Where’s your Remote Control?
Managing the Increasing Vulnerability of a Decentralized Workforce
More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive. Being productive is good. Behaving less responsibly is not. I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here's a few that stood out for me:
- 33 percent of respondents said they 'don't see anything wrong' with sharing their work computers with friends and family
- Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files
So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting access down. And if remote workers are behaving badly, then that opens new potential for security vulnerabilities.
Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or if multiple people are simultaneously using the same credentials. This makes it impossible to trace any action back to an individual.
I want to restate the problem: most organizations have a nebulous process for shutting access down to remote workers (past and present!). In many cases, consultants can still access files/networks from old engagements. Think of the Lending Tree debacle from earlier this year. Old employees sharing of passwords with outsiders with remote/Web was the culprit there, but it highlights an important issue. How many of us know people who claim they can still log in remotely to their former accounts?
Remote access is very problematic, because it bypasses the layers (guards, turnstiles, badge readers, etc) that safeguard computer access within the building so it is extremely risky to leave open. This is the reason almost all compliance requirements mandate the shutting down of access as part of an employee/partnership termination process.
I've had discussions with many consultants and found that as businesses shift to a more de-centralized, deperimiterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged. The challenge: Remote access is often orphaned because it falls between physical, IT and the networking group - companies shut off physical access, but nobody informs the network manager responsible for remote access so most often times access privileges are left open. Responsibility for the user account is unclear, so even though your company has stopped paying the employee/consultant and shut off physical access, the remote access isn't shut off. Good, bad or ugly, how do you manage your remote access?
-David Ting