Securing home access to the network

There is an ever-increasing requirement to provide suitable facilities so that employees can work from home. Right now all we have available within my own organisation is an expensive and cumbersome IPSec VPN solution that requires an employee to have company-provided equipment on which to install the client software. We use RSA tokens for two-factor authentication.

It’s not a particularly flexible solution. First and foremost, I do not allow non-company owned computers to be connected to the network so unless an individual has been provided with a suitably built laptop or has an acceptably built and supported desktop corporate PC at their home then the answer is “no”.

One class of solution being investigated is making use of an SSL VPN configured to allow users to access network-based resources through a browser using their own PC. This can also be combined with a malware detection solution that can scan any device attempting to connect to determine if it has been compromised. We can also manage issues such as whether or not users can save and copy documents.

However, if we’re going to allow home users to use their own PCs to connect to work resources then should we also be able to mandate acceptable use of that PC and the standards of ownership and management of the equipment in question? We can probably try but I doubt that there is much in the way of enforcement that can be performed.

There have been cases reported of home workers being specifically targeted to get through to corporate data. For example, this story from earlier in the year where hackers “had hoped to exploit lower levels of security in home computers to burrow into the corporate network.” One question is how much company data and up to what classification would you trust a home worker to have on their non-company PC? And that’s before you begin addressing questions about data backups.

Also, in any typical home PC scenario, it’s likely that other members of the family will also be using the same machine for everything from checking email to downloading music to searching for that elusive guitar tab (as happens in my own home…) and all the associated risks of trojans and keyloggers.

The reality, though, is that it’s estimated that by 2012 more than 5 million people will be working from home. Strong authentication is probably the easiest problem to solve. Managing the end-point is much more difficult and I’m not sure we’ve yet got a good answer. Anyone care to suggest something?