Over the past few months, birdflu has progressively crept closer to the U.K. What’s this got to do with security you might ask?
That was my reaction when I took the first call from one of our clients about this. However, it soon became apparent that people were worrying about their contingency plans in case employees asked to work from home to minimise their contact with others who might potentially have been exposed to the virus.
Trying to anticipate the sudden demand for remote access in advance is no easy task and security managers will need to consider a number of security issues if they are to be prepared. They will need to carefully review the way employees access corporate systems remotely, including how users are authenticated and the level of access they will receive. They will also need to consider the security impact of having a large proportion of the workforce suddenly working from home and how to educate a workforce used to working from an office where security and access to the corporate network are taken for granted. Although it might seem like early days, with this number of security issues to consider, it's a race against time to ensure security is covered if avian flu hits the U.K.
Taking a broad perspective
With the potential for increased numbers of employees accessing information remotely because of avian flu, it is important for security managers to get remote access right. They will need to assess who is connecting to the network, what they are using to connect in order to determine the level of network access to grant and how are they connecting in order to provide a robust security solution.
Firstly, security managers need to determine the identity of the person trying to access the corporate network by using a variety of authentication techniques. User name and password security can be combined with stronger technologies such as two factor authentication, where users need to supply information from something they have, such as a token, and something they know, like a PIN. For even higher security whilst the majority of the workforce works remotely, security managers could consider three factor authentication.
Security managers will also need to speak to business people to determine the level of access they anticipate different groups of employees needing and adjusting the level of remote access to suit this. From a technology point of view, this will need to be balanced with how secure the employee's desktop computer or laptop is, in order to allocate the appropriate level of access rights. This can be done by using an endpoint integrity check which assesses the security threat of each device and adjusts the level of access accordingly.
For example, employees using their company laptop from home are using a fairly secure device which should have up-to-date anti-virus software and firewall so it can be granted a higher level of access. However, should the employee connect from their company laptop at a wireless hotspot, they will not be as secure because potentially other people can see what is on the employees' laptop, so the level of access will be restricted. Employees using a public computer in an internet café will face the heaviest restrictions because of the risk of the next person to use the terminal having access the corporate network if the browser is not closed and the session ended properly.
Finally, security managers need to control how their remote users are connecting to the network. One method of achieving this, is an SSL-based (Secure Sockets Layer) VPN link. An SSL VPN is easily accessible from remote locations through a standard web browser and allows high levels of controls over access based on such factors as connecting device, location and an endpoint security assessment. Once a level of trust has been established, relevant authorisation to corporate assets can be granted. This gives administrators the power to restrict user access to limit the potential damage of an unauthorised person gaining network access.
While all these security considerations are essential for security managers to consider before bird flu hits, they also need to consider that third parties such as suppliers and consultants may also require secure remote access to the corporate network.
Despite all the security measures discussed, it is not enough just to have all these measures in place. Businesses must ensure that all employees are educated on the security risks associated with working remotely and their role in using mobile devices to store sensitive information during this time. By following these steps security managers can ensure that the business is fully prepared to adapt to the working needs of employees during an bird flu epidemic and that this can be done while maintaining the same high level of security as if employees were working from their office desks.
Surviving bird flu – remote access top tips
The author is a security consultant at Morse.