The Web    Google
Home Users: IT's Cross to Bear

Home Users: IT's Cross to Bear
May 13, 2005

Home access to the corporate enterprise is on the rise, according to industry watchers. Gridlocked highways, skyrocketing fuel costs, and the desire for a better work/home life balance have employees clamoring to telecommute.

This sea change could mean big headaches for IT managers who are caught unprepared.

Chris Hernandez, senior network engineer at Holtzbrinck Publishers, LLC, in New York, N.Y., knows this first-hand. A year ago, a lax remote access strategy led to someone transporting a virus onto the corporate network. ''It shut us down for a few days,'' he says.

Today, Hernandez and his team have an aggressive program to train and support day extenders and home users. The program includes best practice guidelines and how-to brochures for setting up home machines.

Experts warn that companies need to be savvy about managing home users -- especially if their industry falls under compliance restrictions, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act of 2002.

''Home users using their own computers pose the biggest risk to the corporation,'' says Doug Neal, vice president of product management at iPass, a security software developer in Redwood Shores, Calif. ''They are purchasing their own equipment with varying standards. They probably have the worst scenario: They may have no firewalls and use wireless networks. The threats in that environment are broad.''

He adds that always-on access provided by cable and DSL connections leave these machines even more vulnerable.

On the flip side, some companies do not want the expense of buying and managing PCs for all their employees. Mark Gibbs, president of Gibbs & Co., a network consultancy in Ventura, Calif., says IT groups can spend as much as $5,000 to manage a $1,000 laptop. This can get pricey for a large enterprise. Add to this the fact that some employees don't want the hassle of carrying a laptop home.

To adequately deal with the pressure to provide secure home access, IT groups should follow some basic guidelines.

Have a dedicated security guru managing home access.

Enterprises make the mistake of assigning IT support for telecommuter access to junior members of their security team, says Allen Gwinn, senior IT director at Southern Methodist University in Dallas. But remote access is one of the most critical parts of the network and should be handled by a senior security expert.

''The enterprise must have very, very good security management in place,'' he says. ''How secure your home access is is going to be directly related to how experienced the person is who's managing it.''

Hernandez agrees. He says his security specialist determines how home users access the network. ''He manages and monitors the firewall. If it's being used in the wrong manner, he is the one to report it [to executives].''

The security manager should work with other departments, such as legal and human resources, to set policies and make sure users are compliant.

Study what your users need for access before giving them access

Gwinn says IT managers must carefully plan what parts of the network are going to be open to the real world. ''What can you realistically support?'' he asks. ''You can go very simple or very complicated, but you need to do a complete assessment ahead of time.''

Gibbs says IT groups should work with corporate executives to determine who should be allowed home access based on what they'll be doing. For instance, an HR manager updating staff records might not pose a threat, but a hospital administrator downloading patient files would be in violation of HIPAA regulations.

He adds that companies should set policies around these access constraints. ''You can set privileges, access durations, and allowable behaviors,'' Gibbs notes.

Companies should not be afraid to be too strict, either, according to iPass's Neal. ''I think it's acceptable for companies to lay down policies that would restrict network access,'' he says.

Develop a standard baseline for home computers

Companies allowing home access should develop minimal requirements for anti-virus software, firewalls and intrusion detection/protection systems, says Doug Faith, product manager at Fiberlink Communications Corp., a mobile software maker in Blue Bell, Penn. ''It's very important for IT organizations to maintain a level of governance around hardware, software and access methods,'' he says. ''They should develop a configuration that meets their compliance needs.''

Faith says creating a baseline gives IT groups a minimal level of control over the home user environment. ''The majority of people working from home will want to know what to do -- what the company recommends,'' he says.

Hernandez has strict guidelines for home computer users. ''I even tell them what version of Microsoft Internet Explorer and Windows to use,'' he says. He adds that companies should streamline their operations to support these standards. For instance, he moved from a mixed Novell/Microsoft environment to a Windows-only platform. This helped in deciding what platform home users should employ.

Enforce the policies you've created

Hernandez warns that baseline standards are only useful if IT enforces them.

Although some companies require users to sign a document that outlines the terms of network access, experts warn these often do not cover regulations surrounding hardware and software. In fact, some users might agree to employ a firewall, but then turn it off it becomes too cumbersome.

Hernandez says he uses automated tools from Fiberlink to guarantee hardware and software compliance. When a user tries to connect to the corporate network, his machine is checked to make sure that anti-virus, firewall and Windows patches are all up-to-date. If they aren't, the link is quarantined and users are told what they need to do to comply with baseline standards.

Train and support your users

Experts say the biggest mistake companies make is not training and providing help desk support for home users. They simply let them run amok until a crisis happens.

''If you consider all the initiatives on an IT manager's plate, the last thing they want to deal with is the home user,'' says Fiberlink's Faith. ''If a user does something wrong, IT simply shuts off their access. But the risks are so high that [providing training and support] is something they should think about foremost.''

Hernandez's team creates a brochure of do's and don'ts for home users. They also take advantage of everyone gathering for company conferences to do face-to-face training on new applications and standards in home access.

Companies should develop a safety checklist and review it with their employees, Neal says. ''They should provide training across the board, a cheat sheet for common problems and even specialized training.''

In the end, experts agree that the more attention paid to home users, the less likelihood the company will suffer a network mishap.

  • Is a Job in Security the Cure for Job Insecurity?
  • Cisco Snaps Up Security Software Maker
  • 9/9: Mydoom-U Worm Packed with UPX
  • 8/20: Rbot-GS Exploits Vulnerabilities
  • Phishing Grows with Holiday Shopping Spike
  • 3/21: Sumon-C an IM and P2P Worm
  • 1/26: Patco-A Worm Replaces Doc Files
  • Network Intelligence Upgrades Security Alert Manager
  • 10/29: Beagle@mm!CPL Detects Worms
  • New ID-Synch Access Management Software Ties to HR Systems
  • Big Blue, GE Interlogix Team on Building Security
  • Computer security background information