In November 2002 SonicWALL published the results of an independent survey into the attitudes of British businesses towards teleworking and the steps most commonly taken to ensure home workers connect to the office securely.
The survey confirmed home working is indeed a growing trend. Out of a base of 400 UK companies interviewed, 83 per cent said they have staff who work from home on either a regular or occasional basis. The remainder, however, were still extremely wary of adopting teleworking as part of their business model and cited security as one of the key reasons for this concern. So why should security concerns act as a barrier to teleworking for some companies? And are there any guidelines that companies considering a teleworking initiative should follow?
Technology advances such as broadband internet access and mobile communications are causing changes in working practices. Employees can reasonably demand flexible working hours, companies can be more productive and reduce costs, business partners start to expect to have real-time access to company information. Everything is conspiring to force companies to provide access to the core enterprise network for a disparate community made up of branch office staff, telecommuters, after-hour workers, contractors, business partners and mobile employees. And once you start providing access for this community then the network becomes open to unwanted outsiders too.
In the past, the popular approach to safeguarding against unwanted internet access has been to place high-end security solutions at the main entrances to the enterprise network. But in an age where the number of network entrances is growing to meet the needs of remote offices and mobile workers, these are no longer enough. It is generally impractical to provide costly high-end enterprise security solutions for remote sites and mobile workers. Yet protecting remote offices and workers connected to the enterprise network requires the same degree of security as the main entrances. Not only do they place their own data and applications availability at risk, they also provide an unguarded 'back door' into the headquarters' network.
The survey found widespread agreement (84 per cent) that responsibility for computer security for home workers should lie with the company. Yet attitudes differed widely as to what measures are necessary to achieve this. The majority of respondents (74 per cent) claimed to always check who has access to the company's computers and in most cases it is the company that sets up the link. Some businesses go as far as supplying the computer or laptop for remote workers, while others insist on having someone check the home user's equipment before granting access. Even so a quarter of the businesses with home workers claimed not to run any checks on the home-based equipment at all. And when it came to asking who else at home had access to the employee's PC, half of the companies interviewed said this was something they never checked.
Nevertheless the message about the need for security for remote workers does seem to have hit home. Only two per cent of businesses surveyed said they had no security at all. Security measures currently deployed between the teleworker's PC and the corporate network consist of either a virus checker (85 per cent) or a firewall (71 per cent) or both. Other aspects of security for the home worker such as content filtering (44 per cent) and virtual private networking (VPN) (33 per cent) are not so widely used.
Where companies do not yet allow staff to access to the company's computers from home, expense and concerns about security are among the biggest concerns. Here VPN, once exclusive to all but the largest corporations, may start to make a difference. At the small office/remote worker end of the market most firewalls now come equipped with built-in VPN capability.
So how can companies prevent non-secure home networks from compromising their corporate networks? What can be done to protect remote workers against the constant threat of new viruses and worms? What is the best way to expand the telecommuting network without opening new security holes? How can they successfully manage a diversified, constantly changing telecommuting workforce? Finally, and perhaps most important of all: how do companies retain control over a network of widely distributed remote access points?
The arrival of affordable broadband internet connections and interoperable standards-based VPN enables secure communications links to be deployed quickly and at a cost that even a small to medium-size business can contemplate. VPNs can be used to connect mobile users using dial-up internet connections, link two LANs together via the internet, allow remote offices and users to securely access internal TCP/IP applications running on the corporate intranet, and enable secure access to the corporate extranet for vendors, partners, and customers. Some VPN vendors have already anticipated the growth of home networks and have designed their VPN equipment so that the network activities of other family members cannot inadvertently leave the VPN tunnel open to unwelcome visitors.
To stay safe, businesses should make sure their VPN solutions meet the following criteria:
- Isolate. Where the teleworker's PC is on a shared network at home it should not be possible for the VPN tunnel to be accessible to anyone else on the home network.
- Enforce. Companies should consider giving teleworkers security levels at home that comply with the basic minimum corporate standards, thereby enforcing a multi-layered defense mechanism that incorporates firewall, anti-virus, content filtering and authentication.
- Scale. Most firms will need multiple VPN connections, so it is important that the solution should be scalable to allow security measures to be deployed rapidly via a web browser.
- Manage. The company's service professionals should be able to remotely manage the solution so that the VPN links remain in full control of the organization at all times.
- Perform. Stateful inspection performance, where malicious attacks are detected at the application layer rather than at operating system level, is essential.
- Comply. Solutions should be IPsec, ICSA certification and PKI-standards compliant.
As technological advances such as mobile data communications bring corporate applications such as email and CRM to remote workers via their laptop, mobile phone or Pocket PC, it seems likely that commercial pressures to allow people to do their job from any location as opposed to their desk will continue to build. At the same time the ability to establish VPN links will become easier and less expensive. The fact that just one third of companies with remote workers are currently using VPN points to significant growth in this area. New advanced encryption standards and greater interoperability between competing solutions should help to convert even the most conservative business over to the mobile working era.
Harry Gostling is U.K. country manager for SonicWALL (www.sonicwall.com).