Rethink Remote Access: Mike Meikle’s Advice
by VPNHaus | 14.12.2009 | Rethink Remote Access
For another perspective on our "how to rethink remote access" series, we spoke to IT expert Mike Meikle about why remote access policy is hard to adapt. Mike is a Capital One Platform/Program Management Consultant at Sapphire Technologies, providing advice and solutions to senior executives. He shares some thoughts with us on whether the issue is network security’s flexibility with.
Internal politics, first off, has doomed many sensible security efforts. From "Why can't the VP have administrator access remotely to the email server?" to "I don't want to have to remember/change my password," this usually leads to a bare-bones approach to security as a whole. A metaphor for this is having a screen door on a bank vault.
Flexibility of network security is not the issue. Even though a hacker can break a password in three days with a mid-level system and a high-end graphics card, we haven't adapted to this new reality. One-time passwords, tokens, and biometrics are still only utilized by a small segment of the population, mostly government and high-level financial institutions. Security professionals have a hard time making the case to upper management for security "best practices," let alone more advanced technologies such as intrusion detection and prevention, etc. So most companies go by the axiom that a "locked door keeps an honest man honest." These companies probably know that a dedicated individual, within or without, could walk off with valuable assets without too much trouble.
It all boils down to the user and his/her acceptance of the policy or solution. This topic was brought up on your blog by Andrew Baker. Without user buy-in to whatever you are selling or implementing, it will fail or be resisted heavily. Folks in IT are usually poor sales/marketing people, which is why IT and the business should work together on designing their solutions to fit the needs of the users within the company. Of course, this would be weighed against a cost/benefit analysis and risk. A heavy-handed approach by IT or upper management will almost always guarantee a spectacular waste of money and time, with eventual bare-minimum compliance.
The solution? This goes all the way back to the strategic plan of the organization in question. Security has to start from the top down and be integrated into whatever solution, not tacked on as an afterthought. It also involves training, as Mr. Baker mentioned: training for both employees and a company’s customers. Managing the expectations of both parties will help smooth the path for future adjustments.