Security beyond the doors

As more firms mobilise their workforce, security becomes ever more pressing. James Matthews-Paul examines the state of play

As headlines touted the end of infrastructure as we knew it during this summer's Olympic Games, many British businesses elected not to fight what they could not beat.

They approved myriad flexible working measures, meaning that their staff could avoid the daily commute during this period, working from home on a selection of personal devices.

But with the remote working trend showing no sign of abating, what are the repercussions at the enterprise level for remote data and information security, and how can the IT channel guide businesses to a more secure future?

A new, "digitally native" workforce expects to enjoy the advantage of anywhere, any time data access, conversant as they are with Dropbox, iCloud and Gmail. The personal cloud alone is a $2.2tn (£1.36tn) market, according to Gartner Consumer Research.

The few board members working on the move are no longer the only road warriors; employees at all levels are extending their working hours and becoming more productive, not least thanks to BYOD. The cloud has removed another layer of opposition to staff putting in those extra few hours.

Two developments are driving even more momentum, and SMBs will soon need to shift their technology practices to catch up. IPv6, officially launched worldwide in June, is the gateway to a hyper-connected world where most electronic devices will have IP addresses, and 4G will enable the type of wireless connectivity that can support big data on the move.

The cloud provides a scalable, future-ready option for this support where in-house IT structures may eventually plateau, becoming too expensive to scale to handle the file sizes and protocols necessary.

Channel to the rescue

The IT channel can stand to benefit, and to help. Any company with employees working remotely must seriously consider improvements at the infrastructure level while providing a flexible and future-proof solution.

With Q2 2012 research by Vanson Bourne showing that three out of four enterprises are investing in server, storage and desktop virtualisation this year - and many buying into private cloud, flexible working and big data management options for the first time - it would appear that businesses are keen to invest.

Security is the lingering question. Loss of data or intellectual property can be particularly risky in the case of a client or staff member's personal information, which could contravene UK and European data protection law.

An annual study by the Ponemon Institute and Symantec found that the average cost per capita of a data breach in the UK rose to £79 per record in 2011, up from £71 in 2010 and £47 in 2007.

"Notably, negligent employees or contractors pose the biggest risk to organisations, responsible for more than a third (36 per cent) of all data breaches," Symantec said in a statement.

And the FBI in May this year urged additional caution on the mobile front, warning of malware attacks via requested "software updates" over hotel internet connections.

The logic extends to BYOD, where third-party applications and jailbroken devices could also have an impact on an enterprise's network or data security. But securing the device is difficult for a business that does not own the client device in question, so robust end-point security should ring-fence any sensitive data held therein.

"To ensure that all mobile devices are secure within the enterprise's IT security policy, most smartphones and tablets have to be issued with a security certificate," explains Gregory Webb, vice president of marketing at security vendor Venafi.

Certificate expiry can mean loss of network or remote access functionality, and if key management is not automated - and the certificate must be located on one of several servers - many work hours could be lost.

"Making sure watertight security policies are in place is essential when it comes to businesses adopting the cloud, irrespective of the devices that will be accessing it," urges David Ellis, director of new technology and services at distributor Computerlinks.

"This is a good opportunity for the channel to add value by advising customers on what they need to include to make sure corporate assets are kept secure."

Venafi's Webb concurs: "Managing certificates in an enterprise-wide, holistic manner is a vital part of IT security. Venafi has seen the area of certificate management becoming a key battlefield in the struggle against hackers, malicious insiders, thieves and criminals.

"Bad management of certificates is now a critical weakness in many enterprises."

However, Andy Kemshall, co-founder and CTO at SecurEnvoy, argues that a different approach is needed when the devices concerned do not originate from within the organisation.

"Strong authentication solutions based on certificates or smartcards cannot work with BYOD so the only way forward is two-factor authentication - either based on tokens, or tokenless.

"With tokenless two-factor authentication solutions, such as SecurAccess, the user is sent their passcode by SMS, which they save on their phone until they need to use it. Once it has been used, they are immediately sent the next one -- meaning it is there ready and waiting for them when they next need to authenticate themselves.

"For businesses, the benefit is significant cost savings over physical tokens, and the ability to get the system up and running quickly and easily. For the channel partner supplying them, tokenless works on a subscription model, giving them stable, repeat business each year."

Infrastructure-led solutions

A panel session at the online Virtual Security Summit in September, held by CRN's sister publication V3, argued that tackling this issue at the infrastructure level rather than on the device itself provides several advantages, each of which could help the IT channel in advising its customers.

Andy Bushby, technology director for information security at Oracle, said access policies can be controlled and changed internally if implemented in this way, and can identify users by the context of their attempted connection.

Richard Mardley, strategic business director of consultancy aurionPro SENA, agreed. He told the panel that such a policy allows jailbroken devices to be refused access, for example, or criteria-based rejection to be performed.

An off-site engineer using a secure network remotely may need mission-critical information to complete a job, and that is permissible. But is that really the finance director logging in to peruse payroll data at 10pm on a Friday?

The channel can help companies implement an application-fluent network that recognises different traffic types from various user and device profiles, prioritises the traffic and approves or denies service as appropriate.

Computerlinks' Ellis agrees with a device-agnostic approach.

"Resellers can then offer technologies such as mobile device management, which extend existing enterprise and network security policies across mobile platforms. This way, it should not matter which device is accessing the network because it will be forced to comply with corporate policy," Ellis says.

"It will also be subject to the scrutiny of other security technologies, including firewalls, anti-virus, anti-spam, content filtering, application behaviour control and jailbreak detection."

The answer lies in consultation. BYOD might not be right for everyone in the business, and the option to wipe any device if lost may benefit both company and user. Critical data could be kept in the private cloud, with other information in its public counterpart, offering the best of both worlds.

Every business is different, so IT resellers should be prepared to advise not just on the technology implementation, but also the appropriate corporate acceptable use policy and types of encryption.

With companies becoming less location-centric and workers more opportunistic, there is sure to be good business in helping everyone along the path of least resistance -- so long as it is secure.