5 Best Practices for Securing Remote Access
New ways to enable safe anywhere, anytime remote access are being demanded by the rising tide of mobile workers.
A decade ago, secure remote access was a right enjoyed by a privileged few: road warriors, executives, sales forces, etc. But ubiquitous high-speed Internet connectivity, coupled with explosive growth in mobile devices, has increased expectations. Meanwhile, new mandates continue to accelerate demand for safe, anytime, anywhere access to corporate networks and services.
According to Forrester, 62% of information workers in North America and Europe routinely conduct at least some business offsite. A recent Microsoft study found the average teleworker spends four days per month working from home. Many more "day-extenders" log back in at night and on weekends. Adding fuel to this fire, the Telework Enhancement Act that went live June 9 requires federal agencies to draw up policies to govern and promote teleworking.
Between teleworkers, day-extenders, and new mobile devices, IT departments are being challenged to enable secure access by ever larger, more diverse populations while simultaneously grappling with shrinking budgets and compliance mandates.
To help them with that challenge, we consider five emerging alternatives that can help businesses enable more cost-effective but safe remote access by this rising tide of users.
Let business needs drive deployment: Many companies have legacy remote access infrastructure that dictates who can receive access, and from what kind of device. Perhaps it's an older VPN that requires software on trustworthy endpoints and is thus incapable of delivering safe access from home PCs or smartphones. Perhaps it's a mobile access gateway that offers authenticated, encrypted wireless access but only to one kind of smartphone.
Of course, there are limits to every secure remote access solution. But it can still be very helpful to take a step back, inventory business access needs and associated risks, and then map those onto potential solutions and acceptable use policies. Some use cases might be met more effectively by non-traditional secure access alternatives such as those identified below. But you cannot determine that without a top-down needs and risk assessment.
Consider secure cloud apps: Remote access users have long fallen into two camps: those requiring secure network access and those requiring secure application access -- primarily messaging. The latter are usually given TLS-secured Outlook Web Access and Exchange ActiveSync, solutions that satisfied immediate needs but cannot be directly leveraged to support other applications.
As broader capabilities become necessary, employers may move users and their smartphones and tablets onto the corporate VPN. However, given growth in cloud services, it could make more sense to move selected applications instead.
"For many SMBs, renting a secure cloud app is easier than installing that application in-house," said Siamak Farah, CEO of cloud provider InfoStreet. "Cloud solution providers can deliver endpoint-agnostic secure access to most of the applications that SMBs need from email, CRM, and calendars to ERP, file-sharing, and teleconferencing. While this might not meet all enterprise [remote access] needs, for SMBs it can be a significant improvement because applications can be added quickly with the server side secured by the provider."
In addition to cloud applications, consider cloud Intranets that let remote workers collaborate securely without tunneling back into the corporate network.
Focus on corporate assets, not devices: As Farah noted, endpoint device independence (or lack thereof) can play a huge role in facilitating (or inhibiting) remote access. But enabling access from a broad range of devices does not mean ignoring device type or security posture. To that end, many remote access VPNs can now detect endpoint device characteristics, assess risks, and install required security programs or settings -- often without IT or user assistance.
However, these "look before you leap" VPN best practices can still be limited by device type and ownership. Smartphones and tablets may never support the same deep checks that laptops and netbooks do; users may have reasonable expectations of privacy on non-corporate-owned devices.
To avoid circling this drain, consider refocusing security policies on protecting corporate assets instead of the devices used to reach them. For example, virtual desktop infrastructure (VDI) alternatives (e.g., Citrix XenDesktop, VMware View, RingCube vDesk) can completely insulate the work environment from the endpoint device by leaving that environment inside the data center.