HOME OFFICE LOCKDOWN
Mary Brandel. Computerworld. Framingham: Feb 26, 2007. Vol. 41, Iss. 9; pg. 26, 2 pgs

Abstract (Summary)

Telecommuters are nothing new at TriNet Group Inc, a human resources outsourcer in San Leandro, CA. In fact, a significant part of the company's workforce operates remotely, either out of their homes or in small satellite offices, all on laptop computers, according to Bob Dehnhardt, the company's network and information security manager. For starters, telecommuters should use only company-owned equipment for their work, not their own home computers, Runzheimer mobile technology consultant Jack Gold says. That way, IT can ensure that the equipment is loaded with virus protection software and other control devices. At TriNet, all home laptops are encrypted using software from Beachhead Solutions Inc in Santa Clara, CA. The software provides centralized encryption management and remote data destruction if the laptop is lost or stolen. This year, TriNet managers will periodically visit the homes of remote workers, in accordance with the company's policy for inspections of home offices for ergonomic, safety and security reasons.

Full Text

 
(1624  words)
Copyright Computerworld, Inc. Feb 26, 2007

[Headnote]
Most companies still lack policies for virtual offices. Here are some ways to allay the huge data risks they pose.

TELECOMMUTERS ARE nothing new at TriNet Group Inc., a human resources outsourcer in San Leandro, Calif. In fact, a significant part of the company's workforce operates remotely, either out of their homes or in small satellite offices, all on laptop computers, according to Bob Dehnhardt, the company's network and information security manager.

But over the past 18 months, Dehnhardt has grown increasingly concerned about the rising number of mobile computer security breaches in the news, most notably the theft of a laptop and external drive from a U.S. Department of Veterans Affairs employee - an incident that compromised the personal data of 26.5 million veterans and military personnel. So last year, he helped institute a series of security policies, including a requirement that all employees who work at home must sign a contract. One of the contract's provisions states that such employees must be willing to open their homes for inspection.

"Working from home is a privilege, not a right," Dehnhardt says. "It has numerous advantages to both the employer and the employee, but it also constitutes a very real security risk for the company. There have to be rules and policies in place to protect the employer from this risk, and both parties must agree to them."

But TriNet is ahead of the curve in home-worker security. Despite network attacks, virus onslaughts, data loss and other hazards that remote users can introduce, many U.S. companies haven't bothered to establish security policies for teleworkers, according to Runzheimer International Ltd., a Rochester, Wis.-based provider of employee mobility products and services. In Runzheimer's 2006 survey of 87 organizations with mobile workers, 62% of respondents said they were concerned about the security of company assets located off-premises, but only 46% reported that they have a virtual office policy.

"A lot of companies are just hoping that nothing will happen," says Jack Gold, a mobile technology consultant at Runzheimer. "And yet for a reasonable amount of effort, they could eliminate 90% of the potential problems."

For starters, telecommuters should use only company-owned equipment for their work, not their own home computers, Gold says. That way, IT can ensure that the equipment is loaded with virus protection software and other control devices. By keeping operating systems and application versions standardized, IT can also centrally manage virus updates. "If you rely on the end-user community to take care of their own systems, you're in trouble," Gold says.

At TriNet, telecommuters use centrally managed laptops. "This gives us a means of enforcing policy, since we own the equipment, and it also reduces the workload on our support people, since they don't have to troubleshoot why Billy's World of Warcraft installation broke our critical internally developed application," Dehnhardt says.

Another Method

The American Academy of Ophthalmology takes a different approach to managing security on home workers' computers. Until recently, the organization used only the security available in Microsoft Windows Active Directory and its virtual private network (VPN) software.

As viruses began disrupting bandwidth on the corporate network, however, Vice President of IT Joe Carr decided to take further measures. He installed Safe Access, an appliance from Superior, Colo.-based StillSecure that ensures that user devices have updated virus-protection software and appropriate firewall status before allowing them on the VPN. "We've had productivity in the office interrupted due to viruses, so we needed to make a change in the way people managed their equipment outside the office," Carr says.

Carr is also testing a policy in which Safe Access will check on the last time home workers performed virus scans on their machines. If more than a certain amount of time has passed, it will require a scan before allowing the device onto the VPN. "We test new policies with users to make sure the action is working before ratcheting it up academywide," he says.
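
The admission checks described above can be sketched as follows; this is an added example, not StillSecure's Safe Access logic or code from the article. The `Posture` fields, the rule names and both age thresholds are assumptions, and the scan-age rule starts in audit-only mode to mirror testing a policy with users before enforcing it.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Callable

# Assumed thresholds: the article only says "a certain amount of time".
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=7)

@dataclass(frozen=True)
class Posture:
    """Hypothetical endpoint report gathered before VPN admission."""
    host: str
    signatures_updated: datetime
    firewall_on: bool
    last_scan: datetime

@dataclass(frozen=True)
class Rule:
    name: str
    compliant: Callable[[Posture, datetime], bool]
    action: str    # "deny" or "scan_required"
    enforce: bool  # False = pilot: record the finding, do not block

RULES = [
    Rule("av-signatures-current",
         lambda p, now: now - p.signatures_updated <= MAX_SIGNATURE_AGE, "deny", True),
    Rule("firewall-enabled", lambda p, now: p.firewall_on, "deny", True),
    Rule("recent-virus-scan",  # the piloted rule, so it starts in audit mode
         lambda p, now: now - p.last_scan <= MAX_SCAN_AGE, "scan_required", False),
]

def evaluate(p: Posture, now: datetime, rules=RULES):
    """Return (decision, findings); a deny outranks a required scan."""
    decision, findings = "admit", []
    for r in rules:
        if not r.compliant(p, now):
            findings.append(f"{r.name} ({'enforced' if r.enforce else 'audit-only'})")
            if r.enforce and decision != "deny":
                decision = r.action
    return decision, findings

def ratchet_up(rules):
    """Switch every piloted rule to enforcement once the trial is over."""
    return [replace(r, enforce=True) for r in rules]

# Constructed sample reports, not data from the article.
NOW = datetime(2007, 2, 26, 9, 0)
STALE_SCAN = Posture("laptop-b", NOW - timedelta(days=1), True, NOW - timedelta(days=30))
UNPROTECTED = Posture("laptop-c", NOW - timedelta(days=10), False, NOW - timedelta(days=30))
```

Reviewing the audit-only findings during the pilot shows how many users a rule would have blocked before it is enforced for everyone.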

Another TriNet policy forbids home workers from storing corporate data long term on their laptops, Dehnhardt says, although he doesn't know of any technology to help him enforce that. Instead, telecommuters are expected to access data through the company's VPN and store data on network home folders, which are backed up nightly. They're also discouraged from using USB or thumb drives because they can easily be lost or stolen.

Of course, some data must reside on the laptop for times when the employee has no network access, like during customer visits. In such cases, remote workers are instructed to take only the data they need for that visit and delete it from the laptop immediately afterward, after saving any changes to the network drive, Dehnhardt says. "It's a fine line to walk," he acknowledges.

Mark Rhodes-Ousley, an information security architect and co-author of Network Security: The Complete Reference (McGraw Hill Osborne Media, 2003), agrees that data should mainly reside in centralized corporate repositories. "Home workers should be granted access to view and change data only from a distance," he says. That can be facilitated with systems that provide front-end access, such as Secure Sockets Layer VPNs.

Remote access makes the home computer a part of the company network, Rhodes-Ousley explains, whereas front-end access makes only the user interface accessible, separating users and their computing environments from the actual servers that manage the data. This technique presumes that users have a good broadband connection, Gold says, because dial-up could never handle the traffic load.

Everyone agrees that home workers should keep data encrypted, but relying on end users to do that is risky, says John Girard, an analyst at Gartner Inc. "Typical office applications have the ability to encrypt," he says, "but the choice is often voluntary, and the user can usually choose a simple, weak password and encryption algorithm."

That's why it's best to run the home PC as a virtual machine that's encrypted, where the user logs on to bring up an image of a company workstation, he says. Or home users could run an on-demand virtual session that encrypts saved data even if the workstation is otherwise not managed by the company, Girard says. This is possible with software such as Cisco Systems Inc.'s Secure Desktop, Symantec Corp.'s On-Demand Agent and Check Point Software Technologies Ltd.'s Integrity Clientless Security Secure Workspace.

At TriNet, all home laptops are encrypted using software from Beachhead Solutions Inc. in Santa Clara, Calif. The software provides centralized encryption management and remote data destruction if the laptop is lost or stolen.

Dehnhardt uses IPsec for encryption on TriNet's VPN, and he requires home wireless networks to be encrypted using Wi-Fi Protected Access when accessing the VPN. The only way to enforce this now, however, is through a signed statement and employee training, he says. "We don't have the [resources] to support home wireless equipment," he says. "It's better to educate the users to protect their home environment than to do it for them."

Dehnhardt also advises home workers to change their default service set identifier and administrator passwords on their wireless access points.

This year, TriNet managers will also periodically visit the homes of remote workers, in accordance with the company's policy for inspections of home offices for ergonomic, safety and security reasons. "If employees do not agree to this, their VPN access and laptops will be pulled, and they will not be allowed to work from home," Dehnhardt says.

This is an unusual policy among U.S. companies, according to the Runzheimer study. Only 13% of respondents said they conducted irregular or initial inspections as part of their virtual office policy. "There are some privacy concerns as to how frequently these inspections should take place and what advance notice is required," says Heidi Skatrud, a vice president at Runzheimer. "But companies absolutely have the authority to enforce security policy in people's homes."

[Sidebar]
TRAINING FOR VIRTUAL OFFICE EMPLOYEES
Percentage of organizations that offer their teleworkers the following types of training:
PC/network connectivity 72%
E-mail usage 67%
Business applications usage 67%
Safety and security of virtual office 39%
BASE: 87 organizations; multiple responses allowed
RUNZHEIMER INTERNATIONAL'S TOTAL EMPLOYEE MOBILITY BENCHMARKING REPORT. OCTOBER 2006

[Sidebar]
ON GUARD
Here are some tips from research firm Gartner for ensuring that home workers' wireless networks won't harm the corporate network or expose sensitive company information.
Turn off the service set identifier broadcast on all internal, nonpublic, nonguest access points. When this feature is off, the access point won't advertise its presence and will foil casual attempts to catalog access points.
Migrate to WPA2-compatible wireless LAN network interface cards (NIC), wireless drivers, supplicants and access points on all new purchases. Require the current best standard, WPA2, on all new WLAN equipment. Devices with non-Windows operating systems, especially smaller handheld devices, may need to use a third-party WPA2 supplicant.
Install a personal firewall in every laptop with a wireless NIC. Wi-Fi capabilities open up another attack path against laptops, particularly when they are used in public hot spots. The personal firewall built into Windows XP has minimal capabilities but is better than nothing.
Keep WLAN card drivers up to date. Vulnerabilities have already been discovered in some WLAN card network interface drivers that can cause exposure down to Layer 2 in the network stack.
Turn off peer-to-peer/ad hoc networking. All WLAN cards can link to other client systems without involving an access point, thereby losing all protection brought by strong authentication. Permanently disable this feature in registry settings.
Don't allow wireless and wired NICs to be active at the same time on a client system. When a client device is connected to a wired LAN, malicious software could use the wireless network for eavesdropping and network bridging.
-MARY BRANDEL

[Author Affiliation]
Brandel is a Computerworld contributing writer in Newton, Mass. Contact her at marybrandel@verizon.net.

Indexing (document details)

Subjects: Telecommuting, Virtual offices, Data integrity, Network security, Success factors, Risk management
Classification Codes: 9190 United States, 6100 Human resource planning, 5140 Security management, 5250 Telecommunications systems & Internet communications
Locations: United States--US
Companies: TriNet Employer Group Inc (NAICS: 561310)
Author(s): Mary Brandel
Document types: Cover Story
Document features: Illustrations
Section: STRATEGIES & TACTICS
Source type: Periodical
ISSN: 00104841
ProQuest document ID: 1228902321