difference between a good and bad business decision. Having a report on sales numbers is useful, but having a report on how to improve sales in each region is even better.
Q: Sumit, you are in an ideal position to make predictions. So make your top ten predictions in any areas of your choosing and provide specific time frames. What are the solutions and the value to businesses?
A: 1) All end-user computing will be wireless by 2007
2) All end-user devices will have bio-metric authentication by 2006
3) WEP will become obsolete in 2006
4) Cell-phones will continue to pervade all aspects of life
5) Mobile devices will provide converged capabilities and will support multiple networks – Wi-Fi, GSM, CDMA, etc.
6) VOIP will revolutionize enterprise deployment of phone technology and will become the norm by the end of 2006
7) Community wireless access will be made possible by Wi-Max in a widespread manner within the next 18 months
8) By 2006, the use of software in vehicles will double.
9) The number of mobile-phones will exceed the number of PCs in the world by 2006
10) Holographic technology will have more viable business applications by 2008
Q: What are your favorite information links, tools, and other resources? Why?
A: 1) http://news.yahoo.com - for general news, especially in the technology section
2) http://www.wi-fiplanet.com/ - for wi-fi related news and notes
3) www.fiercewireless.com – good articles on wireless happenings
4) http://www.wirelessweek.com/ – their site has some good information as well
Q: Here’s an audience favorite. Imagine you are doing the interview. What two questions would you ask and then what would be your answers?
A: Q1) If you were a CIO, what would you do first before you deploy a wireless network?
A1) First of all I would determine why we need wireless. Monetary as well as “soft” ROI is an important issue. I need to know what business processes can be positively affected by going wireless. If wireless does not help me make or save money, it is not worth the investment. Deploying technology for technology’s sake is a bad move.
Q2) Why is the enterprise adoption of wireless so slow?
A2) I don’t think the enterprise adoption is slow. Most of them are taking their time with it because they are making sure that the technology is stable enough to make an enterprise-wide implementation. The 802.11 standard has seen a lot of evolution in the past 2 years. I think we are at a point now where we can begin larger scale deployments using some of the standard security measures available today. Many enterprises are still experimenting and piloting the technology to gather data to justify larger investments.
Q: Sumit, thank you for taking the time to do this interview and sharing your considerable experiences, and wisdom with our audience.
A: It has been my pleasure.