Protecting Mobility

Strong layered defense strategies help increase productivity

• By Steve Neville
• Apr 13, 2007

FROM Barcelona to Berlin and all across Europe, workers today need to access corporate information outside the workplace. Remote access frees workers from the restrictions of the corporate work environment. By working from any location and at any time, employees can collaborate more effectively, work more efficiently and ultimately be much more productive. The ability to develop a flexible personal work schedule is a major benefit provided by remote access—one that can have a major benefit on employee morale and productivity. Who hasn’t seen a coffee shop on a sunny day overflowing with workers accessing information on their laptops and other mobile computing devices?

For these reasons, many organizations are making the infrastructure investments to equip employees with the tools to work from any location at any time. However, the flexibility provided by remote access is accompanied by an important requirement.

What It Takes
Keeping proprietary assets, customer data and personal information secure from unauthorized access is of the utmost importance. As more mobile devices are deployed and used on a regular basis, the enterprise security architecture begins to lose the power to protect and prevent incidents.

Organizations turn to Virtual Private Networks (VPNs) to provide secure remote access. VPNs allow organizations to take advantage of the Internet, providing access to information for remote users and branch offices while helping reduce the communication costs compared to dedicated leased lines or the cost of establishing local and long-distance telephone connections. While not all laptops or PDAs contain sensitive customer data, online attackers know that devices used by mobile workers are often the path of least resistance into a corporate network. The security implications are obvious: Mobile workers are a weak link in network defenses.

Unfortunately, many organizations learned the hard way. Simple user names and passwords no longer provide strong enough authentication for users of these mobile devices. Implementing a solution that requires additional authentication of the user will add security and limit vulnerability to attacks for mobile workers.

Managing VPNs
Virtual private networks must be secured by multi-factor authentication to provide protection for sensitive corporate information and to prevent damage to the organization’s brand. A variety of security providers offer multi-factor solutions designed to help minimize the risk of fraudulent activity. Some solutions provide grid cards. Some provide hardware or software tokens, or one-time passwords, knowledge-based authentication and biometric solutions. Few vendors, however, provide all of these authentication options in an open authentication platform that can be tailored to the needs of specific user groups within an organization. And it is this flexibility that is essential.

For example, in many large-scale enterprise implementations, hardware tokens and biometric solutions may be too expensive to be feasible as a single solution for all users, but can be desirable for a specific subset of users who need the assurance tokens can provide.

Grid cards have become a popular alternative because they are efficient to deploy, inexpensive to implement—particularly with large enterprises—and simple for end users to use and understand.

An alternative to deploying a grid for authentication is the use of a one-time-password list. With this approach, end users are provisioned with a list of randomly generated passwords that are typically printed on a sheet of paper that is distributed to and carried by the end user.

Increased Verification
Another authentication method is the use of knowledge-based authentication. Knowledge-based authentication challenges a user to provide information that an attacker is unlikely to be able to provide. Based on shared secrets, this allows the organization to question the user, when appropriate, to confirm information that is already known about the user through a registration process or based on previous transactions or relationships. For example, during enrollment, a user may select and provide answers to easily remembered questions such as year of birth, origin of birth or favorite pet.

In addition to providing a range of authentication options, it is essential that a remote access security solution be compatible with leading VPN software from vendors like Check Point, Cisco, Citrix, Nortel and Juniper. The remote access security solution also should offer support for leading applications such as Microsoft Outlook Web Access and other commonly used business applications.

Mobile workforces demand the flexibility that remote access can provide in order to be more efficient and productive. It is the responsibility of IT to provide this access in a secure manner so that corporate information is not disclosed to unauthorized individuals. Careful consideration of security solutions is required. Select a remote access security solution that provides the broadest range of authentication options and that is compatible with leading VPN remote access software vendors and critical Microsoft applications.