Expert Q&A: Establishing a Secure Data Center and Cloud with Remote Access

*Editor’s Note: This is Part One of an article that originally appeared in The Data Center Journal’s Industry Perspective Column.*

By: Rainer Enders, VPN Expert and CTO, Americas, at NCP engineering

Industry Perspective: What are some of the main security concerns for data center managers today?

Rainer Enders: The evolution of modern data centers, while beneficial for many reasons, is exposing serious security pain points along the way. For one, as data centers grow in size to keep up with enterprise computing needs, it becomes increasingly difficult for IT managers to adequately protect all corporate assets, which include everything from data and documentation to software and supplies. As capacity expands, data center managers are finding it harder to maintain critical IT compliance and security measures, such as managing and de-provisioning privileged user access, and running compliance reports that are growing in both depth and volume. Additionally, with the rising popularity of virtualized and cloud environments, data center managers are tasked with baking security into all compute, network, storage and hypervisor layers. This is a considerably difficult task, in light of the numerous emerging attack vectors that constantly increase in sophistication, such as ever-morphing advanced persistent threats (APTs) that are compromising critical corporate information.

IP: What specific security challenges arise as companies outsource to the cloud and rely on remote services with increasing frequency?

RE: The most critical security challenges that arise in cloud deployments are compromises to remote access connections—in the form of session-hijacking attacks, for example—and compromises of cloud-hosted resources, such as virtual machines, from within the hosted provider network. Insufficient security architectures and controls in operator networks can cause...

Q&A on Employee Provisioning with Joerg Hirschmann: Part 3

This is the third and final entry in our Q&A series on questions related to employee provisioning and VPNs. Last week, we addressed how provisioning can benefit organizations’ overall security postures as well as the de-provisioning tactics necessary to mitigate security risks during employee transitions.

Question: Certain scenarios, such as short-term business partnerships, will require adaptable provisioning. How can VPN technology enable temporary and secure remote access? What are other solutions companies can use to incorporate flexibility into their workforce?

Joerg Hirschmann: VPN solutions offer different access points for various types of remote access users. In general, employees will require deeper access to corporate network resources than external partners will need. For that reason, companies should deploy VPN clients to their entire workforce, depending on the necessary access requirements, whereas external partners should access the relevant applications through client-less SSL VPNs, if possible. This will allow external partners to avoid the process of deploying software and licenses. Organizations can also achieve temporary access, whether it be on-demand or limited hourly access, by implementing a Remote Authentication Dial-In User Service (RADIUS) server. With this approach, general access limitations can be set automatically, whereas on-demand access will have to be enabled–as well as disabled–manually by an administrator. Again, process quality is important.

If you have any questions that you would like answered on VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP...

Q&A on Employee Provisioning with Joerg Hirschmann: Part 2

This is part two in a series of questions related to employee provisioning and VPNs. Earlier this week, we addressed how enterprises can ensure that their provisioning processes benefit their overall security postures.

Question: Provisioning’s security holes become particularly apparent when remote mobile access users leave a company and enterprises try to apply a one-size-fits-all de-provisioning approach. In today’s mobile, global, 24-hour business world, what de-provisioning tactics are necessary to mitigate security risks during employee transitions?

Joerg Hirschmann: The best de-provisioning approach will be one that does not rely on a singular component to keep up with an organization’s changing needs. For instance, a provisioning process should go beyond the ordinary capability of disabling an account; instead, an organization should use the scalable method of PKI (certificate-based authentication), which offers an additional option to withdraw remote access permission by revoking the user’s certificate. Similar offerings are available through One-Time-Password tools, which can also disable specific tokens, for example. At the end of the day, the quality of the automated process will dictate how effective provisioning and de-provisioning will be.

Stay tuned for more on employee provisioning and VPNs next week. If you have any questions that you would like answered, as related to VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP...

Q&A on Employee Provisioning with Joerg Hirschmann: Part 1

Today’s post kicks off a Q&A series with Joerg Hirschmann, CTO at NCP engineering GmbH. These questions and answers, which we will post over the next few weeks, are related to employee provisioning and VPNs.

Question: While user provisioning can enable efficient employee on-boarding, poor provisioning can result in expensive and irrevocable data leaks. How can enterprises make sure their provisioning is a benefit, not a detriment, to their overall security postures?

Joerg Hirschmann: VPN user provisioning should be automated as much as possible to rule out manual flaws, which are often caused by workload, unplanned absences, etc. However, if not designed properly, even the best automated processes can allow security leaks to disrupt the corporate networks. Normally, the provisioning process does not originate from the IT department; rather, it is initiated by HR once the decision is made to sign on/off staff or to provide access for external partners (temporary or permanent). Processes will have to be defined accordingly so that these kinds of personnel decisions will find their way into relative data records, which are then processed by IT. Therefore, a remote access solution must provide relevant interfaces to get synchronized with the appropriate databases. The more time this information needs to be delivered to the relevant system, the bigger the security risks are going to be. It goes without saying that the processes defined need to be thoroughly tested and approved.

Stay tuned for more on employee provisioning and VPNs this week. If you have any questions that you would like answered, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP...

Avoiding VPN Headaches with Joe the CIO

We continue to join Joe the CIO on his hunt for ways to save his company both time and money in enabling remote access. In particular, Joe is concerned about costly rip and repair projects his company would have to undergo in order to efficiently provision and configure each VPN client needed — not to mention future software and security updates. The VPN management system provided by NCP engineering helps ease Joe’s worries. To learn more, check out this video....