Security considerations for laptops and visitors

Wirelessly connected laptops and visitors raise security issues for companies

The long view of security strategies for your network.

[My friend and colleague Robert L. Gezelter has contributed an interesting article on the security and accessibility implications of pervasive workplace Internet access. The following is his text with minor editorial changes. - M.E. Kabay]

Over the last decade, laptop computers and network technology have become almost universal in workplaces. Many or most of the employees toting laptops are not field personnel; indeed, most of them rarely leave their office buildings. So why are companies spending extra money to pay for laptops?

In a recent speech, Intel Chief Financial Officer Andy Bryant stated that issuing employees laptops instead of desktops was a reasoned business decision based upon costs of business operations, not on employee convenience. His staff found that meetings were pausing, or failing to reach answers, because of the absence of information normally available on employees’ personal computers. Bringing laptop computers to the meetings closed the information gap.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

[My friend and colleague Robert L. Gezelter has contributed an interesting article on the security and accessibility implications of pervasive workplace Internet access. The following is his text with minor editorial changes. - M.E. Kabay]

Over the last decade, laptop computers and network technology have become almost universal in workplaces. Many or most of the employees toting laptops are not field personnel; indeed, most of them rarely leave their office buildings. So why are companies spending extra money to pay for laptops?

In a recent speech, Intel Chief Financial Officer Andy Bryant stated that issuing employees laptops instead of desktops was a reasoned business decision based upon costs of business operations, not on employee convenience. His staff found that meetings were pausing, or failing to reach answers, because of the absence of information normally available on employees’ personal computers. Bringing laptop computers to the meetings closed the information gap.

The next logical step has been to access the corporate network using wired Ethernet or wireless LAN connections, bringing additional information into the decision-making process.

However, this scenario raises major security issues.

Protected facilities with wired connections for each machine, where everybody has the same access to the corporate network are the simplest - and admittedly, the least interesting - example.

More illuminating is the common situation where the network is wireless, the attendees are a diverse group, and the access to the corporate network is different for different classes of attendees. Some meeting attendees will be outsiders with no access to their hosts’ intranet, yet requiring access to their home company intranets. Sometimes outsiders may be friendly - for example, members of the project team from other participating companies. In other situations, the outsiders may be less than friendly - for example, customer technical and managerial representatives, government regulators or inspectors.

We need to provide secure access to appropriate information for both employees and visitors. We can do so by implementing a hierarchical security system. The solution is to treat network access as a digital dial tone available to residents and visitors but with security restrictions enforced after the users have connected to the first layer of the network services.

Wi-Fi security has a place in the security spectrum, but that place is as a coarse screen to keep random interlopers at arms length. As for wall jacks linking to wired LANs, the most cost-effective security uses VPN technologies to provide secure access to authorized personnel and the ability to deal with the full nuances of the security environment within the corporate intranet. Everyone else just gets access to the external Internet.

[MK: Even there, visitors’ use of corporate Internet access should still be controlled by firewalls using egress filtering to ensure that visitors are not making the host facility liable for damages or criminal prosecution by engaging in acts such as denial-of-service attacks or downloads of child pornography.]

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.