Archive for September, 2011

InformationWeek, 5 Mobile Security Issues to Watch
SC Magazine, Sophistication and the downfall of security
The Wall Street Journal, What’s a Company’s Biggest Security Risk? You.
eSecurity Planet, IPv6 Will Cause Some Security Headaches

By Bernd Reder

All signs point towards mobility. This is true for all tech scenarios—personal and business. According to an IDC study, 119.7 million U.S. employees will be classified as mobile workers in 2013. This is 75.5 percent of the U.S. workforce, far more than in any other country of the world.

The benefits of mobile computing are clear:

  • Employees are more flexible because they can work on the road or at home with the same efficiency as in the company office.
  • Waiting times (for example, at the airport) can be used productively.
  • The company’s agility increases because the employees can be contacted more easily, and decisions can be made faster.
  • Employees are more content because they have flexibility.

Higher Risks

In many cases companies pay dearly for these benefits by accepting higher risks. IT security company MessageLabs conducted a study that showed that employees who work from their offices and from home or the road trigger five times as many security alerts as their office-bound colleagues. One of the reasons is that they access the company network via hotspots at airports or in coffee shops.

Additionally, mobile employees access more websites that do not relate to their jobs when working at home or on the road, for example online shopping sites or auction houses. In doing so, they increase their chances of landing on compromised sites.

It is clear that such behavior poses security risks. According to a Ponemon Institute report, the financial damage resulting from loss or theft of company data amounts to $214 per compromised data record. Each U.S. company has to pay, on average, $7.2 million to clean up the damage done by a data breach. This also includes things like loss of reputation, disappointed customers who turn towards the competition and various fines.

Simple Precaution Measures

However, it is possible to mitigate the risks of mobile employees. For instance, it is important to secure every communication medium that mobile employees use to remotely access the company network: wireless LAN, fixed networks and mobile networks. The best approach is a remote access solution that automatically detects the available media and selects the most appropriate one.

Apart from that, remote access should be secured by strong authentication and a dynamic personal firewall at the end device. The firewall should also be able to select the appropriate security settings for each communication medium.

Furthermore, all company data must be encrypted when it is stored locally on smartphones, tablet PCs or notebooks. This keeps the data secure even if the device is stolen or lost. In addition, the mobile system should offer a remote wipe option, a service provided by mobile device management solutions.

Business Data in a VM

Companies that allow their mobile employees to use personal devices for business purposes can even go a step further. They can include the option to install a virtual machine (VM) with a dedicated working environment.

This virtual desktop is only used for business applications and data that are hermetically sealed off from private data and applications. The company’s IT administrator centrally manages the virtual machine. Such virtual desktops are available for notebooks, while companies like VMware have already developed prototypes for smartphones.

The bottom line is, there are plenty of ways to minimize the dangers that can result from remotely accessing company data and applications. For a company, the cost of proper security measures is far outweighed by the cost of not investing in them.

The VPN paradigm shift toward cloud computing

Posted: September 27, 2011 in IPsec, SSL

By Hery Zo Rakotondramanana

From its conception, a VPN was meant to secure a connection that has to transit through a public network, making the IT managers’ challenge simply to find the best encryption method for tunneling data through the VPN. They had to choose the protocols, as well as the device (or software) that they should put at each endpoint of the VPN tunnel. And all of this was typically dealt with in-house, giving IT managers control over both endpoints of the VPN tunnel.

But with the advent of cloud computing, things dramatically changed. Part of the IT infrastructure has moved to the cloud, introducing a third party into the equation. As a result, IT managers are “losing control” over some parts of their infrastructure and now have to deal with a third party to set up a secure connection to their IT resources in the cloud. So what exactly are your options in this new world where VPNs and the cloud collide? Let’s dig a bit deeper and find out.

  • Extend in-house network infrastructure to the cloud. Cloud services in this category include Amazon EC2, GoGrid, IBM SmartCloud and VMware/Terremark vCloud Express. At this stage, depending on the cloud provider, proprietary APIs are used for connecting to these cloud applications. As they become more popular, such cloud services are expected to provide more open and secure API connections. On top of this, Amazon, for example, has a VPN solution called Amazon VPC for accessing your cloud resources. Amazon VPC accepts third-party VPN implementations for access to its cloud, provided that they implement IPsec.
  • Build a virtual network on top of the cloud provider’s infrastructure. Connections from outside of the cloud are made via IPsec and SSL, while OpenVPN is used in and across the cloud. This approach ties IT managers to a single cloud provider. They can then decide to create their own virtual network by connecting different units in the cloud to their in-house data center. Connections between those units in the cloud are managed by the provider, limiting the involvement of any other third-party vendors. However, connecting the cloud virtual network to the corporate data center still requires a secure IPsec connection, which can be implemented by a third-party VPN provider.
  • Build a direct private pipe between the enterprise network and the cloud. The main goal here is to remove any public transit through the Internet. Amazon has partnered with Equinix so that the client’s data center can be directly connected to the closest Equinix network presence. While the Amazon Direct Connect concept emphasizes the “straight” connection, customers are expected to add their own security implementation on top of that network.

Overall, it is important to set up a standard connection from the in-house data center to the cloud, and for this IPsec is still the de facto standard protocol. But of course, the story of VPNs and the cloud is still being written, so stay tuned for more.

What We’re Reading, Week of 9/19

Posted: September 23, 2011 in Highlights

Channel Pro, ‘Bring Your Own’ devices on the rise
InfoTECH Spotlight, Frost & Sullivan’s Whitepaper Analyzes Challenges Involved in Enabling Secure Remote Access
TechNewsWorld, Wrapping Personal Devices and Critical Data in Stale Policies
SC Magazine, DigiNotar Collapse Underscores Impact of a Breach

IPv6 Myths Broken, Part 2

Posted: September 22, 2011 in IPv6

*Editor’s Note: This is the second part in a two-part series on IPv6 myths

By Nicholas Greene

In the first part of this series, I laid out some persistent IPv6 myths. Now it’s time for the reality.

In actuality, the notion that NAT increases security is essentially absurd. It is middleware designed to overcome a shortage of addresses in IPv4. Since IPv6 suffers from no such shortage, it doesn’t need NAT. What little security is provided by NAT is completely negligible. As security blogger Earl Carter states, “it does no more than prevent random attacks; it presents no real barrier to a skilled attack. And of course, it is no barrier at all to attacks coming in as email payloads or via open ports.”

The elimination of NAT could actually end up improving security and performance in the long run. According to Hurricane Electric’s Owen DeLong, “NAT introduces a number of problems. Many of these problems have been made invisible to the end user and even to the network administrator deploying NAT. But if you ask any software vendor that has had to develop software in spite of NAT, you’ll rapidly find out that it’s making software much more expensive, complex, and even larger than it needs to be. In addition, it makes it hard for users stuck behind NAT to offer any services from their machines…I maintain the position that the choice to offer a service to the Internet or not should rest with the owner of the machine in question in most cases.” And for those who claim there needs to be some method of protection against random attacks in IPv6, a good firewall can still solve the problem.
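To illustrate that point, here is an added nftables host ruleset (constructed for this page, not part of the original post or of any vendor’s configuration): it gives an IPv6 host the “unsolicited inbound traffic is dropped” property that people attribute to NAT, with no address translation at all, while keeping the ICMPv6 messages IPv6 needs to function. The documentation-range management prefix 2001:db8:1::/64, the single exposed SSH port and the DHCPv6 client rule are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: stateful IPv6 host firewall, no NAT.
flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated:
        # this stateful check is what NAT only did as a side effect.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6: neighbor discovery,
        # router advertisements, path MTU discovery and diagnostics.
        # Blocking these "for security" breaks connectivity.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-router-solicit,
                      packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # DHCPv6 server-to-client replies (assumption: host uses DHCPv6).
        udp sport 547 udp dport 546 accept

        # The one deliberately exposed service, reachable only from an
        # assumed management prefix (documentation address range).
        ip6 saddr 2001:db8:1::/64 tcp dport 22 ct state new accept

        # Count what the drop policy discards, for monitoring.
        counter drop
    }

    chain forward {
        # A host, not a router: never forward.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and inspect the `counter` line with `nft list ruleset` to see how much unsolicited inbound traffic the policy is actually discarding.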

IPsec is the same security solution no matter where it’s implemented. And NAT simply doesn’t do all that much for security. As a result, IPv6 is no more or less secure than IPv4 — and IPsec still remains one of the best solutions for security on either platform.