Modernizing Authentication — What It Takes to Transform Secure Access
A decade ago, secure remote access was a right enjoyed by a privileged few: road warriors, executives, sales forces, etc. But ubiquitous high-speed Internet connectivity, coupled with explosive growth in mobile devices, have increased expectations. Meanwhile, new mandates continue to accelerate demand for safe, anytime, anywhere access to corporate networks and services.
According to Forrester, 62% of information workers in North America and Europe routinely conduct at least some business offsite. A recent Microsoft study found the average teleworker spends four days per month working from home. Many more "day-extenders" log back in at night and on weekends. Adding fuel to this fire, the Telework Enhancement Act that went live June 9 requires federal agencies to draw up policies to govern and promote teleworking.
Between teleworkers, day-extenders, and new mobile devices, IT departments are being challenged to enable secure access by ever larger, more diverse populations while simultaneously grappling with shrinking budgets and compliance mandates.
Free Security Resources
Securing Today's Remote Access
The necessity of business owners delivering remote access to business users continues to rise at a notable rate. Working remotely is part of the new way that business gets done, from wherever you're sitting. Remote access needs now span across the organization. But making that access secure has the potential of being cost prohibitive if yesterday's security models aren't brought up to date. Read this white paper to learn the risks of remote working and discover the value of next-generation two-factor authentication to ensure that remote access is secure.Download
To help them with that challenge, we consider five emerging alternatives that can help businesses enable more cost effective but safe remote access by this rising tide of users.
Let business needs drive deployment : Many companies have legacy remote access infrastructure that dictates who can receive access, from what kind of device. Perhaps it's an older VPN that requires software on trustworthy endpoints and is thus incapable of delivering safe access from home PCs or smartphones. Perhaps it's a mobile access gateway that offers authenticated, encrypted wireless access but only to one kind of smartphone.
Of course, there are limits to every secure remote access solution. But it can still be very helpful to take a step back, inventory business access needs and associated risks, and then map those onto potential solutions and acceptable use policies. Some use cases might be met more effectively by non-traditional secure access alternatives such as those identified below. But you cannot determine that without a top-down needs and risk assessment.
Consider secure cloud apps : Remote access users have long fallen into two camps: those requiring secure network access and those requiring secure application access -- primarily messaging. The latter are usually given TLS-secured Outlook Web Access and Exchange ActiveSync; solutions that satisfied immediate needs but cannot be directly leveraged to support other applications.
As broader capabilities become necessary, employers may move users and their smartphones and tablets onto the corporate VPN. However, given growth in cloud services, it could make more sense to move selected applications instead.
"For many SMBs, renting a secure cloud app is easier than installing that application in-house," said Siamak Farah, CEO of cloud provider InfoStreet. "Cloud solution providers can deliver endpoint-agnostic secure access to most of the applications that SMBs need from email, CRM, and calendars to ERF, file-sharing, and teleconferencing. While this might not meet all enterprise [remote access] needs, for SMBs it can be a significant improvement because applications can be added quickly with the server side secured by the provider."
In addition to cloud applications, consider cloud Intranets that let remote workers collaborate securely without tunneling back into the corporate network.
Focus on corporate assets, not devices : As Farah noted, endpoint device independence (or lack thereof) can play a huge role in facilitating (or inhibiting) remote access. But enabling access from a broad range of devices does not mean ignoring device type or security posture. To that end, many remote access VPNs can now detect endpoint device characteristics, assess risks, and install required security programs or settings -- often without IT or user assistance.
However, these "look before you leap" VPN best practices can still be limited by device type and ownership. Smartphones and tablets may never support the same deep checks that laptops and netbooks do; users may have reasonable expectations of privacy on non-corporate-owned devices.
To avoid circling this drain, consider refocusing security policies on protecting corporate assets instead of the devices used to reach them. For example, virtual desktop infrastructure (VDI) alternatives (e.g., Citrix XenDesktop, VMware View, RingCube vDesk) can completely insulate the work environment from the endpoint device by leaving that environment inside the data center.
Keep your eye on data : While VDI can be a good alternative in some cases, it is not an efficient or even practical solution for others; especially disconnected users who require corporate data access. In those cases, VPNs protect data in transit but must be paired with endpoint measures (e.g., device PINs, remote wipe, disk encryption) to protect data at rest. This is why IT departments have long devoted so much effort to securing the laptops used for remote access and why the specter of devoting similar effort to lock down smartphones and tablets looms so large.
Before heading down this all too familiar path, evaluate secure access alternatives that compartmentalize business applications and data from the rest of the endpoint. Products like Good for Enterprise, NitroDesk Touchdown and Enterproid Divide create encrypted sandboxes on mobile devices, giving IT a cleanly segregated work environment to configure, monitor, and delete when the device is retired or lost.
For personal or public laptops PCs, a conceptually similar approach is a bootable secure environment such as MXI Stealth Zone. These alternatives still employ conventional over-the-air protection (i.e., VPN tunnels, SSL-encrypted ActiveSync) but terminated at more manageable and trustworthy "virtual endpoints."
Build for mobility : Forrester recommends adopting a "mobile-first" mindset when planning new content and collaboration tools. Extending this sage advice to security, perhaps it is time to stop thinking of secure access as "remote." Today's endpoints are mobile, roaming from home to office to hotel throughout the business day. Expecting all "remote" access traffic to enter the corporate network through a perimeter device (VPN or messaging gateway) is no longer a given. Moreover, risks vary as devices roam between public and private networks so consistent, gap-free protection must be ensured.
When evaluating any secure access expansion or alternative, consider how well an approach will work both on- and off-premise. For example, VPN clients like Cisco AnyConnect and JunOS Pulse are location-aware; transparently switching between security policies appropriate for each network (e.g., maintaining an always-on VPN tunnel unless connected to the corporate WLAN).
When roaming occurs, minimize security impacts on usability, using mobility aids to keep users logged in through coverage gaps. Finally, fragmented and duplicated policies not only frustrate users they're costly to maintain and lead to mistakes. Look for unified policy management that can help IT enforce consistent access rights as users roam throughout the enterprise.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28 year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.