As it is with most organizations today, the Lewis Group, an Upland, California-based real estate development group, faced a slew of potential risks when it wanted to provide its executives with access to their email from the road. Leakage of confidential data, viruses, and "shoulder surfing" were just a few of the concerns that came to IT managers' minds.
This meant that they needed to find a way to provide secure remote access from any computer – whether in a hotel, airport, customer or other site – without compromising the privacy of the firm's business dealings.
"We're a privately held company and the family that owns it, along with their people at the top of the company, want to be discreet and private about how they do business and who they are working with. They feel that most of their assets are in their relationships with people," says Dan Harman, IT administrator at the Lewis Group.
"They would not allow remote access if we were not able to do it in a way we knew was as safe as technology could make it."
The company decided to deploy an SSL (Secure Sockets Layer) VPN from Whale Communications, combined with SecurID tokens from RSA Security for two-factor authentication. About 50 of the company's 300 employees now have tokens, most of them business directors, managers or sales executives.
Like the Lewis Group, many other companies are looking to provide their employees with remote access to corporate applications, but are leery of putting their own networks at risk. With workforces becoming increasingly mobile, and with internet threats growing, companies are turning to a variety of technologies and strategies to secure mobile users.
Remote workers present a number of risks to the corporate network if their companies fail to implement proper controls, says Nick Galletto, a partner with Deloitte Security Services.
For instance, employees could unwittingly unleash viruses and worms into the network from insecure PCs. Other risks include confidential data left behind at a kiosk or an intruder looking over a user's shoulder to obtain passwords or other data. Plus, insecure wireless networks can allow intruders to eavesdrop and snatch information. Moreover, laptops and PDAs can be stolen, along with the sensitive information stored on them, he warns.
"The biggest challenge we see with remote users is taking the same level of policies you have implemented in your office and extending that to the remote site," says Galletto.
Helping businesses to establish policies for remote users – such as having a firewall enabled and updated anti-virus protection – is something that Deloitte consultants are doing more and more for customers. Companies should also use VPNs or SSL VPNs to encrypt traffic, deploy strong authentication that's either token- or certificate-based, and implement secure wireless access points that have an authentication gateway and use encryption, advises Galletto.
Productivity needs are pushing companies to provide remote access. This is especially true in healthcare, where shrinking staff and an aging population are pressuring the industry to increase productivity, observes Michele Taylor, senior solution marketing manager at SonicWall. At the same time, the healthcare industry must comply with HIPAA requirements to keep patients' data private and secure.
At the Bone and Joint Clinic in Franklin, Tennessee, appliance-based IPsec VPN technology from SonicWall helps boost productivity while ensuring HIPAA compliance, explains Duane Murray, the clinic's CEO. Doctors use the VPN to securely pull up patient records from home in order to answer questions that come up in the middle of the night.
"To be able to look at notes or an operative report that is back in the office is very helpful for the physicians," says Murray.
The VPN also allows staffers at facilities outside the main clinic office to update patient charts remotely, and it also speeds up network and server support. The clinic installed a SonicWall PRO Series firewall with 200 VPN clients at its headquarters, TZ 170 appliances at remote locations, and it uses a Global Management System for network monitoring.
For Imerys, a global minerals processor, devices from Cisco Systems provide IPsec VPN connectivity for its mobile workers. But the Paris-based company wanted a way to "provide access from any machine on the internet for its staff, who prefer not to lug their laptop around on short trips," says Dave Bailey, senior manager of e-commerce and messaging at Imerys. His company uses Whale Communications' SSL VPN, which is also called a clientless VPN because it does not require client-side software and it provides users with browser-based access from any internet-connected system.
SSL VPNs are gaining popularity as companies look to leverage any internet connection, not just for their employees, but also for partners and e-business, says Aimee Rhodes, strategic relations director at Whale.
"You're talking about organizations that want to roll this out to a very diverse user base. It's not just IT staff or executives, for whom you want to spend time and money managing an IPsec VPN," she comments.
When it comes to remote access, organizations have a range of concerns, from ensuring a PC has anti-virus to cleaning the cache so no user credentials, files or data are left behind, and logging off when they are done at a kiosk. "From a security perspective, they're looking for the ability to granularly control access to the applications. Not just the entire application, but parts of it," says Rhodes. "From home, you don't mind if they print, but if they're at a business site or hotel, you might not want them to print."
Endpoint policy compliance – that is, making sure machines have firewalls and anti-virus protection to prevent worms from infecting the network – was a top concern for Chugach Alaska Corp. and its mobile workforce of about 60 employees, says Randy Reed, director of information technology at the firm, which operates in several business areas by and for Native Alaskans.
"We can do that with the Whale VPN device, because it does policy checks when they connect," reports Reed. "The nice thing is we can create custom pages that pop up. If the users don't adhere to a policy, that pop-up will tell them where to go to get their virus pattern update or whatever they should do so that they adhere to that policy."
Imerys uses Whale's eGap Remote Access Appliance for email and a corporate intranet, as well as certain applications, including a consolidation, reporting and performance management system from Cartesis called Magnitude, which it makes available via Citrix Systems. For now, the company's ERP system is only accessible via the IPsec VPN. "It's a matter of which applications you want to publish and make available from the outside. If you have a true VPN client where it's your own company equipment, sure you can give them access to that. But if it's going to be from a web kiosk or somewhere else, you don't want to publish certain applications no matter what. It's truly driven by the business and what it is comfortable about making available," says Bailey.
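To make the decisions described in the preceding paragraphs concrete (a firewall and current anti-virus required before the session is allowed, a remediation message when the check fails, printing permitted from home but not from a hotel or kiosk, and some applications published only to company-managed machines), here is an added illustrative example in Python. It is not code from Whale, SonicWall, Net6 or any of the companies quoted; the application names, the three-day pattern-file age threshold, the three trust classes and the constructed timestamps are assumptions chosen for the example.

```python
# Added illustrative example: a posture- and context-gated access policy of the
# kind an SSL VPN gateway applies when a user connects. Hypothetical code, not
# the logic of any product named in the article.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumed threshold for "current" AV patterns

# Trust classes, lowest to highest. "kiosk" is any unmanaged machine outside the
# user's home (hotel, airport, customer site); "managed" is company equipment.
TRUST_ORDER = {"kiosk": 0, "home": 1, "managed": 2}

# Published applications and the minimum trust class each requires (assumed
# names). The ERP system stays restricted to managed devices.
APPLICATIONS = {
    "webmail": "kiosk",
    "intranet": "kiosk",
    "reporting": "home",
    "erp": "managed",
}

# Constructed reference time used by the demo below and by tests.
NOW = datetime(2005, 3, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    """Timestamp n days before NOW (helper for constructing sample postures)."""
    return NOW - timedelta(days=n)


@dataclass
class Posture:
    firewall_enabled: bool
    av_installed: bool
    av_signature_date: datetime  # last pattern-file update, UTC
    managed_device: bool


@dataclass
class Decision:
    allowed: bool
    trust: str = "kiosk"
    applications: set = field(default_factory=set)
    can_print: bool = False
    can_download: bool = False
    wipe_cache_on_logout: bool = True
    remediation: list = field(default_factory=list)


def check_posture(p: Posture, now: datetime) -> list:
    """Return remediation instructions; an empty list means the endpoint complies."""
    problems = []
    if not p.firewall_enabled:
        problems.append("Enable the personal firewall, then reconnect.")
    if not p.av_installed:
        problems.append("Install the corporate anti-virus client, then reconnect.")
    elif now - p.av_signature_date > MAX_SIGNATURE_AGE:
        age = (now - p.av_signature_date).days
        problems.append(f"Update the virus pattern file (currently {age} days old), then reconnect.")
    return problems


def trust_level(p: Posture, location: str) -> str:
    """Map device ownership and declared location to a trust class."""
    if p.managed_device:
        return "managed"
    if location == "home":
        return "home"
    return "kiosk"  # assume shoulder surfing and data left behind on the machine


def evaluate(p: Posture, location: str, now: datetime) -> Decision:
    """Decide what a session may do; a non-compliant endpoint gets remediation, not access."""
    problems = check_posture(p, now)
    if problems:
        return Decision(allowed=False, remediation=problems)
    trust = trust_level(p, location)
    rank = TRUST_ORDER[trust]
    apps = {name for name, needed in APPLICATIONS.items() if TRUST_ORDER[needed] <= rank}
    return Decision(
        allowed=True,
        trust=trust,
        applications=apps,
        can_print=rank >= TRUST_ORDER["home"],
        can_download=rank >= TRUST_ORDER["managed"],
        wipe_cache_on_logout=trust != "managed",
    )


if __name__ == "__main__":
    stale = Posture(True, True, days_ago(10), managed_device=False)
    print(evaluate(stale, "hotel", NOW).remediation)
    fresh = Posture(True, True, days_ago(1), managed_device=False)
    print(evaluate(fresh, "hotel", NOW))
    print(evaluate(fresh, "home", NOW))
```

The point of splitting `check_posture` from `evaluate` is that the gateway refuses the session outright on a failed posture check and returns the remediation text for the custom page Reed describes, while a compliant endpoint still only sees the applications and permissions its trust class earns.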
While Imerys uses a combination of VPN technology, the South Carolina Department of Probation, Parole and Pardon Services (SCDPPPS) is deploying the Net6 Hybrid-VPN Gateway to provide its agents with secure remote access to case files in courtrooms that are scattered across more than 50 counties. Net6's hybrid device intercepts all traffic at the network level and encrypts and transports information using SSL, according to Net6's chief executive Murli Thirumale.
SCDPPPS opted for the hybrid approach because an IPsec VPN was too hard to support and presented too many network configuration issues, while an SSL VPN would require the agency to "webify" its thick-client PowerBuilder application and mean additional costs, says David O'Berry, the department's director of IT services.
Instead of manually installing client software on each and every laptop, O'Berry's staff emailed a URL, which downloads the Hybrid-VPN client to the system. O'Berry says the Hybrid VPN was more cost-effective than an SSL VPN product he considered, and also provides endpoint security and remote control capabilities.