Going The Distance
As the remote workforce grows, network access must be made safe and sound
Remotely accessing the company networks is a part of many workers' everyday life: Traveling executives get up-to-date sales data just before meeting with a client; parents work from home when the kids have the day off from school; and people save hours each workweek by skipping their commutes.
IT departments have typically been less enthusiastic about employees who work outside the office. A remote workforce makes it tough to centralize and control IT systems. And having hundreds or thousands of remote-access points into the company's network is akin to trying to secure a house with the doors and windows left permanently open.
But the number of remote workers isn't going to decrease, so IT is forced to face the security challenge. About 21 million U.S. workers are working remotely this year, according to Cahners In-Stat Group. By 2005, that figure will top 35 million.
Some businesses see home offices as a way to cut back on costly leases for satellite offices. Also, the September terrorist attacks forced hundreds of companies to set up remote offices for their employees just to stay in business. As companies rethink their business-continuity plans, they're often including remote access as a crucial element.
Remote access offers businesses an efficient way to get displaced employees back to work, says Gartner analyst John Girard. Companies that have established "any kind of work-at-home or mobile work schemes stand the best chance to get their employees back to work quickly and safely," he wrote in a recent brief.
That's something Frank Gillman, director of technology at the business law offices of Allen Matkins Leck Gamble & Mallory LLP, as well as other California businesses, has known for some time. "We live in California. So forget about terrorists, we deal with earthquakes, flooding, and gridlock," Gillman says.
Gillman cites all the traditional benefits one would expect a law firm with 500 employees and 300 attorneys to reap from a remote-access program: Staff attorneys can access the firm's information from virtually anywhere. If a mudslide or traffic jam strikes, the attorneys can stay safely at home and deliver a productive workday.
As the number of remote workers has risen, so have concerns about security. Allen Matkins' clients are much more sensitive about security, Gillman says. "It used to come up once in a while. But with the technology boom and more media coverage of hacking, questions about how we protect our systems are being asked more," he says. "Clients now have a more cloak-and-dagger concern: 'How do you protect your systems? Are you protected from someone tapping in?'"
Until last fall, Allen Matkins' attorneys primarily accessed the company network through dial-up connections. The firm decided to address security and ease of access by combining Secure Computing Corp.'s SafeWord authentication and authorization software with Citrix Systems Inc.'s MetaFrame application server.
Gillman says each of the firm's more than 200 attorneys can securely access confidential information from anywhere by logging on to a secure remote-access server: SafeWord secures the connection and Web access to Citrix, and users authenticate themselves with their Silver 2000 tokens, which provide a one-time-use key. Gillman says each user's access can be controlled, and detailed logs reveal all account activity.
"I want to be able to look at our clients and say we're as secure as we can possibly be," he says. "Confidentiality is everything for us."
Dan Nadir, director of RealSecure Solutions for security vendor Internet Security Systems Inc., says Gillman isn't alone; companies have been examining teleworking and establishing small remote offices long before the terrorists struck.
"It was being driven by economics. Companies want employees to work remotely because of the potential cost savings," says Nadir. Internet Security Systems' clients, he adds, want to do more than simply tell employees "here's your notebook. Go home."
Nadir says the recent Code Red and Nimda attacks have only heightened concerns. "Companies started realizing more that they need secure access so no one can snoop on their systems," he says. "Companies aren't opening the door to remote access workers until they get intrusion-detection or malicious-code-blocking software on their desktops."
As the Code Red and Nimda worms demonstrated, remote and mobile users can be the weakest link when it comes to network security. Security vendor TruSecure Corp. estimates that Code Red spread to more than 500,000 company networks when infected mobile users logged on to the networks.
The majority of internal Code Red infections came not from Internet-facing Microsoft Internet Information Services servers but through notebook computers or systems connecting via virtual private networks, says Russ Cooper, editor of TruSecure's security mailing list, NTBugTraq. Once Code Red entered an internal network, it infected systems running Internet Information Services that hadn't been patched. The worm's relentless scanning degrades network performance, experts say.
These new types of "blended" threats, says Gail Hamilton, executive VP at Symantec Corp., raise the stakes for companies seeking to protect their networks from state-of-the-art "malware," the term security experts use when talking about malicious software.
Such threats mean IT managers need to install personal firewalls on every desktop and keep antivirus software running at all times, says Pete Lindstrom, director of security strategies for Hurwitz Group. IT departments should continuously check these systems, perhaps run a vulnerability assessment each time a remote desktop authenticates to the network in order to ensure the remote system hasn't already been compromised, he says.
"Companies need to take seriously the security of their remote client access. It becomes a corporate network access point, so they need control of the entire client," Lindstrom says.
Bill O'Brian, senior adviser for corporate security for Bell Canada, agrees. "If you're not protecting remote users with a personal firewall along with antivirus software, you're setting yourself up for disaster."
By installing roughly 6,000 CyberArmor personal firewalls from InfoExpress, O'Brian is hoping to avert future Code Red, Nimda, or other malicious code threats. Eventually, O'Brian hopes to have all of the company's 22,000 remote workers protected by the firewalls.
Bell Canada has tight security policies for its remote workforce: Users can't share files or use the File Transfer Protocol on the Internet, and most, with a few exceptions, are strictly limited to E-mail and VPN access. CyberArmor filters the traffic flowing to and from a user's network interface card, and reports problems such as break-in attempts to a central database, O'Brian says.
