Today, we read an article by Cindy Waxer of IT Security, Mobile Work Force, Mobile Threats, that quotes some advice from James Quin, an Info-Tech Research Group analyst. The intent is good – strategies for preventing mobile security breaches – but he misses the bigger picture.
Quin lays out advice for working within an existing remote access network scenario: use a VPN, roll out NAC, develop solid password protections, and control end-device use. What he misses here is the real solution – rethinking the existing remote access setup that is creating the security risks to begin with.
First, the advice for using a VPN: According to Quin, a VPN is
“a fairly well-established and understood security technology. Organizations have accepted it and have come to view VPNs as having value.” Quin said SSL (Secure Sockets Layer) VPNs, in particular, are becoming increasingly popular.
This is contradictory by nature, as SSL is but one option for VPN, born out of an attempt to make VPN “easy” and universal. Of course this has failed, as the IPsec and SSL protocols are suited for very different uses, and both are very important. The advice should not be “one over the other,” but rather “understand your needs and apply the right technology.”
Second, limit end-device usage:
Employees bringing personal unprotected devices into the workplace and connecting them to a company’s corporate network is “a very significant concern” for most security officers, said Quin. “Organizations, for their own protection and security, should issue devices themselves so that they can maintain a level of control,” he advised. That approach, however, is costly, which presents companies with a catch-22. “Encouraging employees to bring their own devices in is more cost-effective but there’s a greater security risk,” said Quin. “At the end of the day, it becomes a personal decision for each organization.”
Again, this is not practical or conducive to getting the most productivity out of telecommuters. For example, if I use an Android-based mobile on a regular basis and type, navigate and multi-task at a comfortable rate, I am more productive than when I have to use some other device that I use only for work. On that other device, my productivity will go down. The better advice is to adopt technology that allows on-the-fly policy changes to embrace new devices while maintaining tight security.