Security Manager's Journal: You can't secure every employee's home

We recently deployed RSA SecurID software authentication tokens to replace the hardware tokens we had been using to provide strong authentication for remote access via a VPN client. Hardware tokens are more secure for two-factor authentication in some ways (but not in every way, as you'll see). Software tokens, however, can be used on mobile devices such as phones; they are much less expensive; and they can be deployed more quickly and easily. What's more, when a user no longer needs access, it's much simpler to disable a software token than it is to retrieve a hardware token from somewhere like China, Russia or India.

Of course, RSA suffered a notorious security breach last year, but after I was briefed on the details, I felt comfortable moving forward.

Deployments such as this software token rollout can be interesting, because you have a chance to learn about some scary practices that had been going on without your knowledge.

For example, once employees got word that their hardware tokens would no longer be operational, some of them started asking for software tokens to be installed on their home PCs and Macs. Clearly, they had been taking advantage of the fact that the hardware tokens could be used with any computer. Our VPN client allows full network access, and that, combined with our lack of Network Admission Control, meant that we were ending up with untold numbers of noncompany computers on our network. Naturally, I can't vouch for the integrity of any of those noncompany assets. Home PCs are often used by family members and other people, any of whom might install untrusted applications, click on things they shouldn't and end up infecting our internal production network.
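Without admission control, the one place the gap above is still visible is the VPN concentrator's own session records. The script below is an added example, not code from the column or from RSA: it reads a hypothetical, constructed session export (the field names are assumptions, since real concentrators log different fields) and flags every session whose client hostname is not in a constructed corporate asset inventory, then tallies the users involved so they can be issued laptops.

```python
"""Flag VPN sessions that came from devices not in the corporate asset inventory.

Added example (not from the column): a compensating detective control for the
gap the author describes, a full-access VPN with no admission control. The log
format below is a hypothetical, constructed one; real VPN concentrators export
different fields, so adapt parse_sessions() to yours.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what a VPN concentrator might export per session.
# Fields: timestamp, user, client hostname, client OS, assigned tunnel address.
SAMPLE_VPN_LOG = """\
timestamp,user,hostname,client_os,tunnel_ip
2012-03-05T08:02:11Z,alice,LT-00412,Windows 7,10.20.0.14
2012-03-05T08:15:40Z,bob,Bobs-iMac,Mac OS X 10.6,10.20.0.15
2012-03-05T09:01:03Z,carol,LT-00398,Windows 7,10.20.0.16
2012-03-05T12:44:57Z,bob,KIOSK-LOBBY3,Windows XP,10.20.0.17
2012-03-05T13:10:22Z,dave,FAMILY-PC,Windows Vista,10.20.0.18
2012-03-05T18:30:09Z,alice,LT-00412,Windows 7,10.20.0.19
"""

# Constructed inventory of company-issued laptops, keyed by hostname.
CORPORATE_ASSETS = {"LT-00412", "LT-00398", "LT-00417"}


@dataclass(frozen=True)
class Session:
    timestamp: str
    user: str
    hostname: str
    client_os: str
    tunnel_ip: str


def parse_sessions(log_text: str) -> list[Session]:
    """Parse the CSV export; each row carries exactly the dataclass fields."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [Session(**row) for row in reader]


def unmanaged_sessions(sessions, inventory) -> list[Session]:
    """Sessions whose client hostname is not a known company asset.

    Hostname comparison is case-insensitive; the inventory is normalised once.
    """
    known = {h.upper() for h in inventory}
    return [s for s in sessions if s.hostname.upper() not in known]


def users_with_unmanaged_access(sessions, inventory) -> Counter:
    """Count of unmanaged sessions per user, for follow-up and laptop issuance."""
    return Counter(s.user for s in unmanaged_sessions(sessions, inventory))


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_VPN_LOG)
    for s in unmanaged_sessions(sessions, CORPORATE_ASSETS):
        print(f"{s.timestamp} {s.user:<6} {s.hostname:<14} {s.client_os}")
    print(dict(users_with_unmanaged_access(sessions, CORPORATE_ASSETS)))
```

A hostname is a weak identifier (a personal machine can be renamed to look corporate), so this is a triage report, not an enforcement control; a device certificate or endpoint-management check at connect time is what actually closes the gap.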

I'm also concerned about protecting intellectual property, which is my responsibility. We are free to inspect the contents of any device we have issued to our employees, but we have no legal right to inspect any personal device, even if that device is connected to our network. In addition, laws are vague in some states and countries regarding our ability to monitor activity when an employee is using a personally owned device. If such an employee were to leave the company, our intellectual property could easily go with him.

For good measure, let's throw in the risk of license compliance issues.

Help Desk Too Helpful

While employees might not be aware that they shouldn't be connecting to the network from their own PCs, our help desk personnel should know that, right? Truth is, they've been helping employees install the VPN client on their home PCs. As an experiment, I called the help desk with an urgent request for access from my home PC. They actually sent me the full VPN client and walked me through the installation on my computer. After that experience, I reviewed some help desk tickets and found that the techs had also assisted in the installation of the VPN client on PCs at public Internet kiosks and hotel lobbies.

These exception requests are being met with a stern response. If an employee needs to access our network from home or another remote location, then the company needs to issue that employee a laptop. In many cases, the employee already has a laptop and is just too lazy to take it home or prefers using a Mac. But until we deploy a more secure method of remote access, such as a virtual desktop environment or a sandboxed VPN, I will hold the line against these sorts of exceptions.

Trouble Ticket

At issue: When software tokens replaced hardware tokens for two-factor authentication, our manager discovered that a lot of noncompany computers had gained access to the corporate network.

Action plan: Lay down the law on remote access, with no exceptions.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

