Enforcing Remote and Mobile Client Security Policies

November 3, 2004

By the year 2010, researcher Gartner Inc. predicts, 80% of key business processes will involve the exchange of real-time information involving mobile workers. At the same time, the most recent edition of the Symantec Internet Security Threat Report found that up to 80% of all security vulnerabilities discovered in the first half of 2003 came from client machines susceptible to remotely executable attacks.

As the report observed, “Since global access is a mandate in today’s business environment, companies have created numerous Internet-enabled applications.”

For IT administrators in today’s rapidly evolving business environment, it all adds up to a formidable, and often bewildering, challenge: how to verify that mobile client machines are secure before they connect to enterprise networks?

Ignore security risks at your peril

As we know, today’s real-time enterprise is increasingly mobile. But in the headlong rush to mobility, many enterprises overlook the need to adequately secure their on-the-go workforce. Gartner summarizes the environment aptly: “Mobile devices may be small, but their security issues are not because there are so many devices, and enterprises tend not to apply rigorous security and management to them.”

Among the security issues that mobile enterprises face: a susceptibility to more complex worms and viruses — known in the security industry as “blended threats” – that are becoming the attack of choice among Internet vandals. Such threats often exploit several different flaws to increase the chance of infecting a computer system. The number of attacks that could be classified as blended threats in the first half of 2003 was 20 percent higher than in the previous six months, according to the Internet Security Threat Report.

That’s especially disturbing news for clients that regularly travel outside the perimeter firewall and connect to the network. Why? Because blended threats such as Nimda, Code Red, SQLSlammer, and Blaster specifically targeted laptops outside the firewall in order to gain unauthorized enterprise network access during an ISP connection. (Laptop users can also become unwitting victims – or “zombies” – used for Distributed Denial of Service attacks, or more sophisticated attacks.)

To help safeguard their mobile users against blended threats, as well as such recent mass-mailing worms as MyDoom and Netsky, it is essential that enterprises adopt and disseminate explicit information security policies that address the use of mobile devices. Unfortunately, many companies either don’t have such policies or have policies that are wordy, hard to understand, vague, incompatible with other company policies, hard to implement, or impossible to enforce. Real-time enterprises can’t allow such deficiencies to persist, and for good reason: mobile computing introduces significant risks. Indeed, Gartner has identified five major risk areas associated with mobile computing:

1. Social risks (mobile processes can change staff computing behavior)
2. Technical risks (these are associated with untried and fast-evolving technologies)
3. Legal risks (these can concern privacy and data protection)
4. Integration risks (such as dealing with legacy systems)
5. Financial risks (from unexpected events that can undermine return-on-investment models).

Moreover, as all too many administrators know, the boom in mobile computing took many IT departments by surprise, with the result that much equipment was introduced into organizations by individual employees and workgroups, rather than through the IT department or other proper channels. The result of this “backdoor” introduction was that mobile equipment wasn’t put through the normal process of understanding its capabilities and limitations before implementation. Consequently, efforts to secure these myriad devices came as an afterthought, or were not sufficiently rigorous.

That’s why it’s paramount that explicit policies be in place to help users prevent malicious code from entering the enterprise network. For a step-by-step approach to crafting a general security policy, see Symantec’s handbook “E-Security Begins with Sound Security Policies.”

On a practical level, it is strongly recommended that any security policy mandate use of a client security solution that integrates antivirus, firewall, and intrusion detection technologies. Specifically, the client firewall technology should automatically instruct the antivirus scanning and intrusion detection engines to scan all incoming and outgoing files. If a threat is detected, the antivirus or intrusion detection engine can then instruct the firewall to increase security measures and block the threat.

On a personnel level, keep in mind that translating information security policies into workable, day-to-day procedures is no minor task. It is strongly recommended that you work closely with all mobile workers who will be affected by these guidelines. As Symantec’s Stuart Broderick has written, “Many organizations have discovered that people who are not involved in the development of the process often feel no ‘ownership’ for the process and think that their knowledge of how systems operate is of no value. … As a consequence, such personnel are apt to ignore the process and adopt an ‘I know better than that’ or ‘We’ve always done it this way’ attitude.”

Coming up: client compliancy initiatives

What else can enterprises do to ensure that their increasingly mobile workers are complying with security policies? One of the more important recent developments in this area involves client compliancy initiatives, which are designed to promote enforcement of remote and mobile client security policies. Such initiatives recognize that the growing variety of methods employees are using to access networks poses a new level of risk to corporate security. Client compliancy initiatives therefore enable IT administrators to verify that client machines are truly secure before they connect to the network.

Specifically, administrators can set admission control policies that take into account the security posture of client machines attempting to attach to the network. Out-of-compliance machines – such as those that are deficient in, say, operating system patch level or antivirus state – can be denied access, quarantined, or sent to a separate location for remediation, while machines that comply with the organization’s policies are granted access to the network.
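The admission-control decision described above, as an added illustration rather than code from the article or from any vendor product: a client agent reports its posture (patch level, antivirus state, firewall state), and the policy maps it to admit, quarantine or deny. The posture fields, thresholds and sample hosts are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Policy thresholds: assumed values for this example, not from the article.
MIN_PATCH_LEVEL = 12          # lowest approved OS patch baseline
MAX_SIGNATURE_AGE_DAYS = 7    # antivirus definitions older than this are stale

@dataclass(frozen=True)
class Posture:
    """Security state a client agent reports when it tries to attach."""
    host: str
    os_patch_level: int
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool

def evaluate(p: Posture, today: date) -> tuple[str, list[str]]:
    """Map a reported posture to admit / quarantine / deny plus the reasons.
    No protective agent at all is refused; merely out-of-date state is quarantined."""
    hard = []
    if not p.av_running:
        hard.append("antivirus not running")
    if not p.firewall_enabled:
        hard.append("client firewall disabled")
    if hard:
        return "deny", hard
    soft = []
    age = (today - p.av_signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        soft.append(f"antivirus signatures {age} days old")
    if p.os_patch_level < MIN_PATCH_LEVEL:
        soft.append(f"patch level {p.os_patch_level} below {MIN_PATCH_LEVEL}")
    return ("quarantine", soft) if soft else ("admit", soft)

# Constructed sample postures from three laptops (not real hosts).
TODAY = date(2004, 11, 3)
SAMPLE = [
    Posture("laptop-a", 12, True, date(2004, 11, 1), True),
    Posture("laptop-b", 9, True, date(2004, 10, 20), True),
    Posture("laptop-c", 12, False, date(2004, 11, 2), True),
]

def admission_decisions(postures=SAMPLE, today=TODAY) -> dict[str, str]:
    """Decision per host: the summary an admission-control point would act on."""
    return {p.host: evaluate(p, today)[0] for p in postures}

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, reasons = evaluate(p, TODAY)
        print(p.host, verdict, "; ".join(reasons))
```

A quarantined host gets a remediation path (patch, update signatures) and is re-evaluated before it is admitted; a denied host has nothing to remediate against until an agent is running.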

Bottom line: client compliance initiatives will help prevent remote and mobile users from becoming the weakest link in the enterprise network environment. Enterprises can expect further developments in this area throughout 2004.

Conclusion

An effective corporate information security policy is essential to sound mobile business practices. Enforcing such a policy is more important today than at any time before, as security threats continue to multiply in number and complexity. Increasingly mobile enterprises looking to make their security policies ironclad would do well to explore new client compliancy initiatives. They can help ensure that remote users and client machines are secure and do not jeopardize enterprise networks.
