
By and large, corporates have solved the problem of
protecting the security of workstations against malware in their
own internal environment, writes Gary Wood, a research
consultant at the Information Security
Forum. One indication of this is the
reluctance of many to upgrade to Windows Vista: the maturity,
reliability and security of their Windows XP implementations make
it tempting to stick with what they know.
However, ever larger numbers of users now exist outside the
corporate network. They range from road warriors and homeworkers to
business partners and customers accessing corporate websites.
Remote disquiet
Road warriors are associated with numerous problems,
including:
- infrequent connections to the corporate network, directly or
via a VPN
- poor bandwidth
- short-term connections, for example connecting only long enough
to view e-mail and then disconnecting
- lack of end-user knowledge and awareness
To deal with this, remote access devices need to be autonomous
and self-sufficient. They should be able to update themselves from
a trusted source, over a channel that authenticates what they
download, rather than rely on a connection to the tightly
controlled corporate environment.
For example, to ensure end-users have the most up-to-date
security patches, one solution is to enable the Automatic Updates
feature in Windows, which checks Microsoft's update servers once an
internet connection is detected and installs the signed packages it
retrieves. Equivalent self-updating mechanisms are widely available
from the vendors of anti-virus and other malware protection
solutions.
But in addition to trusted or corporate managed devices, the
modern business environment includes end-users who connect to
applications via the internet, perhaps from a home PC or internet
café.
What to do
To protect these employees, corporate websites need to be
designed to reduce the impact of malicious code on the connecting
host. This begins with strong user authentication that does not
depend on a static, reusable password, such as one-time password
tokens. Other devices resistant to replay attacks include the
chip and PIN authentication solutions being rolled out to customers
by UK banks. Note that these defeat the replay of a captured
credential; they do not on their own stop malware on the host from
tampering with a session that has already been authenticated.
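Why a one-time password resists replay: the code is derived from a secret shared with the token and a counter that moves forward on every use, so a code captured by malware is worthless once the server has advanced past it. The following is an added example, not code from the article or from the Information Security Forum, implementing HOTP (RFC 4226) together with the server-side verifier that enforces the counter; the user name, the per-user secret and the look-ahead window of five are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as specified in RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side of the token scheme. Keeps, per user, the highest counter
    already accepted; any code at or below that counter is a replay."""

    def __init__(self, secrets: dict, look_ahead: int = 5):
        self.secrets = secrets            # user -> token secret (assumed shared at enrolment)
        self.look_ahead = look_ahead      # how far the token may have drifted ahead of the server
        self.last_counter = {user: -1 for user in secrets}

    def verify(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user] + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                # Advance the counter: this code, and every earlier one,
                # can never be accepted again even if an attacker captured it.
                self.last_counter[user] = counter
                return True
        return False


# Constructed demo using the RFC 4226 test secret; "alice" is a made-up user.
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """Returns the accept/reject outcome of five login attempts."""
    verifier = OtpVerifier({"alice": DEMO_SECRET})
    return [
        verifier.verify("alice", hotp(DEMO_SECRET, 0)),  # first use: accepted
        verifier.verify("alice", hotp(DEMO_SECRET, 0)),  # same code replayed: rejected
        verifier.verify("alice", hotp(DEMO_SECRET, 3)),  # token pressed unseen a few times: accepted within window
        verifier.verify("alice", hotp(DEMO_SECRET, 2)),  # older code captured earlier: rejected
        verifier.verify("alice", hotp(DEMO_SECRET, 4)),  # next code: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what lets a user recover when the token was pressed without logging in; it should be kept small, and a server that also resynchronises on two consecutive codes (as RFC 4226 suggests) should still never move the accepted counter backwards.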
Host devices can also be scanned for malicious code by a component
the website delivers to the host before permitting confidential
or sensitive transactions; such a scan is only as reliable as the
host running it, so it is a filter rather than a guarantee. Another
approach is for end-users to carry
encrypted USB storage devices that also contain anti-malware
software.
Once connected, websites should only deliver services based on
the assessed level of trust of the connected device. For example,
full functionality should only be granted to a fully managed
corporate laptop with up-to-date patches and anti-virus signatures,
with an unmanaged or unknown device confined to lower-risk
functions.
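One way to enforce that tiering on the server side, as an added example that is not from the article or from the Information Security Forum: a posture report from the device is mapped to a trust tier, and each request is checked against the operations that tier allows. The report fields, the age thresholds, the tier names and the operation names are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DevicePosture:
    """Hypothetical posture report, as an endpoint agent might send it after
    connecting. Field names are assumptions for this example."""
    managed: bool                # enrolled in corporate device management
    patch_age_days: int          # days since the last security patch was applied
    av_signature_age_days: int   # days since anti-virus signatures were updated


# Operations each trust tier may perform (hypothetical names).
TIERS = {
    "full":      {"view", "edit", "approve_payment", "download_report"},
    "limited":   {"view", "edit"},
    "view_only": {"view"},
}

# Assumed policy thresholds.
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 3


def assess(posture: Optional[DevicePosture]) -> Tuple[str, List[str]]:
    """Map a posture report to a trust tier plus the reasons for the decision.
    A missing report (no agent, e.g. an internet cafe PC) is the least
    trusted case, not an error that falls through to full access."""
    if posture is None:
        return "view_only", ["no posture report from the device"]
    if not posture.managed:
        return "view_only", ["device is not corporate managed"]
    reasons = []
    if posture.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"security patches are {posture.patch_age_days} days old")
    if posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"anti-virus signatures are {posture.av_signature_age_days} days old")
    if reasons:
        return "limited", reasons
    return "full", ["managed device with current patches and signatures"]


def authorize(posture: Optional[DevicePosture], operation: str) -> bool:
    """Allow an operation only if the device's tier permits it."""
    tier, _ = assess(posture)
    return operation in TIERS[tier]


if __name__ == "__main__":
    # Constructed sample devices: a healthy corporate laptop, a stale one,
    # a home PC, and a connection with no agent at all.
    for label, device in [
        ("corporate laptop", DevicePosture(True, 5, 1)),
        ("stale corporate laptop", DevicePosture(True, 45, 1)),
        ("home PC", DevicePosture(False, 0, 0)),
        ("no agent", None),
    ]:
        tier, reasons = assess(device)
        print(f"{label}: {tier} ({'; '.join(reasons)})")
```

A posture report produced by software on the device is only as trustworthy as the device that sends it, which is why the unmanaged and unknown cases are pinned to the lowest tier rather than being allowed to claim a higher one.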
The traditional boundary is being eroded and organisations need
to look beyond the perimeter to protect end-users, wherever they
are and whatever they are using to connect.
Gary Wood is a research consultant at the Information Security
Forum
Read more expert advice from the Computer Weekly Security Think
Tank.