How can businesses deliver flexible, scalable and secure remote access to staff during incidents, while controlling costs? Nick Lowe describes a new approach to the problem.
If you’d looked through the business continuity plans of the world’s top 500 companies in March of this year, it’s unlikely you’d have found a scenario that covered a volcanic eruption in Iceland. Yet just a month later, the giant ash cloud from the Eyjafjallajökull volcano closed airspace in Europe for six days, paralysing transport links, stranding employees away from their homes and workplaces, and bringing disruption to businesses worldwide.
As often happens with such unexpected events, the eruption forced businesses to review their business continuity plans to accommodate a wider range of eventualities.
For most organizations, secure remote access for staff and partners is a core part of business continuity planning, to ensure that business can continue if normal workplaces are not accessible or usable.
Organizations want a remote working solution that is secure, flexible enough to scale quickly to accommodate unexpected events, and that doesn’t require expensive, ongoing licensing, maintenance and support.
This last point is critical, because in normal circumstances the remote access solution would not be utilised to anywhere near its full capacity. This can create a conflict between the need to control costs, and the need to deliver rapid, business-wide availability.
It’s this conflict that presents real challenges, both for businesses and for the IT teams that have to deliver and manage the contingency access solution.
The numbers game
The first challenge is establishing how many remote users the business will need to support. A client-based VPN solution may not give the required flexibility, because it needs client software to be licensed and deployed before users can get access.
Typically, only management and senior staff have VPN clients deployed on their laptops or home PCs. How should the business roll out secure access to all staff quickly in a business continuity incident, if VPN clients are not already set up?
The solution must therefore be flexible enough to accommodate both fully managed devices (company laptops and smartphones) and unmanaged devices without VPN clients (home or partner PCs, web kiosks).
It also needs to give close control over users’ access, with the ability to grant or restrict access rights depending on individual needs, level of trust, device type and security status.
At the end (point)
The next challenge is ensuring (and enforcing) security compliance at each endpoint. Traditional VPN solutions need each remote user’s PC to have up-to-date protection against malware, and the latest software patches. Without these, malware could use the remote session to attack the corporate network, or a Trojan could capture sensitive information on the endpoint PC itself.
The solution needs to include data encryption, so that no usable information remains on the endpoint, and cache cleaning to remove all traces of work from the PC when the session ends. It should also be unobtrusive in action, so it doesn’t interfere with the user’s activities, while applying security that protects against external threats and against the user’s own mistakes or oversights.
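As an added illustration (not from the article, and not a description of any Check Point product), the following policy maps the posture an endpoint reports to an access tier along the lines the two preceding sections describe: a managed, compliant device gets full network access; unmanaged devices, partners and non-compliant managed devices are confined to a clientless web portal with no local download; an endpoint with no anti-malware at all is refused. The field names, tiers, thresholds, evaluation date and the four sample users are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Policy thresholds (illustrative values, not taken from the article).
MAX_AV_SIGNATURE_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 30

# Fixed evaluation date so the example is deterministic; a real access
# gateway would use the current date.
TODAY = date(2010, 6, 17)


@dataclass
class Posture:
    """What a connecting endpoint reports about itself (constructed record)."""
    user: str
    role: str                  # "staff" or "partner"
    managed: bool              # company-owned device under central management
    device_type: str           # "laptop", "smartphone", "home_pc", "kiosk"
    av_installed: bool
    av_signature_date: Optional[date]
    last_patch_date: Optional[date]
    disk_encrypted: bool


@dataclass
class Decision:
    tier: str                  # "full", "web" or "denied"
    allow_download: bool       # may files be saved to the endpoint?
    reasons: List[str]         # posture checks that failed


def _older_than(d: Optional[date], max_days: int, today: date) -> bool:
    # A missing date is treated as failing the check.
    return d is None or (today - d).days > max_days


def compliance_failures(p: Posture, today: date = TODAY) -> List[str]:
    """Return the posture checks the endpoint fails (empty if compliant)."""
    failures = []
    if not p.av_installed:
        failures.append("no anti-malware installed")
    elif _older_than(p.av_signature_date, MAX_AV_SIGNATURE_AGE_DAYS, today):
        failures.append(f"anti-malware signatures older than {MAX_AV_SIGNATURE_AGE_DAYS} days")
    if _older_than(p.last_patch_date, MAX_PATCH_AGE_DAYS, today):
        failures.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if not p.disk_encrypted:
        failures.append("local disk not encrypted")
    return failures


def evaluate(p: Posture, today: date = TODAY) -> Decision:
    failures = compliance_failures(p, today)

    # No anti-malware at all is a risk to the network whoever is using the
    # device: refuse the session outright.
    if not p.av_installed:
        return Decision("denied", False, failures)

    # Partners and unmanaged devices (home PCs, kiosks) never get a
    # network-level tunnel; they are limited to a clientless web portal
    # and may not save data locally.
    if p.role == "partner" or not p.managed:
        return Decision("web", False, failures)

    # Managed but non-compliant: confine to the portal until remediated,
    # reporting what needs fixing.
    if failures:
        return Decision("web", False, failures)

    return Decision("full", True, [])


# Constructed sample postures for four users.
SAMPLE_POSTURES = [
    Posture("alice", "staff", True, "laptop", True, date(2010, 6, 15), date(2010, 6, 8), True),
    Posture("bob", "staff", True, "laptop", True, date(2010, 5, 20), date(2010, 6, 8), True),
    Posture("carol", "staff", False, "home_pc", True, date(2010, 6, 16), date(2010, 6, 1), False),
    Posture("dave", "partner", False, "kiosk", False, None, None, False),
]


def decisions() -> dict:
    """Map each sample user to the access tier the policy assigns."""
    return {p.user: evaluate(p).tier for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for p in SAMPLE_POSTURES:
        d = evaluate(p)
        print(f"{p.user:6} {d.tier:7} download={d.allow_download} {'; '.join(d.reasons)}")
```

The point of separating `compliance_failures` from `evaluate` is that the same checks can drive both the access decision and the remediation message shown to a user who lands on the portal instead of the full network.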
Meeting these requirements could prove both complex and prohibitively expensive if conventional, point security products – such as separate VPN, anti-virus, data encryption, personal firewalling and intrusion prevention – were to be deployed on a large fleet of corporate laptop PCs.
The result is that enterprises need an alternative approach to remote access, to help cut both the complexity and the expense from contingency planning.
A secure PC in your pocket
For a number of years now, the idea of giving users a personal ‘PC on a USB stick’ has been an option, with multi-gigabyte thumb drives now available at small-change prices. But security concerns mean this has not been recommended for corporate deployments, as conventional USB sticks don’t support remote access or security apps such as anti-virus and encryption.
However, secure flash drives are now available with on-board, automated hardware encryption, which secures stored data against drive loss or theft. These devices also support central management by IT teams.
So why not use a secure drive as the platform for a portable workspace solution? Using virtualization techniques, the solution could create a virtual desktop for the user when inserted into the USB port of any PC, anywhere. This would transform the host into a trusted endpoint for the duration of the session, with a secure VPN connection for accessing the corporate network.
This way, users could be presented with the same desktop view that they have in their offices, complete with their shortcuts and files. Ergonomics are straightforward: users simply insert the device, key in their passwords and start working. Data is manipulated using the host PC’s apps, while remaining protected within the virtualized workspace generated from the flash drive.
This protects both local data and the corporate network, shielding them against malware, hacking attempts and data loss or theft. No data is written to the host PC, and malware on the host PC cannot read the workspace’s encrypted storage. The protection is not absolute, however: because the workspace runs on the host’s processor and uses the host’s applications, malware already running with administrative or kernel privileges on that host could still log keystrokes or capture the screen during the session. The approach reduces exposure on an untrusted PC rather than eliminating it.
When the user ends the session, the secure virtual workspace would disappear and, because all data is written encrypted to the flash drive – bypassing the host PC – leave no trace of the session or VPN connection.
Even when the solution is not in use, all information would be automatically encrypted on the flash drive, so user credentials, files, documents, and other confidential data remain protected if the device is stolen. As mentioned earlier, such devices can now be centrally managed, so that corporate policies can be applied, and drives re-provisioned if lost.
The key to continuity
A secure virtual workspace solution of this type would resolve the problems of cost, complexity and scalability for remote access in contingency planning. It would enable companies to give staff and partners consistent, controlled, secure access that is completely independent of the host PC.
The solution would also be far easier and cheaper to deploy and manage than a fleet of corporate laptops. It’s pocket-sized, making it easier for staff to carry with them wherever they go; it would remove the headaches of controlling a large number of endpoints while delivering large-scale remote access; and it would keep confidential data secure at all times.
Events like the Icelandic eruption are unpredictable and very rare. But by taking a fresh approach to secure access as part of their business continuity planning, enterprises could enjoy a more flexible approach to remote working, and be better prepared the next time that the unexpected strikes.
Nick Lowe is head of Western Europe sales for Check Point. He is an expert across IT security, from technology development and evolving threats to compliance and security reporting. He oversees all activities with Check Point's customers and partners in the region. http://www.checkpoint.com/
Date: 17th June 2010 • Region: UK/World • Type: Article • Topic: IT continuity