Working remotely: What are the solutions?
Be here now
Workshop It’s funny how far mobile computing has come in the last ten years. It enables a flexibility of working that only a decade ago could have been considered by some to be in the realm of Star Trek.
Notebooks and smartphones are well understood, while new waves of ultraportable computers such as netbooks and tablets (where are those tricorders?) are now emerging. It’s exciting stuff, but the movement of large tracts of computing outside of the corporate defence perimeter raises questions of security around access to applications and information, while management and support are both raised to a whole new level.
Connectivity to systems and applications is one of the critical elements to a long term mobility strategy. But even today, many companies do not have a managed approach to providing access. This approach, if left untackled, can be both dangerous and damaging, and can lead to a management nightmare.
Employees may take it upon themselves to copy information to work on while out of the office. Any sensitive information copied, if lost, could be damaging, both financially and for a company’s reputation. Also, data quality can become an issue as employees may have out of date, duplicate or incorrect information.
All is not lost, as there are many solutions that can be used to provide access to systems and information, of varying levels of capability and sophistication. One of the oldest and most established is to use the Virtual Private Networking (VPN) capabilities of installed security equipment, usually firewalls. Surprisingly, despite the widespread installation of firewalls with VPN capabilities, many companies still do not implement VPNs for secure remote access.
Part of the reason for the resistance to implementing VPNs has been the perceived complexity and cost of implementation. Much of this reputation, deserved or not, has come from IPSec VPNs. These often had custom clients, a less than stellar reputation for compatibility and caused both performance and management overheads. In the past this may have been true. But modern IPSec VPN systems are much more integrated.
Operating systems now feature (mostly) compatible clients built in, while IPSec systems integrate more tightly with corporate networking and directory policies. SSL VPN technologies, which often require new kit or licences, leverage web technologies to provide secure access in a clientless manner. This can take a lot of the sting out of implementing and maintaining VPNs compared to IPSec, especially if access to data is controlled through front-end applications or through systems such as application virtualisation.
Getting a grip on access, applications and systems can be a challenge too. Simply providing access to the network may solve the access challenge, but may introduce bigger problems. Performance and reliability are two perennial bugbears, as are the security implications of having direct access to data and systems from remote PCs that may have been exposed to malware or hacking.
Channelling access through server-side applications and restricting direct file access is one effective approach to remote working. This may be provided in the traditional client-server model such as Outlook and Exchange Server, with SharePoint or similar content management systems. In these cases, it is worthwhile also looking at deploying intelligent network traffic and application optimisers as a way to not only improve performance (as you have told us those pesky mobile people have expectations that are now sky high) but also to manage bandwidth cost and utilisation effectively.
Another effective way, so you have told us, is to provide secure remote access through using virtual applications or virtual desktops. These run the applications on the server, ensuring that data is kept centrally and securely. By running servers or applications centrally, not only is security much enhanced, but performance and reliability are too - all the while keeping data transfer to a minimum.
Remote working also raises the bar for support and management. Taking advantage of some of the latest management innovations can cut support costs and make remote PCs more secure. When remote users hit snags for whatever reason, telephone support can be a difficult proposition. It is not always possible to do home visits, especially if the user is at a hotel or other location. The ability to either view the users' screen or control the PC can aid diagnosis and repair, and PC operating systems and other tools generally allow this, provided that they can boot.
This capability is also being extended by manufacturers to allow low level, out of band access to the PC, independent of the operating system. This functionality is supported by the firmware of the PC, which is as close to allowing physical access without actually being there. This helps with one of the biggest issues that you raised short of having to actually replace faulty items.
When integrated with the management tools, this can help to get employees up and running again more easily. In instances where the operating system is rendered unbootable this can be a life-saver. Poorly tested security updates or application and operating system patches that have unexpected compatibility issues. And we can be sure that it will happen many times again.
Loss and theft are all too real in the big, bad world of remote working. In the past, this was unfortunate, and resulted in a loss of productivity and assets. Now it carries a burden of responsibility due to data protection legislation.
In addition, there are current or impending duties on notifying people of a possible loss of their personal data, with all the subsequent impact on reputation and finances. So it makes sense to both secure and manage the data on the devices to make sure that loss or theft will be an inconvenience and not a major media event.
Full disk encryption is gathering steam. With recent advances to accelerate encryption to make it both faster and more power efficient, it is now also finally starting to become realistic even while mobile. With new solid state disks (SSDs), performance may even be pleasing to mobile employees. And PCs are also borrowing from their smartphone brethren, with the ability to remote wipe a machine, and to disable it and delete the keys stored in the Trusted Platform Module (TPM) should the PC go ‘walkies’.
In amongst all the noise of data security and management, it is easy to get lost in some of the new technologies. Identity and Access Management (IAM) is a hot potato for example, particularly when it comes to remote access. We should all do it, but it requires a lot more than just managing remote access to get management to commit to deploying IAM company-wide. It may be best to flag the most sensitive roles or departments, and look to ease IAM in gradually, using such areas as a beach-head.
Access control is another buzz-word, which has yet to live up to its hype in either Network Admission Control (NAC)or Unified Access Control (UAC) forms. While the concepts are sound, the cost and sophistication required to make access control work means that, in many cases, IAM will not be all that relevant except for companies that approach security as a core competency, either through regulation or through reputation.
So, what about you and your organisation? Are you passing on the VPN game? What are the inventive ways users have found to bypass security controls? If you would like to offer up practical advice or tales of comedy/woe, you know what to do. ®
Sigh: what I find really depressing about remote working isn't the technology choices or lack thereof, but that PHBs still form the biggest obstacle. "If we can't shoulder-surf, we don't believe you're doing any work", regardless of whatever one may or may not produce.
As for the technology itself, back in the day I had a kilostream and a pair of DEC bridges, the remote one needing resetting by an IT bod on average twice a day, leading me to regret not choosing the much bigger and uglier router instead. Access to the intarwebs (such as it was) was provided gratis by the company through their network, which was a workable solution in terms of their own data integrity and kept everyone happy provided I didn't do anything that would also get me booted off an ISP.
But that was 18 years ago, and thanks to the observation in the first paragraph, I've had little chance to see how things have progressed in that time.
Maybe someone should sell the resulting lack of commuting as a "green" issue... nah, it'd make a difference so it would never work.
Yes, but I don't like leaving a SSH server open to world+dog, so for me it's SSH over VPN (SSH server firewall only allows certain IPs)
Until ~'97 it was rsh, from then ssh.
Small businesses just need some pragmatism
We use Draytek Vigor routers for VPN - they also do VOIP options if you want it (we use Skype instead) and can have two broadband links. To control our server remotely for a single connection (it gets you on as the console) I prefer RADMIN - the server end is peanuts, the clients are free and the bandwidth is very low - I've even used it on a 40k dial up. You can tune the colour bit-level to help the bandwidth. It gives the added advantage if two of you connect to the RADMIN server you can both see and work on the same session.
I have to say the quality of the VPN applications has improved over the years, we use the Vodafone VRAC remote access client, but it takes me nearly 17 minutes to login from power up (power up laptop, login in to laptop, start windows, login into windows, start VRAC app, login to VRAC). Cumbersome but at least with broadband it’s reasonably quick. In a previous job I once logged in on a dialup line and it took MickySoft outlook 5.5 hours to resync my email!!!!!!
Now if only MickySoft didn't keep fucking up my roaming profile when login on different machines.