It should be flexibility's best friend, not the IT department's biggest headache
Published: 27 November 2003 09:20 GMT
There are technologies out there that make working from home, an internet café or on the road secure. So, asks Stewart Baines, what choices should you be making?
These days it’s not uncommon for non-managerial staff to be given a pool laptop and packed off home with a pile of work to complete by the morning. In flexible working lexicon it is called 'extended day working'. It also encompasses those that dash home to pick up the kids or avoid rush hour before returning to work on their home PC. The DTI estimates that 2 million people now spend part of their working week away from their office, perhaps just like this.
Increasingly, flexible working is something required in most white-collar jobs – it is no longer a term confined to peripatetic field staff or archetypal road warriors.
And it's presenting a significant challenge for IT departments that have to support multiple ways of working.
“Companies have been ‘de-perimeterised’ over recent years. Boundaries are being pushed back,” says Alan Coburn, a senior consultant with consultancy firm DNS. “The traditional perimeter has been the firewall. Remote workers mean that it has now been extended to the laptop or the home PC.”
With the boundaries removed - or at least pushed back - IT managers still have to maintain network security and data integrity, with multiple methods of accessing company files – including email, remote access, extranet and virtual private networks (VPNs).
“Remote working policies in the past have been one-size-fits-all. Whether it's been for peripatetic staff or users that just want occasional remote email access, they’ve tended to get the same direct dial remote access service,” says Coburn.
Remote access to the company LAN is a common, if under-utilised, means of empowering flexible working. Not only do companies have to maintain a fleet of laptops to ensure the client software is secure, but access has traditionally been very slow – direct dialling into a remote access server (RAS) is normally limited by the capabilities of a narrowband modem.
The advent of broadband has solved the speed problem – but not the challenge of network security. Direct dial can be very secure, connecting to the LAN via the internet much less so. A number of virtual private network standards can be deployed but are incompatible with many existing RAS services.
IPSec VPNs have become a popular alternative to traditional RAS. However, using the public internet to access company servers has meant that access clients still need to be monitored and maintained by IT staff, leaving companies with a considerable overhead in company laptops. Acknowledging the incessant march of SSL VPNs – which use a standard web browser to access applications over the internet – has been the recent news that Nortel has introduced SSL into its heavy-duty IPSec VPN range.
"The remote user needs to be able to focus on their job and not network access issues to be effective. Enterprises will benefit if they are able to use a single VPN platform to provision either SSL or IPSec with common interfaces for management, access controls and user interface," says John Girard, a research director with Gartner Group.
Richard Davis, sales director of storage and security services firm HarrierZeuros, says: “Where the recent SSL VPN appliances really do typically score is in their ability to facilitate secure clientless browser-based access to any application from almost any device. They’re great because you don’t have to install client software but at the moment we are not really seeing our customers throwing out their old Cisco or Nortel equipment in favour of this and certain organisations are still opting for the 'thick client' IPsec VPNs."
DLA is one of those that have consolidated their remote access with an SSL VPN, from Whale Communications. DLA is a law firm with 3,000 employees around the world, around 40 per cent of whom are mobile workers who attempt to work from airport lounges, client sites, hotels and their homes. Dene Rowe, DLA’s UK IT infrastructure manager, wanted a secure means for them to access the lawyers’ Exchange server.
“The internet is everywhere. Harnessing it to provide a solution that could allow everyone full remote access with a simple internet connection – from home, a PDA or internet café – was my ideal. But we had to ensure security was not compromised. Our customers’ trust that we will protect their information is crucial to our continued success,” says Rowe.
Dartford Borough Council has also trodden the SSL route, having implemented Neoteris’ Instant Virtual Extranet appliance. The council wanted to provide remote access for home workers and field workers.
“In the past we have found dial-up remote access is an unacceptable solution because some of our client/server applications require too much bandwidth,” says Richard James, head of IT, Dartford Borough Council.
“We looked at installing a [IPsec] VPN but the implementation would have been complicated and the costs prohibitive,” James explains. “An SSL VPN proved extremely easy to install and manage and offers a low cost of ownership. We could perform all the requested tasks out of the box.”
While SSL VPNs may prove more flexible and cheaper to deploy than IPsec VPNs – which typically require a company to own the laptop so they can manage the VPN client – they are by no means cheap. Any PC can have an SSL client but it requires some re-working of enterprise applications. Most applications will need to be re-engineered to support XML.
For smaller organisations that can’t accurately predict who will need flexible working, or when, there is an answer in a rather ingenious little software tool called GoToMyPC, from Expertcity. It supports access to work PCs from home or any location with a web browser, with pretty minimal set-up costs. A subscription-based service which can support anywhere between one and 100 users, GoToMyPC is not strictly remote access.
No data is ever transferred – it turns the remote computer into a remote terminal by capturing screen refreshes and forwarding them, while also supporting remote mouse and keyboard commands. Because of this, no application integration is ever needed – anything that runs on a desktop PC is operated remotely. Anyone with problems syncing files on work and home PCs and indeed, on the laptop as well, would find this extremely appealing.
Yet despite all the efforts made to protect the integrity of the network, data integrity continues to be threatened by carelessness. Transport for London recorded 400 laptops and PDAs left in London taxis last year. Countless more are not handed in.
How much private and confidential data is held on unsecured laptops is anyone’s guess – whether patient records, details of yet-to-be-announced mega-mergers or client case notes in a high-profile legal trial. Considering that enabling network access for remote users can cost anywhere between £300 and £3,000, the cost of encrypting a laptop’s file system should be a small price to pay for ensuring the integrity of the hard drive and cache and any network login settings that may be stored on the computer.
“Although the use of an organisation’s own laptops should be inherently more secure than using an internet café, it still raises the issue of how much corporate information is exposed if the laptop or PDA is stolen,” says HarrierZeuros’ Davis. “Although Windows XP and many third-party file-encryption type products can mitigate the risks, how many companies actually use this is a different matter.”
So why aren’t IT managers pushing for this basic perimeter? Smart card readers with two-factor encryption can be had for around £50. As biometrics improves, fingerprint readers could make laptop security even tighter. Panasonic, for example, has recently launched a budget iris recognition camera for protecting PC and network access for around £200.
Even if no important files are ever stored on a laptop hard drive – instead being accessed over the web via a browser – it can still present security issues. Passwords and whole files can be cached in temporary folders for some time. Many developers – including Roke Manor Research and Whale Communications – have developed cache erasers, which remove anything on a hard drive that could refer to a remote access session.
Remote access used to be an inflexible process, with users having to attain a privileged status before being granted keys to the company LAN. However, much has changed – SSL VPNs, software like GoToMyPC and cheap file encryption tools mean securing the unending march to flexible working shouldn’t prove too technically challenging.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.