Securing the Unknown

Separating access from place

During our current round of interviews with enterprise IT folks, I have had the opportunity to discuss many aspects of the emerging virtualized enterprise. One of the most important changes is divorcing access from place: making the ability to reach and use systems location independent. Many companies have gone a long way toward making all of their enterprise systems and applications accessible, whether by expanding terminal services, creating virtual desktop environments, shifting to web front-ends for services, or using SaaS for key services.

The security of the endpoint becomes the key security consideration in these circumstances. After all, no matter how good the VPN is, or how fiendishly complex the passwords, all is lost if the machine has been taken over surreptitiously by some spear-phishing attack on the company’s staff. A key-logger with which to capture passwords and the ability to work from a node known to the VPN give the enterprising criminal a chance to begin probing for weaknesses from the inside. Although most companies recognize the importance of insider threats, adoption of inward-facing defenses (and accompanying changes to network architecture to mitigate the damage of insider compromise) trails awareness.

One approach to providing more secure remote access is to allow access only from company-controlled hardware. The more a company wants to empower work-from-anywhere, though, the more onerous this burden becomes, since it requires providing a well-secured company laptop (which in most companies still costs almost twice as much as a desktop) to every teleworker. Hardware, software and licensing, and support costs rapidly mount, and inevitably the organization has to become selective about the people in whom it makes this investment. The goal, though, is not to assume you can know in advance everyone who might contribute once freed from location restrictions, but to make the enterprise itself borderless and empower anyone who wants to work, whenever and wherever they wish.

To make this happen, the company has to provide for secure endpoints that are inexpensive. The lowest-impact way to do so, currently, is by combining remote access technologies like terminal services or virtual desktops with a simple bootable secure client. By providing end users with, say, a tightly locked-down Linux image incorporating a web browser and remote-desktop client on a USB stick or CD, the company can avoid supplying laptops to everyone, or having to decide in advance who can contribute remotely and who can't. Instead, it can hand users a secure data key, tell them to boot from it, and feel much more secure about what happens next.


Copyright © 2010 IDG Communications, Inc.