Securing the Virtual Team
Abstract
Today’s business environment is becoming increasingly mobile. The paradigm of the previous generation of going to work at the same office for many years at a time is changing. As contemporary business practices evolve, an ever-larger percentage of our workforce is using mobile computing devices.
This flexibility of when and where to do business has many benefits, but brings with it a number of challenges, not only for the corporate IT department, but also for risk management, compliance, corporate communications and sales & marketing teams. The price of staff doing business remotely is that they need access to sensitive data and to interact with your core business systems while away from your offices – and outside your main security controls.
Laptops are routinely lost or stolen; USB memory sticks are dropped; emails are accidentally sent to the wrong person. The consequences may just be embarrassment, or may be far more serious. Recent laptop losses have figured in international news, such as when Ernst & Young personnel lost a laptop containing personal information about IBM staff.
http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/
Incidents involving loss of client data have led to bad press, brand impact, falling share prices for public companies, loss of customer confidence, relationships and sales opportunities, and can lead to fines if compliance or legal requirements are breached.
This article discusses approaches to solving these problems and managing them in a cost-effective and user-friendly way, while providing appropriate controls that meet compliance and legal obligations.
Castelain has already implemented many of the solutions discussed in this document to secure its own virtual team as well as those of its clients.
Understanding the problem
Properly understanding the problems of mobile security, how they arise, their ramifications and how to address them is critical to finding a solution that suits you and the way your business actually operates. There is no single approach that suits everyone.
As your staff become increasingly mobile you will have to confront questions such as:
- can I work from home tomorrow?
- can you email me that (confidential) report?
- can you review the draft document I’ve just prepared?
- can I use my dongle to store this stuff?
These questions are eminently reasonable, indeed most people wouldn’t think twice about answering ‘Yes’ to all of them. This is hardly surprising; in many consulting organisations, staff need to be able to reuse work done earlier; they need to share material; they need to collaborate on documents, even when they are not in the same country.
The security problems of this business approach revolve around two things: secure remote access and secure usage of data. This is not just about firewalls and VPNs, virus scanners and malware scanners — it’s about securing the entire usage of data across the user base, the devices on which data is processed and any media used to transport and store it.
The risks can come from a number of areas: loss, theft, interception, malware, data corruption or hardware failure to name a few. A good starting point is to list your data assets and risks, then work on mitigation strategies that suit your environment and your willingness to accept risk.
In doing this, the ramifications of security breaches also need to be considered. After all, if a thief steals one of your staff member’s laptops, it can be more than your company’s reputation that is at stake: your company can be liable for large fines; directors can be held personally liable and even imprisoned.
Defining a realistic security policy
Most companies have based their security policies upon ISO/IEC 17799:2001 or similar recognised standards that prohibit connecting company assets directly to foreign (non-company owned or controlled) or unregulated networks (like the Internet). This approach is clearly not practical for organisations with a mobile workforce who need to use Internet cafes, wireless hotspots and even clients’ networks to stay in touch with their customers and team.
An organisation’s security policy must accommodate its business model and business practices. Failing to develop a realistic policy, or crafting an ill-fitting one, leads to the policy either not being applied properly or, worse, being viewed as “optional” or not followed at all.
Basic business sense: don’t set rules that you can’t police or that will almost certainly be broken.
ISO 17799 and similar standards should not be viewed as rigid, prescriptive formulae, but more as guidance notes that provide a common framework for creating and managing policy. A core tenet of these standards is that security measures and controls should be appropriate to the business; the Preface of ISO 17799 states: “Not all the controls described in this Standard will be relevant to every situation. It cannot take account of local environmental or technological constraints, or be present in a form that suits every potential user in an organization. Consequently this Standard might need to be supplemented by further guidance.”
Developing a security policy takes time and has to meet the requirements of the business and its customers. Nearly all companies have various legislative or financial compliance frameworks, which are a good starting point, as they stipulate minimum standards and provide a basis for other controls. Think about what your company does and how it works; a realistic security policy includes all these things and provides a control framework into which systems can be implemented and companies can cooperate and share access to systems and data.
Above all, a realistic security policy will provide a consistent reference point to explain what needs to be done, to what extent and why.
Working out the business requirements
Businesses with a mobile workplace need systems that are secure but flexible.
Before investing in any security solution or technology it is essential that you understand and document the business requirements. (Despite what some vendors claim no security product addresses all risks and one size does not fit all!)
If you were to ask a representative cross-section of your business for their business requirements around security, they would probably say that:
- it must be easy to use
- should ideally be transparent to the user
- must integrate into all core systems (ideally every system) consistently
- should provide industrial-strength security to the mobile environment
- should allow staff to share documents and communicate remotely
- should not cost too much to implement
- must work with current and legacy systems
- must be future-proof
- should be self-documenting
- should not create excessive work for the IT department.
For anyone who has worked in IT, this ‘wish list’ of requirements will be familiar, but it is not necessarily unrealistic.
In documenting your business requirements, don’t forget to define your success criteria. The issue here is that, unless you set success criteria alongside the requirements it can be hard to agree whether an initiative has met its aim. Setting success criteria provides both a ‘direction’ and a ‘distance’ to which the business users and IT department can agree.
The business requirements normally fall into three main groups: constraints, enablers and features. A common mistake is to try to address all these requirements as a single group and in a single solution. The UNIX philosophy of having a number of small tools that have specific functions can work quite well here and make integration and planning easier. It also makes it possible to select ‘best-of-breed’ options for each group of requirements and divide the initiative logically into separate tasks.
Finding a solution
Many vendors offer bundled solutions. Many of these solutions are for the small or home office (SOHO) markets and are of limited use in the corporate sector. These SOHO packages rarely scale well beyond a very small number of seats and often introduce more management issues than they solve. It is often better to choose your own components that fit your company’s needs, environment and existing skills and capabilities.
The concept of KISS (Keep It Simple, Stupid) pays dividends when choosing solutions. To avoid unnecessary integration issues with existing infrastructure, it is a good idea to use standards-based solutions and open protocols. If your organization uses a combination of Mac, Windows and Linux machines, it makes little sense to choose a solution that only works for one and not the others.
Use what you’ve already got
Major costs in implementing new security systems can come from training staff, buying in new skills that don’t exist in-house, and the loss of productivity during system implementation. If you have a specific skillset or capability inside your environment, it makes sense to look at what you can do within your existing capabilities before buying a brand new solution.
The easiest way to ensure a successful outcome is often to reuse existing capabilities, skills and, where appropriate, toolsets.
Calculate the real cost
Few initiatives get past inception without a fairly robust business case. Despite this, many projects end up going over budget usually because vendors and staff tend to underestimate the deployment and training costs. If your product vendor is doing the implementation work – then agree on a fixed price up front. Talk to others in the industry about what the real cost is likely to be and the pitfalls to avoid.
Security is not cheap, but inadequate security has the potential to be significantly more expensive.
Standard recommendations about capital and ongoing costs apply when calculating the costs of any solution; experience has shown that it is worth calculating security solutions beyond a single hardware lifecycle, with five years being a good period.
You need to weigh the cost of security initiatives against the cost of not doing anything. Large numbers often appear when you realistically estimate the costs of loss of productivity, extra work, brand damage, fines and so forth, although FUD (Fear, Uncertainty & Doubt) should be avoided wherever possible. Many vendors use inflated figures based upon such FUD to justify the costs of their products. You should work these costs out for yourself and decide how much risk you can bear before inviting vendors to ‘assist’ you with business cases.
In the end, pragmatism and good business sense should rule the day.
Tools of the trade
There are some ‘tools of the trade’ that can help and some common-sense approaches that can save a lot of time, money and loss of productivity. As previously mentioned, an important one is to adopt standards-compliant toolsets and use open standards. These avoid proprietary protocols and allow future-proofing, reusability and interoperation with other systems.
The next few sections discuss potential solutions to particular challenges and how to use the following tools and approaches:
- encryption
- segregation
- security in depth
- strong authentication.
Securing data on laptops
Laptops get lost. Very few companies will find the replacement cost of the laptop itself an issue, but the loss of data, the need for rework and the potential for confidential information being disclosed are serious concerns. A later section will discuss protection against data loss, but this section concerns protecting against unauthorised disclosure.
You can’t prevent a laptop being lost, but there are a number of steps that can help prevent other people getting access to the information stored on it: BIOS passwords, Trusted Platform Modules (TPMs) and disk encryption are three of them.
BIOS passwords
Just about every laptop can have BIOS passwords that activate when you switch the machine on or try to change the base settings. These should be set with nonobvious passwords (don’t use the asset tag number) and recorded in a central support location.
Trusted Platform Modules
Many laptops now ship with a Trusted Platform Module (TPM), a hardware chip that can store keys and other secrets, and you should use it wherever it is practicable. A TPM does not encrypt the disk itself; rather, the disk-encryption key can be sealed to the TPM so that the disk is readable only in its original machine. This is not as secure as it sounds: in the common ‘transparent’ configuration the key is released at boot without any user PIN or passphrase, so the disk cannot be read in a different machine, but anyone who switches on the parent laptop gets a fully decrypted disk.
Disk encryption
With the ever-increasing CPU power in modern hardware, software-based full-disk encryption packages with reduced impact on usability are becoming available, such as SafeNet’s ProtectDrive, PGP’s Whole Disk Encryption and, on Linux, LUKS (Linux Unified Key Setup) on top of dm-crypt. Full-disk encryption is particularly useful if you want a transparent security solution, but it has a number of integration and technical-support challenges that can make it hard to use in large-scale environments.
Factors to consider in choosing a product include:
- What’s encrypted – Many products sold as “full disk encryption” do not encrypt the whole block device but only the files stored on it. File-level encryption leaves swap space, hibernation files, temporary files, free space and file names and sizes in the clear, and each of these can carry sensitive data; check that the product encrypts the entire volume, including swap and hibernation, and what exactly it leaves unencrypted for the boot loader.
- Support for public key technology – Some full-disk encryption solutions use symmetric keys only, which can be difficult to manage in a mobile environment and are vulnerable to social engineering attacks when widely deployed with common or limited keys.
- Support for cryptographic tokens – Using cryptographically-enabled tokens provides a number of security and usability benefits. Tokens can securely store very strong keys, protected using a relatively simple password (cryptographic tokens normally lock after a number of incorrect password attempts).
- Performance overhead – Encrypting anything requires processor time. The performance penalty will depend on the product and algorithm used.
An alternative to full disk encryption is to encrypt only a specific data drive or set of folders. Many operating systems provide support for this natively. This requires the user to be aware of the need to store files in the secure locations rather than wherever the application wants to put them.
Partial disk encryption doesn’t generally protect automatically-created metadata, registry-based information, swap space or hibernation files, so copies of sensitive data can end up outside the encrypted area. In some cases, this can lead to controls being breached or circumvented.
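A quick way to find out what a Linux laptop actually leaves in the clear is to walk the block-device tree and ask, for every mounted filesystem and active swap area, whether a dm-crypt layer sits beneath it. The script below is an added example (not from this article or any product mentioned in it); it reads the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints (older util-linux prints `mountpoint`, which is the column name assumed here), and the sample tree embedded in it is constructed by hand: root on LUKS, but swap on a plain partition, which is exactly the case where a hibernation image writes the contents of RAM to an unencrypted area. The set of mountpoints allowed in clear (`/boot`, `/boot/efi`) is an assumption for a typical layout.

```python
"""Audit which mounted filesystems and swap areas are backed by dm-crypt.

Added example, not code from the original article.  Run with no argument to
audit the constructed sample tree below, or pass a file captured with
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT > tree.json` to audit a real machine.
"""
import json
import sys

# Constructed sample (assumption, not a real machine): root on LUKS, swap in clear.
SAMPLE_LSBLK = json.loads("""
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]},
       {"name": "nvme0n1p4", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
     ]}
  ]
}
""")

# Mountpoints the boot loader must read and which are therefore expected in clear
# (assumption for a typical layout; adjust for your own image).
ALLOWED_CLEAR = {"/boot", "/boot/efi"}


def _walk(dev, encrypted_above, out):
    """Depth-first walk.  A mount counts as encrypted when it, or any ancestor
    in the device tree, is a dm-crypt ("crypt") device."""
    enc = encrypted_above or dev.get("type") == "crypt"
    mountpoint = dev.get("mountpoint")
    if mountpoint:                       # lsblk reports active swap as "[SWAP]"
        out.append((mountpoint, dev["name"], enc))
    for child in dev.get("children") or []:
        _walk(child, enc, out)


def mount_coverage(lsblk_json):
    """Return [(mountpoint, device_name, encrypted)] for every mounted fs / swap."""
    out = []
    for dev in lsblk_json["blockdevices"]:
        _walk(dev, False, out)
    return out


def unencrypted_mounts(lsblk_json, allowed_clear=ALLOWED_CLEAR):
    """Mountpoints (including [SWAP]) with no dm-crypt layer beneath them,
    excluding those the policy explicitly allows in clear."""
    return sorted(mp for mp, _dev, enc in mount_coverage(lsblk_json)
                  if not enc and mp not in allowed_clear)


if __name__ == "__main__":
    tree = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LSBLK
    for mp, dev, enc in mount_coverage(tree):
        print(f"{mp:12} {dev:12} {'encrypted' if enc else 'CLEAR'}")
    leaks = unencrypted_mounts(tree)
    print("unencrypted data areas:", leaks or "none")
    sys.exit(1 if leaks else 0)
```

On the sample tree the script reports `[SWAP]` as the one unencrypted data area; on a laptop that hibernates, that single finding means the whole contents of memory, including any open documents and cached credentials, can be read off the disk by anyone who removes it.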
Whatever solution you choose, it is important to involve your users in usability testing before you deploy it. As the depth and strength of security increases, usability often decreases, and finding the happy medium is the key to ensuring that your people actually use the solution.
Securing email
Many vendors provide solutions for securing email. Beyond spam filtering, many companies are now choosing to use secure email, because sales teams and professional consultancies often need to send sensitive data by email.
Using secure email allows staff working in the field to send and receive email containing sensitive information. It can also provide proof of the origin and authenticity of an email to the recipient – a feature that is critical to some businesses.
Most email packages already support secure email using the S/MIME standard, though the degree of difficulty in implementing secure email can vary from package to package.
Using secure email brings up a number of challenges: managing keys, backing up encrypted emails, recovering email from ex-employees’ data stores, controlling unauthorised transmission of company IP, privacy legislation compliance and so forth. A multitude of products offer solutions to these issues and finding the best ones for your organisation can be a daunting task in itself. Quite often a combination of approaches can be required:
- spam filtering to cull unwanted email
- S/MIME to encrypt email, prove who sent it and stop the sender later denying having sent it
- Data labelling and email content inspection technology to prevent sensitive documents accidentally being sent to the wrong person
- Cryptographic tokens and token management technology to hold the encryption keys used and assist in data recovery.
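The third item in that list, a content-inspection gate that stops a labelled document going to the wrong address, is simple enough to sketch in code. The example below is added here and is not a product or code from the original article: it reads an outgoing message, derives its classification from a label header, from markers in the body text and from attachment file names (worst label wins), and blocks the send when anything above PUBLIC is addressed to a domain outside the company. The header name `X-Classification`, the marker words, the company domain `example.com` and the sample messages are all assumptions constructed for the example.

```python
"""Outbound mail gate: block sensitive content addressed outside the company.

Added example, not code from the original article.  Everything below that
names a header, a domain or a marker word is an assumption for illustration.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}          # assumption: our own mail domains
LABEL_HEADER = "X-Classification"           # assumption: set by the client/labelling tool
SENSITIVE = {"CONFIDENTIAL", "RESTRICTED"}  # assumption: the labels that may not leave
# Markers as whole words, but tolerant of underscores in file names (Q3_CONFIDENTIAL.pdf).
MARKER = re.compile(r"(?<![A-Z])(CONFIDENTIAL|RESTRICTED)(?![A-Z])")


def recipients(msg):
    """All To/Cc/Bcc addresses, lower-cased."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        addrs += [a.lower() for _name, a in getaddresses(msg.get_all(hdr, []))]
    return addrs


def external_recipients(msg, internal=INTERNAL_DOMAINS):
    return [a for a in recipients(msg) if a.rsplit("@", 1)[-1] not in internal]


def classification(msg):
    """Highest label found in the label header, text parts or attachment names."""
    found = set()
    header = (msg.get(LABEL_HEADER) or "").strip().upper()
    if header in SENSITIVE:
        found.add(header)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            found |= set(MARKER.findall(part.get_content()))
        filename = part.get_filename()
        if filename:
            found |= set(MARKER.findall(filename.upper()))
    for level in ("RESTRICTED", "CONFIDENTIAL"):  # worst label wins
        if level in found:
            return level
    return "PUBLIC"


def gate(msg):
    """Return ('block' | 'allow', reason) for an outgoing message."""
    level = classification(msg)
    external = external_recipients(msg)
    if level != "PUBLIC" and external:
        return "block", f"{level} content addressed to external recipients: {', '.join(external)}"
    return "allow", f"{level} content, external recipients: {', '.join(external) or 'none'}"


def build(to, cc, subject, body, label=None, attachment_name=None):
    """Construct a sample outgoing message (test data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = subject
    if label:
        msg[LABEL_HEADER] = label
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg


if __name__ == "__main__":
    samples = [
        build("bob@example.com", None, "Q3", "Draft CONFIDENTIAL forecast attached."),
        build("bob@partner.example.net", None, "Q3", "Draft forecast attached.", label="Confidential"),
        build("bob@example.com", "carol@gmail.example", "Q3", "See attached.",
              attachment_name="Q3_forecast_CONFIDENTIAL.pdf"),
        build("bob@partner.example.net", None, "Lunch", "Pizza on Friday?"),
    ]
    for m in samples:
        print(gate(m))
```

The second and third samples are the cases the article is worried about: a label set by the author but a mistyped external address, and a document whose only classification is in its file name, copied to a personal webmail account. A real deployment would also inspect attachment contents rather than only names, but the decision logic stays the same.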
Securing shared data
Consultants spend much of their time outside their offices and giving them secure access to shared company data can be a major problem.
There are several strategies, such as replicating data stores, that have limited application and quite often introduce more problems than they solve. A key to solving some of these issues is to review exactly what data you need to be distributed and what you don’t. Many products, such as mail archiving, document management and code version control solutions can be put to good use for mobile teams. A particular piece of data is retrieved from the central, secure storage only when required, rather than being ‘handed out’ to everyone. Version control is often used to resolve conflicts and gives multiple users access to common data with vastly reduced risk. The enabler for this approach is secure communications back to the company network. With the advent of fast wireless networks and 3G networks, this is becoming increasingly easy to implement.
Mobile teams need access to the latest data. If data is out of date, decisions can be based upon incorrect information, sales forecasts can become skewed and pipeline management systems affected. Good connectivity and frequent communications back to the core network are essential to maintain the security of the data, in terms of integrity and availability.
Perimeter security
Many organisations spend large amounts on perimeter security technology while allowing remote workers to connect with relatively low security connections. This creates an obvious vulnerability.
Virtual Private Networks (VPNs) are commonly used to enable remote workers to connect to company networks. There are several types of VPN, ranging from the standard Windows PPTP (Point-to-Point Tunnelling Protocol), whose MS-CHAPv2 authentication has known weaknesses, to far stronger IPSec-based solutions from vendors such as Cisco, Juniper and Nortel.
Once connected to a VPN, many users are automatically connected to the company’s core networks. This has its risks, as remote, isolated devices are more likely to have viruses/malware/Trojans, etc. A number of solutions offer a ‘demilitarized zone’ for remote devices that enforce mandatory policies before granting the users full access. This approach of ‘security in depth’ can significantly reduce risks to the organisation and its data.
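The ‘demilitarized zone’ approach amounts to a posture check run before the client is moved out of quarantine. The policy evaluator below is an added example, not code from any VPN product or from this article: it takes a posture report of the kind an endpoint agent would collect, applies thresholds (which are assumptions) for disk encryption, host firewall, anti-malware signature age, patch age and client version, and returns either full access or a quarantine zone from which only the remediation hosts (also assumed names) are reachable. The two sample reports are constructed for the example.

```python
"""VPN quarantine posture check.  Added example; thresholds, posture fields,
host names and the sample reports are assumptions, not from the article."""
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(days=3)    # assumed policy threshold
MAX_PATCH_AGE = timedelta(days=30)       # assumed policy threshold
MIN_CLIENT = (4, 2)                      # assumed minimum VPN client version

# Assumed remediation hosts reachable from quarantine; everything else is dropped.
REMEDIATION_ONLY = ["patch.corp.example:443", "av-update.corp.example:443",
                    "helpdesk.corp.example:443"]
FULL_ACCESS = ["10.0.0.0/8", "*.corp.example"]


def _age(iso_ts, now):
    """Age of an ISO-8601 timestamp (with offset) relative to `now`."""
    return now - datetime.fromisoformat(iso_ts)


def evaluate(posture, now):
    """Return (zone, reasons); zone is 'full' or 'quarantine'."""
    reasons = []
    if not posture.get("disk_encrypted"):
        reasons.append("disk encryption not active")
    if not posture.get("firewall_on"):
        reasons.append("host firewall disabled")
    if not posture.get("av_running"):
        reasons.append("anti-malware not running")
    elif _age(posture["av_signatures_utc"], now) > MAX_SIGNATURE_AGE:
        reasons.append(f"anti-malware signatures older than {MAX_SIGNATURE_AGE.days} days")
    if _age(posture["last_patch_utc"], now) > MAX_PATCH_AGE:
        reasons.append(f"OS patches older than {MAX_PATCH_AGE.days} days")
    if tuple(posture.get("client_version", (0, 0))) < MIN_CLIENT:
        reasons.append("VPN client below minimum version")
    return ("full" if not reasons else "quarantine"), reasons


def allowed_destinations(zone):
    """Firewall view of the zone: remediation hosts only until the client is clean."""
    return FULL_ACCESS if zone == "full" else REMEDIATION_ONLY


# Constructed sample reports (assumptions, not real devices).
NOW = datetime(2006, 3, 15, 12, 0, tzinfo=timezone.utc)
GOOD = {"disk_encrypted": True, "firewall_on": True, "av_running": True,
        "av_signatures_utc": "2006-03-14T09:00:00+00:00",
        "last_patch_utc": "2006-03-01T00:00:00+00:00", "client_version": [4, 2]}
STALE = {"disk_encrypted": False, "firewall_on": True, "av_running": True,
         "av_signatures_utc": "2006-03-01T00:00:00+00:00",
         "last_patch_utc": "2006-01-20T00:00:00+00:00", "client_version": [4, 2]}

if __name__ == "__main__":
    for name, report in (("GOOD", GOOD), ("STALE", STALE)):
        zone, why = evaluate(report, NOW)
        print(name, zone, why, allowed_destinations(zone))
```

The point of returning the reasons alongside the zone is that the quarantined user and the helpdesk see the same list; a silent quarantine is exactly the kind of control that gets worked around.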
Operational considerations
No matter where they are, users need IT support — mobile users especially so. Mobile users need IT support services quickly, easily and without a fully operational laptop. This last point may seem blatantly obvious, but how many times have you had a network issue and been asked to email through the details or log the fault through the intranet?
Areas to consider when providing and supporting any mobile environment are:
- ensuring laptops have onboard base images for emergency field recovery and compressed software repositories so people can get up and running without returning their laptops for a full rebuild; this is built into many laptops, with some major vendors offering detailed advice and toolsets to build these images
- mandatory, non-customisable profiles for users; these greatly reduce complexity in remote troubleshooting
- remote data backup of your user’s local data — no matter what you say, users will save wherever the program feels like storing it (My Documents for example) — you can also use the backup system to find out exactly what information has been lost if a laptop goes missing
- store the IT support number in all company mobile phones — it may be memorable to the IT team, but frustrated users can forget it in the heat of the moment
- pre-plan a ‘back to base’ solution for your staff; sometimes replacing a laptop by taxi, with a standby spare held by your IT support team, can solve a major hassle and avert disaster.
Summary
In summary, there is no quick and easy answer, but there are many ways for an organisation to handle the issue of mobile security. Bad stuff, inconvenience and loss can and will happen at some stage. How well you prepare for it in advance determines how it affects you and your organisation.
The current business trend towards distributed, highly-mobile teams is compromising all the controls and security systems that companies have been implementing for years; we don’t all work on highly-localised networks from fixed desks, using terminals and desktops with all our data in centralised data centres. Many of us are on laptops, going wireless from coffee shops, sharing documents with colleagues half way around the world over the Internet. Do we know who is listening in?
Now is the time to re-evaluate the current and future risks to your business, your assets and how you need to address them, rather than implementing solutions to problems that existed five years ago.
Castelain can help
Castelain has worked with a number of consulting companies, sales teams and support organisations to find appropriate, scalable, working solutions that not only support rather than hinder the users, but enhance the security at the data level to protect a company’s most valuable resource – its data.