Rethink Remote Access: Anton Ivanov’s Advice

Posted: December 21, 2009 in Rethink Remote Access

The next IT expert we spoke with for our how to rethink remote access series is Anton Ivanov, a Principal Technical Consultant. With new handhelds, WiFi everywhere and the explosion of mobile applications, great improvements in employee productivity are on offer. Yet networking and security pros complain about enforcing policy to protect the network while staff push to use these new technologies. Anton shares his view on this issue and why remote access policy can be difficult to adapt.

Lack of true defense in depth in most organizations. A very large percentage of the businesses out there have no defense besides the access policy. So they try to make it as draconian as they can.

There is a lack of segmentation and compartmentalization in most organizations. Most organizations operate ONE instance of remote access for the whole organization and ONE internal network for the whole organization. Even if there are security systems inside they are static and do not match the ever changing organizational boundaries. As a result, changing the access policy is an extremely high risk operation which requires prolonged risk assessment.

Most organizations lack defense in depth. Once an attacker has managed to enter the network they are free to go anywhere. Thus, the access policy becomes the only technical and administrative tool in between worms, viruses, hackers and the company systems. As a result, any change carries very high risk, and most IT departments are reluctant to go through the risk assessment process to modify something they perceive as working.

The situation is made even more complex through false economies of scale. Throughout the last 10 years most large companies’ IT departments have fought long and hard battles to make all employees use very similar equipment with a limited choice of builds which are managed centrally and use fully centralized services. The traditional departmental boundaries between networks have been removed one by one and most company networks are more or less “flat.”

However, the cost savings from this “flattening” have been outweighed by the increased cost of risk management and the ever increasing PC build complexity. The result is that even in a company that has more than one “defense” layer, threats which have managed to cross the RAS have a significant target population at their disposal. Hence, departments are reluctant to change anything and any change ends up costing an astronomical amount of money. There is an easy solution to this problem: making the network agile through a process of departmentalization and compartmentalization of the networks.

Technology has moved on and the economical reasons for flattening the network are no longer there. Once the “risks” and costs of downtime (real and potential) are fully accounted for, a server serving 2000 users usually costs much more to operate than 10 virtual machines serving 200 specific and “named” users each. Similarly, network technology has moved on. Networks can now be partitioned into virtual networks via simple configuration. Running 10 virtual networks in parallel across the same switches with 200 users each costs about the same as running a flat network for 2000 users. If RAS is designed to serve such an environment the risk from changing access policy is vastly reduced. For example, a change can be tested and used at very small marginal extra cost only on a small user population. This approach can also take care of most defense in depth issues. The technology to do it is there. The knowledge to do it is there. The will, however, unfortunately is not.