Bell Canada initially planned a much slower rollout of CyberArmor. "Nimda has caused us to accelerate that. We're upgrading all firewall and antivirus engines. The current level of risk on the Internet won't allow us to do a controlled deployment," O'Brian says.
That risk level also means there's no time to slack off, O'Brian adds. "In the past month we've been doing four antivirus updates a week," he says.
Despite the security risks mitigated by the firewall, O'Brian says it's still difficult to convince upper management to fund security for security's sake. "We had to find a way to determine, 'are we getting value out of this,'" he says.
That's why O'Brian established the long-term value of CyberArmor by turning on the firewall's logging feature. "The firewall gave us a view to see how people were using their machines," he says.
With CyberArmor, Bell Canada can better understand how its remote systems are being used, what information employees are accessing, and what employees are doing while they're on the Internet. Aligning the deployment of the personal firewall with Bell Canada's business objectives--to deploy a secure mobile workforce and better understand security threats and Internet use--is helping the company design better services for its customers.
Though more companies are considering personal firewalls, it's important for IT departments to limit what users can do with them, Internet Security Systems' Nadir says. "You don't want just anyone altering the settings or turning off the system."
Not all businesses can cast such a wide net of control over the remote systems accessing their network. When Spectrum Health Services Inc., a St. Louis contract provider of health-care and administrative management services, decided it wanted to provide seamless access to its remote doctors, it faced a challenge most companies don't have to tackle: Its IT department has no control over the systems and Internet access for each of the offices it wanted to connect to its systems.
Jim Toth, director of information security at Spectrum Health, says the challenge was building a cohesive remote-access strategy despite the lack of control over the types of systems that would be accessing the network. "You need to think holistically and that's been the challenge," Toth says.
So Spectrum chose a Java-based client from AppGate. Because the remote-access client is standards-based, it's easier to deploy to a PC or notebook via a browser. "It was an ideal solution for an environment like ours," Toth says.
Once Toth and his team developed a system that let doctors and certain staff members access sensitive patient and medical records, they had to ensure the system would comply with the rules of the Health Insurance Portability and Accountability Act of 1996. The act, which took effect last April, gives the health-care industry two years to implement policies and procedures to keep patient information confidential. It also lays out guidelines that give patients much more control over what information doctors and hospitals share about them.
Toth chose to restrict application access with RSA Security Inc.'s secure tokens. Spectrum Health manages the user IDs, issuing the doctors the SecurID tokens only after the physicians sign a health-partner's agreement. Toth says the agreement helps establish a chain of trust between Spectrum Health and the physician network.
To ensure that access runs smoothly, Spectrum provides a half-day of training to the physicians and staff who will log on to the system.
Toth began the AppGate RSA implementation in the spring; there are now roughly 5,000 users accessing the system. So far, help-desk queries related to AppGate and RSA Security have been kept to a minimum. "It's very easy to use. The first time someone sets it up all they have to do is download a Java applet; that may take a minute or so," Toth says. "The calls we get are mainly questions regarding the applications running on Spectrum Health Online."
Large companies aren't the only ones grappling with remote-access management problems. Small companies face similar obstacles--only without the large IT staffs needed to properly manage VPNs and defend against digital threats.
WestLake, a Web-development training company, wanted employees in each of its seven offices to have secure access to business applications running out of its Arlington, Va., headquarters. The applications include Microsoft Great Plains Business Solutions 6.0, Saba Learning Enterprise 3.3 for training and class planning, and Microsoft 2000 applications.
"We looked at various options and the startup costs appeared prohibitive," says Matthew Prentice, IT director for WestLake. Prentice needed to find an affordable way to provide the remote access.
Rather than set up costly application management servers at each remote office, Prentice chose to subscribe to Netilla Networks Inc.'s Virtual Office service to connect all WestLake employees in its Arlington, Boston, Chicago, Detroit, New York, Pittsburgh, and Washington offices.
After installing the Netilla Service Box, Prentice says he was able to securely Web-enable applications within a day. WestLake remote employees simply log on to the URL of the WestLake Virtual Office site. The system then establishes a Secure Sockets Layer session and authenticates the employee via digital certificates.
The remote-access capabilities are helping WestLake keep better track of sales leads. Most of the company's sales staff use FrontRange Solutions Inc.'s GoldMine sales and marketing software. Employees can now access the contact database at the company headquarters, and download new data into GoldMine on a regular basis, says Prentice.
"Whether they're sitting at home, in the office or at a client site, users will do the contact synchronization and keep up to date with tracking leads," he says.
Adding new applications to the Netilla service is also easier than managing application servers, Prentice says. "It's very simple. We give the user the Web site and do the setup," he says. "It's two to three minutes at most."
Businesses have a number of technologies to help protect remote-access systems, but security ultimately rests with the user in the remote office. "The vast majority of successful attacks come down to the end user," says Nadir. "They click on things they shouldn't click, such as animated Christmas cards. People shouldn't execute files they don't know about. While you're watching that cute animated card, a hacker could be installing a Trojan so he can capture every keystroke, including passwords."
To Bell Canada's O'Brian, who grew up in the comparatively secure world of telecommunications gear, opening Bell Canada's systems to remote access over the Internet was an eye-opener.
"I was surprised every step of the way. Most of my career was with the closed and well-protected world of telephony," O'Brian says. "Then you get into this: I stuck four machines on the Internet one week and the amount of scans and attacks was phenomenal. It's a dangerous world out there."