The basic toolkit to secure remote access for the mobile worker should strike a balance between the desire of the remote worker to connect from any place at any time with the resources required from an organization to support that use, including the cost of securing the connection, says META Group analyst Chris Kozup.

The cost of adoption is falling and the cost of postponing is rising as the business case for the productivity of wireless connectivity becomes stronger. Companies need to focus on securing the remote worker in the 2004 and 2005 time frame to exploit the opportunity and to keep up with their competitors, Kozup says in his report, "Securing the Mobile Workforce."

The META Group recommends that companies create no more than eight user profiles and group all employees into one of them. They could be based on job function, software application, title, geography or division, but should not be customized for each individual.

Four examples are: the dedicated home worker who may have a corporate PC and a fixed office location; the casual remote worker who may have a personally owned PC and little use for email; the IT administration remote worker who requires secure access to corporate systems remotely; and the mobile worker with a corporate laptop and multiple connection options.

"Companies need to establish a policy that matches usage types to security solutions," says Kozup. "And for the home worker, the battle is to get them to use something."

Six areas need to be addressed to ensure security services for the mobile worker: data transport, user authentication, a personal firewall, personal threat management, data protection and hardware protection.

Determining who is using the mobile device, what applications that person needs to access, where they are located, and what device platform they use, will enable a security administrator to draw from the six security services to determine the appropriate security model.

When a remote user is on the road, META advises companies to make security the user's responsibility, but a VPN connection should be made a requirement for any connecting remote worker. Organizations using Wi-Fi or wired networks in the office should move to the new IEEE 802.1x standard, which offers port-level authentication.

For secure transmission, META Group predicts the IPSEc VPNs and SSL VPNs will coexist but that their popularity will flip over the next two years. Currently, 80% of remote workers with VPN access are using IPSec; META predicts that by 2006, 80% of remote workers with VPN will be using SSL.

Security policy needs to be centralized to be effective and it needs to have corporate-wide visibility.

"And it needs to be enforced to be effective," Kozup says, noting that one client company that threatened to fire any employee that connected a rogue access point.