Archive for November, 2009

The third installment of our how to rethink remote access series looks at why the policy is so hard to adapt. Is it an issue of internal politics? Is network security technology not being flexible enough? IT expert, Paul Sloof, European IT & TDP Manager at MOL-IT Europe, shares his opinions with us.

My observation is that even though IT security is moving away from perimeter control, technicians are reluctant to do so. Yet, in order to achieve this increased employee productivity through remote mobile access, we have no choice but to let go.

Why are security specialists reluctant to abandon perimeter control? Because perimeter control is relatively easy as it comes with a very clearly marked border. So everyone knows where security measures need to be applied and which devices need to be checked.

Letting go of perimeter control complicates security management significantly as now each individual component needs to be secured and monitored. This implies more work for the security specialist and it makes proving compliance harder.

In short: it is so hard because network security is inflexible and the people involved are guarding their responsibilities rigidly.

What We’re Reading, Week of 11/23

Posted: November 25, 2009 in Highlights

Dark Reading…
Many Enterprises Still Struggling With Remote Security, Cisco Study Finds
This article by Tim Wilson discusses Cisco’s latest survey, which shows that while many organizations appreciate the increased employee productivity and other benefits offered by laptop computers, smartphones, and virtual private networks, they may not have established clear security strategies or plans for employees to work remotely. Companies said they had enabled an average of 63 percent of employees with laptops, and another 46 percent of employees are using smartphones. Of the companies that have adopted mobility and remote-access technology, 62 percent said doing so had resulted in increased employee productivity, with 57 percent noting an increase in employee satisfaction and 42 percent seeing a reduction in overhead costs. But only 27 percent of the enterprises surveyed had enabled more than half of their workforce to work remotely. This study shows us that companies need to be rethinking remote access.

Computerworld…
Keep the Virus Away with Remote Access Today
This post by Eric Rosenzweig discusses how VPN technology is enabling people to work remotely from home and avoid spreading illness in the office. User authentication has advanced so that companies can know who is remotely accessing sensitive data. Many companies are now using “strong authentication”, where the user accessing the system is required to produce two types of authenticators, such as a password and a code. With this remote access technology, businesses can now put a work-from-home policy in place to prevent employees from getting sick. With flu season in full force, employees need a quick and easy way to access the network in case of an emergency.

Information Security Q&A…
Best Way to Stop Malware from Spreading in a Large secure Network
This blog post answers the following question: What’s the best way to stop malware from spreading in a large secure network with no internet connectivity and a multi-platform environment? For a host setting, the suggestions included a firewall, remote device management and file integrity monitoring. For a network-based situation, they suggest using IPS on the network, segmenting your network with firewalls and using anomaly detection tools. In a hybrid situation, they recommend using an agent-less scanning tool and Network Access Control (NAC), because you could have all the security in the world until the stranger sitting next to you plugs his laptop into the Ethernet port.

To carry on with our how to rethink remote access series, we spoke to IT expert Paul Sillars, Managing Director at So Internet (UK). He offered some thoughts on remote access planning.

I think the day of traditional thick(ish) client VPN installs is probably dying. Most of the time was spent getting the software to the end user, getting it installed and then managing the access.

SSL VPNs (allowing access to creating the “tunnel” via HTTPS) provide a quick way to create a secure VPN, without the need to push software to the end user in the same way.

To access the VPN the user needs to load a web page, thus you have more immediate control over their access. You can also customize the login page so resources are accessible with a single click and can be changed very quickly.

Depending on the depth you want to take it, you can even control access to the network based on the software or service packs an end user has installed on their PC.

There is a lot that you can do in a web browser. We have clients accessing Remote Desktop sessions in a web browser using a Java applet that gets installed automatically.

I agree that for some apps a thin client may need to be installed, but the advantage is that the security side of things is so much easier as real-time access lists can be updated and enforced.

I don’t agree that you will be back to the same point [as IPsec], I think you may be back to something similar, but much easier to manage.

Most people want access to files on a server or remote desktop/terminal services.

With many SSL VPN boxes you can create “home pages” for the user (they can also update them). This can be shortcuts to drives, shares and terminal servers.

No longer is there a need for a mapped network drive in that sense, but a clickable link. You introduce a new server; just add it to their login page.

It is also possible to map some secure pages directly through without the user even needing to look in to the SSL VPN unit. For example, you have a secure CRM solution behind a firewall. You can create a URL mapping in the SSL VPN device that allows the user to log in to a URL. As they log in, the user details are passed through the SSL VPN box and to the CRM solution behind the firewall, giving seamless access to an application behind a firewall without the need to first load up a VPN, so now it can be used from even an internet cafe.

What We’re Reading, Week of 11/16

Posted: November 19, 2009 in Highlights

SearchSecurity.com…
Secure Your Remote Users in 2010
This article by Eric Ogren lists a few technologies that security teams should be looking to in 2010 to help lessen the heightened risk of business disruption and data loss from a larger workforce of remote and mobile users. One technology he suggests investing in is remote user virtual workspaces to protect browsers and VPN agents from malware on home computers and less secure public networks.

GigaOM…
Using Public Wi-Fi? Hop Into a Free VPN Tunnel First
In this post, Sebastian Rupley discusses using a VPN application to provide a secure, encrypted tunnel when using public Wi-Fi. Although a free VPN may protect you from other users in the hotspot, there are a number of advantages to using a VPN client. Using NCP’s secure entry client provides users with an integrated dialer, personal firewall and 32/64-bit VPN connection, and the ease of a ‘one-click and forget it’ experience.

The Forrester Blog | Infrastructure & Operations Professionals…
Why Mobility Will — And Does NOW — Matter To EAs And IT
In this post, Chris Silva discusses recent Forrester research listing the mobile enterprise as one of the top 15 technology trends that EAs should look out for. As companies begin to rethink remote access, they should consider how mobility will enhance productivity, user satisfaction and business efficiency. Chris tells us that the next time we are logging into our VPN from the local coffee house, we should ‘take note of the experience; is this the way your entire organization should be served in the event of a disaster?’

Adding to our how to rethink remote access series, IT expert Andrew Baker shares his perspective on remote access planning with us. Andrew is the Vice President of IT Operations at ARGI, which provides “Software as a Service” audience management, database marketing, and lead generation solutions for publishers, membership organizations, and other industries.

The user is integral to all technology usage. Even if all other complexities are removed, there is still the need to train the user to ensure that he or she is able to accomplish the intended tasks as quickly AND safely as possible.

One way or another, the user has to be accounted for — either in how they need to use the system, or what they need to do to be safe.