Q&A on Employee Provisioning with Joerg Hirschmann: Part 3

This is the third and final entry in our Q&A series on questions related to employee provisioning and VPNs. Last week, we addressed how provisioning can benefit an organizations’ overall security postures as well as the de-provisioning tactics necessary to mitigate security risks during employee transitions. 

Question: Certain scenarios, such as short-term business partnerships, will require adaptable provisioning. How can VPN technology enable temporary and secure remote access? What are other solutions companies can use to incorporate flexibility into their workforce?

Joerg Hirschmann: VPN solutions offer different access points for various types of remote access users. In general, employees will require deeper access to corporate network resources than external partners will need. For that reason, companies should deploy VPN clients to their entire workforce, depending on the necessary access requirements, whereas external partners should access the relevant applications through client-less SSL VPNs, if possible. This will allow external partners to avoid the process of deploying software and licenses.

Organizations can also achieve temporary access, whether it be on-demand or limited hourly access,  by implementing a Remote Authentication Dial-In User Service (RADIUS) server. With this approach, general access limitations can be set automatically, whereas on-demand access will have to be enabled–as well as disabled–manually by an administrator. Again, process quality is important.

If you have any questions that you would like answered on VPNs, remote access, network security and the like, send them to editor@vpnhaus.com. 

Joerg Hirschmann is CTO at NCP Engineering GmbH. 

Q&A on Employee Provisioning with Joerg Hirschmann: Part 2

This is part two in a series of questions related to employee provisioning and VPNs. Earlier this week, we addressed how enterprises can ensure that their provisioning processes benefit their overall security postures. 

Question: Provisioning’s security holes become particularly apparent when remote mobile access users leave a company and enterprises try to apply a one-size-fits-all de-provisioning approach. In today’s mobile, global, 24-hour business world, what de-provisioning tactics are necessary to mitigate security risks during employee transitions?

Joerg Hirschmann: The best de-provisioning approach will be one that does not rely on a singular component to keep up with an organization’s changing needs. For instance, a provisioning process should go beyond the ordinary capability of disabling an account; instead, an organization should use the scalable method of PKI (certificate based authentication), which offers an additional option to withdraw remote access permission by revoking the user’s certificate. Similar offerings are available through One-Time-Password tools, which can also disable specific tokens, for example.

At the end of the day, the quality of the automated process will dictate how effective provisioning and de-provisioning will be.

Stay tuned for more on employee provisioning and VPNs next week. If you have any questions that you would like answered, as related to VPNs, remote access, network security and the like, send them to editor@vpnhaus.com. 

Joerg Hirschmann is CTO at NCP Engineering GmbH. 

Q&A on Employee Provisioning with Joerg Hirschmann: Part 1

Today’s post kicks off a Q&A series with Joerg Hirschmann, CTO at NCP engineering GmbH. These questions and answers, which we will post over the next few weeks, are related to employee provisioning and VPNs.

Question: While user provisioning can enable efficient employee on-boarding, poor provisioning can result in expensive and irrevocable data leaks. How can enterprises make sure their provisioning is a benefit, not a detriment, to their overall security postures? 

Joerg Hirschmann: VPN user provisioning should be as automated as much as possible to rule out manual flaws, which are often caused by workload, unplanned absences, etc.  However, if not designed properly, even the best automated processes can allow security leaks to disrupt the corporate networks.

Normally, the provisioning process does not originate from the IT department; rather, it is initiated by HR once the decision is made to sign on/off staff or to provide access for external partners (temporary or permanent). Processes will have to be defined accordingly so that these kinds of personnel decisions will find their way into relative data records, which are then processed by IT. Therefore, a remote access solution must provide relevant interfaces to get synchronized with the appropriate databases.

The more time this information needs to be delivered to the relevant system, the bigger the security risks are going to be. It goes without saying that the processes defined need to be thoroughly tested and approved.

Stay tuned for more on employee provisioning and VPNs this week. If you have any questions that you would like answered, send them to editor@vpnhaus.com. 

Joerg Hirschmann is CTO at NCP Engineering GmbH. 

The Disgruntled Security Breach Strikes Again

We’ve said it before and we’ll say it again – disgruntled, former employees pose a major risk to your network. If you’ve been following the headlines this week, you know why we’re bringing this up again.

A former IT employee at Gucci was charged with remotely taking over the haute-couture company’s computers, shutting down servers, and deleting emails, the Wall Street Journal reported yesterday. According to the WSJ, here’s what’s happened:

Sam Chihlung Yun, 34 years old, allegedly created an account in the name of a fictional employee and used it to access the company’s network after he was fired in May 2010, prosecutors said. He allegedly caused more than $200,000 in diminished productivity, as well as remediation costs, prosecutors said.

Now Mr. Yun is being charged with a 50-count indictment for unauthorized use of a computer, unlawful duplication of computer-related material, among other charges. So, how did he do it? InformationWeek is reporting that Yun created a VPN token in the name of a fictional employee, then when he was fired he used this USB-based token to gain remote access. In the aftermath of Yun’s attack in November, Gucci staff were not able to access any documents, files, or materials saved anywhere on its network.

Frightening, right? So what can you do? Review your user log carefully and often – if you spot a red flag, investigate. Also, make sure all former employees are completely provisioned off the network and reset all the passwords and access rights following their departure.

Gucci was lucky enough to catch and prosecute its culprit — but the fashion giant would have been luckier if it had stopped the breach before it even happened.

Conversation with Shahid Shah on mHealth, Part 4

This week, we feature the final post in our series with Shahid Shah, an enterprise software analyst that specializes in healthcare IT with an emphasis on e-health, EMRs, data integration, and legacy modernization.  He is also founder of the popular Healthcare IT Guy blog.

VPN Haus: When we last spoke, you said mobile phones will be just a small area of mobile health. What else can we expect?

Shahid Shah: There are going to be sensors as you walk into hospitals that will be placed on you, the way band aids were placed on you. Those sensors are going to collect information and that information is going to have to be shared somehow. So this data will have to be treated in a HIPAA compliant way.  So if you’re interested in healthcare IT in general, you typically hear about medical records, but really the big growth area is with the sensors, body area networks, wireless within hospitals and the ability to tie in the patient’s home to make the patient’s home a tie-in to the doctor’s office or hospital.

VPN Haus: How would this data be protected?

Shah: I would like to see smart information architectures, like patient data management, that keep the patient’s clinical data fully segregated from the patient’s ID data. So if you’re looking at a patient’s demographics, that might sit in on database separately than clinical or HIPAA protected information. So if somebody stole all the clinical data, it wouldn’t mean anything because they can’t identify the data.

VPN Haus: Thank you, Shahid.

For the first three parts of Shahid’s Q&A, click here.