10/7/2010
10:28 AM

Two Ways For SMBs To Secure Their Home Workers

Giving work-at-home employees unfettered access to your systems is so 1999; now, clean virtual private networks or terminal services can help

In the slowly recovering economy, telecommuting has become an essential way for businesses to retain valuable workers, increase productivity, and support "green" initiatives. But from a security perspective, telecommuting can also be dangerous -- if you don't have the right technologies in place.

For small and midsize businesses (SMBs), telecommuting is taking off. Nearly 60 percent of SMBs plan to increase their use of telecommuting to cut costs in the next 12 months, according to a survey conducted by Staples Advantage, the IT service of the well-known office-supply chain. Yet many SMBs don't have the expertise in-house to deal with security -- about 40 percent rely on external IT support to run their operations, the study found.

"Technology has now made it a lot easier for people to telecommute, and the evolution of this technology is such that we are going to see more and more organizations have people working from home," says Jim Lippie, president of Thrive Networks, which handles Staples' IT service.

Managing the security of telecommuters is a challenge, especially if workers share their computers with other family members. Tackling the problem generally involves one of two solutions, according to security experts. You can leave management of devices in the hands of employees and use network access controls to enforce security policy. Or you can give the telecommuter a "virtual desktop" hosted on your company network, enabling you to manage the home worker's desktop from the data center.

Pairing network access controls with a virtual private network can give SMBs some control over their remote employees' systems and help ensure the most obvious security measures have been taken, says Dave Ahrens, security architect for Internet telecommunications firm Avaya.

"Some solutions do push down a system check to make sure that the end user's PC is up to date with patches and up to date with antivirus," Ahrens says. "Those are all capabilities that VPN vendors are providing."

In addition, current virtual private networks allow the company to put stronger authentication controls in place, deterring potential attackers. Companies should not, however, treat the data coming from their employees' systems as clean.

"It depends on the budget for a small or medium enterprise, but once you have the VPN, you can put a firewall behind it to filter out any traffic that is coming through ... or an IPS [intrusion prevention system] or an IDS [intrusion detection system]," Ahrens says.

For companies that want to centralize the management of their telecommuters' desktops, a terminal server is an ideal solution, Thrive's Lippie says. The telecommuter logs into the terminal server using strong authentication and is presented with a desktop on which to work. However, the desktop is running on the terminal server, not on the worker's home machine.

The ability to separate a telecommuter's system from the corporate network makes terminal servers very secure, Lippie says.

"When they are in the terminal server, it does not matter how messed up their home computer is," he says.

Thrive recommends terminal servers to its clients as the preferred method of allowing employees to work from home securely and still access corporate resources. While Citrix is the most well-known vendor of terminal servers, Microsoft's Small Business Server also has the option to run terminal services.

"Having a terminal server -- or something of its kind -- is absolutely essential," Lippie says. "The last thing you want from an IT management perspective is to have multiple different people working from their home machines with very little oversight or policy enforcement."
