Securing the remote estate
Lock ‘em down or set ‘em free?
Workshop: One of the challenges of managing a remote desktop estate is security. It’s not a new problem, but it has been raised higher in the collective consciousness in the last few years, thanks to the proliferation of smaller, cheaper and more portable devices.
It’s not enough to blame human nature - although sitting here as I type I know full well that if I were to leave my laptop on the train, its contents would be available to the next person opening it up, such is my laziness. We may talk the talk, but we don’t always walk the walk. What can we do about it?
It would be great to be able to say that we just need the right products in place. There’s no shortage of them – from personal firewalls, anti-virus and disk encryption to Network Access Protection (NAP) and virtual private networking (VPN). Despite all such things, the remote desktop estate is not what anybody would call ‘secure’. Is it?
So what’s the problem?
The problem is not a lack of available products to counter the forgetfulness or the bad luck of people entrusted with the safekeeping of portable computers. Nor is it that organisations have failed to establish rules, policies and procedures designed to minimise loss or damage.
The problem is the gap between these two areas in a vital place – where the rubber hits the road. I wager that most mobile users don’t have the faintest idea exactly what is expected of them, despite being given a decently specced machine with appropriate security features and the ‘new joiner’ briefing on security procedures.
So what is it reasonable to expect users to do to protect their kit, and more importantly the company information contained inside it? Our research suggests that beyond ‘getting the technology right’, the biggies are ‘smart deployment’ and ‘smart use’. In practical terms this means being a bit more savvy about how laptops and other mobile devices are rolled out, for example by setting appropriate policies, ensuring users are aware of their obligations and making it easy for them to co-operate.
Sounds good, but is this just motherhood and apple pie in your organisation? As ever, we’d love to hear about the issues you face in this area, especially if you have managed to solve them!
The weak link is typically the senior management who:
a) Usually understand nothing about security (IT or otherwise);
b) Won't listen to what they are told and won't read even the shortest user guide;
c) Will not follow the company IT / Security policies that they signed;
d) Demand that they have Admin rights so they can install various crap, often of dubious origins.
You can argue but you will lose - but it will still be your fault and not theirs when their system gets trashed. Even the best security strategies, carefully planned and implemented, are vulnerable to the utter irresponsibility of those at the top.
Not an easy one really.
Where I work there are multiple domains with different security requirement levels.
One for example has fully encrypted machines with a request for username and 2 passwords to get the machine into a usable state remotely, and then the wireless is disabled in the BIOS using the passworded BIOS to stop it being turned back on, to ensure no interception at all.
At the other end of the spectrum was an old domain where users had been let loose and had a simple VPN connection to get back into the network. Obviously this worked on all but the worst net connections in the world and users had local admin rights as well... always great for fault finding...
The most common is a middle level approach where the machine is encrypted and all connections are managed through one software set and the only way to power the machine on is to have a separate device plugged into it, which also requires its own access code (kind of like an RSA token, but better) and this then allows a fully encrypted (2048 bit) tunnel to be formed back into our network. Dead easy stuff.
Users are also told not to leave any important stuff on their machine. As it's encrypted, if the HDD gets a tiny bit iffy the whole lot is nigh on impossible to get back. They are meant to have a laptop to log back into the office for a reason so nothing should be stored on their machines that is considered secure.
And after all that the sole support for the solutions is often quite busy and not likely to be without work for a long time :D
Keep IT Simply Stupid ...... for Big Brother has Help which you cannot even Imagine
Methinks it is delusional to imagine or to expect that any machine connected to and transferring information/metadata over the Internet and Networks InterNetworking is secured, with that information/metadata being thought to be exclusive and free from unknown and/or unauthorised third party knowledge.
If you want privacy ....stay off the Internet, for it does not accept the application of rules or third parties imagining that they can share information secretly for personal/singular advantage, with impunity and immunity, causing a collateral disadvantage elsewhere.
And to rant and rave in any sort of disagreement and campaign to prove the opposite will only end up in proving the point.