Taking the high road

Managing mobile workers is the IT manager’s idea of a nightmare. Professionals thrive on certainties and remote working adds unpredictable elements to the equation.

By Simon Duddy, published August 21, 2005

[Photo: Kevin Isaac] “Leaving passwords on post-it notes may be laughable, but if you transfer that innocence to workers using their notebooks outside of the office, it becomes a real risk.” - Kevin Isaac, regional director for Symantec Middle East and North Africa.

Enterprise mobility is an enormous boon to business. Businesses must reach out to their customers and partners and that means employees have to hit the road. Employees can do this much more effectively with devices such as PDAs, mobiles and notebooks, and while connected to the corporate communications infrastructure or to applications such as CRM. While the executives rejoice at the extra orders coming in and the happy smiles on customers’ faces, IT professionals are left to deal with the details of securing these endeavours.

The problem for the IT manager is that every device that is taken out of the office and every remote channel that connects to the enterprise has the potential to cause damage as well as enhance the business. “IT departments define mobility as a danger zone. The challenge for IT is to provide mobility without making the enterprise less productive,” says Nidal Abou-Ltaif, managing director for Avaya Middle East and North Africa.

So now that the gauntlet has been thrown down to IT managers, what is the exact nature of the threat? The first concern must be for the devices that employees take out of the office. Any portable device is a target for theft or can be lost by careless staff. The real risk reaches way beyond the loss of mere hardware, however. Such incidents can be leaked to the media and cause embarrassment, plus the information contained on the device could be used by rivals to undermine tenders, for example. Most worryingly for IT staff, if access privileges on the device fall into the hands of hackers, they can infiltrate the organisation’s network.
“Notebooks are much more vulnerable to hackers and viruses as, outside the network, significant layers of security are removed. Furthermore, individual users may not have the same level of integrity as network managers,” says Justin Doo, managing director of Trend Micro MEA.

Portable devices are only half of the mobile enterprise story, however, as extending enterprise communications becomes increasingly popular. The momentum for this has come from communications and network vendors such as Avaya, Nortel and Cisco, with the idea being that the mobile worker should have enterprise-class communication on the move, such as the ability to be reached through an office extension number. For this to work, the enterprise has to be able to extend the local area network (LAN) environment over a wide area network (WAN), typically the internet. While this is enticing, the open nature of the internet sets alarm bells ringing in the ears of network managers.

The alarm bells are undoubtedly ringing, but is anyone listening? The good news is that awareness of these issues, at least among IT professionals, is high. While the IT department was caught off guard by these demands several years ago, most teams now have well developed processes in place. “Companies take mobile security seriously but until recently many took an ultra-defensive posture, in that, if they could not do what they wanted to do securely then they would not do it at all,” says Dean Bell, regional director of BorderWare. Bell says this applied to connectivity from remote areas and even to use of web mail services like Hotmail.

Greater familiarity with mobile enterprise concepts and more refined technology solutions have led to greater confidence in the IT department when it comes to dealing with the challenges of mobility. Remote access solutions have gained sophistication in recent years. They have evolved from a simple on/off formula, where remote users had full access to the network or none at all.
Nowadays companies have refined this to dictate the level of access and rights a user is entitled to, with technology capable of calculating this automatically based on criteria such as user designation, location, device, connection and available bandwidth. The technology is available and, if correctly implemented, should be robust and flexible enough to counter any threats.

Remote business communication leans heavily on virtual private networks (VPNs), which create virtual tunnels through the internet by encrypting data at the sending point and decrypting it at the receiving end. “VPNs enable secure access for individual remote users without requiring dedicated pipes. By using a friendly interface, Nortel VPN users do not see what is taking place in the background and don’t need to be technical to use the service,” says Joe Mehawej, marketing & technical sales, Nortel Middle East. While VPNs are an accepted weapon in the IT department’s arsenal, they use encryption and traverse the internet and so are subject to quality of service (QoS) issues. See the box, Managed VPNs, for a possible solution to this.

While VPNs guard against information being intercepted on the net, they cannot combat a determined attempt by a hacker to use a compromised machine or account to access the network. This is why it is necessary to authenticate users attempting to access the network. Standards and protocols such as 802.1x and EAP can be used to police users and devices accessing the enterprise network, locking out those without the correct credentials.

This type of technology can also be used to deal with those staff who are merely weak rather than nasty. For example, a user’s device could be compromised by malware without his knowledge. This malware can be programmed to exploit the next occasion the user logs on to a network. If the user’s IT team is not ready, one weak employee can give a virus a way in to the soft underbelly of the enterprise and cause untold damage.
“The prudent network manager must take steps to ensure mobile devices are free of viruses before allowing them to connect to the enterprise network,” says Abderrafi Belfakih, manager of systems engineers at Cisco, which uses its network admission control (NAC) scheme to play a part in countering this brand of threat. It scans devices that connect to the network and checks, for example, that antivirus protection is up to date.

Authentication will deter many attackers, but when users carelessly compromise their own authentication by losing tokens or disclosing passwords, hackers can fool edge security and enter the network. This is where advanced policies and behavioural security come into their own. Advanced policies make sure that users only access network resources that are useful to them, and behavioural tools, such as intrusion prevention systems (IPS), monitor the network for unusual activity. Usually, once the hacker or virus is inside the network, the misdeeds that result stand out like sore thumbs against normal network activity. Some companies, such as Symbol and Trend Micro, are also introducing mobile IPS technologies to make it more difficult for hackers to compromise client-level devices.

Like traditional network security, a defence in depth approach is best advised, as no one solution or approach is a silver bullet. At Juma Al Majid, senior executives access the corporate network remotely, with the IT team taking a layered approach to security. “To make sure this access is secure, we impose three levels of security including token authentication, VPN clients, and user names and passwords,” says Hussein Ali Ghanimah, head of IT at Juma Al Majid. “We are also piloting a very interesting product at the moment called Citrix Secure Gateway. It allows very high security plus ease of management and integration between different authentication and security vendors and products,” he explains.
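The two ideas in the preceding paragraphs, graduated access computed from user designation, device, location and bandwidth, and a NAC-style posture check that keeps unhealthy machines off the network until they are fixed, can be combined in one policy evaluator. The code below is an example added to this page; it is not Cisco NAC, Citrix Secure Gateway or any vendor's product, and every role name, resource name, field and threshold in it is an assumption made for illustration. The sample sessions are constructed.

```python
"""Illustrative remote-access admission policy (example code, not a product).

Order of evaluation mirrors the layered approach described in the article:
credentials first, then device posture, then role/device/location, then
connection quality.  All names and thresholds below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed: antivirus definitions must be this fresh
MIN_VIDEO_KBPS = 512                    # assumed: below this, video conferencing is withheld

# Resources a role may reach when the session is otherwise healthy (assumed roles).
ROLE_RESOURCES = {
    "executive": {"mail", "intranet", "crm", "finance_db", "video_conf"},
    "sales": {"mail", "intranet", "crm", "video_conf"},
    "contractor": {"mail", "intranet"},
}
# What is tolerable from an unmanaged device or a public hotspot.
LOW_TRUST_RESOURCES = {"mail", "intranet"}
# What a quarantined device may reach: just enough to remediate itself.
REMEDIATION_RESOURCES = {"av_update_server", "patch_server"}


@dataclass
class Session:
    user_role: str
    device_managed: bool        # corporate-built notebook vs. personal device
    location: str               # "office", "home" or "public_wifi"
    token_ok: bool              # hardware token / second factor verified
    av_signature_date: date     # when antivirus definitions were last updated
    os_patched: bool
    bandwidth_kbps: int


@dataclass
class Decision:
    level: str                  # "deny", "quarantine", "limited" or "full"
    resources: set
    reasons: list = field(default_factory=list)


def posture_problems(s: Session, today: date) -> list:
    """The NAC idea: report anything that should keep the device off the LAN."""
    problems = []
    if today - s.av_signature_date > MAX_SIGNATURE_AGE:
        problems.append("antivirus signatures older than %d days" % MAX_SIGNATURE_AGE.days)
    if not s.os_patched:
        problems.append("operating system not at required patch level")
    return problems


def admit(s: Session, today: date) -> Decision:
    # 1. Credentials: no second factor, no network at all.
    if not s.token_ok:
        return Decision("deny", set(), ["second-factor authentication failed"])
    # 2. Posture: an unpatched or stale machine only sees the remediation servers.
    problems = posture_problems(s, today)
    if problems:
        return Decision("quarantine", set(REMEDIATION_RESOURCES), problems)
    # 3. Graduated access by designation, device and location.
    if s.user_role not in ROLE_RESOURCES:
        return Decision("deny", set(), ["unknown role %r" % s.user_role])
    resources = set(ROLE_RESOURCES[s.user_role])
    reasons = []
    if not s.device_managed or s.location == "public_wifi":
        resources &= LOW_TRUST_RESOURCES
        reasons.append("unmanaged device or untrusted location: core systems withheld")
    # 4. Connection quality: drop the bandwidth-hungry service on a thin link.
    if s.bandwidth_kbps < MIN_VIDEO_KBPS and "video_conf" in resources:
        resources.discard("video_conf")
        reasons.append("bandwidth below %d kbps: video conferencing withheld" % MIN_VIDEO_KBPS)
    level = "full" if resources == ROLE_RESOURCES[s.user_role] else "limited"
    return Decision(level, resources, reasons)


TODAY = date(2005, 8, 21)   # constructed reference date for the samples

# Constructed sample sessions, one per outcome.
SAMPLE_SESSIONS = {
    "exec_home_clean":      Session("executive", True, "home", True, date(2005, 8, 20), True, 2000),
    "sales_hotel_wifi":     Session("sales", True, "public_wifi", True, date(2005, 8, 19), True, 256),
    "sales_home_thin_link": Session("sales", True, "home", True, date(2005, 8, 20), True, 128),
    "exec_stale_av":        Session("executive", True, "home", True, date(2005, 8, 1), True, 2000),
    "contractor_no_token":  Session("contractor", False, "home", False, date(2005, 8, 20), True, 1000),
}


def evaluate_all(today: date = TODAY) -> dict:
    return {name: admit(s, today) for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, d in evaluate_all().items():
        print("%-22s %-10s %s  %s" % (name, d.level, sorted(d.resources), "; ".join(d.reasons)))
```

The ordering matters: a posture failure is checked before role is even considered, so an executive with stale antivirus definitions is quarantined exactly like anyone else, and the decision carries its reasons so the help desk can tell the user what to fix.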
The layered defence approach places a stern obstacle course in front of would-be intruders, but this can be expensive to set up and maintain, and can have negative effects on legitimate users, for example making log-on a more difficult and time-consuming process. At the end of the day each company has a different tipping point and must find a balance between keeping costs down and legitimate users happy, and making life difficult for the bad guys. “In calculating risk, cost should be weighed against the benefits of increased mobility, and decisions such as favouring speed or security, or a balance between the two, need to be made,” says Ramesh Bhandari, technical product manager for Symbol at OnLine Distribution.

While technology is important, awareness is key. A lot of staff use mobile devices and then bring their work into the office or connect remotely to applications and databases with no idea of the security implications. Corporate security policy should make awareness of these issues a must for staff. While these lessons are easily absorbed by the IT team, regular security, awareness and corporate governance training should be held for non-IT staff who work in a mobile environment. “Leaving passwords on post-it notes may be laughable, but if you transfer that innocence to workers using their notebooks outside of the office, it becomes a real risk. Training and adequately communicating procedures are important when considering empowering your workforce to go mobile,” says Kevin Isaac, regional director for Symantec Middle East and North Africa.

Enterprise mobility is here to stay and while it presents a stern challenge to the IT team, it is one that the enterprise can gear up for. If anything, the real challenge is not setting up a posture but maintaining it, when the natural tendency of people is to get careless and complacent with time. The IT manager can only hope that it is his policies that keep staff on their toes rather than a damaging attack.
Managed VPNs

If managing VPNs is too much of a chore for the enterprise, the option of outsourcing this task has emerged in the region in the last year. Service providers like Batelco are keen to utilise their multiprotocol label switching (MPLS) networks to give organisations an easier and perhaps more secure way to extend enterprise communications to workers on the move.

The MPLS infrastructure runs on the service provider’s own backbone, and using MPLS labelling, network operators can segregate one customer’s traffic from the others, which enhances security. Many of the organisations that deploy MPLS VPNs do not encrypt the data they transmit, such is the confidence they have in MPLS. They know that for the data to be compromised the service provider itself would have to be infiltrated.

Security is not the only benefit of the technology, as data can be more easily prioritised than on IP networks, which can be used to give priority to voice and video applications, for example. The momentum of MPLS VPNs is restricted somewhat by reliance on an individual carrier’s infrastructure. However, with the development of standard network-to-network interfaces (NNI), service providers will be able to extend coverage by using other carriers’ networks.
