Small Technology, Big Risks

If your company has a warehouse, limits building or IT access only to employees, or sells pharmaceuticals, chances are good that you're already using or at least studying radio frequency identification (RFID) technology. If you're not, chances are good that you will be soon.

In fact, somewhere in your company, an RFID pilot is probably underway that you don't know about. That's one key finding of the August issue of Unstrung Enterprise Insider, RFID & the Enterprise: Security & Privacy Risks, which looks at the key issues enterprises should consider when developing and executing a strategy for RFID privacy and security.

As the cost of RFID equipment falls, it becomes easier for a department such as the supply chain to fund a pilot out of its expense account and thus escape the IT department's notice. By preparing now for questions, pilots, and deployments, CIOs and IT managers can reduce the chances that RFID will create security and privacy risks.

The bad news is that although RFID has been in commercial deployment for years, security and privacy solutions still tend to be ad hoc. As a result, it is difficult for enterprises to make apples-to-apples comparisons regarding security and privacy features. The good news is that vendors are responding to enterprise concerns, as well as mainstream press coverage about RFID aiding everyone from terrorists to marketers, with products that should significantly reduce risk.

One example is the new Clipped Tag technology from IBM Corp. (NYSE: IBM), which has a perforated edge. After a product is sold, the consumer can tear that perforation to remove most of the antenna, thus reducing the read range from about 30 feet to just a few inches. Because the chip remains intact and functional, it can enable limited applications, such as facilitating product returns.

Some security issues can be addressed immediately using existing IT tools and best practices. One example is WiFi, which some RFID readers use to connect to a network. If the system uses unsecured 802.11 access points, that can create back doors into the enterprise network. This risk can be mitigated by enforcing IT best practices, such as forbidding unauthorized access points and using network-monitoring tools to identify unauthorized access points and related policy violations.

CIOs and IT managers are kidding themselves if they believe they won't have to address RFID at some point. The technology is already used for a wide variety of applications in a wide variety of verticals, and the cost of tags and other hardware continues to fall. This combination of adoption and price makes it increasingly inevitable that RFID will be at least discussed, if not deployed, by most enterprises -- and that they will have to deal with its security and privacy issues.

— Tim Kridel, Analyst, Unstrung Enterprise Insider

This report, RFID & the Enterprise: Security & Privacy Risks, is available as part of an annual subscription (6 bimonthly issues) to Unstrung Enterprise Insider, priced at $1,295. Individual reports are available for $900. For more information, or to subscribe, please visit: www.unstrung.com/enterprise.
