Handing over lock and key
Swine flu and the snow might have been good for something, after all. Some businesses prepared for the possibility of a pandemic by implementing measures to allow staff to work remotely instead of travelling to the office.
Mass illness never materialised, but when bad weather brought the country to a standstill last month, the same business continuity planning came good. Instead of battling hazardous commuting conditions, staff could work from home and still access all of the files and folders needed to do their jobs.
Virtual private networks (VPNs) are an essential part of enabling this, since they allow people working outside the office to access any designated information or applications stored on their company’s systems. For companies that didn’t have a business continuity plan in place, the resulting lost productivity made the need for remote access all the more pressing.
Until recently, the way to implement a VPN was to buy a dedicated network connection from a telecoms provider. That might be cost-effective for a company with some branch offices, but it quickly becomes cost-prohibitive to enable this for every remote user.
It’s far easier and cheaper to use the internet, but it is a public infrastructure and inherently insecure. As such, it’s not ideal for sending and receiving potentially confidential company data.
Software-based VPNs overcome this obstacle by creating a ‘tunnel’ over the internet so that the traffic can pass privately between the user’s computer and the company servers.
There are two main types of VPN, according to John Ryan, general manager of Calyx Security.
“Site-to-site VPNs are typically used for one organisation to communicate securely with another organisation, and client-to-site VPNs are used to provide access to resources for end-users outside the corporate network,” he said.
Site-to-site VPNs typically use firewall technology at each end of the connection to ensure effective authentication and encryption. For client-to-site VPNs, a common approach is to use Secure Sockets Layer (SSL) – the same technology that is used to safeguard credit card purchases on sites like Amazon.
“SSL VPNs free employees from being bound to particular locations, laptops or devices for the purpose of accessing internal resources,” said Ryan. “Users access all of their internal resources through a single, convenient, customisable ‘portal’ webpage – from any web browser, anywhere, any time.”
“Two years ago, you had to download software to your laptop, configure it, point it to the right server and connect to the server. Now that it’s web-based, it’s a whole lot easier,” he said.
Despite the recession, VPN sales were a steady part of “healthy” IT security spending last year, according to John Conlon, enterprise sales manager with IT distributor Sharptext.
Some of this may have been linked to sales of firewalls and routers which had VPN features built in, he said.
The basic level of SSL VPN security is to prompt people for a username and password when they log on. Security experts say these should be chosen carefully.
“You’re creating the opportunity for a link into your business from the outside. It is another door to your company that you are opening so, therefore, you have to manage that efficiently,” said Michael Conway, managing director of Renaissance.
John Power, security business manager with CA Ireland, said passwords should be made up of at least eight characters and should not be easy for others to guess.
“They should include a combination of alphanumeric characters and symbols such as an exclamation mark. Don’t use your home address, company name or your employee name in your password, and don’t leave your password stuck to your laptop on a post-it note,” he said.
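As an added illustration of the password rules Power describes, here is a small Python policy check. It is not code from the article or from CA; the eight-character minimum, the letter/digit/symbol requirement and the banned-term rule encode the advice above, and the company name, address and employee name used as sample input are constructed.

```python
import re

# Minimum length as stated in the article; the other rules encode the same advice.
MIN_LENGTH = 8


def _terms_to_tokens(terms):
    """Split user-specific strings (company name, home address, employee name)
    into lower-case words of three or more characters, so that a password
    containing any of them is rejected."""
    tokens = set()
    for term in terms:
        for word in re.split(r"\W+", term.lower()):
            if len(word) >= 3:
                tokens.add(word)
    return tokens


def check_password(password, user_terms=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("contains no symbol such as '!'")
    lowered = password.lower()
    for token in sorted(_terms_to_tokens(user_terms)):
        if token in lowered:
            problems.append(f"contains the personal or company term '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: a hypothetical employee at a hypothetical company.
    terms = ["Acme Widgets Ltd", "12 Example Road", "jsmith"]
    for candidate in ["acme2010!", "Tr0ub4dor&3", "password"]:
        print(candidate, check_password(candidate, terms) or "OK")
```

The check reports every violation rather than stopping at the first, which is what a self-service password-change page needs in order to tell the user what to fix.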
An added responsibility for companies when providing VPN access is to ensure the data they are working with is not saved to laptops outside of their control.
“They should have policies enforced around it. For example, sending data to a Gmail account should be disabled; there should be no printing and no saving to a USB memory stick,” said Power.
Other measures include restricting users so that they can sign on to the VPN only from designated devices.
“For example, if the logon is not coming from an authorised machine, IP address or domain, you don’t allow access,” said Power.
Conway said that best practice was to include an additional level of authentication to ensure the person logging on was who they claimed to be – especially if there was confidential accounts information or customer details at stake.
There are various technologies available for authenticating remote users more safely than with passwords alone. One option is a physical token, which generates a new password every time the user logs on. Another is to have a PC-based token that is itself activated by a password.
An alternative is not to issue a separate device that people have to keep, but instead take advantage of one they already have. Sending a password by text message to a mobile phone was a useful way of guaranteeing the user was genuine, said Power.
At the moment, two-factor authentication is most widely seen in the financial services sector. This extra level of security is hardly surprising, given the sums of money involved. One-time password systems needed a lot of expertise to implement, said Conlon.
“They would normally be implemented at the high end of enterprises, but the technology hasn’t filtered down to the rest of the market,” he said.
As well as establishing the user is bona fide, another important step is ensuring their PCs aren’t compromised.
“Network access control means that, when a remote user logs on, the system looks at the spec of your machine to see whether your antivirus and security settings are up to date,” said Conway.