Security: how much is too much?
07 February 2010, by Gordon Smith
Deciding on the appropriate level of security for VPNs isn't a question of company size but of risk profile, according to security consultant Brian Honan.
"Do a proper risk assessment and determine which people are allowed to have remote access and under what conditions, and who authorises this. You might also think about whether you should be monitoring their access," he said.
This option might scream 'big brother', but it can be vital for preventing security lapses. "If you're monitoring your systems and you see your chief executive logging on from two different places at once, an alert will kick off to tell you that shouldn't be happening," said Honan.
When assessing his own profile, Honan decided on total shutdown. "I have a lot of sensitive information on my clients, so my policy is that I don't have remote access to my network at all. I've decided it's too risky to provide it," he said.
He joked that he may be slightly overdoing the paranoia, but insisted his own policy was based on sound decisions about the information on his system. All companies thinking about VPNs should go through a similar process, he said.
"Evaluate the risk against the value of the data you're trying to protect. Remote access is seen as a convenience, and an awful lot of people don't do a proper risk assessment and see the potential dangers," said Honan.
Those dangers, especially in the current climate, could involve disaffected staff. That's why it's important to keep VPN user details absolutely up to date: anyone leaving the company should have their VPN access revoked permanently, not just disabled until someone remembers to tidy up.
"I have seen examples where a disgruntled employee left a company under a cloud, then connected back into the company through the VPN and caused problems by changing network settings," said Sharptext's John Conlon.
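The two checks described above, concurrent logins by one account from different places (Honan) and logins by accounts that should no longer exist (Conlon), can both be run as a simple review over VPN gateway logs. The following Python script is an added example, not code from the article or from any of the consultants quoted; the `vpn-gw` log format, the field names and the sample log lines are constructed for illustration and do not correspond to any vendor's format.

```python
"""Review VPN session logs for two of the risks discussed above:
concurrent sessions for one account from different source addresses,
and sessions by accounts that are no longer authorised.

The log format, the field names and the sample lines below are
constructed assumptions for this example, not a real product's output.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: hypothetical "vpn-gw" format, one event per line.
SAMPLE_LOG = """\
2010-02-05T08:02:11 vpn-gw user=ceo src=86.43.1.10 event=login
2010-02-05T08:05:40 vpn-gw user=alice src=109.78.4.2 event=login
2010-02-05T08:17:03 vpn-gw user=ceo src=203.0.113.7 event=login
2010-02-05T08:30:00 vpn-gw user=alice src=109.78.4.2 event=logout
2010-02-05T09:01:22 vpn-gw user=bob src=198.51.100.9 event=login
2010-02-05T09:45:10 vpn-gw user=ceo src=86.43.1.10 event=logout
"""

# Accounts currently authorised for remote access. In practice this comes
# from HR or the VPN user database; here it is assumed. "bob" has left.
AUTHORISED = {"ceo", "alice"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>login|logout)$"
)


def parse_log(text):
    """Parse matching lines into dicts, sorted by timestamp; skip noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real logs carry unrelated lines; ignore them
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "event": m["event"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_concurrent_sessions(events):
    """Return (user, set_of_sources, login_time) for every login that
    overlaps an already-open session of the same user from another
    source address: the "chief executive in two places at once" case."""
    open_sessions = defaultdict(dict)  # user -> {src: login_ts}
    alerts = []
    for e in events:
        sessions = open_sessions[e["user"]]
        if e["event"] == "login":
            other_sources = {s for s in sessions if s != e["src"]}
            if other_sources:
                alerts.append((e["user"], other_sources | {e["src"]}, e["ts"]))
            sessions[e["src"]] = e["ts"]
        else:
            sessions.pop(e["src"], None)
    return alerts


def find_unauthorised_logins(events, authorised):
    """Return (user, src, login_time) for logins by accounts that are not
    on the current authorised list: the leaver-still-has-access case."""
    return [
        (e["user"], e["src"], e["ts"])
        for e in events
        if e["event"] == "login" and e["user"] not in authorised
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, sources, ts in find_concurrent_sessions(evts):
        print(f"{ts} ALERT concurrent sessions for {user} from {sorted(sources)}")
    for user, src, ts in find_unauthorised_logins(evts, AUTHORISED):
        print(f"{ts} ALERT login by unauthorised account {user} from {src}")
```

The concurrent-session check keys on source address, so two logins from the same address (a reconnect after a dropped link) do not raise an alert; a logout line closes only the session for that address. The unauthorised-login check is only as good as the list it is given, which is the point of keeping that list current.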
Regular audits of a company's VPN technology and processes were essential to minimise the chances of a data breach, said John Ryan, of Calyx Security. A VPN risk assessment should be based on several key criteria.
"The aim is to secure your remote access to prevent hackers from using your VPN as a tunnel to your internal network, and to verify that you have end-to-end security and not just an encrypted tunnel," he said.
This process should also cover a review of VPN policy and procedure, as well as the network's architecture. This kind of rigorous check called for external resources, Ryan said.
"Security is a very specialised area and while it is important that organisations have a good understanding of their own security environment, it is more cost-effective and more secure to engage the experts when undertaking an audit like this," he said.
Although a VPN encrypts data in transit, that same encryption means the traffic cannot be inspected for malware while it is inside the tunnel; scanning has to happen where the tunnel ends. "One option is to put in place an area where the traffic terminates - a sort of demilitarised zone. Data is checked there before being allowed through to the company network," Ryan said.
Some companies allow the use of home PCs to connect to the company network, but Honan said this could be a security risk. "If someone else in the house is using BitTorrent you have a risk, whereby there's an unsecured device connecting securely to the company network," he said.