In this regard information technology is no exception. First there was the teleworking revolution we were all repeatedly promised was on its way: the one which never actually transpired, then quietly sneaked up on us with barely anyone realising that it had happened. Then there's the Internet, which has gradually acquired a life of its own and, in due course, has liberated the masses.
Hand-in-hand with these technology shifts has been the emergence of what has been dubbed the 'Knowledge Economy', which has enabled millions of people to disconnect their place of work from the work itself. Increasingly, work is no longer a place, it's something we do – and we want (or need) to do that work in more widely dispersed locations than ever before.
The scale of remote working
Independent analyst IDC forecasts that the number of US-based mobile and remote workers will reach 51 million by 2005. That represents an increase of nearly 40% across the four years from 2001.
More importantly, perhaps, an IDC survey of network executives has found that one third of respondents in Europe indicated that mission-critical and business-specific applications are the ones most used by mobile and remote workers. The need for secure connectivity for an increasingly mobile enterprise workforce has never been more urgent.
It's hardly surprising that numerous industry analysts forecast an explosion in the market for secure connectivity services. For example, IDC estimates value the 2001 global remote access services market at $3.7 billion. By contrast, 2006 estimates for all remote access services market sectors stand at a staggering $48 billion.
Increasing use of the Internet as the transport for remote access connections has led to a raft of associated security technologies aimed at protecting both client and host. The overheads added by these multi-vendor solutions have, in some deployments at least, led to remote access stacks built from anything up to a dozen vendors' products. These will typically include Internet diallers, Virtual Private Network (VPN) clients, personal firewalls, personal intrusion detection systems, laptop encryption, RADIUS servers and two-factor authentication servers, to name but a few co-resident technologies.
When flexibility and security collide
Such an overhead has given rise to massively over-complex, immobile and cumbersome solutions being deployed across large sections of the corporate user base. The inescapable conclusion from these related yet disjointed strands is that a fundamental issue is not being adequately addressed.
In truth, conventional remote access technologies have had to serve two conflicting demands: access flexibility and security. When remote access largely meant banks of modems and point-to-point connections, security was relatively straightforward (even if access was constrained by the need for a direct dial-in point, by connection speeds and by cost).
However, the Internet radically shifted the security/access balance, and the associated critical issues. To begin with, the historical infrastructure limitations were – almost overnight – swept away. The Internet's global ubiquity has extended (almost without limitation) the theoretical access possibilities. Homes, shops, even social spaces now enjoy Internet connections.
In response to the new security threats engendered by this change, VPN technologies emerged from the likes of Check Point and Nortel. These overlays provide a secure tunnel into a corporate network, but in real terms they only ever address part of the problem even when correctly implemented: the tunnel protects data in transit, not the endpoint at either end of it, and it leaves even more issues unresolved if it is poorly installed.
Nonetheless, many of these 'second generation' remote access technologies faltered because of the inherent limitations of the Internet infrastructure on which they rely, rather than because of any concerns over security. If you think about it, it's a simple equation: 128-bit VPN-encrypted sessions carried over a 33.6k/56k modem are, for the most part, painful to use. Connecting over a GSM link is just about unthinkable.
We're now at a stage where 10/100 Mb Ethernet LAN access is taken for granted. Trying to run a LAN-based application through a 128-bit encrypted VPN over typical 33.6/56k remote access speeds is poor at best. Broadband is a partial answer, but it's still at least one order of magnitude slower than the LAN, before any consideration of rising contention rates as its popularity increases, and of the consequential implications for transfer rates.
Ubiquitous remote access also opens up new security considerations. The obvious ones concern any 'always on' connection. Much has been said, and rightly so, about the risk of an attacker hijacking an endpoint that holds a VPN into a protected network: the tunnel then carries the attacker's traffic as faithfully as the user's. Security must therefore extend to the very ends of the link. A remote worker with an insecure broadband connection can represent a very soft way into an otherwise secure company infrastructure.
It should also be borne in mind that security regimes cannot rely on the user having a correctly installed and configured personal firewall or intrusion detection system. Such issues may, however, be (relatively) easily addressed by treating remote endpoints as untrusted and placing properly designed internal firewalling and secondary intrusion detection on the corporate side of the tunnel.
Human fallibility: the real problem
What is much harder to address is human fallibility – and we're not just talking here about the oft-quoted and very real issues surrounding social engineering.
Remote applications continue to store critical, often highly sensitive data on local drives. One of the most common ways of working around low connection speeds is for remote applications to cache data locally. Which is fine, until someone leaves their laptop in a taxi, or has it stolen from their car.
That raises the spectre of securing locally held data against any form of unauthorised local access, as has been addressed with the launch of Tripwire's hard disk drive encryption system.
With such labyrinthine systems the potential for a vulnerability to be exposed is significant, and all of these measures come at a price. Although hardware costs continue to fall, leading edge machines will always be more expensive than mature specifications. Newer devices like personal digital assistants (PDAs) may be decades away from being able to run many of today's business applications locally. Indeed, they may never be able to do so.
If simplicity is the essence of good design, then most of today's security approaches require a radical rethink. Perhaps surprisingly, the answers are beginning to emerge not from addressing security matters directly, but from going back to networking basics. In recent months, Citrix has refined the integration of strong authentication with browser-based remote access connectivity, creating a secure end-to-end means of delivering applications to users anywhere, anytime.
No doubt other vendors will soon be offering similarly competitive products.
Looking for next generation solutions
'Next generation' remote access solutions sidestep much of the desktop/PC protection problem through the simple expedient of a thin client architecture. No application code or business data is run or held locally; the client only renders the session. That removes most of what conventional access security systems try to protect on the endpoint, so the integrity of the desktop/laptop becomes much less of an issue for end users. It does not remove it altogether: the endpoint still handles the user's keystrokes and displays the application's output, so a compromised or keylogged endpoint can still leak credentials and whatever is on screen, and the session itself still needs an encrypted, authenticated channel.
The thin client/browser also directly addresses the bandwidth/throughput difficulties experienced with earlier remote access services solutions, and for the first time breaks the security-performance tension of other approaches. Because only screen updates travel from server to client, and only keyboard and mouse events travel back, the bandwidth needed is independent of the size of the data the application is working on, which makes remote access usable over all connection types, including low speed connections (such as the standard 9.6k GSM link).
Not only does this dramatically improve the usability of bandwidth-hungry applications, it also largely removes the issues surrounding local storage and protection of sensitive files, since nothing needs to be cached on the device. That opens the possibility of memory, bandwidth and data-intensive applications being accessed from lightweight, low cost and portable devices such as the humble PDA, or even mobile telephones, at some point in the years ahead.
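To make the bandwidth argument concrete, here is an added Python sketch of the 'send only what changed on screen' idea. It is not code from the original article and does not represent Citrix's or any vendor's actual display protocol: it divides a frame buffer into tiles, ships only the dirty tiles, and compares the cost with resending the whole frame over a 9600 bps link. The frame size, tile size, 4-byte tile header, one-byte-per-pixel greyscale and the single-glyph change are all assumptions chosen for illustration; real display protocols add compression and encryption on top.

```python
"""Added illustration: why a thin-client protocol's bandwidth is decoupled
from the data an application touches. Assumed frame geometry, tile size,
4-byte tile header and 1 byte/pixel greyscale are illustrative choices only."""
from typing import Dict, List, Tuple

Frame = List[List[int]]  # rows of 8-bit grey values


def make_frame(width: int, height: int, fill: int = 0) -> Frame:
    """Blank frame buffer of the requested size."""
    return [[fill] * width for _ in range(height)]


def changed_tiles(prev: Frame, curr: Frame, tile: int) -> List[Tuple[int, int]]:
    """Return (tile_row, tile_col) of every tile whose pixels differ."""
    height, width = len(curr), len(curr[0])
    dirty = []
    for ty in range(0, height, tile):
        for tx in range(0, width, tile):
            for y in range(ty, min(ty + tile, height)):
                if prev[y][tx:tx + tile] != curr[y][tx:tx + tile]:
                    dirty.append((ty // tile, tx // tile))
                    break  # one differing row is enough to mark the tile
    return dirty


def update_bytes(prev: Frame, curr: Frame, tile: int) -> int:
    """Bytes on the wire to ship only dirty tiles: 4-byte header + pixels each."""
    height, width = len(curr), len(curr[0])
    total = 0
    for ty, tx in changed_tiles(prev, curr, tile):
        h = min(tile, height - ty * tile)  # edge tiles may be smaller
        w = min(tile, width - tx * tile)
        total += 4 + h * w
    return total


def seconds_on_link(nbytes: int, bits_per_second: int) -> float:
    """Raw serialisation time, ignoring protocol overhead and latency."""
    return nbytes * 8 / bits_per_second


def demo(width: int = 640, height: int = 480, tile: int = 16,
         link_bps: int = 9600) -> Dict[str, object]:
    """Constructed scenario: the user types one character, which redraws one
    glyph, while the application behind it may be working on a multi-megabyte
    record. The record never crosses the link; only the redrawn tile does."""
    prev = make_frame(width, height)
    curr = [row[:] for row in prev]
    curr[100][100] = 255  # the single changed glyph (constructed input)
    delta = update_bytes(prev, curr, tile)
    full = width * height  # naive alternative: resend the whole frame
    return {
        "dirty_tiles": changed_tiles(prev, curr, tile),
        "delta_bytes": delta,
        "full_frame_bytes": full,
        "delta_seconds": seconds_on_link(delta, link_bps),
        "full_seconds": seconds_on_link(full, link_bps),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the assumed 640x480 frame and 16-pixel tiles, the one-glyph update costs 260 bytes (about a fifth of a second on a 9600 bps GSM link) against 307,200 bytes, or 256 seconds, for a full-frame resend, and the figure does not change however large the record behind the glyph is. The security trade-off remains the one noted above: the same channel that carries those tiles carries the user's keystrokes, so it must still be encrypted and authenticated end to end.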
A constantly changing landscape
Although an exciting development, it would be wrong to consider this emerging approach as a panacea. For a start, it will not be a suitable way forward for all installations – though it clearly has a place.
Perhaps more significant is the fact that security is a constantly changing beast. No sooner has one gap in a company's defences been plugged than another opens elsewhere. Experience tells us that even the most static of installations typically becomes more vulnerable with time, as new attacks are found against software that has not changed.
Source
SMT
Postscript
David Henderson is business development manager at Diagonal Secure Networks (www.dsnuk.co.uk)