FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater, Part 1

Posted: November 17, 2011 in Rethink Remote Access, SSL
Tags: , , , , ,

By Cameron Laird

In “Die, VPN! We’re all ‘telecommuters’ now–and IT must adjust,” John C. Welch accurately describes much of the changing landscape through which corporate computing is traveling now:

  • Work is as likely to take place outside the office as in;
  • Work in some domains has become as likely to take place on an employee’s device as one owned by the corporation;
  • A large percentage of all work can be done through the Web; and
  • “Endpoint” (in)security is nothing short of horrifying: the data equivalents of bars of gold are regularly walked unescorted through neighborhoods so bad they can’t help but end up in the wrong hands.

The situation is unsustainable; what should be done?

Welch’s conclusion: adopt full-disk encryption (FDE)–and ditch VPNs. His arguments for FDE have merit. The ones against VPN? Well, I expect to use VPNs for a long time into the future, and you should, too. Here’s why:

What is VPN?

First, let’s review the basics: information technology (IT) departments are responsible for computing operations. Computers have, in general, the capacity to make general-purpose calculations. This means both that IT is called on to perform a wide, wide range of tasks–everything from routing telephone connections in a call center, to control of machine actions in a steel plant, to running accounting programs in a hair salon–and also that there is inevitably more than one technique to complete each task or fulfill each requirement.

Even the simplest analysis of the “remote problem” exhibits these characteristics. Let’s begin with Welch’s starting point: much of the work of the future will be done outside the conventional workplace, and therefore outside the usual control policies traditional IT establishes. Everyone agrees that the fundamental data of the workplace deserves protection — whether the business deals in customer names and addresses, proprietary product recipes, or factory inventories and outputs — these details must be kept private. For an IT department, data appear in two states, “in transit,” as it travels from central organization repositories to the hardware of an individual remote worker; and “at rest”, which, for this purpose, means stored on the hardware of an individual remote worker. Welch’s FDE prescriptions address “at rest” or “endpoint” vulnerabilities, with the assumption that any local copy–any file or document or report–of data on a remote machine is necessarily encrypted. In turn, to view company data, an unauthorized person would need not only physical possession of the remote machine, but also a key to unlock the latter’s storage encryption.

Data “in transit” requires a mechanism that enables protection while traveling. With computers, there are many different ways to protect data in transit. In broad terms, though, a VPN  encapsulates everything that passes back and forth from a remote worker in a single consistent way. With a VPN in place, the higher-level applications that are meaningful to an end-user, including software for project management, office productivity, multimedia chat, project collaboration, file access, enterprise resource planning (ERP), and so on, all have the impression that the remote worker is using a computer networked within the home network of the organization. The VPN takes responsibility for translating every data transmission so that what appears to be a message sent to or received from a local computer is actually a corresponding encrypted message to or from a remote location.

Cameron Laird is an award-winning author and developer for Phaseit, where his recent work has concentrated on back-end programming for secure Web applications.

Comments
  1. […] With corporate IT departments allowing–and sometimes requiring!–workers to bring their own mobile devices, is there still a place for VPN? 'Depends: sometimes yes, sometimes no. It's surely not time, though, to assume VPN is only for the trash-heap.    Mobile Read the original post on DZone… […]

  2. […] FDE and VPN: don’t throw out the security baby with the legacy bathwater, Part 1 (vpnhaus.ncp-e.com) […]

  3. […] FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater, Part 1 […]

  4. […] Note: This is part 2 in a series, “FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater.” For part one, click […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s