Security's Everyman

Tuesday, August 28, 2007

Is Telecommuting safe?

An article on DarkReading tells us that Federal Information Security Chiefs don't think that teleworking is a security risk. Sounds like a good poll for next week to me.

When I first saw the headline "Federal Security Officers Say Telecommuting Is Safe" my initial thought was "these are the same guys who regularly get D's and F's on their security reviews and they are telling us what is safe and what isn't safe!" Not sure I really want to listen to them on this. I'm not saying that telecommuting is or isn't safe. A comment such as that can't be made carte blanche. The answer to this is again "It depends". It can be safe provided that the right controls are in place.

If you give a user a laptop with admin privileges and a T-Mobile Hot Spot account and tell him to go work where he wants, then I'd have to question the security of your telecommuting program. If done correctly, I believe that a user can work remotely from most places and still remain secure.

Here is my list of what needs to happen to make telecommuting as safe as possible. This is assuming the use of a company provided laptop. If we get into using personal systems then things get a little more complicated.

  • User has user level access only.
  • Laptop runs AV, HIPS, Personal Firewall that can't be disabled by the user.
  • When connected to the company network, a security posture check of the laptop is done via NAC. This is true whether it's via VPN connection or direct (wired or wireless) connection on site.
  • USB ports and CD/DVD copying are disabled.
  • Autorun is turned off for CD/DVD drives.
  • Wireless radios are disabled when connected to wired network.
  • Bluetooth is disabled.
  • Use a 3G, EVDO or similar card for access when not on a company approved secure wireless network.
  • Train the user on how to be secure and reinforce this on a regular basis.
  • Ensure that you have the proper security policies in place to CYA when the user manages to do something that you can't protect against.

I know that there are more things that can be done. Some of you will think that this is too much and some will think that it's too little. But remember, there has to be a trade-off between security and usability. If you go too tight then the user will be unproductive, calls to the help desk will be frequent and the user will try to find ways around your controls.
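
The NAC posture check from the list above can be sketched as a small admission rule. This is an added example, not code from the original post or from any NAC product; the report field names, link types and sample reports are constructed assumptions.

```python
# Added example: field names and sample reports are constructed, not from any NAC product.
# Each entry maps a reported boolean to the control from the list that it proves.
REQUIRED_TRUE = {
    "av_running": "AV running",
    "hips_running": "HIPS running",
    "firewall_running": "personal firewall running",
    "protection_locked": "user cannot disable AV/HIPS/firewall",
    "usb_ports_disabled": "USB ports disabled",
    "optical_copy_disabled": "CD/DVD copying disabled",
    "autorun_disabled": "autorun off for CD/DVD drives",
    "bluetooth_disabled": "Bluetooth disabled",
}
KNOWN_LINKS = {"wired", "wifi_approved", "wifi_other", "cellular"}


def assess(report):
    """Return (decision, unmet_controls) for one laptop posture report (a dict)."""
    unmet = []
    # Fail closed: a missing or non-boolean field counts as an unmet control.
    for field, control in REQUIRED_TRUE.items():
        if report.get(field) is not True:
            unmet.append(control)
    if report.get("account_type") != "user":
        unmet.append("user-level access only")
    link = report.get("link")
    if link not in KNOWN_LINKS:
        unmet.append("known network link")
    elif link == "wired" and report.get("wireless_radio_on") is not False:
        unmet.append("wireless radio off while wired")
    elif link == "wifi_other":
        unmet.append("approved wireless or 3G/EVDO card")
    # The same rule applies whether the laptop arrives over VPN or on site.
    return ("admit" if not unmet else "quarantine"), unmet


# Constructed reports: one compliant laptop on a cellular card, and one that is
# docked with Wi-Fi still on, running as admin, with no Bluetooth state reported.
COMPLIANT = {**dict.fromkeys(REQUIRED_TRUE, True),
             "account_type": "user", "link": "cellular", "wireless_radio_on": False}
RISKY = {**COMPLIANT, "account_type": "admin", "link": "wired",
         "wireless_radio_on": True}
del RISKY["bluetooth_disabled"]

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("risky", RISKY)):
        print(name, *assess(rep))
```

Treating a missing field as a failed control keeps a laptop whose agent has been tampered with or stopped from being admitted by default.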


LonerVamp said...

People telecommute from home...which means their home network is suspect...yada yada.

I was always interested in that dichotomy. Gov't mandating telecommuting in response to things like 9/11: Can we still operate if a building is gone? Can people still work if they have to from a remote location or home? Versus the security needed and how quickly information can get spread all over.

cdman83 said...

Another important aspect is securing the data when it is on such a mobile device:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.