One of the challenges of managing a remote desktop estate is security. It’s not a new problem, but it has been raised higher in the collective consciousness in the last few years, thanks to the proliferation of smaller, cheaper and more portable devices. It’s not enough to blame human nature - although sitting here as I type I …
Not an easy one really.
Where I work there are multiple domains with different security requirement levels.
One for example has fully encrypted machines with a request for username and 2 passwords to get the machine into a usable state remotely, and then the wireless is disabled in the BIOS using the passworded BIOS to stop it being turned back on, to ensure no interception at all.
At the other end of the spectrum was an old domain where users had been let loose and had a simple VPN connection to get back into the network. Obviously this worked on all but the worst net connections in the world and users had local admin rights as well... always great for fault finding...
The most common is a middle level approach where the machine is encrypted and all connections are managed through one software set and the only way to power the machine on is to have a separate device plugged into it, which also requires its own access code (kind of like an RSA token, but better) and this then allows a fully encrypted (2048 bit) tunnel to be formed back into our network. Dead easy stuff.
Users are also told not to leave any important stuff on their machine. As it's encrypted, if the HDD gets a tiny bit iffy the whole lot is nigh on impossible to get back. They are meant to have a laptop to log back into the office for a reason so nothing should be stored on their machines that is considered secure.
And after all that the sole support for the solutions is often quite busy and not likely to be without work for a long time :D
Keep IT Simply Stupid ...... for Big Brother has Help which you cannot even Imagine
Methinks it is delusional to imagine or to expect that any machine connected to and transferring information/metadata over the Internet and Networks InterNetworking is secured, with that information/metadata being thought to be exclusive and free from unknown and/or unauthorised third party knowledge.
If you want privacy ....stay off the Internet, for it does not accept the application of rules or third parties imagining that they can share information secretly for personal/singular advantage, with impunity and immunity, causing a collateral disadvantage elsewhere.
And to rant and rave in any sort of disagreement and campaign to prove the opposite will only end up in proving the point.
The weak link is typically the senior management who:
a) Usually understand nothing about security (IT or otherwise);
b) Won't listen to what they are told and won't read even the shortest user guide;
c) Will not follow the company IT / Security policies that they signed;
d) Demand that they have Admin rights so they can install various crap, often of dubious origins.
You can argue but you will lose - but it will still be your fault and not theirs when their system gets trashed. Even the best security strategies, carefully planned and implemented are vulnerable to the utter irresponsibility of those at the top.
It's a fine line
amanfromMars 1 has hit the nail on the head in a delightfully abstract fashion! No system is secure, just more secure and AC @ 12:10 makes an excellent point regarding the unforgiving nature of encryption software. However, IMHO encryption software is still worth the risk for the level of protection it offers.
Every organisation needs to find its own unique balance between the two extremes of entirely locked-down and entirely open. There are some organisations, including those I've previously worked for, who are more than happy to manage a whole world of support calls for drive mapping access and printer installations which could be avoided with a more lenient security policy. For some, nothing's worth the risk of a breach, not even doubling the support team's workload!
For the majority of us, as long as we've got the users encrypted, with some kind of device control to limit the use of USB sticks and drives and a decent SSL VPN, the group policy can afford to be loosened up a little. The right end-point controls and firewall rules can usually catch most 'user indiscretions'. It's hard not to use this old chestnut but it is true that the least secure link in the chain is the pink squishy bit between the chair and the computer!
The policies and new joiner documentation may well exist in your office, but is it for box ticking purposes or is it a genuinely informative and helpful document? At the end of the day the time and effort going into educating your workforce is what will determine the overall security of your estate and that fact alone is enough to render most support staff hysterical and fleeing the office with handfuls of their own hair!
Theory vs Implementation
As the article states, there is a gap "where the rubber meets the road." The issue isn't that you can't throw gobs of time, effort, money and software at securing information that is taken outside the corporate firewall, but rather that for it to be effective, everyone has to buy into it, and be vigilant.
There is a significant disconnect between the typical Network Admin, who understands the finer points of information security, and the people who have to implement it. The Network Admin can look at the "value" of information, and say "we must do X to secure it." If X isn't convenient, then it will simply never be implemented. All security and access measures have to be looked at from far more than a "necessity" standpoint. They absolutely must be looked at from an ease of use standpoint as well.
As an example, think about a fingerprint reader that is integrated into a notebook. Easy to use feature, right? Now how often do you think it would get used if it was a USB device that you had to dig around your notebook bag for, plug in, and then wait for the OS to pick up before you could use it? Now think about passwords. You are asking your users to remember how many? And how many different times a day (on average) do they have to type them in? How many user/domain contexts do they have to track? It’s easy for me to hold hundreds of these in my head, but this is my day job. The Sales Drone in the field who is worried about meeting this quarter’s quota, and has to track 2500 customer phone numbers will not be remembering that pile of passwords. Just like they use an address book for their customer contact info, if you give them too many passwords, they are getting written down on a sticky.
If you can make your security measures easy to remember, easy to use, and easy to build into a person’s daily routine you will find virtually no resistance to implementing those measures. If your security measures are a pain, even that very same Network Admin simply won’t partake in them.
Somewhere along the line IT, the End Users and Business Management have to sit down and talk about all of this. It may be that there is no way to provide a level of adequate security for some types of information that is convenient to use. If that’s the case then despite the fact you could create a system to secure that information, you simply have to accept that it can’t be taken outside the company firewall, because the system won’t be used. Security is never something that should be dictated from on high. It is something that requires a careful balance. The opinions, expertise and feedback must come from all people involved in its design, implementation and most importantly…daily use.