Ten things to keep in mind when evaluating remote users
by Steve Ragan - Nov 3 2009, 01:30
When it comes to the workplace, IT has to deal with remote users. It’s a fact of life, and one of the reasons why endpoint security consumes a good deal of time and effort from the IT department. Jeff Hughes from Lumension recently gave us a list of ten things to consider during security evaluations of remote users.
If you’re reading this, there’s a good chance you’re doing so on a laptop. Laptops are a considerable part of an IT department’s budget, and are everywhere. IT has to do something for all the sales and marketing staffers who constantly travel, and the idea of lugging a desktop around just doesn’t sit well with them.
So you get them a laptop, and with it will come the joy of remote support, battles over application installs, and the issue of explaining why they do not need administrator rights. All of that is just the helpdesk side. IT management has the job of crafting a security policy for remote workers, and this is much easier said than done.
Often it is the organization’s own users who cause the most damage on the network, and pose the most risk. This is why Hughes said that, “it makes sense to consistently and periodically review your security measures for remote users.”
For the organization itself, the first thing to consider when performing security evaluations for the remote workers is the use of VPN. Hughes said that it is wise to require all users to use the VPN, as it encrypts traffic from point to point.
At the same time, there is the issue of actually getting the staff to play along. As a contractor, I had to deal with remote users who often complained about VPN speeds, and the fix for those complaints required a serious investment at the colocation facility. However, the usage of a VPN for anyone working outside the office should be a mandatory requirement for network design.
The second and third items Hughes suggested revolve around anti-virus and patch monitoring.
“This policy is easier to implement if you have issued company laptops. It's more difficult if the employee is using their own laptop. However, you should maintain a written corporate policy that requires all remote users to verify that they are using AV/AS software on their personal hardware. Many AV vendors offer considerable discounts on software purchased through the employer for the home user employee. Ask your AV vendor if they offer such a program,” said Hughes.
Patching, as mentioned, is the third item to review. All of the software on a remote worker’s system should be regularly updated: not just the anti-virus, but all applications. This means Adobe, Firefox, and all Microsoft or Apple operating system patches. More often than not, the lack of updates will lead to problems. When a remote worker whose system is infested with malware enters the network, they can singlehandedly wreak havoc.
Password management, which is the fourth item on the list, is also important. Remote users need to be kept on the same schedule for password resets. The best practice is that passwords are changed every 90 days. There are snap-in products for Active Directory that will assist in this.
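One way to check that remote accounts are actually on the 90-day schedule described above, as an added example rather than anything from the article or from Lumension: a PowerShell report of enabled Active Directory accounts whose password is older than 90 days. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the domain; the domain name in the enforcement line is a placeholder.

```powershell
# Added example, not from the article: audit enabled AD users against the
# 90-day password-age schedule. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MaxAgeDays = 90
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# PasswordLastSet is $null when the user must change the password at next
# logon; PasswordNeverExpires bypasses the schedule entirely, so both are
# reported alongside genuinely stale passwords.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.PasswordNeverExpires -or
        $null -eq $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $Cutoff
    } |
    Select-Object SamAccountName,
        @{ Name = 'PasswordAgeDays'
           Expression = {
               if ($_.PasswordLastSet) {
                   [int]((Get-Date) - $_.PasswordLastSet).TotalDays
               } else { $null }
           } },
        PasswordNeverExpires |
    Sort-Object PasswordAgeDays -Descending

$Stale | Format-Table -AutoSize
"$($Stale.Count) account(s) outside the $MaxAgeDays-day schedule"

# To enforce the same schedule for every account (remote or not) through the
# default domain password policy; replace the placeholder domain name first:
# Set-ADDefaultDomainPasswordPolicy -Identity 'example.invalid' `
#     -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays)
```

Accounts flagged with PasswordNeverExpires are the ones most worth a second look, since the domain maximum age does not apply to them.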
Lastly, there needs to be solid policy in place. “This policy must be read and signed by all remote users, which may mean your entire company. The remote usage policy should outline patching expectations of personal hardware and specify applications that are off limits when connected to the network,” Hughes noted.
Other items discussed by Hughes include five things for employee security, such as a requirement that every laptop have a firewall installed on it. Some security suites include a firewall, but IT should make the effort to provide instructions on how to implement personal firewalls, such as the one in Windows or the one used by the corporate security suite.
Another item on the list deals with responsibility. This means keeping track of the laptop, and never leaving it out in the open where someone could walk off with it. The other item that falls in line with this principle is encryption. Assume you ignored the responsibility part of laptop safety and someone walked off with it. If the data is encrypted, the information is useless to the thief. Most laptop thefts are done for the value of the hardware, not for information mining. Yet there is always the risk that sensitive information will wind up in the wrong hands.
Lastly, Hughes offered his thoughts on social networking. “Be careful on the latest social networking sites. Web 2.0 has brought new security challenges with dynamic content sites (iGoogle, Facebook, etc.) that allow you to post personal and confidential information with the click of a mouse. This can get you and your company into big trouble down the road.”
Tell us, what is your policy for remote workers? How do you manage remote worker policy? Were there extra costs associated with its implementation?