Rethink Remote Access: Stephen Hope’s Advice

Moving forward with our series on how to rethink remote access, we spoke to IT expert Stephen Hope. Stephen is a Solution Design Architect at Cable and Wireless UK. He shares some insight with us on whether remote access policy is hard to adapt.

Policy is not hard to adapt – getting users to stick to policy is the hard bit. What you may be missing is that policy is often compromised because remote access has to work reliably in the real world for all the users. Convenience and utility are the only things that make using remote access worthwhile, and the user base is heavily biased to people who will not put up with issues if they do see the security tradeoff as needed – and have the clout to change a policy they do not accept. Finally, logistics get in the way as well. If you want to alter the setup for all your users, you need to either deploy the changes remotely (and risk trashing the service for someone who can fire you for doing it), or catch up with them all and fix it locally. Right now we have users wandering in maybe 50+...

Rethink Remote Access: Mark Butler’s Advice

The next IT expert to offer insight in our how to rethink remote access series is Mark Butler, an experienced computer and process security professional. Mark shares his perspective on why adapting remote access policy is hard despite new technologies offering employees greater productivity.

Remote access is a touchy subject for most IT. It can be a great productivity aid, but in many (most?) cases it is massively insecure and the amount of effort to secure it pushes the cost too high. New handhelds – who pays to support them, who pays to standardize them? After years of trying to reduce costs by reducing diversity, the idea of dozens of new little “toys” being used by a handful of techies who are interested in what it can do, not how secure it is, draws the predictable reaction. As a non-security example, we went through a multi-year project to purge all of the personal printers people were buying from discount houses because they were cheap. The cost to the enterprise was enormous, as support for the drivers and the incompatibilities they introduced ate away at labor at an increasing rate. Eventually it became cheaper to replace the discount printers with much more expensive standardized ones. Mobile apps are in the same boat. Allowing a mobile app developed by unknown, unsupported teams to have access to company resources is not a good idea, yet how many download something to try and play with it and have no idea if there is a hidden payload inside… these are the types of things IT must be sensitive to. I think that the policy is the...

Rethink Remote Access: David Pearlstein’s Advice

To continue our how to rethink remote access policy series, IT expert David Pearlstein shares his opinion on why adapting the policy can be difficult and how everyone in an organization can get on board. David is the Principal at DLP Consulting.

I think if you can provide information security training to ALL levels of management to show what would happen to the company if the security was compromised, that would go a long way to convincing people that a policy is needed. Certainly your legal department should be behind you on this, since they have a vested interest in keeping the company’s data from being compromised. The C-level management should understand in dollars and cents what it would mean to their bottom line if the data were to be compromised. Then there are the regulatory issues related to information security (i.e. SOX) that may also drive acceptance of stricter policies. Get some facts together. This has to be adopted from the top down to be...

Rethink Remote Access: Anton Ivanov’s Advice

The next IT expert we spoke with for our how to rethink remote access series is Anton Ivanov, a Principal Technical Consultant. With new handhelds, WiFi everywhere and the explosion of mobile applications, great improvements in employee productivity are being offered. Yet networking and security pros complain about enforcing policy to protect the network while staff push to use these new technologies. Anton shares his view on this issue and why remote access policy can be difficult to adapt.

Lack of true defense in depth in most organizations. A very large percentage of the businesses out there have no defense besides the access policy. So they try to make it as draconian as they can. There is a lack of segmentation and compartmentalization in most organizations. Most organizations operate ONE instance of remote access for the whole organization and ONE internal network for the whole organization. Even if there are security systems inside, they are static and do not match the ever-changing organizational boundaries. As a result, changing the access policy is an extremely high-risk operation which requires prolonged risk assessment. Most organizations lack defense in depth. Once an attacker has managed to enter the network they are free to go anywhere. Thus, the access policy becomes the only technical and administrative tool between worms, viruses, hackers and the company systems. As a result, any change carries very high risk, and most IT departments are reluctant to go through the risk assessment process to modify something they perceive as working. The situation is made even more complex through false economies of scale. Throughout the last 10...

What We're Reading, Week of 12/14

eWeek Security Watch… Survey Lists Top Enterprise Endpoint Security and Compliance Holes
This post by Brian Prince discusses a survey of about 100,000 endpoints from some 25 organizations, revealing that all of them had between 10 and 30 percent security- or policy-compliance issues. The survey found the key issues are missing third-party agents, unauthorized peer-to-peer applications, missing Microsoft updates and out-of-date or misconfigured antivirus.

The Ashimmy Blog… The Evolution of NAC
While reading Alan Shimel’s post, An Incite-ful Tuesday: Playing catch up, we came across another post of his, The evolution of NAC, where he discusses Jeff Wilson of Infonetics Research’s strong support for NAC. He says that with companies going out of business and market numbers not growing as projected, a new angle needs to be taken on NAC. This is what Jeff and his team have done with their new whitepaper titled “The Evolution of Network Access Control”, which is available free to download if you are interested.

Business Week… Security Evaluation of Remote Users
In this post, Jeff Hughes offers some advice for companies to ensure that they are doing everything possible to secure their network from their own users. Companies should require that all remote users outside the perimeter firewall connect using a virtual private network. All employees should also use an antivirus solution, have their laptops regularly patched and updated, and change their passwords frequently. He also recommends companies create a remote-access usage policy and set clear expectations.

Network World… IT Pros Go Mobile for Holiday Work
According to survey results, fewer IT professionals intend to spend holiday time in the office...