searchSecurity: We recently conducted a survey that found notebooks, password authentication and e-mail to be the biggest remote security challenges. Can you give any advice on how to manage notebooks? Steve Mencik: While the three challenges are related, there are a number of problems that they address. First, with notebooks, you have the problem of protecting the data contained on the notebook. Theft of laptops has always been a problem and will likely continue to be a problem. While the laptop itself can be replaced, sometimes the data can't. It is important that data be backed up regularly, perhaps to a company server, so it can be retrieved in the event the laptop is stolen. Another issue with laptop theft is the loss of sensitive material. Even if backed up so the rightful company user can retrieve the data, that data is now also in the hands of the thief. Encryption is the best way to deal with this problem. There are some products on the market that allow for nearly transparent usage, yet provide a high degree of security for the data through encryption. searchSecurity: What advice can you give for managing password authentication and e-mail? Steve Mencik: The challenges of password authentication and e-mail come into play during communication between the remote user and the home network. Normal dial-up connectivity is plain-text (no encryption) and is subject to wiretap or network sniffers. Thus, any data that is passed between the remote user and the home network is vulnerable. The most popular and practical solution is a virtual private network (VPN). By using a VPN, all communication between the remote user and the home network is automatically encrypted and thus protected. The password authentication scheme is then just as secure as the password authentication scheme used by users directly connected to the home network. Obviously, if there is a problem with that scheme, it is a problem for all users, not just remote users. E-mail read using a VPN is protected just like any other data. If stored to the remote computer, is should be protected by encryption as described above. Another problem is if the remote computer can be connected to the home network and the Internet at the same time. The remote computer can then become a gateway for attacks from the Internet that bypass your corporate firewall. The way to avoid this is to ensure that the VPN used prohibits split tunneling. That feature is provided by many VPN products to allow a remote user to be connected to both networks at the same time. For the very security conscious, you may want to require that a remote user only connect back to the home network via a VPN and not directly to the Internet. Thus, if the remote user wants to surf the Net, they have to follow the same path as any directly connected user, which would be to go out through the firewall. By doing this, you ensure that remote users have the same Internet restrictions as directly connected users. searchSecurity: What specific points should a company address concerning remote worker issues in their written security policies documentation? Steve Mencik: Remote users should be subject to the same general security policies as in-house users, plus whatever policies are necessary to cover the differences between remote and in-house users. For instance, there should be policies regarding physical protection of the remote computer. This includes where can it be used and who is liable for theft. The policies should state how the data on the remote computer is to be protected. If data encryption is to be used, the policies should state what programs or algorithms are providing the protection and how encryption keys are chosen/distributed and protected. The connection policies should also be detailed. searchSecurity: What have you personally found to be the biggest problem with remote workers and security issues? Steve Mencik: The biggest problem with remote workers and security issues, other than some of the technical issues I've already described, is that often management personnel want to have access that bypasses the security mechanisms required for other users. Generally, the higher the level of management, the more likely the request for a way to bypass security. The other big problem is the lack of the use of tools provided. For instance, users may be provided with file or disk encryption tools for their remote computers, but either find them too cumbersome to use, or simply can't be bothered. Thus, their data is left unprotected.