Individuals who constitute a remote workforce must have access to corporate information networks. Such access can...
be compromised or corrupted more easily than just about every other access link to valuable records. Therefore, the remote workforce represents risks that can easily exceed all promised economic or operational advantages.
Let me start with a categorical assertion that there is no such thing as total information security, and that information crimes cannot be completely prevented. That is true even if all communications are contained within a tightly guarded fortress. However, when you examine the technologies used to accomplish remote access to corporate computer networks, you have to conclude that access from a remote workforce will be always more vulnerable to misuse than any other information-processing activity.
There are numerous technical reasons for such tendency to security failure. Perhaps the most important cause of risk is the ability of a perpetrator to be in a better position to evade prosecution than someone hard-wired to a local network performing the identical criminal act. This inequality is largely the fault of corporate security organizations that are easily pressured to treat their "road warriors" or those working on vacation as an accommodation and not as a heightened risk. The case that proves my point is one in which the Director of CIA worked from his home (using AOL!!) to comment on "code blue" reports.
The best approach to securing remote workforce access to corporate information is by means of -- what in intelligence operations is called -- "compartmentalization." This requires deliberate and pre-planned isolation of access to only those data that can be associated with designated persons and their ?need to know.?
Compartmentalization makes it possible to deal with specific risks as they apply under specified circumstances. The concept calls for the creation of a "security custodian." This person is accountable for assessing the risks and then assigning a file, record or document into its appropriate "compartmented" category for protection. Thus, only businesspeople can be accountable "security custodians." They are the only ones who can make the necessary trade-offs between the worth of what needs to be protected and the many inconveniences that all security procedures impose on business operations.
In the case of a remote workforce, compartmentalization would make it necessary for a "line" manager, who is responsible for the employment and work assignment, to decide when and how individuals access data, the procedures they follow and what track record they leave to make their actions a matter of record that could be admissible for prosecution, if necessary. The key feature that would govern this entire process has to be strict adherence to the principle of "non-repudiation." This makes it necessary for the security organization to offer every manager clearly identifiable security safeguard options that could be then invoked by making simple choices that would be then legally binding.
I am dwelling on some of the legal minutiae of compartmentalization because I have been involved in cases where after-fact discoveries of alleged losses of data to remote laptops could not be prosecuted because of insufficient evidence and an absence of appropriate notification.
Compartmentalization should be contrasted with the prevailing present practices, which I label as the blanket privilege "classification" method. The existing approach is a holdover from security practices that go back to medieval practice, which designated every "gentleman" -- usually of noble origin -- as unquestionably trustworthy, under all circumstances. In this approach, all one has to do is slot people as to whether they are eligible to see Secret, Top Secret, or Special Secret information.
Once equipped with a badge with the right color, or certified as to their appropriate password, such individuals are free to roam through file rooms or networks without much difficulty. Security personnel are wedded to the ?classification? approach because it keeps them busy checking past employment records, employee references and neighbor gossip. If one of the approved wards turns out to commit a crime, nobody is held accountable. If the security people filled out all of the forms, they are not responsible. If one of the remote workers leaks the contents of a sensitive customer database to a competitor, the marketing manager who engaged the remote contractor to save money is not accountable, because the problem was the responsibility of computer people.
As the security of internal information management processes improves, remote access from a fluid workforce (or those masquerading as such) will continue to be the preferred technique for committing hard-to-trace information crimes. It should be clear to corporate executives that the management of remote-workforce security warrants extraordinary care and tough-minded enforcement. I believe that the management of remote-workforce security will be finally recognized as the weakest link in corporate information resource protection. Chances are, remote access privileges will someday dictate security policies that must be imposed on everybody!
The idea that everyone with a password -- or even an access token -- is automatically recognized as a trusted person is without merit. The best you can do is to accommodate their access needs by letting them enter into a temporarily constructed "compartment." Most importantly, this will finally put an end to having security and computer people responsible for information security. "Compartmentalization" places accountability where it belongs: into the hands of those directly responsible for the performance of their employees.
About the author:
Paul A. Strassmann (firstname.lastname@example.org) services as the chief information systems executive started in 1957. Since his "retirement" in 1993, he has continued engagements in matters related to information security.