The routes to end-point security

Securing remote workers is a major security challenge, but combining different technologies will help strike the right balance between security and usability

The need for adequate end-point security has become a growing concern as more and more organisations allow their staff to work remotely. To meet this demand the IT industry has developed products to authenticate remote or roaming workers and to protect their devices and data. But identifying which technologies to employ is not always obvious, and getting user buy-in can be half the challenge.

The first challenge is identifying the risks. Steve Robinson, European head of information security at investment bank Lehman Brothers and a keynote speaker at the InfoSec conference in April, says the risks include people working from home, hotels, internet cafés or a supplier's or client's offices. Outsourcing, offshoring and satellite offices are also a security risk.

Robinson adds to this list the latest emerging technologies of wireless, 3G and hand-held devices. "An organisation's IT security group needs to assess each specific risk and implement systems to enable the business to take full advantage of today's technology to maximise their remote working capabilities," says Robinson.

The types of technologies available to help secure remote workers include two-factor authentication; virtual private networks, often used in association with two-factor authentication; biometric technologies; data encryption; and tracing technologies.

To be most effective, end-point security should be used with other technical innovations and processes, says Robinson.

Steven Furnell, a professor of information systems security at Plymouth University, says that when considering these technologies companies must look at how they will affect end-users.

"Although we might be happy enough entering a 10-character password to access a laptop, this would be less acceptable on a PDA that is frequently used for short periods. Indeed, such devices are often left entirely unprotected against unauthorised access, with users considering even basic Pin protection to be inconvenient," says Furnell.

"Although various products are available that can prevent data being transferred to and from mobile devices and removable media without authorisation, they will not prevent users entering sensitive information into the devices directly. As such, user awareness and encouragement to make appropriate use of the available security will represent crucial accompaniments to the technology."

So what is the best approach to achieving security with remote workers? Donal Casey, security consultant at IT consultancy Morse, says that most organisations tend to build up layers of security when securing remote workers.

This could start with a layer of anti-virus software and an application patching system, followed by user access controls that stop users running with administrator rights, so that neither malware nor a careless user can reconfigure the machine or disable its protection.

Next would be a personal firewall. This used to be the responsibility of the user, but is now coming under the IT department's remit.

Next, says Casey, organisations should look at end-point policy management software. This determines which applications the remote device runs and is allowed to run, and how it is allowed to connect to the corporate environment.

Wireless protection is another level above this that some organisations deploy, and may include wireless encryption and policies.

Two-factor authentication

Two-factor authentication systems from suppliers such as RSA Security and Verisign are widely used among enterprises and add a layer of security by asking not just for a login password or Pin (something the user knows), but also for a physical security token (something the user has).

RSA's system, SecurID, uses an electronic device as the physical token; it generates a new one-time passcode every 60 seconds, which the user enters together with a fixed Pin. Users include Bradford & Bingley, Rolls Royce and Bentley Motor Cars and Staffordshire Police.

In the case of Staffordshire Police, the technology has meant it can give more than 2,000 police officers mobile and secure access to the Police National Computer (PNC) and confidential information.

Each officer carries a personal RSA SecurID token on their belt, which generates a unique "one-time" passcode every 60 seconds. This must be entered, together with the officer's private Pin, to gain access to the network and the PNC.

Staffordshire Police uses the system to link officers to a Citrix-based thin-client system over a GPRS mobile link, using a ruggedised PDA or notebook.

Ian DeSoyza, project manager at Staffordshire Police, says, "RSA Security's secure mobile and remote access system has now allowed our officers to report a crime at the scene within a secure systems environment. Previously this was just not possible."
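What the token on the officer's belt and the authentication server are each computing, as an added example in Go; it is not RSA's SecurID algorithm, which is proprietary, but the open TOTP construction (RFC 6238) with the article's 60-second step, and the seed, Pin and clock value are constructed for illustration. It shows the two server-side checks that make a passcode genuinely "one-time": a code is accepted once only, even inside its 60-second window, and repeated failures lock the token rather than letting a six-digit code be guessed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Step is the passcode lifetime in seconds; the tokens in the article roll
// over every 60 seconds.
const Step int64 = 60

// MaxFailures is how many consecutive rejections a token survives before it
// is locked: a six-digit code is guessable if attempts are unlimited.
const MaxFailures = 5

// tokencode returns the six-digit time-based code for the window containing
// unix time t (TOTP, RFC 6238, over HMAC-SHA1 with RFC 4226 truncation).
// Token and server share the seed, so both compute the same digits.
func tokencode(seed []byte, t int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/Step))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Verifier is the server-side record for one token.
type Verifier struct {
	Seed     []byte // secret provisioned into the token at manufacture
	PIN      string // the factor the user knows
	Skew     int64  // windows of clock drift tolerated either side of now
	lastUsed uint64 // highest window already accepted, enforcing "one-time"
	failures int    // consecutive rejections since the last success
}

// Verify checks a passcode typed as the Pin immediately followed by the six
// tokencode digits. The bool is all the user should ever see; the string is
// for the server log, so the login screen cannot be used to test the Pin
// and the tokencode separately.
func (v *Verifier) Verify(passcode string, now int64) (bool, string) {
	if v.failures >= MaxFailures {
		return false, "token locked"
	}
	if len(passcode) != len(v.PIN)+6 {
		v.failures++
		return false, "malformed passcode"
	}
	pin, code := passcode[:len(v.PIN)], passcode[len(v.PIN):]
	pinOK := subtle.ConstantTimeCompare([]byte(pin), []byte(v.PIN)) == 1

	// Accept the current window plus Skew windows on either side to absorb
	// drift between the token's clock and the server's.
	matched, window := false, uint64(0)
	for d := -v.Skew; d <= v.Skew; d++ {
		t := now + d*Step
		if t < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(code), []byte(tokencode(v.Seed, t))) == 1 {
			matched, window = true, uint64(t/Step)
		}
	}
	switch {
	case !matched:
		v.failures++
		return false, "wrong tokencode"
	case !pinOK:
		v.failures++
		return false, "wrong PIN"
	case window <= v.lastUsed:
		v.failures++
		return false, "replayed tokencode"
	}
	v.lastUsed = window
	v.failures = 0
	return true, "ok"
}

func main() {
	// Seed, Pin and clock value are constructed for illustration.
	seed := []byte("constructed-seed-not-a-real-token")
	srv := &Verifier{Seed: seed, PIN: "4821", Skew: 1}
	now := int64(1700000000)
	code := tokencode(seed, now)
	fmt.Println(srv.Verify("4821"+code, now))    // true ok
	fmt.Println(srv.Verify("4821"+code, now+10)) // false replayed tokencode
}
```

Only the bool reaches the user; the reason string belongs in the server log, because a login screen that reports "wrong Pin" separately from "wrong tokencode" lets whoever has stolen the token brute-force the Pin, and a server that accepts a code twice lets a shoulder-surfed passcode be replayed within its minute.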

Virtual private networks

Another measure to control remote access to a corporate network is a virtual private network (VPN) built on Secure Sockets Layer (SSL) or IP security (IPsec). Either can be combined with a two-factor authentication system such as SecurID, so that the VPN gateway checks a one-time passcode rather than a reusable password.

SSL VPNs give browser-based access to applications and data from any remote computer behind a login, encrypting the traffic between that computer and the VPN gateway so it cannot be read or altered in transit. IPsec VPNs need client software on the device but extend the corporate network to it at the IP layer, so every application on the device is carried over the tunnel.

EDF Energy employs more than 11,300 people in the UK, and gives a significant proportion of the workforce secure remote access. In the summer of 2004, it implemented an SSL VPN appliance to give its remote workers secure access to corporate applications, the intranet and Microsoft Exchange e-mail.

The security appliance, from Microsoft subsidiary Whale Communications, allows remote workers to access corporate applications over the web through a secure login, and clears any confidential data left on the remote machine once the session ends.

According to John Harries, strategic projects manager at EDF Energy, the cost savings from using the appliance were immense compared with giving each worker their own preconfigured secure laptop that needed to be kept up to date.

Biometric technologies

Another way to secure user access to corporate networks and sensitive data is through biometrics. Often employed as the second factor in two-factor authentication (something the user is, alongside something they know or carry), biometric technologies work by matching a measured physical characteristic against a template stored in a database. The characteristic could be a fingerprint, iris or face scan; voice patterns can also be used.

ING is one company that rolled out fingerprint readers to its dealers on the trading floor to increase security and boost productivity. The bank is using biometric fingerprint identity management technology from Bio-key International and fingerprint readers from Zvetco Biometrics, so that dealers can access computers in the central dealing room quickly and securely.

ING said that in the past these activities were impeded by passwords that were easy to forget or lose, and as a result needed to be changed frequently.

Another innovative user, Humberside Police, issued biometric USB drives to staff to maintain data security. The devices from MicroRiver use fingerprint recognition in addition to a password, so that only authorised users can access the information stored on them.

The New York branch of Japan's Shinkin Central Bank recently introduced finger vein authentication technology. The Hitachi system was implemented in the bank's trading room, operation room and the server room.

To enter a secured room, the user keys an ID number into a keypad and places a finger on a reader, which validates the vascular pattern against the template stored for that ID; entering the ID first means the system confirms one person's template rather than searching the whole database. Employing this type of biometric system eliminates the need for keys or cards.

Data encryption

Apart from controlling who can access data, there are many technologies available to protect the data itself. One method is data encryption, which keeps stored data unreadable to anyone without the key, even if the device is lost or stolen.

The Ritz hotel in London uses software from Pointsec Mobile Technologies to encrypt the data on all its executives' mobile devices, so that it stays unreadable if an incorrect password is entered.

Richard Isted, IT manager at The Ritz, says, "In the beginning, senior executives were hesitant about the new security application. It took a while for them to get used to their device locking after 10 minutes if they were not using it.

"Luckily the new security application is adaptable, so I adjusted the profiles to suit each of our end-users' requirements - in this case changing the time-out feature to 30 minutes. It was not long before everyone had become accustomed to the encryption software on their mobile devices."

As an alternative to full-disc encryption software, storage supplier Seagate Technology recently launched the Momentus 5400 FDE.2 drive, which does the encryption in hardware.

The drives, which are currently shipping in notebooks from ASI Computer Technologies, encrypt everything written to them automatically; at boot-up the drive stays locked and its contents unreadable unless the user supplies the right password.
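Why the password in the Pointsec and Seagate products above guards the data without being the key the data is encrypted under, and what a wrong password actually hits, as an added example written in Go for this page. It is not Pointsec's or Seagate's code, whose internals the article does not describe; it models the construction both full-disk encryption software and self-encrypting drives use, a random data-encryption key that is stored only wrapped under a key derived from the password. The PBKDF2 routine, the iteration count, the AES-GCM wrapping and the sample password and file contents are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PBKDF2 work factor: a slow derivation is what makes offline password guessing costly.
const iterations = 100000

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key, spelt out because
// only the standard library is used; one hash output is exactly 32 bytes.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// AES-256-GCM: the tag turns a wrong key into a clean failure, not garbage plaintext.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext []byte) []byte { // nonce || ciphertext || tag
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Volume models a self-encrypting drive or full-disk encryption product: the data
// is always encrypted under a random data-encryption key (DEK), and the DEK is
// stored only wrapped under a key derived from the password.
type Volume struct{ salt, wrappedDEK, data []byte }

func NewVolume(password, plaintext []byte) *Volume {
	dek, salt := random(32), random(16)
	kek := pbkdf2(password, salt, iterations)
	return &Volume{salt: salt, wrappedDEK: seal(kek, dek), data: seal(dek, plaintext)}
}

// Unlock is the boot-time check: a wrong password fails the tag check on the
// wrapped DEK and never touches the data at all.
func (v *Volume) Unlock(password []byte) ([]byte, error) {
	dek, err := open(pbkdf2(password, v.salt, iterations), v.wrappedDEK)
	if err != nil {
		return nil, errors.New("wrong password or erased volume")
	}
	return open(dek, v.data)
}

// CryptoErase discards the wrapped DEK: every block is still on the drive but
// unrecoverable, which is how a remote wipe or drive erase finishes in milliseconds.
func (v *Volume) CryptoErase() { v.wrappedDEK = nil }

func main() {
	// Password and file contents are constructed for illustration.
	v := NewVolume([]byte("correct horse"), []byte("constructed sample file"))
	_, err := v.Unlock([]byte("wrong password"))
	fmt.Println("wrong password:", err)
}
```

Two things fall out of the structure. The password never encrypts the data directly, so changing it means re-wrapping 32 bytes rather than rewriting the drive; and throwing the wrapped key away, as CryptoErase does, makes every block on the drive unrecoverable at once, which is the mechanism behind a remote wipe of a lost notebook.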

Tracing technologies

Other technologies focus on the hardware itself, such as PDAs and laptops. Tracing software on a laptop can help to locate a stolen machine and protect the data on it, and its presence deters thieves both inside and outside the company.

Many laptop suppliers sell tracing technologies as a feature. One such supplier is Dell, which offers Absolute Software's Computrace tracking system in its notebooks.

"Embedded into the basic input/output system, Computrace notifies you when a stolen or missing machine is connected to the internet and sends a signal alert of the location of the equipment. This advanced data protection technology can even be used to remotely wipe sensitive information in the event that your notebook is lost or stolen," says a Dell spokeswoman.

End-point security has developed to the extent that there are now many layers of technology available to secure both remote users and their data. It is up to the organisation to find the approach that best works for them.
