The need for adequate
end-point security has become a growing concern as more and
more organisations allow their staff to work remotely. To support
this demand the IT industry has developed products to ensure that
remote or roaming workers are authenticated and secure. But
identifying which technologies to employ is not always obvious, and
getting user buy-in can be half the challenge.
The first challenge is identifying the risks. Steve Robinson,
European head of information security at investment bank Lehman
Brothers and a keynote speaker at the InfoSec conference in April,
says the risks include people working from home, hotels, internet
cafés or a supplier's or client's offices. Outsourcing, offshoring
and satellite offices are also a security risk.
Robinson adds to this list the latest emerging technologies of
wireless, 3G and hand-held devices. "An organisation's IT
security group needs to assess each specific risk and implement
systems to enable the business to take full advantage of today's
technology to maximise their remote working capabilities," says
Robinson.
The types of technologies available to help secure remote
workers include: two-factor authentication; virtual private
networks, often used in association with two-factor authentication;
biometric technologies; data encryption; and tracing
technologies.
To be most effective, end-point security should be used with
other technical innovations and processes, says Robinson.
Steven Furnell, a professor of information systems security at
Plymouth University, says that when considering these
technologies companies must look at how they will affect
end-users.
"Although we might be happy enough entering a 10-character
password to access a laptop, this would be less acceptable on a PDA
that is frequently used for short periods. Indeed, such devices are
often left entirely unprotected against unauthorised access, with
users considering even basic Pin protection to be inconvenient,"
says Furnell.
"Although various products are available that can prevent data
being transferred to and from mobile devices and removable media
without authorisation, they will not prevent users entering
sensitive information into the devices directly. As such, user
awareness and encouragement to make appropriate use of the
available security will represent crucial accompaniments to the
technology."
So what is the best approach to achieving security with remote
workers? Donal Casey, security consultant at IT consultancy Morse,
says that most organisations tend to build up layers of security
when securing remote workers.
This could start with a layer of anti-virus software and an
application patching system, followed by a user access control
system to stop users having administrator access to the IT
system.
Next would be a personal firewall. This used to be the
responsibility of the user, but is now coming under the IT
department's remit.
Next, says Casey, organisations should look at
end-point policy management software. This determines which
applications the remote device runs and is allowed to run, and how
it is allowed to connect to the corporate environment.
Wireless protection is another level above this that some
organisations deploy, and may include wireless encryption and
policies.
Two-factor authentication
Two-factor authentication systems from suppliers such as
RSA Security and
Verisign are widely used among enterprises and add a layer of
security by asking not just for a login password or Pin, but also
for a physical security token.
RSA's system, SecurID, uses an electronic device as the physical
token, which generates a new passcode every 60 seconds. Users include
Bradford & Bingley, Rolls Royce and Bentley Motor Cars and
Staffordshire Police.
In the case of Staffordshire Police, the technology has meant it
can give more than 2,000 police officers mobile and secure access
to the Police National Computer (PNC) and confidential
information.
Each officer carries a personal RSA SecurID token on their belt,
which generates a unique "one-time" passcode every 60 seconds. This
must be entered, together with the officer's private Pin, to gain
access to the network and the PNC.
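The login described above combines something the officer has (a token whose code changes every 60 seconds) with something the officer knows (a private Pin). The following is an added example, not part of the original article and not RSA's own code: it uses the public HOTP/TOTP construction (RFC 4226 and RFC 6238) with a 60-second step to show how a server checks both factors, tolerates a little clock drift, and refuses a passcode that has already been used. The seed, salt and Pin are constructed test values; SecurID itself uses a different, proprietary algorithm.

```python
import hashlib
import hmac
import struct

# Constructed test material. The seed is the 20-byte key from the RFC 6238
# test vectors; in a real deployment the seed lives only in the token and
# on the authentication server.
TOKEN_SEED = b"12345678901234567890"
USER_PIN = "4711"
PIN_SALT = b"constructed-salt"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of whole
    step-second intervals since the Unix epoch, so the code changes once
    per interval (60 seconds here, matching the tokens in the article)."""
    return hotp(seed, unix_time // step, digits)


def hash_pin(pin: str) -> bytes:
    """The server stores a slow, salted hash of the Pin, never the Pin itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)


class TokenVerifier:
    """Server-side check of Pin (something you know) plus passcode
    (something you have). Remembers the last accepted counter so that a
    passcode seen once cannot be accepted again inside its validity window."""

    def __init__(self, seed: bytes, pin_hash: bytes, step: int = 60, window: int = 1):
        self.seed = seed
        self.pin_hash = pin_hash
        self.step = step
        self.window = window      # tolerated clock drift, in steps either side
        self.last_counter = -1    # highest counter already consumed

    def verify(self, pin: str, passcode: str, now: int) -> bool:
        # Evaluate both factors every time so the response does not reveal
        # which one failed.
        pin_ok = hmac.compare_digest(hash_pin(pin), self.pin_hash)
        current = now // self.step
        matched = None
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # already used: one-time means one time
            if hmac.compare_digest(hotp(self.seed, counter), passcode):
                matched = counter
        if not (pin_ok and matched is not None):
            return False
        self.last_counter = matched   # consume the code only on success
        return True


def demo() -> list:
    """A valid login, a replayed code, a stale code and a wrong Pin."""
    v = TokenVerifier(TOKEN_SEED, hash_pin(USER_PIN))
    t = 1_700_000_000                      # constructed 'now'
    code = totp(TOKEN_SEED, t)
    return [
        v.verify(USER_PIN, code, t),                           # fresh code, right Pin
        v.verify(USER_PIN, code, t + 10),                      # same code replayed
        v.verify(USER_PIN, totp(TOKEN_SEED, t - 300), t),      # code from 5 minutes ago
        v.verify("0000", totp(TOKEN_SEED, t + 60), t + 60),    # fresh code, wrong Pin
    ]


if __name__ == "__main__":
    print(demo())
```

The window of one step either side is the usual compromise between tokens whose clocks drift and the short validity the 60-second rotation is meant to give; the replay check is what makes the code genuinely one-time rather than merely short-lived.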
Staffordshire Police uses the system to link officers to a
Citrix-based thin-client system over a GPRS mobile link, using a
ruggedised PDA or notebook.
Ian DeSoyza, project manager at Staffordshire Police, says, "RSA
Security's secure mobile and remote access system has now allowed
our officers to report a crime at the scene within a secure systems
environment. Previously this was just not possible."
Virtual private networks
Another measure to control remote access to a corporate network
is through a virtual private network (VPN) technology such as
Secure Sockets Layer (SSL) or IP security (IPsec). This can be used in
combination with a two-factor authentication system such as
SecurID.
Secure VPNs give password-protected browser-based access to
applications and data from any remote computer, encrypting traffic
at both ends so it remains secure.
EDF Energy employs more than 11,300 people in the UK, and gives
a significant proportion of the workforce secure remote access. In
the summer of 2004, it implemented an SSL VPN appliance to give its
remote workers secure access to corporate applications, the
intranet and Microsoft Exchange e-mail.
The security appliance, from Microsoft subsidiary Whale
Communications, allows remote workers to access corporate
applications over the web using a secure login, and wipes away any
confidential data after use.
According to John Harries, strategic projects manager at EDF
Energy, the cost savings from using the appliance were immense
compared with giving each worker their own preconfigured secure
laptop that needed to be kept up to date.
Biometric technologies
Another way to secure user access to corporate networks and
sensitive data is through biometrics. Often employed as a form of
two-factor identification, biometric technologies work by matching
certain physical characteristics to information in a database. The
physical element could be from a fingerprint, iris or face scan.
Voice patterns can also be read.
ING is one company that rolled out fingerprint readers to its
dealers on the trading floor to increase security and boost
productivity. The bank is using biometric fingerprint identity
management technology from Bio-key International and fingerprint
readers from Zvetco Biometrics, so that dealers can access
computers in the central dealing room quickly and securely.
ING said that in the past these activities were impeded by
passwords that were easy to forget or lose, and as a result needed
to be changed frequently.
Another innovative user,
Humberside Police, issued biometric USB drives to staff to
maintain data security. The devices from MicroRiver use fingerprint
recognition in addition to password-level protection so that only
authorised users can access information.
The New York branch of Japan's
Shinkin Central Bank recently introduced finger vein
authentication technology. The Hitachi system was implemented
in the bank's trading room, operation room and the server room.
To enter a secured room, an ID number is entered into a keypad
and the finger is placed on a reader for validation of the vascular
pattern. Employing this type of biometric system eliminates the
need for keys or cards.
Data encryption
Apart from securing user access to data, there are many
technologies available to secure the data itself. One method is
data encryption.
The Ritz hotel in London uses software from Pointsec Mobile
Technologies to encrypt data on all its executives' mobile devices
in the event of an incorrect password being entered.
Richard Isted, IT manager at The Ritz, says, "In the beginning,
senior executives were hesitant about the new security application.
It took a while for them to get used to their device locking after
10 minutes if they were not using it.
"Luckily the new security application is adaptable, so I
adjusted the profiles to suit each of our end-users' requirements -
in this case changing the time-out feature to 30 minutes. It was
not long before everyone had become accustomed to the encryption
software on their mobile devices."
As an alternative to full-disc encryption software, storage
supplier Seagate Technologies recently launched the Momentus 5400
FDE.2 drive with built-in encryption.
The drives, which are currently shipping in notebooks from ASI
Computer Technologies, use technology that automatically encrypts
the whole drive on boot-up unless the user has the right
password.
Tracing technologies
Other technologies focus on preventing the theft of hardware,
such as PDAs and laptops. Tracing technologies in laptops can be
used to secure data and can help to locate stolen laptops and can
deter thieves both inside and outside the company.
Many laptop suppliers sell tracing technologies as a feature.
One such supplier is Dell, with its Computrace tracking
systems.
"Embedded into the basic input/output system, Computrace
notifies you when a stolen or missing machine is connected to the
internet and sends a signal alert of the location of the equipment.
This advanced data protection technology can even be used to
remotely wipe sensitive information in the event that your notebook
is lost or stolen," says a Dell spokeswoman.
End-point security has developed to the extent that there are
now many layers of technology available to secure both remote users
and their data. It is up to the organisation to find the approach
that best works for them.