Security Manager's Journal: You can't secure every employee's home
Unauthorized network access from home PCs has been widespread, and finding that out was just a fluke.
We recently deployed RSA SecurID software authentication tokens to replace the hardware tokens we had been using to provide strong authentication for remote access via a VPN client. Hardware tokens are more secure for two-factor authentication in some ways (but not in every way, as you'll see), but the software tokens can be used on mobile devices such as phones; they are much less expensive; and they can be deployed more quickly and easily. What's more, when a user no longer needs access, it's much simpler to disable a software token than it is to retrieve a hardware token from somewhere like China, Russia or India.
Of course, RSA suffered a notorious security breach last year, but after I was briefed on the details, I felt comfortable moving forward.
Deployments such as this software token rollout can be interesting, because you have a chance to learn about some scary practices that had been going on without your knowledge.
For example, once employees got word that their hardware tokens will no longer be operational, some of them started asking for software tokens to be installed on their home PCs and Macs. Clearly, they had been taking advantage of the fact that the hardware tokens could be used with any computer. Our VPN client allows full network access, and that, combined with our lack of Network Admissions Control, meant that we were ending up with untold numbers of noncompany computers on our network. Naturally, I can't vouch for the integrity of any of those noncompany assets. Home PCs are often used by family members and other people, any of whom might install untrusted applications, click on things they shouldn't and end up infecting our internal production network.
I'm also concerned about protecting intellectual property, which is my responsibility. We are free to inspect the contents of any device we have issued to our employees, but we have no legal right to inspect any personal device, even if that device is connected to our network. In addition, laws are vague in some states and countries regarding our ability to monitor activity when an employee is using a personally owned device. If such an employee were to leave the company, our intellectual property could easily go with him.
For good measure, let's throw in the risk of license compliance issues.
Help Desk Too Helpful
While employees might not be aware that they shouldn't be connecting to the network from their own PCs, our help desk personnel should know that, right? Truth is, they've been helping employees install the VPN client on their home PCs. As an experiment, I called the help desk with an urgent request for access from my home PC. They actually sent me the full VPN client and walked me through the installation on my computer. After that experience, I reviewed some help desk tickets and found that the techs had also assisted in the installation of the VPN client on PCs at public Internet kiosks and hotel lobbies.
These exception requests are being met with a stern response. If an employee needs to access our network from home or another remote location, then the company needs to issue that employee a laptop. In many cases, the employee already has a laptop and is just too lazy to take it home or prefers using a Mac. But until we deploy a more secure method of remote access, such as a virtual desktop environment or a sandboxed VPN, I will hold the line against these sorts of exceptions.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!