Rethink Remote Access: Mark Butler’s Advice
by VPNHaus | 12/28/2009 | Rethink Remote Access
The next IT expert to offer insight in our series on how to rethink remote access is Mark Butler, an experienced computer and process security professional. Mark shares his perspective on why adapting remote access policy is hard, even though new technologies offer employees greater productivity.
Remote access is a touchy subject for most IT. It can be a great productivity aid, but in many (most?) cases it is massively unsecure and the amount of effort to secure it pushes the cost too high.
New handhelds - who pays to support them, who pays to standardize them? After years of trying to reduce costs by reducing diversity, the idea of dozens of new little "toys" being used by a handful of techies who are interested in what they can do, not how secure they are, draws the predictable reaction.
A non-security example: we went through a multi-year project to purge out all of the personal printers people were buying from discount houses because they were cheap. The cost to the enterprise was enormous as support for the drivers and the incompatibilities they introduced ate away at labor at an increasing rate. Eventually it became cheaper to replace the discount printers with much more expensive standardized ones.
Mobile apps are in the same boat. Allowing a mobile app developed by unknown, unsupported teams to have access to company resources is not a good idea, yet how many download something to try and play with it and have no idea if there is a hidden payload inside... these are the types of things IT must be sensitive to.
I think that the policy is the wrong place to look for change; most policies specify levels of security and layers of management. If the new devices and apps can prove they fit within policies, they can be used; if they can't, then they are inherently insecure and shouldn't be used no matter how productive they are. The problem is that, like the printers, people want to just pick something up and plug it into the company resources - never a good idea.