This is part two in a series of questions related to employee provisioning and VPNs. Earlier this week, we addressed how enterprises can ensure that their provisioning processes benefit their overall security postures.
Question: Provisioning’s security holes become particularly apparent when remote mobile access users leave a company and enterprises try to apply a one-size-fits-all de-provisioning approach. In today’s mobile, global, 24-hour business world, what de-provisioning tactics are necessary to mitigate security risks during employee transitions?
Joerg Hirschmann: The best de-provisioning approach will be one that does not rely on a singular component to keep up with an organization’s changing needs. For instance, a provisioning process should go beyond the ordinary capability of disabling an account; instead, an organization should use the scalable method of PKI (certificate-based authentication), which offers an additional option to withdraw remote access permission by revoking the user’s certificate. Similar offerings are available through One-Time-Password tools, which can also disable specific tokens, for example.
At the end of the day, the quality of the automated process will dictate how effective provisioning and de-provisioning will be.
Stay tuned for more on employee provisioning and VPNs next week. If you have any questions that you would like answered, as related to VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.
Joerg Hirschmann is CTO at NCP Engineering GmbH.
Q&A on Employee Provisioning with Joerg Hirschmann: Part 3
Posted: January 22, 2013 in Expert Q&A, Industry Commentary, Rethink Remote Access
Tags: de-provisioning, IPsec, provisioning, remote access, VPNs, working remotely
This is the third and final entry in our Q&A series on questions related to employee provisioning and VPNs. Last week, we addressed how provisioning can benefit an organization’s overall security posture, as well as the de-provisioning tactics necessary to mitigate security risks during employee transitions.
Question: Certain scenarios, such as short-term business partnerships, will require adaptable provisioning. How can VPN technology enable temporary and secure remote access? What are other solutions companies can use to incorporate flexibility into their workforce?
Joerg Hirschmann: VPN solutions offer different access points for various types of remote access users. In general, employees will require deeper access to corporate network resources than external partners will need. For that reason, companies should deploy VPN clients to their entire workforce, depending on the necessary access requirements, whereas external partners should access the relevant applications through client-less SSL VPNs, if possible. This will allow external partners to avoid the process of deploying software and licenses.
Organizations can also achieve temporary access, whether it be on-demand or limited hourly access, by implementing a Remote Authentication Dial-In User Service (RADIUS) server. With this approach, general access limitations can be set automatically, whereas on-demand access will have to be enabled–as well as disabled–manually by an administrator. Again, process quality is important.
If you have any questions that you would like answered on VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.
Joerg Hirschmann is CTO at NCP Engineering GmbH.
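An audit over the credential types named in the two answers above (directory account, VPN client certificate, OTP token, and time-limited partner access), added here as an example and not code from the interview or from NCP. All records, user names, serials and token IDs are constructed, and the flat dictionaries are assumed stand-ins for whatever directory, CA and RADIUS exports an organization actually has.

```python
from datetime import datetime, timezone

# Constructed sample inventory; every name, serial and token ID is hypothetical.
ACCOUNTS = {"asmith": "disabled", "bjones": "disabled", "cwu": "enabled"}
CERTS = {"1A01": "asmith", "1A02": "bjones", "1A03": "cwu"}   # serial -> owner
CRL = {"1A01"}                                                # revoked serials
OTP_TOKENS = {"TK-001": ("asmith", "disabled"), "TK-002": ("bjones", "active")}
# Temporary grants for external partners: user -> (enabled flag, end of window)
GRANTS = {
    "partner-x": (True, datetime(2013, 1, 15, tzinfo=timezone.utc)),
    "partner-y": (True, datetime(2013, 3, 1, tzinfo=timezone.utc)),
    "partner-z": (False, datetime(2013, 1, 10, tzinfo=timezone.utc)),
}


def residual_credentials(user):
    """List every credential that would still authenticate this user."""
    live = []
    if ACCOUNTS.get(user) == "enabled":
        live.append("account")
    for serial, owner in sorted(CERTS.items()):
        if owner == user and serial not in CRL:
            live.append(f"cert:{serial}")
    for token, (owner, state) in sorted(OTP_TOKENS.items()):
        if owner == user and state == "active":
            live.append(f"otp:{token}")
    return live


def audit_leavers(leavers):
    """Map each departed user to credentials that were not withdrawn."""
    findings = {}
    for user in sorted(leavers):
        live = residual_credentials(user)
        if live:
            findings[user] = live
    return findings


def overdue_grants(now):
    """Temporary grants still enabled after their access window has closed."""
    return sorted(u for u, (enabled, end) in GRANTS.items() if enabled and end < now)


if __name__ == "__main__":
    print(audit_leavers({"asmith", "bjones"}))
    print(overdue_grants(datetime(2013, 1, 22, tzinfo=timezone.utc)))
```

Here both leavers have disabled accounts, yet one still holds an unrevoked certificate and an active token, which is the gap a disable-only process leaves open.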