MATHIAS THURMAN
Trouble Ticket

At issue: When software tokens replaced hardware tokens for two-factor authentication, our manager discovered that a lot of noncompany computers had gained access to the corporate network.

Action plan: Lay down the law on remote access, with no exceptions.
You Can’t Secure Every Home

Unauthorized network access from home PCs has been widespread, and finding that out was just a fluke.

We recently deployed RSA SecurID software authentication tokens to replace the hardware tokens we had been using to provide strong authentication for remote access via a VPN client. Hardware tokens are more secure for two-factor authentication in some ways (but not in every way, as you’ll see), but the software tokens can be used on mobile devices such as phones; they are much less expensive; and they can be deployed more quickly and easily. What’s more, when a user no longer needs access, it’s much simpler to disable a software token than it is to retrieve a hardware token from somewhere like China, Russia or India.

Of course, RSA suffered a notorious security breach last year, but after I was briefed on the details, I felt comfortable moving forward.

Deployments such as this software token rollout can be interesting, because you have a chance to learn about some scary practices that had been going on without your knowledge.

For example, once employees got word that their hardware tokens would no longer be operational, some of them started asking for software tokens to be installed on their home PCs and Macs. Clearly, they had been taking advantage of the fact that the hardware tokens could be used with any computer. Our VPN client allows full network access, and that, combined with our lack of Network Admission Control, meant that we were ending up with untold numbers of noncompany computers on our network.

Naturally, I can’t vouch for the integrity of any of those noncompany assets. Home PCs are often used by family members and other people, any of whom might install untrusted applications, click on things they shouldn’t and end up infecting our internal production network.

monitor activity when an employee is using a personally owned device. If such an employee were to leave the company, our intellectual property could easily go with him.

For good measure, let’s throw in the risk of license compliance issues.
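Rather than waiting for the next fluke, a VPN concentrator's session log can be swept for endpoints that are not company-issued devices. This is an added example, not the column's or the company's own tooling; the key=value log format, the `CORP-LT-nnnnn` laptop naming convention and the asset inventory are all constructed assumptions, and a real concentrator's log would need its own parser.

```python
import re

# Constructed sample log in a hypothetical key=value format.
SAMPLE_VPN_LOG = """\
2012-03-12T08:14:02Z event=session_start user=jdoe host=CORP-LT-04417 src=198.51.100.23 auth=securid_soft
2012-03-12T08:20:45Z event=session_start user=asmith host=FAMILY-DESKTOP src=203.0.113.9 auth=securid_soft
2012-03-12T09:02:11Z event=session_start user=bchen host=corp-lt-05120 src=198.51.100.77 auth=securid_soft
2012-03-12T09:30:59Z event=session_start user=dlee host=CORP-LT-99999 src=192.0.2.44 auth=securid_soft
2012-03-12T09:31:03Z event=session_end user=dlee host=CORP-LT-99999 src=192.0.2.44
2012-03-12T10:05:00Z event=session_start user=epark host=Lobby-Kiosk-2 src=192.0.2.200 auth=securid_soft
"""

# Constructed asset inventory: hostnames of laptops the company actually issued.
MANAGED_HOSTS = {"CORP-LT-04417", "CORP-LT-05120"}

# Assumed naming convention for company-issued laptops.
CORP_HOST_PATTERN = re.compile(r"^CORP-LT-\d{5}$")


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict (timestamp under 'time')."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[1:])
    fields["time"] = tokens[0]
    return fields


def flag_unmanaged_sessions(log_text, managed_hosts=MANAGED_HOSTS):
    """Return (user, host, reason) for each session_start whose endpoint
    is not in the inventory of company-issued devices."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") != "session_start":
            continue
        host = f.get("host", "").upper()  # inventory lookup is case-insensitive
        if host in managed_hosts:
            continue
        if CORP_HOST_PATTERN.match(host):
            reason = "corporate naming but not in inventory (retired, renamed or not issued)"
        else:
            reason = "non-corporate hostname"
        findings.append((f.get("user", "?"), host, reason))
    return findings


if __name__ == "__main__":
    for user, host, reason in flag_unmanaged_sessions(SAMPLE_VPN_LOG):
        print(f"{user:8} {host:16} {reason}")
```

A sweep like this only finds the sessions after the fact; the controls the column names, issued laptops and Network Admission Control, are what stop an unmanaged PC from getting a full tunnel in the first place.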
Help Desk Too Helpful

While employees might not be aware that they shouldn’t be connecting to the network from their own PCs, our help desk personnel should know that, right? Truth is, they’ve been helping employees install the VPN client on their home PCs. As an experiment, I called the help desk with an urgent request for access from my home PC. They actually sent me the full VPN client and walked me through the installation on my computer. After that experience, I reviewed some help desk tickets and found that the techs had also assisted in the installation of the VPN client on PCs at public Internet kiosks and hotel lobbies.

These exception requests are being met with a stern response. If an employee needs to access our network from home or another remote location, then the company needs to issue that employee a laptop. In many cases, the employee already has a laptop and is just too lazy to take it home or prefers using a Mac. But until we deploy a more secure method of remote access, such as a virtual desktop environment or a sandboxed VPN, I will hold the line against these sorts of exceptions.
This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.