Q&A: Securing Mobile Workers

By 2006, over half the U.S. workforce will be mobile. Security managers face a daunting task.

Thank the dot-com boom for loosening company attitudes toward telecommuting and working on the go. Kudos to Moore’s Law, broadband, and Wi-Fi for not only enabling slim, powerful portables, but the network pipes to move information quickly.

Then thank it all for the resulting security problems. Simply put, security hasn’t kept pace with the mobile revolution. As a result, “IT managers find it virtually impossible to keep up with the increasing security threats that mobility presents,” notes Yankee Group analyst Matthew Kovar.

Users able to connect from anywhere while using corporate machines means one thing: security problems. Security managers have a hard time ensuring the tall guy in the corner table with a latte isn’t using a wireless packet sniffer to watch any sensitive corporate information flying by.

The problem is only going to increase with the number of mobile users. According to an Access Markets International survey, by 2006 over half the U.S. workforce—67 million workers—will be mobile. Of course, they’ll want to connect from hotels, café Wi-Fi hotspots, their hotel rooms, and home broadband connections. Each poses its own security risks.

To discuss the difficulty of securing mobile workers, and what companies can do about it, Security Strategies spoke with Skip Taylor, vice president of product marketing at Fiberlink Communications, a remote access software maker and managed VPN services provider.

How has the mobile connectivity security landscape changed in recent years?

Customers [used to think] they were covered because the VPN was encrypted. Today, however, the device is a larger target than the dial-up [connection]. Now security managers are saying, “I have people who want to access our environment from places like coffee shops and hot spots, and we don’t have a way to control that access, or know that it’s happening.”

Has security kept pace with mobile technology advances?

Well, IT is struggling to solve those security problems. It’s great that Internet connectivity is so ubiquitous and easy to get—that’s the good news, and by the way, the enterprise is really much more exposed now. That’s the bad news.

Back in 2001, the best result, if you will, for alerting people to the problem is when Microsoft got hacked via a [remote worker’s] cable modem. It really helped validate what we’re trying to tell customers. When users have bought their own broadband, they could get hacked down the [broadband] tunnel.

What about ensuring mobile users don’t deactivate their PC firewall or antivirus?

Mobile or distant users often never get their updates because they don’t come home, or into the LAN, to do them. With Fiberlink’s Extend360 intelligent access manager, if Skip isn’t, say, within two [virus signature updates] of the current release, [IT might say] we’re not comfortable with him connecting to the network. Or maybe I want one user to have Wi-Fi access, but not another. [In the Extend360 client manager user interface], IT managers can also permanently gray out or remove a connection type, regardless [of whether Extend360 detects the option to use it], if an employee isn’t allowed to use it.

Why might a company want to block some users from Wi-Fi?

Cost control. IT’s got a budget for remote connectivity or mobile access, and they’re saying [to telecommunications companies] they want the lowest cost, per dial, you can give me. Give me, say, an average cost per user of $20 per month, and that’s the budget. And now these users are going into a hotel room, and as you know it costs $9 or $10 in some hotels to get a night’s usage of hotel broadband or Wi-Fi. So in two nights of using that, I’ve matched my old budget—in two nights. Users can be spending $100 per month for mobile connectivity, and oftentimes IT isn’t even aware, because it doesn’t come into their budget for remote access. Users often write it off in other ways, hide it as a taxi receipt. We give you cost control. So, for example, senior staff can use anything, but others can’t.

Another situation is where a company can say, "Listen, I have this very sensitive financial application where if they’re coming in over a dial-up application, they can have access to it, but I don’t want them going into a Wi-Fi hot spot, a coffeehouse, and not knowing that’s vulnerable, and trying to access it. Is there a way you can let a customer not run or access a particular application?"

Well, we have [a feature called] restricted application protection in our Dynamic Network Architecture application. So under Wi-Fi, we’ll look and if they launch this application, we’ll shut it down. Or a more recognizable example is Kazaa. More and more users are getting tagged for using file sharing, and if a company’s opinion is "I don’t want that application used when they’re connecting to the network," they can block it.

Does the application deny or reject users who have a disallowed application running?

It can deny, or they can say, "If I see a policy infraction, how firm do I want to be?" An example might be shutting you off the VPN, logging policy infractions, then not giving you access until IT reviews the case and manually allows the computer on again. Now of course we might not be able to shut down a home user’s cable connection.

What about malware that targets users’ firewall and antivirus settings?

We have a persistent policy enforcement agent, it runs all the time … running policy checks whether the customer is trying to connect or not. Today, there are so many Trojans attacking personal firewalls, trying to shut down the vehicle used to block them, so … we sit and watch for the firewall to go down—and not just the executable. We watch via the APIs, and if we see it go down, we’ll bring it back up and log the incident. What we are doing on a real-time basis is trying to keep that up and running.

Can you clean the offending virus or worm off the computer?

Well … we also have partnerships [with a variety of companies] such as BigFix. So we can distribute patches via Fiberlink’s Extend360 [software] to [secure] vulnerabilities. Mobile users are just a pain in the keester, and if we’re able to give tools to IT that are about more than just giving users access, then we’re helping IT solve the [overall] mobile connectivity challenge.

Inventory management is another popular request for our software—what’s on machines, what are the vulnerabilities? Companies want to know if they’re exposed, but they just don’t know … [what’s] going on out there besides a Microsoft security patch.

Can you secure insecure connections?

We know that we’re going to be in a position where we won’t always be able to provide access, so … what if a customer is using a cable modem and we don’t make a nickel [via Fiberlink managed VPN services], can our device protect them? Yes, regardless of how they’re connected, it will ring home to see if that device is in compliance, from a policy perspective.

Are companies using smart cards to help strengthen mobile user access?

Not yet. I don’t think it’s that mainstream. When you have Bill Gates stand up at the RSA Conference [earlier this year] with a an RSA smart card in his hand, it’s becoming mainstream though. That surprised a lot of people. Smart cards could also be leveraged as an alternative way to get access behind the firewall.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.