NCC: It's all about layers

Working outside an organisation's physical domain brings certain responsibilities with it and the road warrior must take caution along in the kit bag, writes Danny Dresner, head of standards at the National Computing Centre.

Mobile equipment - from the laptop to the smartphone - can take employees beyond the boundary even while they are working within the four walls and the perimeter fence. Organisations also welcome in any number of customers who are permanently beyond their jurisdiction. Who can really be sure that anybody is who they claim to be? How often have you asked a virus to take the Turing test?

Like an onion

We need to break away from the model of inside and outside. It is too simplistic and, like most models, it flattens reality. The modern pattern of connection is a set of onion skins, each of which should be under our control. Defences are peeled away for legitimate users - those who should have access, not merely those who could obtain it - to reveal the information underneath. The layers an employee may shed are not the same as those a customer may shed.

Build your protection from the following five components:

1: Understand the real digital footprint of your ICT estate

This means managing your hardware, software and data assets, wherever they are. Don't forget corporate data on personal equipment.

2: Create a responsible user community

Think about the ownership of your ICT assets: whose PC is it anyway? Beware the personal attachment to corporate equipment that engenders unacceptable use. Keep users within your community by fighting isolation. Remember that mobile workers may miss out on warnings distributed on site.

Offer support to remote users rather than leaving them to the fates of their own making. Teach users with significant access that when they are outside the boundary they hold the keys to the front door in full view.

Privilege requires policy and responsibility. And reward that responsibility by giving users the means to recover from their own mistakes in a blame-free (virtual) environment.

3: Administration

Keep it as centralised as operations permit. Have sensible security policies that cover both corrective and preventive action. For example, which applications on the mobile device may initiate which types of connection, and to where?

Stop malware from being loaded onto mobile devices in the first place. Monitor what is going on; don't wait for the bad news of how deep an infection has reached. Detect, and so prevent, malicious activity. And keep on top of the patching.

4: Technology

Limit what malware can do if it does get in and run.

Use all those partial defences too. Keep anti-malware, a personal firewall and VPN connections active.

And secure your quality of service. The greater the need to connect, the greater the opportunity for interception, and the more likely users are to introduce risky, uncontrolled workarounds when the sanctioned route lets them down.
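As an added example that is not part of the original column, the following nftables ruleset shows one way to answer the question in point 3 (which applications on the device may initiate which connections) and to keep the personal firewall and VPN of point 4 active at the same time on a Linux laptop. The interface names wlan0 and tun0, the system user openvpn and the concentrator port UDP 1194 are assumptions for illustration, not anything the column specifies.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a road-warrior Linux laptop.
# Assumptions (not from the original column): the physical uplink is wlan0,
# the VPN tunnel is tun0, the VPN client runs as system user "openvpn" and
# the concentrator listens on UDP 1194.
flush ruleset

table inet roadwarrior {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IPv6 neighbour discovery is needed just to stay on the network.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Nothing listens for unsolicited inbound connections while off-site.
        log prefix "ingress-drop: " level info
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Bring the uplink up: DHCP and DNS only, so the VPN endpoint can be resolved.
        oifname "wlan0" udp sport 68 udp dport 67 accept
        oifname "wlan0" udp dport 53 accept

        # Only the VPN client process may leave the uplink in the clear,
        # and only towards the concentrator port.
        oifname "wlan0" meta skuid "openvpn" udp dport 1194 accept

        # Every other application must go through the tunnel. If the tunnel
        # is down there is no fallback: the kill switch an always-on VPN needs.
        oifname "tun0" accept

        # Blocked attempts are the early warning point 3 asks for: log them,
        # then let the chain policy drop them.
        log prefix "egress-drop: " level info
    }
}
```

Load it with `nft -f` and watch the `egress-drop:` lines; a burst of them from one uid is a workaround being attempted, which is exactly the signal the column says not to wait for. The remaining hole is DNS on the uplink, which any process may use: tighten that rule to the resolver's own uid once you know which daemon resolves names on your build, otherwise DNS tunnelling walks straight past the policy.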

5: Defence in depth

Finally (or perhaps to return to the beginning), combine steps 2, 3 and 4.

Danny Dresner is head of standards at the National Computing Centre
