Information technology staffers charged with securing their company's remote connections report that their largest challenges have to do with notebooks and laptops, e-mail, firewalls and VPNs -- in that order.
So said 223 respondents in a survey conducted online recently by searchSecurity.com. Top industries represented included computer software and hardware manufacturers, financial services, government/nonprofit and IT services. The most popular titles of those answering the survey were network or systems analyst/administrator (30%), IT manager/director (20%), security analyst/consultant/architect (17%) and security manager/officer (9%).
But while the overall number of remote workers is still in the minority (37% said they have remote and or traveling workers), they pose a serious problem. "They are bypassing the security measures you have in place on your internal network," said Eric Hemmendinger, research director for security at the Aberdeen Group in Boston. "Those users are not shielded by corporate security provisions, and so they're the weakest link in the chain."
When we ran our findings by those who actually took the survey, it's interesting to note that some said that their own biggest headaches weren?t necessarily reflected in the top survey responses. Johannes Roehricht is a system engineer for EDS Information Technologies and helps administer remote security for EDS employees in Germany, where he is based. EDS is a huge IT services company,
Roehricht said his biggest problem is having to learn and administer different remote-security administration tools -- one for e-mail filtering, another for password administration and authentication, another set of software to administer VPNs, and so on...
"It?s very inconvenient," he said. "Some [tools] still lack multiple interfaces to other useful or necessary tools," and some vendors "are still too stubborn to look out of their back door." This forces remote-security administrators to learn and to run many individual packages to solve different pieces of the problem. In other words, instead of having one all-encompassing toolkit to use for everything, security administrators are forced to go to different vendors for different solutions. The result is that the security administrator does not get "a general overview," of what he or she is trying to accomplish, Roehricht said.
To solve this problem, his company is currently "experimenting" with integrating individual remote-security tools by using middleware such as IBM?s MQSeries. The idea is to connect the tools so that they pass information to and from each other, with a similar look-and-feel for all the individual tools, Roehricht said. This will cut down on the number of tools that the security administrators will need to learn.
Another survey respondent said that his most time-consuming problem is dealing with security profiles of his remote users. "Because they take their systems home and on the road, they then use the wrong profile for when they are back in the office," said Eric Etheredge, systems manager for the Office of the Standing Trustee in Lubbock, Texas. Typically, companies have one set of software for when an end-user is traveling or working remotely, with a suite of applications intended for that purpose. But when these users return to the office, they must switch back to using whatever software is supported in the mother ship.
On average, once or twice a month someone comes to him with this problem, he said, and "they get the deer-in-the-headlights look on their faces when I tell them they need to choose the 'Office' profile" so they're using the correct software, Etheredge said.
Roehricht and Etheredge are not alone. Other shops are dealing with the remote-security problems they identified, as well as with issues having to do notebook and laptop PCs, e-mail, firewalls and VPNs. Here's what analysts and users had to say about these areas:
Notebooks and laptops
Some 21% of the searchSecurity.com survey respondents identified this area as a top problem. Typical issues here involve authentication, or making sure the user is really who he or she is supposed to be. Ultra-careful customers have multiple levels of security, with different passwords needed to get into the corporate network and then each major application or set of applications for which the individual user has been approved.
Password authentication, identified by only 12% of survey respondents as a thorn in their sides, is "seldom" a problem in his shop, Etheredge said. But when it does happen, it's a huge time-consumer. "There are a few people who cannot ever seem to remember their passwords, or that the passwords are case-sensitive," he said.
Further, theft of laptops and notebooks can be an issue. The biggest concern here isn't necessarily the purchase price of the machine; rather the key issue is the data and possible proprietary information contained inside the machine. Regular backups, particularly when a user returns from a road trip, are essential, according to the survey respondents and analysts.
In all cases, the most important remedy is to keep e-mail filtering software up to date. "A large number of security products are misconfigured or not updated," Christiansen says. "It's important to keep them as up-to-date as possible." Still, he said, that spam is a "difficult thing to filter, because spammers often have legitimate-looking addresses and/or subject lines."
Trailing closely behind e-mail, some 17% of respondents said firewalls give them problems. Issues here include keeping the software current, much as with the e-mail world, Christiansen said. "People tend to install them, and then forget about them. But an old firewall is worse than none at all," he said, because that can lead to a false sense of security.
Other things here include managing multiple firewalls, from multiple vendors, in multiple locations. This is especially common in very large companies, Christiansen said.
Some 15% of survey respondents identified VPNs as trouble spots. One issue is "making sure a third party isn't piggybacking on the remote connection," Christiansen said. In other words, it's important to take measures to prevent a third party from gaining access over the remote connection, whether it's a VPN or another communications mechanism.
Other problems here include the complexity of setting up and administering VPNs in general.
Frank Prince, an analyst at Forrester Research in Cambridge, Mass., said that most of his customers'remote security questions relate to data protection and link-level security -- and that the answers are application-specific. For example, let's say that a healthcare organization has bought PDAs for its physicians to write prescriptions. Customers want to know which vendors can encrypt data on a certain type of PDA, or they might wonder whether remote devices have enough horsepower to be the terminating point of a VPN, Prince said.
"What organizations are doing, characteristically, is securing the device?s operating environment and channels of communication," Prince explained. "So they might set up a VPN all the way out to the remote device and ensure that the data in the remote application is encrypted or otherwise securely stored on the device. They may require that access to the device be controlled by a password."
Overall, Prince said, "you can see organizations trying to extend, amoeba-like, the security envelope of the devices that are traipsing around."
Ambrosio is a freelance writer in Marlborough, Mass. Reach her at mailto:firstname.lastname@example.org.