Branch office security: What are the real problems?
When it comes to IT security, almost all businesses using IP networks to transmit data will know that they have to protect themselves, and they will have systems in place to keep their data secure.
However, this is often focused at the head office. For workers that are not located at the central office — whether this is a branch office environment or a remote worker at home — the question of security is a harder one to answer. It also affects IT security thinking in general: How should I keep these remote locations secure and what problems are there around managing this?
The number of companies that have remote workers or branch offices is growing. This expansion comes alongside greater use of the internet for communication and collaboration. Typical examples of branch office IT deployments are retailers, travel agents, estate agents and petrol stations: The IT requirements at each location can be fairly basic and IT skills at these branches often don't exist.
Support and security of such branch office environments can be a significant challenge if not approached correctly.
The two primary challenges are implementing business policies and managing branch office IT.
The first area to consider is how to manage many branch networks efficiently. Because each branch office is small, it will typically not have any on-site IT staff available to support users if something goes wrong. The emphasis therefore has to be on how the central IT department can provide this support and security. However, the amount of time that can be spent on this activity could start to have a serious impact on productivity and costs if not carefully planned.
The typical branch office environment often needs the same security functionality as the head office — firewall, VPN, IPS, web and email security are all just as important to remote workers as to those at headquarters. For the central IT team, committing human resources to an implementation or upgrade can be very expensive, especially when dealing with multiple offices.
If you are starting a new branch office, being able to control and manage an update to security systems centrally, without having to put an engineer on the road for several days, provides a far better return on investment and much lower costs. Preconfiguring each system at the head office is one approach, but in most cases adjustments must be made on-site. This leads to a different configuration in each location, which makes it hard to keep track. Dedicated solutions for central management exist, but are expensive and often very complex.
Another approach to solving this problem is to use a kind of "thin client" approach for security. Instead of running firewall, VPN, IPS, web and email security functions on an expensive branch office device, all functions are provided by a powerful centralized security gateway, which can sit in your head office or in the cloud (e.g. at a service provider). A small remote Ethernet device in the branch office only forwards all traffic to the central device, where it is scanned and filtered before it is sent to the internet. Hence the remote device behaves like a thin client.
These remote Ethernet devices can be sent unconfigured to the branch offices. Their complete configuration is done on the central gateway. When the branch office device comes online, it automatically retrieves its setup information from the central provisioning service, configures itself and establishes an encrypted tunnel to the head office, without requiring IT staff to be present.
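The zero-touch step above is where trust is bootstrapped: an unconfigured device accepts whatever the provisioning service hands it, so the device must be able to tell a genuine configuration from a forged or replayed one before it brings up a tunnel. The following is an added illustration, not code from the article or from any product it describes; it assumes a per-device secret shared with the central gateway and a monotonically increasing config version, both constructed here for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: a per-device provisioning secret, assumed to be installed
# at the factory and known to the central gateway (assumption, not from the page).
DEVICE_SECRETS = {"RED-0001": b"factory-secret-0001"}


def sign_config(device_id: str, config: dict) -> dict:
    """Central provisioning service: serialise the config and attach an HMAC tag."""
    payload = json.dumps(config, sort_keys=True).encode()
    tag = hmac.new(DEVICE_SECRETS[device_id], payload, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "payload": payload.decode(), "tag": tag}


def fetch_and_apply(device_id: str, secret: bytes, message: dict, last_version: int):
    """Branch device: apply a config only if it is addressed to us, authentic and not stale.

    Returns the resulting tunnel state, or None when the config must be rejected.
    """
    if message.get("device_id") != device_id:
        return None  # config meant for another device
    payload = message["payload"].encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return None  # forged or tampered in transit: never build a tunnel from it
    config = json.loads(payload)
    if config.get("version", 0) <= last_version:
        return None  # replay of an older config is refused
    # Thin-client behaviour: everything from the LAN ports goes into the tunnel,
    # nothing is filtered locally; the central gateway does the scanning.
    return {
        "version": config["version"],
        "tunnel_to": config["gateway"],
        "forward_all": True,
        "lan_ports": list(config["lan_ports"]),
    }


def demo():
    """Constructed walk-through: a genuine config is applied, a tampered copy is not."""
    config = {"version": 3, "gateway": "vpn.example.invalid:443", "lan_ports": ["eth1", "eth2"]}
    msg = sign_config("RED-0001", config)
    good = fetch_and_apply("RED-0001", DEVICE_SECRETS["RED-0001"], msg, last_version=2)
    tampered = dict(msg, payload=msg["payload"].replace("vpn.example.invalid", "evil.invalid"))
    bad = fetch_and_apply("RED-0001", DEVICE_SECRETS["RED-0001"], tampered, last_version=2)
    return good, bad
```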
Once you have the IT network protected, the next point is to look at the company's existing policies around how IT assets are used. From access to the internet for personal use through to application installations and stopping unauthorized software, this set of rules for IT can be extrapolated into the branch office environment. Most of these guidelines should be the same — for example, not allowing peer-to-peer software to be installed without a valid business-use case.
However, there may have to be more flexibility considered when implementing this at the remote worker level, as they may be using their own IT resources rather than company-provided tools. In this case, making sure that end-users are educated about what they can and cannot do when on the company network is paramount.
Another point to consider around IT usage policies is that bandwidth at the branch office may be more limited. Branch office environments tend to be smaller, so typically the internet connection into the building will be smaller; there may also be only one network connection into the site. This may mean that rules on site access and surfing may have to be stricter, to ensure that all the bandwidth available is being used for business purposes and that the central IT team is able to support users properly.
The cost of maintaining a branch office network — particularly one with tens or even hundreds of sites — is another factor that has to be considered over time. Again, the ability to manage IT security settings remotely alongside other centralized IT resources can play a powerful part in keeping costs down. By using the remote Ethernet device approach, branch offices can even be managed as if they were just another in-house department, connected through a very long Ethernet cable.
In organizations where IT plays an important role in their success, this method improves profitability and productivity, which makes other approaches hard to justify.
A company's security is only as strong as its weakest link. Yet this is often not recognized at the branch office level, or organizations face higher costs in order to maintain separate solutions at each office, hindering their day-to-day activities.
What is needed is a new approach to branch office security that recognizes these requirements, and ensures that each branch office remains secure by only using the skills that already exist at the head office.