Archive for December, 2009

Moving forward with our series on how to rethink remote access, we spoke to IT expert Stephen Hope. Stephen is a Solution Design Architect at Cable and Wireless UK. He shares some insight with us on whether remote access policy is hard to adapt.

Policy is not hard to adapt – getting users to stick to policy is the hard bit.

What you may be missing is that policy is often compromised because remote access has to work reliably in the real world for all the users.

Convenience and utility are the only things that make using remote access worthwhile, and the user base is heavily biased to people who will not put up with issues if they do see the security tradeoff as needed, and have the clout to change a policy they do not accept.

Finally, logistics get in the way as well.

If you want to alter the setup for all your users, you need to either deploy the changes remotely (and risk trashing the service for someone who can fire you for doing it), or catch up with them all and fix it locally.

Right now we have users wandering in maybe 50+ countries…

The next IT expert to offer insight on our how to rethink remote access series is Mark Butler, experienced computer and process security professional. Mark shares his perspective on why adapting remote access policy is hard despite new technologies offering employees greater productivity.

Remote access is a touchy subject for most IT. It can be a great productivity aid, but in many (most?) cases it is massively insecure and the amount of effort to secure it pushes the cost too high.

New handhelds – who pays to support them, who pays to standardize them. After years of trying to reduce costs by reducing diversity, the idea of dozens of new little “toys” being used by a handful of techies who are interested in what it can do, not how secure it is, draws the predictable reaction.

A non-security example: we went through a multi-year project to purge all of the personal printers people were buying from discount houses because they were cheap. The cost to the enterprise was enormous as support for the drivers and the incompatibilities they introduced ate away at labor at an increasing rate. Eventually it became cheaper to replace the discount printers with much more expensive standardized ones.

Mobile apps are in the same boat. Allowing a mobile app developed by unknown, unsupported teams to have access to company resources is not a good idea, yet how many download something to try and play with it and have no idea if there is a hidden payload inside…these are the types of things IT must be sensitive to.

I think that the policy is the wrong place to look for change; most policies specify levels of security and layers of management. If the new devices and apps can prove they fit within policies they can be used, if they can’t then they are inherently insecure and shouldn’t be used no matter how productive they are. The problem is that like the printers, people want to just pick something up and plug it into the company resources – never a good idea.

To continue with our how to rethink remote access policy series, IT expert David Pearlstein shares his opinion on why adapting the policy can be difficult and how everyone in an organization can get on board. David is the Principal at DLP Consulting.

I think if you can provide information security training to ALL levels of management to show what would happen to the company if the security was compromised, that would go a long way to convincing people that a policy is needed.

Certainly your legal department should be behind you on this since they have a vested interest in keeping the company’s data from being compromised.

The C-level management should understand in dollars and cents what it would mean to their bottom line if the data were to be compromised.

Then there are the regulatory issues related to information security (e.g. SOX) that may also drive acceptance of stricter policies.

Get some facts together. This has to be adopted from the top down to be effective.

The next IT expert we spoke with for our how to rethink remote access series is Anton Ivanov, a Principal Technical Consultant. With new handhelds, WiFi everywhere and the explosion of mobile applications, great improvements for employee productivity are being offered. Yet networking and security pros complain about enforcing policy to protect the network while staff push to use these new technologies. Anton shares his view on this issue and why remote access policy can be difficult to adapt.

There is a lack of true defense in depth in most organizations. A very large percentage of the businesses out there have no defense besides the access policy. So they try to make it as draconian as they can.

There is a lack of segmentation and compartmentalization in most organizations. Most organizations operate ONE instance of remote access for the whole organization and ONE internal network for the whole organization. Even if there are security systems inside they are static and do not match the ever changing organizational boundaries. As a result, changing the access policy is an extremely high risk operation which requires prolonged risk assessment.

Most organizations lack defense in depth. Once an attacker has managed to enter the network they are free to go anywhere. Thus, the access policy becomes the only technical and administrative tool in between worms, viruses, hackers and the company systems. As a result, any change carries very high risk, and most IT departments are reluctant to go through the risk assessment process to modify something they perceive as working.

The situation is made even more complex through false economies of scale. Throughout the last 10 years most large companies’ IT departments have fought long and hard battles to make all employees use very similar equipment with a limited choice of builds which are managed centrally and use fully centralized services. The traditional departmental boundaries between networks have been removed one by one and most company networks are more or less “flat.”

However, the cost savings from this “flattening” have been outweighed by the increased cost of risk management and the ever increasing PC build complexity. The result is that even in a company that has more than one “defense” layer, threats which have managed to cross the RAS have a significant target population at their disposal. Hence, departments are reluctant to change anything and any change ends up costing an astronomical amount of money. There is an easy solution to this problem: making the network agile through a process of departmentalization and compartmentalization of the networks.

Technology has moved on and the economic reasons for flattening the network are no longer there. Once the “risks” and costs of downtime (real and potential) are fully accounted for, a server serving 2000 users usually costs much more to operate than 10 virtual machines serving 200 specific and “named” users each. Similarly, network technology has moved on. Networks can now be partitioned into virtual networks via simple configuration. Running 10 virtual networks in parallel across the same switches with 200 users each costs about the same as running a flat network for 2000 users. If RAS is designed to serve such an environment the risk from changing access policy is vastly reduced. For example, a change can be tested and used at very small marginal extra cost only on a small user population. This approach can also take care of most defense in depth issues. The technology to do it is there. The knowledge to do it is there. The will, however, unfortunately is not.

What We’re Reading, Week of 12/14

Posted: December 17, 2009 in Highlights

eWeek Security Watch…
Survey Lists Top Enterprise Endpoint Security and Compliance Holes
This post by Brian Prince discusses a survey of about 100,000 endpoints from some 25 organizations, revealing that all of them had between 10 and 30 percent security- or policy-compliance issues. The survey found the key issues are missing third-party agents, unauthorized peer-to-peer applications, missing Microsoft updates and out-of-date or misconfigured antivirus.

The Ashimmy Blog…
The Evolution of NAC
While reading Alan Shimel’s post, An Incite-ful Tuesday: Playing catch up, we came across another post of his, The evolution of NAC, where he discusses Jeff Wilson of Infonetics Research’s strong support for NAC. He says that with companies going out of business and market numbers not growing as projected, a new angle needs to be taken on NAC. This is what Jeff and his team have done with their new whitepaper titled “The Evolution of Network Access Control”, which is available free to download if you are interested.

Business Week…
Security Evaluation of Remote Users
In this post, Jeff Hughes offers some advice for companies to ensure that they are doing everything possible to secure their network from their own users. Companies should require that all remote users outside the perimeter firewall connect using a virtual private network. All employees should also use an antivirus solution and have their laptops regularly patched and updated and change their passwords frequently. He also recommends companies create a remote-access usage policy and set clear expectations.

Network World…
IT Pros Go Mobile for Holiday Work
According to survey results, fewer IT professionals intend to spend holiday time in the office this season, and the number of high-tech workers planning to log hours at work has halved since 2006. Over 200 small and midsize businesses were surveyed to learn about IT pros’ holiday work plans. With 82 percent of business managers intending to log in remotely, and 75 percent of IT staffers also telecommuting, let’s hope they will be using a secure VPN client.