User security in the office of the future

The days of the permanent office cubicle are almost over: users are exploding outwards into the world and taking their data with them. But how do you secure user access in a distributed world, one in which foreign governments are said to be hacking their way into individuals’ machines? Andrew Collins looks for answers.

Imagine you walked into work one day and management had declared that no one had a permanent desk anymore. Instead, employees had to play a frantic game of musical cubicles, each leaping up and racing to a more convenient space whenever the music stopped.

It sounds bizarre. How could employees get any work done without the trappings and comforts of their own familiar cubicles? How could this chaos be co-ordinated? And, most importantly, how could such a scenario ever be secured?

As mad as it may seem, one of Australia’s largest investment banks has created a scenario exactly like this - sans the music. When the bank moves into its new Sydney building, only a few of its executives will get permanent offices. Everyone else will shuffle around the building with their laptops in hand, working where they are required. The network will be primarily wireless, based on 802.11n.

This roaming wireless scenario, which supports 2000 users and features 400 wireless access points, is made possible with technology from Aruba Networks. The deployment produced some interesting challenges, some of which were operational: for example, Aruba needed to deploy intelligent load balancing technology in order to allow the sheer number of wireless users to move around the building at will, without losing wireless connectivity.

Roaming liabilities

But more pressing is the concern of security; broadcasting your company’s data on a wireless connection brings up all sorts of privacy and security issues. But the technology required to secure the radical facility is not unusual; Mark Verbloot, Aruba’s ANZ technology manager, says the deployment uses a ‘trusted model’ of wireless security.

“It’s consistent with deploying wireless in an enterprise,” he says. “Specifically, we use certificates on the machines and 802.1x at the authentication mechanism for the wireless machines.”

Relying on such a model is fine if you’re starting an operation from scratch, and if you’re okay with restricting the brand and type of mobile devices that can be used on the corporate network. But few companies are in this situation. More likely, you’re happy with your wireless and wired networks (and seating arrangements), but you want to allow greater numbers and types of mobile devices on your network.

Adding such devices ad hoc is, in some ways, more complicated than starting fresh. Given the variety of mobile devices with proprietary operating systems and software - BlackBerrys, iPhones, Android phones, and so on - things can get very messy for network security.

Matt Miller, systems engineer at Juniper Networks, says organisations must create a “happy mix of security and operational efficiency” - they have to allow these devices on the network to increase productivity, while making sure the network is secured against these devices.

“If the iPhone’s Safari web browser was to be attacked, taken over, or have a Trojan installed on it, what are the things inside your network that need to respond to that or protect against that? All these types of things need to be taken into consideration and the appropriate security mechanisms need to be implemented to secure against that,” he says.

Dealing with these new threats is a matter of compliance - making sure your existing network is able to deal with what Miller terms “the idiosyncrasies of each of these operating systems”.

Out of the frying pan

But work rarely stops at the office walls. Increasing numbers of Australians are working from home, connecting to the corporate network from their own computers. And when they do, they open up the company to a world of risk.

Firstly, physical security is a concern. Homes don’t have the same security precautions as offices - alarms, locks, gates, security guards, identity passes - so any data or computers left at home are much more susceptible to theft. There’s also the risk of unauthorised family members or house guests accessing the computer.

Infiltration poses an even bigger threat. Home users often neglect to update their anti-malware software and, if compromised, their machines can let nasties into any network they’re connected to - like the corporate network.

And according to Harry Archer, head of security at BT Global Services, this lax security on home machines is particularly alarming given the rise of targeted attacks, some of which are perpetrated by world governments. In such attacks, hackers go after specific employees of an organisation - such as senior executives or design engineers - in an attempt to steal the intellectual property sitting on their machines.

How to lock down your office

There are a number of things you can do to secure your remote and mobile users against such threats.

Make sure servers are patched and your antivirus is up to date. BT’s Archer says this is commonly overlooked, particularly on home machines.

Establish security monitoring to catch attacks that bypass security measures. “Look at firewall logs, intrusion detection logs and server logs, and look for suspicious activity,” Archer says.

Ensure your systems are compliant with ISO 27001. If you adhere to that, “generally you will fix all the problems as you go along”, according to Archer.

Don’t let employees access corporate systems with their personal machines. “Those organisations that do it are taking an extreme risk,” Archer warns. “It shouldn’t happen.”

When home users connect directly to the corporate network, deny - or at least limit - their access to the public internet. According to Archer, carte blanche internet greatly increases risk.

Establish policies for the physical security of work machines that are used at home. BT itself, for example, stipulates that no employee should leave a work laptop near a window on the lower levels of their house, lest it be stolen and confidential data leaked out.

Encrypt and secure devices used at home. “Put encryption onto the PC, and use a two-factor authentication token, so you secure that against family use,” Archer says. Also, “There should be internet security suites on those laptops to make sure that they’re protected from the internet.”

Don’t give remote employees pure IP connections into the corporate network. Instead, consider SSL VPN or other secure remote access technologies. Miller warns that pure IP connections, if not secured, can open the corporate network up to attack.

Secure every potential weak point on the network. This means employing layers of firewalls, intrusion prevention solutions, and the like. “If you don’t have a defence in depth strategy, you really shouldn’t be looking at opening up your network to points of connectivity that you can’t control,” Miller says.

“They’re not doing it to steal your bankcard,” Archer explains. “It’s primarily the theft of IPR. It could be the design of a jet engine, or it could be the design of the latest technology.”

These targeted attacks are themselves nothing new. But recently these attacks have evolved to include flanking manoeuvres. Now, instead of directly attacking a target’s machine, hackers will find out the websites their target visits, hack into these and lay traps in the form of web-based malware.

So if your CEO belongs to a gym with a poorly secured website, hackers can infiltrate that website and deposit a trojan, which will leap onto your chief executive’s laptop when he accesses the website from home. This will ultimately deliver corporate data into the hackers’ waiting hands.

And while many targets are in government departments, these state-based hackers are broadening their targets to include private-sector organisations that supply infrastructure to the state - defence contractors, financial organisations and mining companies, to name a few.

“States have been spying on each other for hundreds of years. What is new is that it’s moved into this semi-corporate, semi-government level that sits in between. Someone who’s building stuff to protect the state,” Archer says.

Read more on Application security and coding requirements