Breach, Data Security, Incident Response, TDR, Vulnerability Management

Closing a tough security gap

The world is getting smaller. And yet, the security implications of a constantly connected, mobile workforce have grown larger.

Once confined to offices and cubicles, the global workforce is on the move, presenting new challenges to information security. According to recent research, IDC predicts the number of worldwide mobile workers will reach one billion by 2011.

The workday is no longer restricted to an office or even the ‘nine to five' workday of our parents, as people travel routinely for work and as more employers offer tele-commuting as a perk.

For many of us, it's hard to tell when the work day begins and ends, especially when traveling for business. Who among us hasn't entered that gray area when you are working from the road, after hours and you want to check your personal email account from your corporate-issued laptop? Or conduct some personal banking or just catch up on the sports headlines after finishing some work at home?  

These all seem like reasonable reasons for roaming employees to surf the web. But when does seemingly harmless recreational surfing turn into something a lot more dangerous?  

Workers surfing the web outside the corporate firewall present exactly the same security risks as those who work from a traditional office.

The biggest risk comes from users who surf unprotected while ‘on the road' and return with malware-infected laptops that expose the corporate network to data theft. This is a growing problem primarily because malware is increasingly popping up on “legitimate,” brand name sites. The ScanSafe Threat Center has reported on countless instances of sites unknowingly hosting malicious code including MySpace, Facebook, The India Times, Tom's Hardware and others.

In addition, roaming workers can violate corporate Internet usage policies, by browsing inappropriate material, often exposing companies to legal liability. Uncontrolled recreational web surfing can drain valuable bandwidth and have a negative effective on productivity.

The problem, however, is that many existing approaches to securing remote employees have not been able to adequately secure these road warriors when surfing the web. All too often, once roaming employees go beyond the corporate firewall, the web security perimeter does not or cannot move with them.  

Indeed, roaming worker security habits (or lack of) are a cause for concern. Remote workers frequently engage in risky online behavior including hijacking neighbors' wireless networks and sharing computers with non-employees. According to a recent survey by Cisco (which polled 2,000 remote workers in 10 countries), 21 percent of remote workers surveyed allowed friends, family members and other non-employees to use their work laptops for internet access.

In a recent survey of IT managers from our global customer base, 65 percent of respondents reported instances of roaming workers tampering with or disabling security features on their laptop when working remotely. Forty percent reported they had been hit by a security threat as a result of a roaming worker's use of their laptop in the last 12 months.

So what are some of the existing approaches to enforcing Web usage and security policies for roaming employees? Are they working?

VPNs aren't up to the challenge

One prevailing misconception about roaming security is that a corporate VPN will protect roaming users from Web threats. Unfortunately, VPNs are not the cure-all that many enterprise security managers assume they are.

An obvious short coming of VPNs is that they only work when they are turned on.  Research shows that the majority of the time users do not use the VPN when surfing outside the office, opting instead to connect directly to the Internet. In fact, recent research found that employees use the VPN only 17 percent of the time. After all, why go through the trouble of logging on to your VPN if you only want to do a bit of Web surfing or check personal email?

Client-based and server-based solutions don't provide complete protection

Traditionally, security for roaming workers has been addressed either via client-side solutions (like desktop anti-virus) or by server-side solutions—URL filtering software and/or appliances deployed in the DMZ. However, both these approaches only partially solve the problem and in some instances, can create new problems.

Desktop anti-virus only protects from malware—known malware for which a signature exists. Anti-virus solutions do not perform content filtering and can't enforce a corporate acceptable Internet usage policy. Client-based anti-virus software requires constant updating and is a drain on PC performance. This often frustrates users so much that they disable it.

Appliance-based solutions only offer URL filtering and do not deliver protection from malware—leaving remote users open to Web threats. These solutions typically crawl the web to build databases of known “bad” URLs to identify unwanted web traffic rather than actually scanning each web page in real-time to identify malware. The net result is that they can often miss many new exploits, leaving users unprotected.

An additional drawback to appliance-based roaming security solutions is that they backhaul web requests from roaming users to a central point or points within the corporation boundaries, making it a single point of failure and resulting in bandwidth congestion and costs. This can also result in significant latency, for example, if the user is in Tokyo and the nearest box is in New York.

Creating an elastic perimeter for roaming employees

To truly protect roaming users, a solution should provide complete web security and policy enforcement no matter where and when employees connect to the Internet. In other words, it should allow for an elastic security perimeter that moves with the employee without introducing latency, increased bandwidth costs or requiring constant updating. Software-as-a-Service (SaaS) solutions are a good fit for roaming security because all the heavy lifting is done in the cloud.

According to Gartner Inc.'s report, Pros and Cons of SaaS Secure Web Gateway (SWG) Solutions, “The primary advantage of a SaaS SWG is its suitability for the growing population of small office/home office and mobile workers and Internet-based meshed architecture.”*

SaaS solutions can seamlessly extend corporate security policy to hotels, airports, remote offices, homes or anywhere else employees might use their laptops. All the scanning of web content is done in the cloud in real time, there's nothing to deploy. SaaS solutions merely require traffic be redirected to take advantage of the service provider's global network. This eliminates the need for IT staff to manage and update a premise or client-based solution. This is particularly important for companies with limited IT staff.

In addition, judging from available research, a roaming web security solution should be tamper-resistant. Existing solutions make it all too easy for users to disable.

Finally, when looking for a solution that will protect roaming employees from malware and enforce your usage policy, keep in mind that you'll probably want centralized policy-setting and reporting so that you can seamlessly set policies with no endpoint client hassle or updating. You'll also want a solution that can implement policy changes immediately without waiting for updates to be pushed out to appliances or client software.

The world is getting smaller, demanding that people work anytime, anywhere. Can you say the same of your web security solution?

Dan Nadir is vice president of product strategy for security vendor ScanSafe and is based in San Mateo, Calif. For more information, visit

* Gartner, Inc., Pros and Cons of SaaS Secure Web Gateway Solutions, Peter Firstbrook, April 16, 2007

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.