Remote access is fast becoming the number one security challenge for public sector IT managers. From a laptop in an Internet cafe, to a BlackBerry along a lonely highway, to a home computer in the rec room, the task of “keeping the inside in and the outside out” is growing in kind and scale.
The indisputable benefits of remote access mean there is no standing still. There is constant pressure to push functionality beyond the traditional network. Users want to download spreadsheets to their PDAs or carry as much as 16 gigabytes of data out of the office on a keychain flash drive.
First conceived of as productivity enhancements, teleworking and mobility have become standard operating procedure if not imperatives. Employees can better juggle their family responsibilities with their working lives and reduce travel time. Employers can substantially reduce the physical environment they need to provide and reach out across time and space to assemble the talent they need. Virtual work teams can collaborate effectively in cyberspace and eliminate travel expenses.
More recently, we have seen that remote access can have national security implications. Kellman Meghu of Check Point Software Technologies points to the SARS epidemic that struck Toronto in 2003. “All of a sudden a lot of companies that were debating whether or not they needed remote access suddenly had a very good reason for needing remote access. The companies that had invested in a secure remote solution were still business as usual, or as usual as they could be when they sent everybody home.” With examples like the 1998 ice storm and the terrorist attacks of 2001 fresh in mind, it is easy to construct scenarios in which remote workers save lives.
As always, when a new IT opportunity emerges, the security threat is never far behind. Vendors are quick to bring solutions to market. Making sure that products meet the test of user-friendliness is key, and a USB flash drive is the focus of the MobiKEY solution from Toronto’s Route 1 Inc.
“It’s a thin client on a key,” company president Tim Hyland said. “Load a host on the desktop where you want to work. Then, when you want to work at home, you plug in the key and a password and 40 seconds later, you’re working on your desktop, as if you were in front of it, working over an encrypted VPN. You’re on the network.”
The device works on any computer with a USB port that can run Windows 2000 or better. Users can manage the setup themselves or the IT department can install the host and send the key to a remote user. Once the key is removed, nothing resides on the guest computer. The system is already in use with Canadian and international public sector clients.
For administrators, the great advantage of solutions like MobiKEY is that they reduce the sense of ownership that many employees have in their communications and computer equipment, allowing IT security personnel to restrict usage privileges and confine access to permitted files and applications. In effect, the users are on their “work” computer, not their own machines.
There is a powerful incentive to get ahead of the demand curve for usability. Many users are accustomed to installing and running their own software in the office to do their work or grabbing upgrades and enhancements off the Internet before IT administrations can get around to their request. Where the employer does not provide a secure, Web-based service, the private sector is willing and able. Web-based e-mail services like Yahoo and Hotmail are already banned in most environments, but free collaborative word processing and other office applications are now becoming available. For public servants and contractors writing a document on deadline, the temptation to use a new service like Writely to share Word documents online could be overwhelming.
Says Kellman Meghu: “The biggest challenge I’ve seen with companies deploying endpoint security is really shifting an attitude in their users and that’s the biggest ‘gotcha.’ That is, up until the point where somebody takes control of their laptop, the attitude is ‘this is my laptop, my desktop, and I’m going to load my software and do my things,’ and in reality, what we’re saying is, ‘no, this is a business laptop and it’s only to be used for these purposes.’”
When governments issue their employees chainsaws or welding rigs, they typically teach safety rules and enforce those protocols. The tools that lock down physical equipment are training, policies and enforcement. System administrators have the ability to do the same thing and more, locking users down to just those files, applications and Web sites they really need, but the culture of entitlement is strong. Delivering their desktops instantly and completely to employees anywhere in the world may mean reversing that trend. As Kellman Meghu said, “Because they are computers, BlackBerries, PDAs and cell phones, people treat them like personal property, almost like perks. The reality is, it’s so dangerous, no organization should be taking that risk.”
Richard Bray is a freelance journalist based in Ottawa specializing in high technology and security issues.